Feeling better about compliance

On Tuesday I attended a day long seminar on Compliance the focused on Risk Management. It was put on by the guys at Tech Target and SearchSecurity.com. I wasn't expecting much for several reasons. Primarily it was free (vendor sponsored) and it was only a day. What can they tell you in a day that you probably don't already know? Actually more than I expected. It was a very well done seminar. There were 4 main speakers, a vendor Q&A session and of course the vendor arena.

With everything that is going on at work I almost decided not to go, but at the last minute decided that it may be worth it if for nothing else it would get me out of the office for a while so I didn't have to think too much about all that I have to do. Also compliance is coming at me hard and fast and I wanted a "refresher" and hopefully a new perspective on what is coming. I was not disappointed in the least. The speakers were informational and entertaining. If you have done much in the field of compliance or risk management you know that they can be boring if left to themselves. Of course the best part of it was the peer networking that goes on at events such as this. The value of a good network can't be overlooked.

What I brought away from the day was actually encouraging. Compliance is still looming over my head, but I actually feel pretty good about getting a handle on it. It will take a lot of work and a fair amount of money, but I don't think it's going to be the bear that I had imagined (knock on wood). I also found out that I am NOT subject to PCI!!!!!! I spoke with the Risk Manager and Information Security Officer for a large Financial Institution who is very well versed on PCI and it's implications for various institutions. This was a difficult question to get a straight answer to. Every person that I talked to gave me different answers, but most of them qualified their answer with "I think" or "I believe". The guy I spoke with is doing things the same way that we will be doing them and he said that they don't even look at PCI except for the framework of it and the benefit that can be gained by that.

Well, it's back to the grind. I've got to place my Cisco order today or I won't have routers and switches to have my WAN in place in time. Not a good thought.