Pretexting and compliance

With the HP scandal being front page news there is a lot of talk about what they did, what was legal and what was ethical. It should make all of us think about our situations and where we are security professionals and our companies stand on similar issues. It should also lead us to look at where exactly we stand in regards to compliance on these and other issues. How many of us really knew if pretexting was legal and what regulations cover it.

How about other compliance issues? Often compliance and security are handled by different groups but they can directly affect each other and if the left hand doesn't know what the right hand is doing then we can bring trouble on ourselves. Compliance is tricky ground and depending on what industry your company is in, is it public or private, who our customers are, what data we have, etc.. we may be subject to several different regulations. They may be industry specific, state or federal. Here is a good blog post on the pretexting issue specifically, but it points out that not knowing can get you in trouble. Ignorance is certainly not bliss.

I know in the financial industry we come under scrutiny from a long list of agencies and regulations. I don't claim to know all the why and wherefores of what may bite me, but I have to have a good idea as to what they are so that I can reccommend and impelement the proper controls and technologies to keep us out of hot water. It my not be my job technically, but I'm not going to take a chance that I will implement something that another department says is OK and then find out later that it doesn't do the job or that it actually put us out of compliance. I won't go around (to quote the bloggers phrase of the week) "with my head stuck in the sand".

This is very similar to what I wrote about a few weeks back regarding HIPAA. I was astonished to find out who had no idea that they were subject to HIPAA and even more astonished to find out that many didn't care. Instead of security by obscurity they were going to claim compliance by ignorance.