Ask HN: Frustrations with PCI-DSS, HIPAA, SOX compliance?
Hi everyone,
I am curious to hear about other people's frustrations with PCI-DSS, HIPAA, or SOX compliance.
From an IT perspective, one of the biggest frustrations I have is with the man-power required to satisfy keeping up with the requirements. A lot of the guidelines are common sense, but the overhead for maintaining change management, documented policies/procedures, approvals, audits, etc are tough. Certainly, in the ideal sense these things are great to have but in reality it is tough to make time for them when you've got other business needs to satisfy.
What are some of your biggest frustrations with compliance and what are some tools you use to 'cope'?
Cheers!
10 comments
[ 2.8 ms ] story [ 40.1 ms ] threadp.s. I also read "The Phoenix Project" [3] a couple days ago and it give some good ideas on how to stop in insanity.
[1] http://www.amazon.com/Visible-Ops-Handbook-Implementing-Prac...
[2] https://puppetlabs.com/
[3] http://www.amazon.ca/The-Phoenix-Project-Business-ebook/dp/B...
[1] http://bestpractical.com/rt/
[2] http://twiki.org/
We also use puppet with git. This allows us to version everything that goes into production via a puppet tweak. This is great for rolling back changes or getting an of what was deployed. Like I said, read that visible ops handbook.
I Program the integrations from online stores to payment gateways. None of my programs saves any credit card info, yet I'm not sure if I can state that their PCI compliance?
"Merchant / Services" I can understand, but what about a "piece" of software?