by thewebguyd 8 days ago
> IT. They tend to over-interpret regulation, and super-restrict beyond what is needed for actual de-facto compliance.

IME this is less the fault of IT and more so bad auditors that won't consider, or just don't understand, what compensating controls are. If it doesn't meet their little checklist exactly, they fail the audit.

> IT. They tend to over-interpret regulation, and super-restrict beyond what is needed for actual de-facto compliance.

This is such a nonsensical claim. If a company is asking someone from IT to read the regulations and implement them, then obviously you’re going to get something that conforms to the written specification they were provided.

But a company that does that is basically delegating both compliance and legal functions to IT. No sane company does that.

> But a company that does that is basically delegating both compliance and legal functions to IT. No sane company does that.

I was a Software Dev in a small (but fully regulated and licensed) stock exchange. We used to have guidance from legal experts, market experts, and traders, but in the last project I worked on, they just dumped 300 pages of laws and regulations on my desk and asked me what needed to be done. Why? Because the experts we used to have were either fired or left. Along with any product managers. I guess company leadership thought they were no longer needed.

Insane is right. I told them that this is not how it is supposed to work. I can't tell them what needs to be done. I am not a legal expert who can just interpret these regulations.

I was forced out of the company after that, but honestly, no one would want to work in such an environment anyway.

> But a company that does that is basically delegating both compliance and legal functions to IT

This actually happens scarily often, especially in smaller companies. No F500 is doing this, but there are tons of "mid market" sized non-tech companies (think 80 to 150 employees in size) that basically rely on the IT department of 1 or 2 people, or an MSSP for pretty much everything. No legal team, maybe an attorney they consult with once or twice a year if you're lucky.

That's actually pretty important. If you're an eng doing compliance work and you don't have legal counsel working side by side with you, you might be setting yourself up for legal troubles down the line. I'm glad I can always rely on legal to do their job here when doing this kind of work; I wouldn't want to do work like this just out of my ass.

Perfect IT response.

Regulations are written ambiguously, and the specifications do not match the industry.

I have even seen regulators refuse to specific legislated laws because "that's not what the government meant", giving a company the choice of following the law and being fined, or breaking the law to please the regulatory agency.

Regulators don't want to provide arbitrary detail about their interpretation or likely judgements on issues that may come up, for many reasons, good and bad.

One good one is that providing concrete razors for compliant and non-compliant behavior accelerates the gaming of the rules.

> compensating controls

How to say you deal with PCI compliance without saying you deal with PCI compliance.

Compensating controls also come up in the context of BSA/AML.

Also in IEC 62443.

Also in OFAC compliance. It just comes up in a lot of places where workflows are compliance heavy.

It's because IT never has to live with the consequences of their decisions. Who cares if the other department keeps bleeding talent because you twisted the knobs so hard no one wants to work in your system?

Sounds like communication between departments sucks. If IT develops for them, you'd expect there to be a feedback loop?

Yes. Exactly. This is not a reflection of where I am now in any way, shape or form. Just my observation of previous places I've worked.

Why would they care? They take the blame when it gets hacked, but don't really get any upside for bending the rules to make people's work easier. CYA rule-following is just to be expected.