Tame the compliance beast and challenge those auditors


I was in London not too long ago for a security conference, and I travel frequently. Quite often the stale, dry cabin air bothers my sinuses, so I usually carry a small bottle of saline nasal spray.

Anyway, since the attempted plot to blow up planes using small amounts of liquid explosives and some electronic device as a catalyst, the rules on what you can carry onto airplanes have changed – you can still bring your exploding iPhone on board though.

Anyway, I was on my way through San Francisco International’s security checkpoint and put the nasal spray in my jacket pocket, which I placed in the x-ray machine along with my shoes and belt. I guess the bottle looked suspicious, as multiple TSA agents discussed what it was and what they should do. One walked over and asked me what it was; I said it was for my nose.

He walked away and called a supervisor over who then came over to tell me that I couldn’t bring it on board. I told her that it was less than 4 ounces and I needed it – without even blinking she handed it back to me and said “OK”.

How many times has an auditor asked your organisation to make changes to processes, or to implement controls, that are not cost-effective, do not improve your security, or do not even make any sense?

I have talked to many enterprises that are confronted with requirements from auditors that do not make sense for them. For example, 12-character passwords that must be changed every 90 days and contain a combination of alphanumeric characters – arggghhhh – what a nightmare to manage, not to mention the support costs, and the proven fact that this does not actually improve security.
