Too Much Risk. Too Complex Controls.


By Adam Turteltaub
adam.turteltaub@corporatecompliance.org

I have to admit that I’m sometimes skeptical of academic papers about compliance. At times they can be a bit too, well, academic. But recently a group of researchers wrote a very interesting study about IT security practices in the healthcare setting that provides lessons learned for all industries.

The researchers found that while the policies in place may have been well-intended, they just didn’t work because they were wholly impractical.

The need for multiple passwords and frequent changes to them led to users finding it impossible to keep track of them all, so they ended up writing them down on sticky notes. Logging people out after five minutes of non-use seemed reasonable, but over the course of a long day, and with a one-minute re-authentication process, it was estimated that more than an hour each day was spent simply logging in over and over again.

And the list goes on.

Read the report. It’s a good overview of how good policies can have bad results. It’s also an argument for spending time with the people who will have to follow a policy to see where things may go awry.
