How do you dictate common sense?  That’s the real heart of the problem that people who build compliance frameworks have to struggle with.  You can’t force people to do the right thing when the right thing is not easily definable.

This is why I’m convinced that compliance just doesn’t work for what we are trying to get it to do in the information security world.  You run the risks of either leaving too many loopholes that people can get through too easily, or you end up dictating the solution for people with no flexibility.

About the only way where compliance makes sense is in a very limited scope in much the same way you would use a SLA with an external vendor.  In this case, the compliance rules or a similar SLA are a compensating control for the risk to the buyer.

• The Vendors are Already Jumping on the 07-11 Bandwagon
• In Search of a Better Catalog of Controls
• Core Belief #4 — Compliance is a Dead-End
• Workin’ for the ‘Counters: an Analysis of my Love-Hate Relationship with the CPAs
• Cloud Computing and the Government