Best Practices: Do We Need Them?

I was recently reading the Food & Drug Administration (FDA)'s Web page on information security, when I happened across some pages on other manufacturing and quality control standards and regulations. I was a bit shocked to read that GxP was the current standard for various regulatory compliance areas for pharmaceutical companies. GxP, I should explain, represents Good Practices, not Best Practices. That is, for example, Good Manufacturing Practice or Good Clinical Practice.

This struck me as a bit odd: good enough was the plan of the day for manufacturing life-saving drugs. This was a surprise to me as an IT security professional used to requirements born in banking and the Federal Financial Institutions Examination Council (FFIEC). Then there are the government regulations such as the National Industrial Security Program Operating Manual (DoD 5220.22-M), the Federal Information Security Management Act of 2002 (FISMA), Sarbanes-Oxley (SOX), and the compliance requirements of the Health Insurance Portability and Accountability Act (HIPAA).

While I was pondering this, I got yet another call from a security vendor about how his product offering was the "best practice" in the industry and would surely have my company in the forefront of compliance. I started to suspect he believed I had a squeaky snake in my company which needed oiling when he began detailing how much we "needed" his widget or we would not be SOX compliant, risking fines and jail, even though we are a very small, privately held company with an annual security budget similar to the cost of his enterprise class, distributed, n-tier widget.

I continued to think about "IT best practices": Who defines them and who needs them? I began to research other industry documents, legal tests, and regulations. Other industries, I found, define good practices and standard approaches. Their publications and documents define the baseline, the median or minimum, to be considered good and respectable. Anything below that indicates shoddy performance and means the job needs redoing. Anything better is the hallmark of someone who went above and beyond what was required. This is why one person referred to himself as Overbuilders Inc. - he always used stock twice as sturdy as normal and he charged like it also.

While waiting during another of the seemingly constant delays at O'Hare airport, I found a landscaping professional magazine in the airport describing water features (you and I call them small ponds and fountains for the yard) and how to install them for the uninitiated landscaper. I read about the minimum things one had to do to meet customers' expectations at a minimum of effort and cost, and about how to avoid call-backs and meet code requirements. Building codes define "minimal acceptable standards" that homes, lots and apparently water features have to meet.

