A good regulatory compliance resource

I know I’ve been on a Windows Mobile kick for the past few days, but it’s not all I’ve been doing. I just recently turned in the final draft of Chapter 4 of my DCAR (Discovery, Compliance, Archival, and Retention) ebook to my editors at Windows IT Pro, so I expect to be seeing that go live on the website in the very near future. As always, I’ll let you know once I know it’s up.

This chapter was a very difficult one to write, because it (by design) had very little to do with technology. The technological challenges of DCAR — especially the regulatory compliance aspects of DCAR — get a lot of airtime in our industry; we’re a tech-oriented industry, and frankly, tech solutions are a heck of a lot easier to figure out than people and process problems.

So, chapter 4 is all about people and processes. I have a fairly firm theory: any time you have an issue and need to make a change, it is either going to be a process change or a tech change. You won’t have to do one or the other — and if you find that you do, it has been my experience that you’re really making two changes, or solving two problems, at once. This leads directly to a quote from Exchange MVP Ed Crowley:

There are seldom good technological solutions to behavioral problems.

One of the groups I’ve worked with at Microsoft, Microsoft Solutions for Security and Compliance (MSSC), is spending a lot of time focusing on regulatory compliance as a pain point for their customers. Via their secguide blog, I recently discovered the Regulatory Compliance blog, which is turning out to have some interesting and thought-provoking posts from a variety of really smart and talented people. Give it a look-see.

I’d like to highlight one recent post of note: Regulatory Compliance Planning Guide Beta Coming. I eagerly await this guide; I think it’s going to be chock full of the same kind of crunchy usefulness as previous guidance produced by MSSC. Paul and I worked with them last fall to help produce the Windows Server 2003 Security Guide v2.0 and the Threats and Countermeasures Guide v2.0.

Don’t forget to check out the secguide blog as well; they have a lot of interesting and useful security content, much of which is applicable to DCAR solutions and concerns.