I hate to break it to you but we're already regulated: PCI, SOX, FERPA, HIPAA.
Regulation happens as a reaction to a problem. When we screw up (or are forced to screw up by management that is stupid about IT) bad things happen. The remedy is regulation.

If you mean "when will there be a 'license to sysadmin' required to do our work?" I don't think it will ever happen; we'll just all be in an industry that is regulated for one reason or another.

"How can we prevent this?" The medical profession prevents it by creating their own system of self-regulation. A surgeon can do any kind of surgery but might be "board certified" in certain procedures. The board sets up standards and/or best practices. In most states it is illegal to do surgery that you aren't board certified for; in other states it is just unethical but not illegal (which is why quacks are drawn to certain states).

So, following that model we could establish best practices and offer certifications based on them. They wouldn't be vendor-specific, they'd be like good hygiene: "irreplaceable data should be backed up", "accounts should be centrally administered", "more than 1 person should know an admin password", and so on.

I pick those examples because they're pretty "duh! obvious!" and yet there are famous failures where they were violated:

http://techcrunch.com/2009/01/03/journalspace-drama-all-data-lost-without-backup-company-deadpooled/
http://infosecindia.com/2011/04/06/ex-employee-uses-secret-account-to-hack-into-gucci-systems/
http://articles.sfgate.com/2008-07-15/bay-area/17171009_1_computer-network-computer-system-access

Tom

--
See you in Boston!
Dec 4-9, Boston, Usenix LISA, www.usenix.org/event/lisa11
Dec 4-5, Boston, ACM CHIMIT, chimit.acm.org

_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
