This is about interpretations, and how they transform law into something unrecognisable.
The first example is kashrut, the Orthodox Jewish dietary law. Its origins can be traced mostly to the eleventh chapter of the third book of the Bible (or Torah, if you like), Leviticus:
And the LORD spake unto Moses and to Aaron, saying unto them, Speak unto the children of Israel, saying, These are the beasts which ye shall eat among all the beasts that are on the earth…
(the full text is here)
A couple of thousand years later, we find the concise set of rules transformed into something very complicated, apparently bloated and sometimes self-contradictory. The main thing is: if you want to sell kosher food, you cannot just claim that the food is kosher. There is no self-assessment. You must hire someone from a kashrut authority to supervise your processes and certify your compliance with something that is only vaguely based on the original law.
A more recent but very similar example is "An Act to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes", commonly referred to as the Sarbanes-Oxley Act (or just SOX). It is the US Congress' response to a series of corporate scandals, including the burst of the telecom bubble (read Om Malik's excellent book "Broadbandits" about it) and the demise of Enron.
The act is about implementing audit and security controls so that corporate executives won’t tamper with financial results in order to inflate share price and such. Yes, it includes something about information security – so vague that I can easily post the entire Section 404 here:
SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.
(a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall –
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
(b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.
That's it. Much shorter than Leviticus chapter 11. Do you see anything about firewalls, intrusion detection and prevention systems, antivirus software or email journaling? Neither do I. The law requires a verifiable set of controls around financial information (which is reasonable); the controls themselves aren't defined (which is bad); and it's up to the auditors to define what's required.
Boom! The Big Five accounting firms (okay, they're the Big Four now; Andersen became the scapegoat) all of a sudden have a lot of new business. That is, they interpret the law at will, and they charge a fee to check compliance with what is largely a product of their own imagination. In just five years, SOX has resulted in the creation of a new kashrut system.
I should probably give examples of SOX stupidity. The most fascinating one, if true, is this: based on SOX, the IT auditors require all routers to be tested under high load for a fortnight before being connected to production. I cannot name the source, nor the auditors here; I just heard it through the grapevine. But for some reason I tend to believe it.
CEOs, CFOs and CIOs hardly ever touch routers or administer servers. In every case of corporate fraud they used other means to defraud the investors.
Compliance is only good if it brings benefits. More secure infrastructure is usually more stable, because it must be well-managed to stay secure. But it’s very easy (and tempting, to some) to go overboard with compliance. If you attend a presentation of a new product, and you hear “SOX” or “HIPAA” in the first five minutes – walk away.