What Are Your Regulatory Compliance Pains?

We are in the process of planning our roadmap for upcoming guidance.  One of the areas we'd like to focus on is regulatory compliance.  Therefore, we'd like to ask for your input:

What are the biggest regulatory compliance pains that you have to deal with?

Your input will definitely be considered as we make our plans for future guidance.  You can send your compliance pains to secwish@microsoft.com.

Thanks a lot!
Bill

Comments

• Anonymous
  January 01, 2003
  PingBack from http://winblogs.security-feed.com/2006/09/01/what-are-your-regulatory-compliance-pains/

• Anonymous
  September 02, 2006

• There's no easy, turn-key solution for showing failed logins, powerful id activity, etc.  on relevant hardware, including windows servers, routers, unix boxes.   Keep in mind the constraints that all user ids need to have their passwords reset every 90 days.  Some servers are in workgroups.  Reports need to be available for a year.  Reports need to be reviewed weekly.
  
  * People are locking themselves out pretty continuously becuase of the stringent password policies.  This requires a lot more help desk activity.  -User calls help desk -Help desk verifies identity -Help desk unlocks or resets account -Help desk sends an email to help desk application (help desk applications are notoriously clumsy; better send an email to log the activity)
  
  * Databases need to email users about the following issues:  Password not changed, Original password not changed, Account locked out for inactivity, etc.
  
  * The other big pain: the workflows and time reminders.  Every so many days x needs to occur and be performed by person with role y.  Roles and persons need to be distinct so people can move in and out of roles.  Every change requires approvals by 2 other people.  I envision an approval agent in the system tray that find the person on the internet with the particular role and lets them know an approval is waiting for their review.