My Take on the 36 Hour Rule
It doesn’t cover us. . .
. . . but we’ll agree to it anyway.
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .
I thought I’d write a quick DNL about the new 36 hour rule. It’s due in May, so I am not surprised I’ve already held several conversations with Clients about an “impending addendum.”
I told them that we don’t believe we are covered by the rule; we deliver network monitoring, event log consolidation and monitoring, and other services that do not fall into the categories put forth in publication. Therefore, this new rule is only applicable to providers performing those services. As infotex is a Managed Security Service Provider, we do not provide services covered by the BSCA and are currently not required to meet the expectations in the new rule. I then told them that I would sign the agreement anyway, because as far as I’m concerned if my Clients want me to agree to something I should try to accommodate them. I then pointed them to the rule, so they could decide for themselves.
I then called my lawyer, who gave me his blessing (yes, we can agree to this). The conversation included this: “Jim, I would agree not to put an oil rig in the gulf coast to avoid another BP oil rig disaster if a bank wanted me to.”
The only stipulation: we will print the guidance in its current form and attach it to the addendum, and the addendum will say “to the extent that the 36 Hour Rule covers infotex.”
Those Clients must have then read the rule, because I have not heard back from them!
Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex
Dans New Leaf is a fun blog to inspire thought in the area of IT Governance.