
When ISO-9001 came along, the original intent was simply to 1) document what you should do in order to produce parts to your specifications, and 2) document how well you followed those processes. Simple, right? Companies made WAAAY more work for themselves than they needed to, because the people who were assigned to assure compliance went crazy, carving out kingdoms for themselves, making all sorts of ridiculous rules and documentation demands that actually had nothing to do with implementing the spirit of the standard.

When SOX came along, I saw the same thing happen to IT. The concept was the same: 1) document your separation of duties and authority, and 2) document how well you were working in regards to that. What we got was a complete, secondary industry of consultancy which demanded ridiculous things, which did nothing to improve security or compliance, and onerous documentation of all the things that were missing the point.

I blame Microsoft for being complicit in giving corporations the ability to, for instance, prevent a user from changing his desktop background, as though this had anything whatsoever to do with computer security or financial regulation compliance. There are HUNDREDS of options like this in AD policies. The ability to, for example, turn off Skype conversation histories is a perfect example of something that Microsoft enables in the name of "security" or "compliance," but which actually does NOTHING but inconvenience users. (There are open-source libraries to re-enable the functionality on GitHub. I know someone who wrote an application to do it. Or you can, you know, just copy-and-paste.) And it was the Microsoft-funded trade press which told all the CIOs of all the Fortune 500 companies that this was the sort of thing that had to be done in order to comply with SOX.

That's why I blame Microsoft, but that got long-winded. Sorry.



Most of these aren't proactively done by Microsoft - it's usually a customer who says "in order for us to purchase N licenses, we need features X, Y, and Z", where X/Y/Z are quite often "disable/customize this behavior".


> prevent a user from changing his desktop background

That is very useful in schools where students will happily set obscene wallpapers on shared lab accounts.

Source: seen it happen.


If I can't make a screenshot of the desktop, set it as a background and then remove all the real icons, well, then what's the point!



