IT Security Compliance Changes: Four Big Ones to Watch

By Ericka Chickowski

This week RSA released a new report produced in concert with its Security for Business Innovation Council (SBIC), a high-powered group of IT security decision-makers from organizations such as FedEx, eBay, T-Mobile and JPMorgan Chase. The consensus among the SBIC is that just as many organizations are finally getting a handle on their compliance responsibilities, the regulatory environment is changing such that even the most mature organizations and their partners will need to make adjustments to keep up. Balancing compliance against risk creates a truly tricky situation for channel partners who use compliance as a selling point but still want to leave their customers more secure as a result of their purchases, rather than less.

"Compliance is the best and worst thing that ever happened to security," said Denise Wood, chief information security officer and corporate vice president for FedEx Corporation, in the report. "It’s a combination. It gives you awareness. It gives you real life justification for good security practices. But at the same time, especially when regulations get prescriptive, it can make it more difficult to have a truly risk-based program where your highest risk items always get your financial investment."

Channel Insider takes a look at four key changes highlighted by the report and some of the things that SBIC members are saying about these issues.

In the early days of SOX and HIPAA, many organizations felt they could skate by with no controls, or the bare minimum, because the main body of the day's regulations lacked teeth. But regulators are now cracking down with real monetary fines and penalties that can truly affect an organization's bottom line.

"The regulators are moving away from light-touch to more interventionist regulation. That’s clear in all senses of society and economy so it’s not surprising regulation is tightening up in the data protection field," says Stewart Room, partner at the Privacy and Information Law Group of Field Fisher Waterhouse LLP. "As I see it, the trajectory of the law here is one way only, which is towards more frequent regulatory intervention, more disputes, more arguments, and more litigation."

Data breach notification laws have come a long way since California's landmark passage of SB 1386 in 2002. As lawmakers around the globe face increasing pressure from incensed citizens, global enterprises must navigate a maze of breach and privacy laws wherever they operate.

"It gets more and more complex. If you’re a public company, you’ve got SOX. If you take credit cards you’ve got PCI. Then there are the privacy laws," says Dave Cullinane, chief information security officer and vice president for eBay. "A company like ours has operations in 37 countries around the world. Global organizations have to comply with all the variations of privacy laws in the US, the EU and Asia — and there are new laws and new requirements all the time."

As organizations continue to stumble and fall with security failures by the day, regulators are taking matters into their own hands, often implementing increasingly prescriptive regulations that may be at odds with an organization's risk management practices. This adds a growing 'compliance tax' that organizations must throw more resources at, whether in-house or outsourced.

"The regulators in general seem to be heading towards more prescriptive regulations," says Professor Paul Dorey, founder of CSO Confidential and former chief information security officer for BP. "When standards get too prescriptive they can be a hindrance. They start to impose things that may not be relevant to an organization’s risk management. The organization may do things in a different way, yet manage risk well. But that wouldn’t be acceptable to the prescriptive regulator."

Perhaps the most relevant compliance trend for channel players is the growing requirement for organizations to ensure the security of their business partners' operations. It means that MSPs, consultants and even VARs had better be ready to stand up to increased scrutiny if they want to land those larger accounts that are burdened by compliance obligations.

"Companies are increasingly disqualifying business partners because they’re not able to meet the due diligence standards, based on data privacy and other regulatory requirements," says David Kent, vice president of global risk and business resources for Genzyme. "In a regulated environment, you essentially have to vouch for the fact that you’ve partnered with organizations which can handle the information in a secure fashion, consistent with regulation."

This article was originally published on 2010-10-12