Compliance and the IT security professional

It can be argued that IT security people don’t actually do security – we do risk management.

As IT security professionals, our job is to protect the organisation from risk, be it risk of data loss, hack attack and viruses or the ultimate risk we are trying to avoid, a damaged reputation. While it's easy to concentrate on the obvious attacks - hacks, scams and malware, it's important not to forget the risks of not meeting the legal requirements for security. To that end we need to help ensure our organisations are complying with the myriad of rules, laws and regulations emanating from national, regional and international bodies.

IT and the Law – US vs. EU

I find it interesting to compare the evolution of IT related laws in the US to those in Europe. One piece of legislation that has captured a lot of mind share in the US is that of security breach notification. These laws have been enacted in most US states since 2002 and were created in response to an escalating number of breaches of consumer databases containing personally identifiable information.

The first such law, the California data security breach notification law, was enacted in 2002 and became effective in July 2003. There are ongoing discussions across the EU, both nationally and at a European level, to determine if such legislation should be implemented in this region. A proposal was published in late 2007.

People have different views on this legislation. I am a fan, as reputational risk is often a better motivator for corporate governance than a modest fine that would hardly raise a small paragraph in a local paper. That said, it is interesting to see how Europeans are dragging their feet over a notification law. Is this a cultural issue maybe?

Compliance

Achieving compliance, in the broadest sense of the word, can be a good thing as it often instils good practices and procedures. On the other hand over-compliance can be detrimental as the business can be bogged down in achieving a goal that delivers little direct business benefit. Ultimately it is a balance that legislators need to achieve, with the help of IT practitioners.

I feel for medium sized businesses that are captured by the compliance net but have little or no resources to meet what can be seen as an onerous requirement. Fortunately, some compliance and regulations have planned for this and offer suitable break points so that small and medium sized business don’t fall foul of regulations whilst being able to run their day to day business.

As organisations switch onto the world of compliance they realise that it is far more cost effective to run compliant systems 24/7 rather than hastily scrabble to clean up prior to an audit. Those days should be long gone and organisations should ideally be “audit ready” at all times, or at least strive to be.

Undoubtedly adherence to compliance requirements can assist an organisation trying to achieve funding or a possible sale. In my experience of working in mergers and acquisitions during various due diligence investigations any non-compliance is often rapidly uncovered leading to increased suspicions concerning the overall management and health of the business. The knock on effect to corporate valuations and exit multiples can have a direct, profound affect on the principals especially in smaller businesses.
 
Next page: Basel II