I asked Victor what his impression was of compliance-related changes within various organizations: "I think what is important is the trend. If you go back six years, you could have given a talk titled 'Information security regulation is on its way.' Now, it's here, and it's expanding. You have it touching public companies under Sarbox, affecting the health-care industry with HIPAA and the financial industry with GLBA. You have anti-identity theft statutes such as SB1386, which is now primarily Californian, but is being looked at on a national level. The trend is to increase information security regulations, increase requirements for self-investigation and employ the ability to mitigate liability."
Compliance issues are not an American-only concern. John Weigelt, Strategic Security Advisor for Microsoft Canada, states, "When I speak to clients about security-related issues, they are also very focused on compliance issues. While the Personal Information Protection and Electronic Documents Act (PIPEDA) remains a primary concern for Canadian businesses, I have found that many clients are equally occupied trying to address U.S. legislation such as Sarbanes-Oxley."
"Companies are engaged in applying the 'four Ps' to address compliance issues: Policy, Process, People and Products. They are reviewing existing policies to ensure their consistency with the legislation and addressing any gaps that they find. They are developing transparent processes to meet the obligations imposed. Company-wide training activities are generally underway to educate the workforce about the substantive impacts of the laws. Finally, companies are looking at technological/product solutions to streamline their compliance activities in support of implementation efforts as well as ongoing business activities."
From a client perspective, the risks are even more serious, as they are often life-altering and financially devastating. The potential damage resulting from the lack of an effective incident response process runs the gamut from the theft of one's identity to unauthorized financial transactions totaling millions of dollars. As a customer, I expect that the companies I do business with employ an effective incident response process. I expect that they will let me know my credit card data has gone missing. Unfortunately, as customers, we do not find out which companies take this seriously until it's too late. Personally, I don't want to open my credit card statement to find that I've apparently purchased one million boxes of latex gloves on eBay.