When it comes to compliance, security has a major role to play – but not everyone is sure they are applying the right technology and processes to meet all the requirements.
A recent survey by Computer Associates' identity management software division, Netegrity, asked 281 security and compliance decision makers in the UK about their regulatory pressures. The research found that almost half (46%) were ‘concerned’ that they would not be able to meet the deadlines for the current wave of legislation.
At the top of most people's list was the Data Protection Act, but in cases where their organisation was a multinational affected by the Sarbanes-Oxley Act, the US legislation was identified as causing the most concern. Indeed, nearly 75% of those were ‘unsure’ whether or not they would be in a position to meet the critical Section 404 compliance test of the Act (see ‘Wall Street enforcer’).
A key element of this, as many analysts are keen to point out, is defining internal controls over who has access to financial documents. The Netegrity survey found that 35% of UK companies had yet to define a formal process that reviewed and confirmed users' access rights. While access management technology is not explicitly required by the legislation, such review processes are essential if organisations are to have any hope of meeting the compliance requirements.
Security experts recommend the best way to approach compliance with the vast array of legislation is to start not with the rules themselves but with best-practice frameworks such as ISO17799 and COBIT. "A lot of organisations' security policies are out of date," says Malcolm Skinner of security tools and services vendor Cybertrust. "So they are taking this opportunity to do this from the ground up." Even Microsoft, for example, had to adjust its security policies to account for the EU Data Protection Act.
But pressures are coming from all sides. The state of California is putting best-practice advice into law by forcing the disclosure of security breaches. Changes to the state's Civil Code in 2003 mean that organisations based or doing online business there must notify Californian residents of breaches in the security of personal information they hold, such as credit card details and social security numbers.
The law is likely to have ramifications far beyond the state boundary for multinational companies, says Michael Colao, director of information management at Dresdner Kleinwort Wasserstein bank. "We're a global bank; we've got customers everywhere. Can I suffer the reputational risk, if there is a breach, of quickly calling my customers in California and nobody else? No way!"
He adds: "So we have what was designed as a local law that has become in effect a global law. And this is a pattern that we're going to see again and again."
He notes a similar problem in the European Union's policy of having states individually enact their own interpretation of EU legislation – giving rise to local idiosyncrasies such as Italy's unique insistence that personal data must be protected by an eight-character password.
Even without such regional variations, the vast amount of corporate legislation makes assessing whether a company is compliant very tricky. Vendors such as Watchfire and Consul provide compliance reporting tools which indicate if certain areas are at variance with governance rules.
"In the case of something like Basel II, a lot of the key metrics of compliance aren't defined," says Colao. Cybertrust's Skinner agrees: "With Sarbanes-Oxley, it is still subjective. It is not until someone falls foul of an audit that a line will be drawn in the sand."
Until then, organisations need to make pretty shrewd judgements about which security technologies are going to enable them to meet the compliance challenge.