Why Compliance is NOT the Answer

March 30, 2006

Since the late nineties, thousands of corporations have been poring over their financial documents, consulting legal experts, overhauling their IT infrastructure, hiring compliance chiefs, and doing everything else humanly possible to comply with regulations like Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA) and HIPAA (the Health Insurance Portability and Accountability Act). Add to these regulations SEC 17, Europe’s Basel II and complex regional laws such as California’s Security Breach Information Act, and it’s easy to see how the explosion in regulatory compliance requirements has bred its own cottage industry, replete with corporate consultants, IT solutions and revenues in the billions.

In spite of this significant pain and expense, the push for compliance has provided several benefits. In the healthcare sector, organisations are now required by law to protect “portable” patient data, and consumers can be more confident that their healthcare privacy will not be violated. SOX has greatly enhanced internal controls in many corporations – primarily public corporations, but private ones as well – while also requiring C-level executives to pay much closer attention to what exactly is going on inside their organisation. And GLBA has helped to safeguard the financial data of millions of people doing business with credit card companies, banks, brokerages and other financial institutions. These changes represent a step in the right direction.

On the other side of the equation are the network and information security vendors, many of whom have been quick to tout their wares as magic bullets in the never-ending quest for “compliance.” At the centre of this conversation are email and other messaging systems that carry customer data, corporate financial information and other potentially sensitive data. Encrypting and filtering email messages, to use two popular examples, do indeed help companies meet the requirements of HIPAA. But this “point solution” approach – i.e. looking at information security and network integrity solely as a means to achieve “compliance” with HIPAA, GLBA, SOX or other specific regulations – provides a tactical answer to what is in reality a strategic challenge: a control bought to satisfy one regulation protects only the data that regulation names, while an attacker or a careless employee is not so selective.

One country’s regulations may or may not have any relevance to another country’s regulations, not to mention the organisation’s broader corporate information policy (which should be the most restrictive set of rules anyway). Furthermore, regulations change over time – in some instances drastically. For an organisation to truly achieve its information security goals, a different, more global perspective is needed: compliance should be one of many byproducts of a global policy management initiative whose aim is to safeguard the entirety of the organisation’s intellectual property assets.

The New Global Information Security Policy

Until now, compliance has largely been a reactive and tactical campaign. However, if companies want to protect their intellectual property while effectively addressing a growing number of foreign and domestic compliance laws, they must focus on developing and enforcing a sound information security policy – especially as it relates to messaging.

The days of the one-size-fits-all information security policy are coming to a close. It isn’t enough for the healthcare organisation with a hospital in the US, a lab in the Philippines and customer service representatives in India to comply with HIPAA. Full protection from inbound and outbound threats for such a company requires a living, breathing policy that not only addresses regional regulations, but also adapts to new ones.

While US regulations receive a disproportionate amount of coverage, countries and supra-national bodies all over the world – including Britain, the EU, India and Japan – have either instituted new online privacy laws or tightened existing ones. These moves have occurred in tandem with U.S. compliance regulations, pointing to a global trend. The sheer complexity of these regulations is a challenge even for the most aggressive IT compliance department. And the trend does not appear likely to slow anytime soon.

Policy Goes Global

An effective policy lets an organisation take the rules it has on paper and translate them into messaging policies enforced across the entire organisation. Consider these basic steps:

1. Analyse the online privacy regulations for the different countries in which you do business;

2. Where you are not in compliance, develop a targeted approach for each area and modify your current policy to reflect these adjustments;

3. Consider the cultural values and mores of each country in which you have operations and/or customers, then develop messaging policies accordingly;

4. Audit each branch of the organisation on an ongoing basis to ensure the policy is applied consistently, since a policy enforced in one region and ignored in another protects only the region that enforces it.

Culture and policy management

A global policy written simply to comply with U.S. and other national laws isn’t enough to cover all the bases. Subtler but equally dangerous insensitivities with respect to culture, race and gender, resulting from inappropriate content on your network, can insult employees and put your company at legal and financial risk. A flexible, globally focused policy will enable you to respect different cultures and comply with local laws.

Mirapoint Europe Ltd is exhibiting at Infosecurity Europe 2006, Europe’s number one information security event.
