SecurityWeek

Preparing Enterprises for a New Era of Compliance

Massive amounts of digital data are being created every day from business transactions and personal data being put online – data that needs to be protected and secured. A recent report projected a nearly 45-fold increase in annual data growth by 2020 and noted that one-third of all digital information will live in or pass through the cloud. This massive growth of digital information is occurring at a time of increasing requirements to protect such information, and of greater transparency when there are failures in keeping data secure.

Enterprise Compliance Requirements

Significant changes in the compliance landscape have marked the end of business as usual, and compliance is now a serious board-level concern. Despite significant progress in compliance and security programs within organizations, a new era is upon us with heightened compliance obligations, and organizations that don’t have the proper security controls will have to catch up quickly in order to compete in the increasingly globalized economy.

Today, RSA, the Security Division of EMC (NYSE: EMC), released the latest research report from the Security for Business Innovation Council, taking an in-depth look at the complex web of new information protection regulations, reporting requirements, and third-party responsibilities that are dramatically raising the stakes for organizations around the globe.

The report, “A New Era of Compliance: Raising the Bar for Organizations Worldwide,” describes the impact this new wave of legislation and legal obligations is having on business, sparking renewed board-level attention and forcing up-leveled strategies.

RSA and the Security for Business Innovation Council have highlighted the convergence of four significant new trends that are driving organizations to get much more serious about compliance.

Strengthened Enforcement – Although enforcement of information protection legislation has been weak in many jurisdictions worldwide, regulators are now strengthening it through expanded powers, higher penalties and harsh enforcement actions. Several state laws now mandate that organizations storing certain types of customer information, such as Personally Identifiable Information (PII), financial data or healthcare-related data, encrypt it.


Global spread of data breach notification laws – Regulators are not just looking at ways to tighten up existing laws, they are introducing new laws aimed at forcing more transparency. Data breach disclosure is becoming a global principle as jurisdictions worldwide adopt privacy and data protection laws that include a general obligation to notify government agencies, individuals, and/or other authorities such as law enforcement of unauthorized access or use of personal data.

Increasingly Prescriptive Regulations – Beyond the spread of breach notification laws, another emerging trend is the tendency for legislation to get more prescriptive. New state privacy laws from Massachusetts and Nevada, which became effective in 2010, are arguably two of the most prescriptive information protection regulations faced by enterprises to date.

Growing Business Partner Requirements – Responsibility for business partners’ security is growing. Many existing regulations and standards call for organizations to ensure that any third parties which handle protected data employ adequate security measures. A recent wave of regulatory activity goes even further in establishing legal requirements for enterprises as well as their business partners to ensure the security of information.

“In a regulated environment, you essentially have to vouch for the fact that you’ve partnered with organizations which can handle the information in a secure fashion, consistent with regulation.” David Kent, Vice President, Global Risk and Business Resources, Genzyme

Compliance isn’t cheap. The report notes that in this new era of compliance, costs are sure to rise. In a recent survey, 55 percent of IT and security executives indicated that regulatory compliance costs accounted for moderate to significant increases in their overall information security costs. As the compliance landscape gets more complex, demonstrating compliance gets more time consuming and costly. Enterprises must constantly update their compliance programs to account for new requirements.

“Heightened scrutiny of other people and by other people is going to cost you. Besides regulators, customers or partners who are working with you are going to demand more of you. That’s going to add cost.” Stewart Room, Partner, Privacy and Information Law Group, Field Fisher Waterhouse LLP.

Taking Action

The council report offers some “how to” recommendations to help organizations to align their programs to the heightened demands of today’s compliance landscape and prepare for tomorrow.

1.) Embrace Risk-Based Compliance: Build an effective enterprise program that provides everyone in the chain – from individual business process owners to the board of directors – with all of the multi-faceted information needed to make risk decisions.

2.) Establish an Enterprise Controls Framework: Create a consistent set of controls across your enterprise that is mapped to regulatory requirements and business needs.

3.) Set/Adjust Your Threshold for Controls: Determine the “right” level of security controls and gauge the prevailing industry standard to meet the legal requirement for “reasonable and appropriate” security measures.

4.) Streamline and Automate Compliance Processes: Establish an Enterprise Governance, Risk and Compliance (eGRC) strategy that consolidates all of the information necessary from across the organization to manage risk and compliance and provide visibility into controls.

5.) Fortify Third-Party Risk Management: Move away from “boilerplate” security agreements and toward comprehensive third-party strategies that focus on: diversification, due diligence, rigorous contractual requirements, consequence management and governance.

6.) Unify the Compliance and Business Agendas: “Operationalize” compliance and develop the organizational structure required to fully embed compliance into the business and align it with the organization’s highest-priority goals.

7.) Educate and Influence Regulators and Standards Bodies: Educate legislators and constructively affect regulation to avoid overly prescriptive rules that will cripple business.

The council was keen to point out that there is still a missing link: though business innovation is powered by information, protecting information is typically not considered strategic, even as enterprises face mounting regulatory pressures and escalating threats. In fact, information security is often an afterthought, tacked on at the end of a project or – even worse – not addressed at all. But without the right security strategy, business innovation could easily be stifled or put the organization at great risk.

The full report is available at: http://www.rsa.com/innovation/docs/CISO_RPT_1010.pdf

Organized and sponsored by RSA, the Security for Business Innovation Council is a group of fifteen security leaders who are committed to sharing their own insights, tips, lessons learned and expert advice on winning security strategies to help move information security forward at organizations worldwide.


Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
