BreachExchange mailing list archives

Laws Could Force Businesses To Rethink Compliance


From: Christine Fulgham <christine () opensecurityfoundation org>
Date: Thu, 14 Oct 2010 15:53:37 -0400

http://www.darkreading.com/security/management/showArticle.jhtml?articleID=227701206&cid=RSSfeed_DR_News

New RSA, SBIC report provides guidelines for businesses in 'new era' of compliance
Oct 12, 2010 | 04:13 PM
By Kelly Jackson Higgins
DarkReading

[...]

"A New Era of Compliance: Raising the Bar for Organizations Worldwide,"
written by RSA and the Security for Business Innovation Council (SBIC),
analyzes how new legislation and more legal muscle behind regulations are
forcing businesses to change how they approach compliance. The report
highlights how tougher enforcement, more data breach notification laws
emerging around the globe, more prescriptive regulations, and increasing
requirements for making enterprises responsible for the security of their
data even when a business partner handles it are requiring businesses to
look at compliance as a strategy, not just a necessary evil.

[...]

In the report, the SBIC, which is made up of Global 1000 security executives
from JP Morgan Chase, T-Mobile USA, eBay, BP, FedEx, Time Warner, EMC,
Cigna, and other firms, offered several recommendations for enterprise
security teams in what it calls a new era of compliance.

"As more regulations are introduced, the rules are becoming increasingly
prescriptive," said Art Coviello, executive vice president at EMC and president
of RSA, the security division of EMC, in a statement. "Regulators are making
it clear that you're on the hook for ensuring the protection of your data at
all times, even when it's being processed by a service provider. Going
forward, it will be impossible to hide information security failings as
legislators force transparency and data breach disclosure becomes a global
principle."

Among the recommendations by the SBIC:

1. Embrace risk-based compliance. Set up a program where everyone, from
business-process owners to the board of directors, gets the information
needed to make risk decisions;

2. Establish an enterprise controls framework. Create a consistent set of
controls across the organization that maps to regulatory requirements and
business needs;

[...]

The report is available for download here:
<http://www.rsa.com/innovation/docs/CISO_RPT_1010.pdf>
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
