Is Compliance Mandatory?

Published 24th April 2007

Greg Day, security analyst McAfee...

“Compliancy” is a word bandied around increasingly vociferously over the last couple of years. The trouble with it is that it covers such a multitude of sins, so when it is talked about at events, in the media, as part of sales pitches, it is often hard for the IT director, CIO, network manager or whoever to understand exactly what “it” means and why “it” (whatever “it” is) might be important to them. In order to give a degree of structure to this short article, let’s define “it” as legislation that deals with company-critical data: stuff that, if you were responsible for its loss to your organisation, would land you in a deal of trouble. Think of the people who are right now, in the UK, trembling in their boots at being found to be responsible for dumping HSBC customer account information into dustbins right outside bank branches at close of business, ready to be discovered by anyone, with malicious intent or not.

Taken up the chain within companies, responsibility for data integrity will involve IT at some point, since a big source of potential data loss comes from areas where IT can exert some kind of control: Trojans, spyware and the like. Right now, at least in Europe, though company auditing is increasingly exacting, it has not quite got to the point that it has in the US, where CIOs are increasingly coming into the gunsights of the law as a direct result of sensitive information being compromised (witness the resignation of AOL’s CTO in August this year for revealing AOL customers’ search query data to the world at large).

But what if it does? The precedent is there – legislation affecting big business often starts in the US and rolls out across the world over time (SarBox), and it is likely that, at some point in the not-too-distant future, European institutions will have to take action that will affect the roles and responsibilities of corporate CIOs. The question is – what to do right now? There are a lot of vendors making noise about data loss and integrity, but do you need it or not? What is the net effect of doing nothing? Can auditors pick up on how porous your organisation actually is? Do you even know yourself?

I would argue that there is a certain inevitability about legislation that more closely guards customer data. McAfee has just announced the purchase of Onigma, a firm that provides technology that tracks data through an organisation and guards against it falling into the wrong hands, whether accidentally or not. It has provoked a great deal of interest already, especially in industries where data integrity is all-important (banking, and finance especially). These people see the writing on the wall. Finally, consider this anonymous quote, from a recent survey conducted by the London School of Economics: “The gap between theory (compliance rules) and practice in information security management has never been greater”. If that is the case now, what will happen when the rules are tightened up?

McAfee is exhibiting at Infosecurity Europe 2007, Europe’s number one dedicated Information security event.