Electronic risk management in the commercial sector is no longer optional in many countries. According to the managed security leader, Counterpane Internet Security:
“The United States is witnessing increased regulation of business process-oriented laws including the Sarbanes-Oxley (SOX) Act of 2002, the California Senate Bill 1386, Database Protection Act (SB 1386) of 2001, the Gramm Leach Bliley (GLB) Act of 1999, and the Health Insurance Portability and Accountability Act (HIPAA) of 1996/2003.
Each of these laws imposes strict requirements on enterprises to establish or identify, document, test and monitor "internal control" processes. Most, if not all, of these processes are supported by increasingly sophisticated information technologies. Being unprepared can cost enterprises more than money - under Sarbanes-Oxley, jail time is possible for non-compliant executives.”
- www.counterpane.com/compliance.html
The United States is not alone in regulating commercial information security processes. The US, EU, Japan, Canada, Australia and the UK all have laws dealing with protecting the privacy of personal information, such as health or financial information. A list of over 25 different regulations can be found on the RSA Security web site.
“[The American] SOX, GLB, HIPAA and SB 1386 all have data privacy and protection in common. Each has varying requirements but all share the following common enterprise mandates:
- Security Policies: Well-defined policies for data privacy and protection discourage the government from imposing their own standards - the least desirable of all situations.
- Security Processes: Demonstrating policy in action with people using technology in a predictable manner to protect data from attackers.
- Robust Audit Trail: The foundation of evolved process, where regulators require evidence of what happened to justify why events need not be reported.
- Preventative Measures: Encryption, digital signing and real-time detection of attacks all serve to pre-empt attacks on data.”
- www.counterpane.com/compliance.html
According to RSA Security:
“Most organizations today know what regulations exist, but need to know more about the specific information security requirements. Regulations aren’t prescriptive however; instead they provide high-level requirements and expect organizations to implement 'reasonable and appropriate measures'—in other words, best practices.”
- http://www.rsasecurity.com/SolutionsTertiary.asp?id=2835
In at least one case, the level of protective measures required is tied explicitly to the burden of implementing those measures:
“Article 17. Security of processing
1. Member states shall provide that the controller (entities who process data) must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.”
Technologies such as VEST reduce the cost of developing new secure systems, which commercial organizations can then apply to protect their business processes.
Beyond legislative directives for self-regulation, the commercial imperative to secure information systems and organizational processes is self-evident. Security problems are prolific. High-profile breaches include global banking fraud and piracy, but the issues affect the whole global community: government, commercial and private.