While organizations work to educate end users, regulatory compliance remains a chore for many.
Nearly 34 percent of survey respondents say auditing user access and reviewing privileges will be their top compliance challenges in 2007. Readers also rank defining and enforcing security policies and encrypting the transmission of sensitive data as big regulatory issues for next year.
D&E's Martin, who estimates that roughly 20 percent of his time is spent on Sarbanes-Oxley and HIPAA compliance issues, says that database encryption is a challenge for his firm, and that external auditors don't provide much guidance on that front: "They ask for things that would be detrimental to our systems."
Having a good plan for notifying customers in the event of a breach that exposes their confidential data is another compliance-related task his firm is tackling. California's security breach law SB 1386 paved the way for similar requirements in other states. "We keep hearing there might be a federal law. Now there are 30 different state laws to comply with," Martin says. "It's just a mess."
The company also is looking into laptop encryption. Lost or stolen laptops containing private customer data can run a company into all sorts of regulatory trouble, not to mention reputational harm.
For USG, the segregation of duties required by Sarbanes-Oxley Section 404 (for example, making sure an accounts-payable employee doesn't also have access to the general ledger) is a top compliance challenge, but one that the company has a grip on, Watson says.
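The segregation-of-duties check described above, as an added example that is not code from the article or from USG: an access review that flags any single user holding both sides of a conflicting entitlement pair, aggregated across systems. The conflict matrix (beyond the article's accounts-payable versus general-ledger pair) and the entitlement records are constructed for illustration.

```python
"""Segregation-of-duties (SoD) audit over user entitlements.

Added example, not from the article. The conflict matrix and the
entitlement records below are constructed for illustration.
"""
from collections import defaultdict

# Pairs of entitlements that one user must never hold together.
# The AP-vs-general-ledger pair is the article's example; the others
# are assumed, typical finance conflicts.
SOD_CONFLICTS = [
    ("ap_invoice_entry", "gl_journal_post"),
    ("ap_invoice_entry", "ap_payment_release"),
    ("vendor_master_edit", "ap_payment_release"),
]

# Constructed access-review export: (user, entitlement, granting system)
ENTITLEMENTS = [
    ("alice", "ap_invoice_entry", "erp"),
    ("alice", "gl_journal_post", "erp"),               # conflict, same system
    ("bob", "ap_invoice_entry", "erp"),
    ("bob", "vendor_master_edit", "erp"),              # no conflict in this matrix
    ("carol", "ap_payment_release", "erp"),
    ("carol", "vendor_master_edit", "vendor_portal"),  # conflict, across systems
]


def entitlements_by_user(records):
    """Group entitlement names per user, regardless of which system granted them."""
    by_user = defaultdict(set)
    for user, entitlement, _system in records:
        by_user[user].add(entitlement)
    return by_user


def find_sod_violations(records, conflicts=SOD_CONFLICTS):
    """Return sorted (user, entitlement_a, entitlement_b) for each conflict pair a user holds."""
    by_user = entitlements_by_user(records)
    violations = []
    for user, held in by_user.items():
        for a, b in conflicts:
            if a in held and b in held:
                violations.append((user, a, b))
    return sorted(violations)


if __name__ == "__main__":
    for user, a, b in find_sod_violations(ENTITLEMENTS):
        print(f"SoD violation: {user} holds both {a} and {b}")
```

Aggregating per user across systems is what catches carol's conflict; a review run separately against each system's export would miss it.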
This was first published in December 2006.