Compliance drives security investments

By Edward Hurley, News Writer
19 Dec 2003 | Security Wire Perspectives

Few things besides regulations are making companies plunk down dollars for infosecurity. While compliance will surely help a company's security posture, it may not make it secure enough.
Regulations such as the Health Insurance Portability and Accountability Act, the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act and California's SB 1386 all have requirements that touch upon security. Failure to comply will open companies up to fines, civil lawsuits and, in extreme cases, criminal charges.
In many ways, regulatory compliance acts as an ad hoc security standard. Companies can use the
regulations as a roadmap for their security investments. "Without tools you are not going to know what good
security is," said Pete Lindstrom, research director at Spire Security.
No regulation, however, explicitly lays out that a company should use 128-bit encryption or update
antivirus signature files in a particular time frame. The laws are more focused on the planning and process
needed for protecting certain classes of data.
For example, Sarbanes-Oxley isn't specifically about security -- or technology, for that matter. The law was passed in the wake of corporate governance scandals in the United States. It requires CEOs and CFOs of publicly traded companies to sign off on their company's books. Security comes into play because the law requires the executives to attest to their company's internal controls, which hits squarely upon security.
Now, few would argue regulations will create a security Shangri-La. For starters, the security
requirements of the laws aren't necessarily that high. "If you have a great security program, then you
should meet all the requirements," said Mark Doll, director of Ernst & Young's security and technology
solutions practice for the Americas.
The opposite, however, isn't true. A company that complies with regulations doesn't necessarily have a great security program. "Regulations won't create the best security programs, but none would fail greatly," Doll said.
Both Doll and Lindstrom warn that companies need to look beyond the requirements of regulations if they want a great security program. "There is plenty of room to fall flat on your face," Lindstrom said. For example, HIPAA requires companies to do risk assessments to justify their security measures. If a company decides not to do something because of its risk assessment, there is nothing to stop the government from coming back and saying, "That's wrong. You should have done it," he added.
"If companies only focus on regulations then they will be too caught up on the trees to see the forest,"
Doll said.