Compliance: The legal landscape and how to navigate it

Every IT professional recognises the im­portance of securing the IT systems on which critical business processes now depend. It is even true to say that business users themselves are beginning to realise that while external drivers such as com­pliance with regulatory pressures, securing corporate data and protecting a company’s brand are essential aspects of what we might term “IT security”, the true importance is apparent in everyday operations.

This recognition places greater stress on the overall governance strategies that organisations need to ensure that data is secured effectively. It is also a fact that many organisations are looking continuously to deploy updated services, and to make use of an ever-growing range of tools and devices. Against this background, there is growing pressure to ensure that sensitive data is protected, wherever it is held or processed.

The question for many IT professionals is which laws, regulations and company compliance measures apply to the systems they run and the data they hold? The answer can be difficult to find unless you happen to be a legal professional specialising in this area.

While there are certain measures that apply to almost every organisation, such as the EU data protection requirements and its international equivalents, there can be subtle local differences in interpretation of how compliance should be achieved. At the same time, there is a plethora of laws and regulations that may apply geographically or by industry vertical. Organisations cannot pick and chose to comply with only the “most important” as the PR challenges caused by any breach can be calamitous. Ignorance of the law is never an excuse that works with judge, jury or the general court of public perception.

Perhaps the most obvious starting point is to raise the profile of the solutions at the heart of good systems management infrastructures. Among these are identity management, asset management and data classification solutions.

Of these, identity management is the tool with the most obvious direct connection to securing IT operations and services. But few organisations have implemented identity management policies and solutions that manage to span the entire infrastructure. Even fewer have policies or tools in place capable of working with identities of individuals outside the organisation who may require access to corporate information.

This raises the question of how organisations can work to secure data appropriately. We know that more and more sensitive corporate data is being held outside core central storage platforms, on laptops and a rapidly expanding range of devices such as smartphones and tablet systems. Unless the organisation has some means, be they manual or automated, of establishing the sensitivity of data held on such machines it is a difficult task to ensure that sensitive data is adequately secured, for example, by encryption and key management solutions.

With many nations already moving to increase the penalties for data loss and data breaches, organisations are going to have to take steps to protect sensitive information. This is an area where the solutions available are still developing, but with new disclosure legislation looking likely in various countries, and with organisations themselves slowly recognising the real value of the data they hold, this is an area where vendors are likely to invest heavily.

In fact, when starting out many organisations are adopting broad brush approaches to data protection as their first step. For example, rather than attempting to undertake sophisticated data classification projects they may decide to implement encryption across all mobile devices. If these go well then more limited file-based encryption and DRM may have roles to play.

But it is also essential to ensure that each and every user has access to only the data they need to do their job. It is even more important to ensure that every individual understands how important it is to look after sensitive data and the devices on which it is held. Our research and experience shows that proper and continuously refreshed training of users has the biggest impact in keeping sensitive information safe. This raises the challenge of how IT can establish which management tools can help to secure operational services. And indeed, to whom one can turn for advice.

This latter point is especially important when considering governance in relation to the increasing burden of compliance. Regulatory and external compliance requirements certainly have the potential to put extra pressure on IT professionals to use systems to help the organisation meet its obligations. Hence, the problem for many IT staff, who are not usually legal eagles, becomes one of trying to define the framework in which the governance regime must fit.

The next step is to translate the framework requirements into practical management policies. But getting to this stage needs input from those with knowledge of the compliance drivers and the business requirements, preferably translated into language that mere mortals can comprehend, and pointing the management tools at exactly what needs to be administered.

The obvious answer would be either specialist staff from a compliance monitoring role within the business or external consultants. Equally, there is a place for the IT vendors themselves and their channel partners to advise on how their solutions can address the challenges defined by the policymakers. There are also some independent forums and consultants who specialise in security solutions, of which the Jericho Forum is worthy of mention.

Whatever approach you take, one thing is clear: organisations cannot pick and choose when looking at compliance with regulatory requirements, national and international laws. It is about finding out which apply and then prioritising how to meet the requirements and obligations.


Click here for more posts from this author

Tony is an IT operations guru. As an ex-IT manager with an insatiable thirst for knowledge, his extensive vendor briefing agenda makes him one of the most well informed analysts in the industry, particularly on the diversity of solutions and approaches available to tackle key operational requirements. If you are a vendor talking about a new offering, be very careful about describing it to Tony as ‘unique’, because if it isn’t, he’ll probably know.