10/12/2010
04:13 PM
Tougher Data Protection Laws Could Force Businesses To Rethink Compliance

New RSA, SBIC report provides guidelines for businesses in 'new era' of compliance

Say goodbye to the compliance-checkbox mentality: Data protection laws are expanding worldwide and cracking down on the way businesses protect electronic information, a new report published this week says.

"A New Era of Compliance: Raising the Bar for Organizations Worldwide," written by RSA and the Security for Business Innovation Council (SBIC), analyzes how new legislation and more legal muscle behind regulations are forcing businesses to change how they approach compliance. The report highlights how tougher enforcement, data breach notification laws emerging around the globe, more prescriptive regulations, and growing requirements that hold enterprises responsible for the security of their data even when a business partner handles it are pushing businesses to treat compliance as a strategy rather than a necessary evil.

"Regulators are moving away from light-touch to more interventionist regulation," said Stewart Room, partner with the privacy and information law group at Field Fisher Waterhouse LLP and a data protection expert and guest contributor to the report. "That's clear in all senses of society and economy, so it's not surprising regulation is tightening up in the data protection field. As I see it, the trajectory of the law here is one way only, which is toward more frequent regulatory intervention, more disputes, more arguments, and more litigation."

In the report, the SBIC, which is made up of Global 1000 security executives from JP Morgan Chase, T-Mobile USA, eBay, BP, FedEx, Time Warner, EMC, Cigna, and other firms, offered several recommendations for enterprise security teams in what it calls a new era of compliance.

"As more regulations are introduced, the rules are becoming increasingly prescriptive," said Art Coviello, executive vice president at EMC and president of RSA, the security division of EMC, in a statement. "Regulators are making it clear that you're on the hook for ensuring the protection of your data at all times, even when it's being processed by a service provider. Going forward, it will be impossible to hide information security failings as legislators force transparency and data breach disclosure becomes a global principle."

Among the recommendations by the SBIC:

1. Embrace risk-based compliance. Set up a program in which everyone, from business-process owners to the board of directors, gets the information needed to make risk decisions;

2. Establish an enterprise controls framework. Create a consistent set of controls across the organization that maps to regulatory requirements and business needs;

3. Set/adjust threshold for controls. Decide the proper level of security controls and ensure that you meet the legal requirement for "reasonable and appropriate" security;

4. Streamline and automate compliance processes. Formulate an enterprise governance, risk, and compliance strategy that manages risk and compliance and includes appropriate visibility into controls;

5. Fortify third-party risk management. Ditch "boilerplate" security agreements and adopt a strategy that covers "diversification, due diligence, rigorous contractual requirements, consequence management and governance";

6. Unify the compliance and business agendas. Incorporate compliance into the business and align it with the organization's main goals; and

7. Educate and influence regulators and standards bodies. That prevents overly prescriptive rules that can hurt businesses. "You need a broad perspective of all of the various legislation in the U.S. and elsewhere. Legislators and people in Congress don't often understand the nuances of things like identity theft. They might pass all sorts of legislation that's actually not going to reduce identity theft but just create a whole bunch of requirements," said Dave Cullinane, chief information security officer and vice president of eBay, in a statement in the report. "It's important for security officers to be participating in that conversation and provide insight into draft legislation."

The report is available for download here.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
