Eat your greens
If a sound compliance regime will test if your processes work and your controls are appropriate, then a reliable compliance regime will prove the performance of your operation, the effectiveness of its governance and its overall health.
Get it right and it’s ‘like broccoli, peas and Brussels sprouts,’ writes Ashley Coover in the Sarbanes‐Oxley Compliance Journal. ‘Compliance is ultimately in a corporation’s best interest. Managing risk, streamlining processes and standardizing data management are just a few of the oft unsung benefits of compliance efforts.’
Looks like most of us don’t eat enough greens: according to a recent Ponemon Institute survey of internal enterprise IT security staff and external auditors, more than half the companies audited either failed or had serious deficiencies in security compliance (What Auditors Are Saying About Compliance and Encryption; Dark Reading, Mar 15, 2011).
The British Information Commissioner's Office (ICO) found that some 2,565 cases of non-compliance with the Data Protection Act occurred in the 12 months between March 2010 and March 2011, well after the first lessons from the GFC.
Your organization’s duty to protect its information assets usually rests with (i) the business ‘owner’ of the data and (ii) the custodian of its IT systems, and that responsibility won’t change, even if you outsource your information‐processing activities, as Zurich did. You can’t transfer your legal obligations under the Privacy & Data Protection Laws, and no outsourcer will indemnify you against such commercial risks.
A new option is cyber insurance, but this comes at a staggering price and won’t keep your company’s good name out of the headlines in the event of a compliance breach (Hacking blitz drives cyber insurance demand; IT News, Jun 16, 2011). The onus of monitoring and managing the risk to your IT assets remains with you: it’s better to accept that the risk of losing organizational data has increased dramatically, due to more vulnerable technologies like VoIP, wireless networks and cloud‐based services being used to transfer information - and take steps to mitigate the risk.