Making sense of compliance and governance

Whether it is one big Sarbanes-style law, or by many tiny amendments, compliance is here to stay. Don't let it faze you, says Rob Buckley.

For information security professionals, overall the effects of the change in government on compliance and government regulations are likely to be minimal. Stuart Okin, managing director of Comsec UK, says that despite the proposals, the chances of anything happening in the short term are small. “I don't think they'll break up the banks – that's not something the UK can do on its own.” With ten per cent of GDP coming from financial services, he says the Government is also unlikely to jeopardise that.

Okin sees few changes in compliance coming through. Instead, the new FSA guidelines are most likely to affect businesses in the financial sector. “We've already put a new series of infosec guidelines out there. Hopefully, the auditors and regulators will be working to those.” But he does predict that retention laws for small and medium business will be getting “easier and lighter”.

Longer term, though, Okin doesn't rule out the possibility that the Government will propose more changes. “Infosec is not likely to be the top of the budget considerations. However, Baroness Neville-Jones (minister for security) understands the importance of this area, given her background. Longer term, assuming no further polls, then there could be support for further investment and additional leadership in the infosec arena.”

Setting borders to clouds

At first, putting your data in the cloud sounds like a great idea. You don't have to worry about infrastructure, security, maintenance or any of the other costs and issues that in-house data storage requires. However, since the data is in ‘the clouds’ – that is, location unknown – this can cause problems from the point of view of compliance and regulation.

Ed Callacher, security and networking divisional leader at Bell Micro, says the biggest problem with the cloud is that someone else controls the data, and even though regulations such as PCI DSS apply, there are no standards for cloud providers. “The biggest challenge with any kind of cross-border work is finding out what data you have and where it is, and what security policies they have.”

Handing data over to a third party won't protect you if there is a breach or a failure to comply with legislation. Although there have been few test cases, compliance legislation applies to the organisation that owns the data, not to the one that stores it.

So before moving data to the cloud, it's important to ask providers whether they secure to UK and other standards, such as PCI DSS, if personal data is being stored. Callacher says that ISO accreditation would be a definite selling-point in a cloud provider. If compliance legislation requires certain degrees of resilience and reliability, that also needs to be addressed before outsourcing to the cloud.

Something that will affect multinationals in particular is location. US government data cannot leave the US, so a cloud provider needs to have a data centre in the US. With different EU and US laws on personal data, even with the advent of the so-called ‘Safe Harbour’ agreement, movement of data between the EU and US or to other countries needs to be considered carefully. Indeed, many advise even multinationals to silo data in the country in which it was obtained to avoid inadvertent breaches of the laws in both the country where the data was obtained and the country in which it is stored.

“People talk about the benefits of cloud,” says Craig Carpenter, VP of marketing for IRM firm Recommind, “because with the cloud, it becomes irrelevant which system you're running on or where the database sits. But that goes counter to US data and EU privacy laws: you must care where data is sitting and how it is handled. Even with email archiving, you need to have a different email archive in France from the one you have in Germany or the UK. You need to have Chinese walls – not even really walls, more like translucent curtains.”

Backups also need to be considered: although a data centre might be in the US, a backup data centre might be in another country, and in the event of a disaster the cloud provider might move the data to that centre, putting the customer in breach of compliance regulations. The converse – a backup data centre in the US – presents a different issue: the US Treasury department will have legal access to that data once it is inside the country's borders, and the data will also be governed by the laws of the individual US states, provided it contains personal data relating to those states.
