awk

Re: None

Wednesday, 04/19/2006 7:08:12 AM

Post# of 447
Regulatory compliance


"….In 2006/7 Basel II comes into force, a European version of Sarbanes Oxley, the US regulations that make firms responsible for all of the data they hold on individuals and the use to which it is put, with criminal sanctions for breaches. In theory in the US company executives can be gaoled if confidential data leaks and they fail to inform the people whose data gets out.

It is easy to exaggerate how draconian all of this is and in practice executives are not led away in handcuffs every time a telesales clerk breaks the rules but the impact has still been dramatic. The potential penalties have served to focus attention. We can expect a similar galvanising effect in Europe...




Regulatory compliance

BY TOM ROWLAND

Jose Lopez is a senior analyst in network security at technology consultants Frost & Sullivan.

http://business.timesonline.co.uk/article/0,,26849-2038521,00.html


Companies have to innovate and compete but they cannot afford to cut corners or abuse their market position. For most it inevitably means appointing someone whose job it is to make sure that the regulatory sky never falls in.

Compliance has become a job with an expanding career path in front. But it can be a lonely posting. Managers can feel that the constant emphasis on complying with an increasingly lengthy set of rules risks more cautious decision making.


What are the limits of compliance inside a business?

Compliance covers everything the business does, ranging from a field engineer turning up to keep an appointment, to call centre staff, through to a senior manager who works at headquarters.


Senior executives often complain that they struggle to maintain a balance between sticking to all of the rules and keeping the vitality in their operations. How should they begin turning compliance into a science?

First of all they have to formulate a security policy. That means deciding what is important and what needs to be protected in your company and formulating the policy accordingly.


What should the policy cover?

Everything from data capture to e-mail security and the authentication of users. Work out what needs to be protected and then you can choose the technologies best suited to each purpose.

For example, if you are trying to improve network privacy then perhaps you should make sure that the communication between users is regulated by a virtual private network (VPN).


In Britain a lot of the rules companies need to keep inside stem from the Data Protection Act and Privacy and Electronic Communications Regulations. How do you make sure you are inside the net?

The legislation in Europe is more obscure than it is in the US, or at least less indicative of what good companies need to do to tighten their security. In the US they have legislation that is specific for vertical markets.

For instance, in the health care industry HIPAA governs much of the activity of an enterprise and sets out what it should and should not be doing. So if a firm is operating in the US then it needs to be aware of the whole of the regulatory environment that might affect it.


Are the UK and Europe becoming more like the US environment?

In the UK we have the Data Protection Act but it is true that things are about to change on this side of the Atlantic.

In 2006/7 Basel II comes into force, a European version of Sarbanes Oxley, the US regulations that make firms responsible for all of the data they hold on individuals and the use to which it is put, with criminal sanctions for breaches. In theory in the US company executives can be gaoled if confidential data leaks and they fail to inform the people whose data gets out.

It is easy to exaggerate how draconian all of this is and in practice executives are not led away in handcuffs every time a telesales clerk breaks the rules but the impact has still been dramatic. The potential penalties have served to focus attention. We can expect a similar galvanising effect in Europe.


How does an increasing regulatory burden change the way firms have to handle information?

It is hard for many to know the extent of their liability. Often it is best to have an outsider come and audit. Sometimes it is difficult for an individual inside a business to see all of the ramifications of a new piece of legislation.


Do both deal with making provision for things that you hope will never happen?

There are some similarities. If legislation says you are having to store data for 10 years, you need to know where it is and to make sure that it does not go astray. The key difference is that in disaster planning there is no legislative framework that the organisation is under an obligation to comply with.


If the US leads in the rigour of its legislative framework governing commercial activities how would you rank the Europeans?

Britain does quite well, but this is a league where right now the Germans are out in front.
