If a sound compliance regime will test if your processes work and your controls are appropriate, then a reliable compliance regime will prove the performance of your operation, the effectiveness of its governance and its overall health.
Get it right and its like like broccoli, peas and Brussels sprouts, writes Ashley Coover in the SarbanesOxley Compliance Journal. Compliance is ultimately in a corporations best interest. Managing risk, streamlining processes and standardizing data management are just a few of the oft unsung benefits of compliance efforts.
Looks like most of us dont eat enough greens: according to a recent Phenomena Institute survey of internal
IT enterprise security and external auditors, more than half the companies audited either failed or had serious deficiencies in security compliance (What Auditors Are Saying About Compliance and Encryption; Dark Reading, Mar 15, 2011).
The British Information Commissioner's Office (ICO) found that some 2,565 cases of non-compliance with the Data Protection Act occurred in the 12 months between March 2010 and March 2011, well after the first lessons from the GFC.
Your organizations duty to protect its information assets usually rests with (i) the business owner of the data and (ii) the custodian of its IT systems, and that responsibility wont change, even if you outsource your informationprocessing activities, as Zurich did. You cant transfer your legal obligations under the Privacy & Data Protection Laws, and no outsourcer will indemnify you against such commercial risks.
A new option is cyber insurance, but this comes at a staggering price and wont keep your companys good name out of the headlines in the event of a compliance breach (Hacking blitz drives cyber insurance demand; IT News, Jun 16, 2011). The onus of monitoring and managing the risk to your IT assets remains with you: its better to accept that the risk of losing organizational data has increased dramatically, due to more vulnerable technologies like VoIP, wireless networks and cloudbased services being used to transfer information - and take steps to mitigate the risk.
