

RSA Research Readies Global Enterprises for New Era of Compliance
Posted: Tue Oct 12, 2010 11:44:21 AM
 
Monday, October 11, 2010

Sweeping Changes in Compliance Landscape Mark End of Business as Usual; Top Security Officers Share Strategies for an Age of Escalating Scrutiny.

RSA, the Security Division of EMC, released the latest research report from the Security for Business Innovation Council, a premier source of industry insight and advice from the world's top security officers. The research takes an in-depth look at the complex web of new information protection regulations, reporting requirements, and third-party responsibilities that are dramatically raising the stakes for organizations around the globe. To arm leaders to act on these shifts, the council outlines strategies for aligning compliance programs to this new era.

The report, "A New Era of Compliance: Raising the Bar for Organizations Worldwide," describes the huge impact this new wave of legislation and legal obligations is having on business, sparking renewed board-level attention and forcing up-leveled strategies. Council members spotlight the convergence of four significant new trends that are driving organizations to get much more serious about compliance: 1) Strengthened enforcement, 2) Global spread of data breach notification laws, 3) Increasingly prescriptive regulations, and 4) Growing business partner requirements.

"Regulators are moving away from light-touch to more interventionist regulation," said Stewart Room, Partner, Privacy and Information Law Group, Field Fisher Waterhouse LLP, a data protection expert and guest contributor to the report. "That's clear in all senses of society and economy, so it's not surprising regulation is tightening up in the data protection field. As I see it, the trajectory of the law here is one way only, which is towards more frequent regulatory intervention, more disputes, more arguments, and more litigation."

Changing Landscape Forces Compliance Programs to Next Level

"A New Era of Compliance: Raising the Bar for Organizations Worldwide" outlines a landscape in which highly-motivated legislators are escalating information protection mandates due to a steady stream of massive data breaches and the resulting public outrage. Enforcement of existing regulations is being tightened through expanded powers, higher penalties and harsh enforcement actions. Organizations operating in Europe are facing the upcoming overhaul to the EU Data Protection Directive, which is expected to include not only increased enforcement but also breach notification.

"As more regulations are introduced, the rules are becoming increasingly prescriptive," said Art Coviello, executive vice president, EMC Corporation and president, RSA, The Security Division of EMC. "Regulators are making it clear that you're on the hook for ensuring the protection of your data at all times, even when it's being processed by a service provider. Going forward, it will be impossible to hide information security failings as legislators force transparency and data breach disclosure becomes a global principle."

This new era of compliance ratchets up the challenges facing information security teams. The council report offers recommendations to help organizations align their programs to the heightened demands of the new compliance landscape. Specific guidance and "how to" strategies include:

1. Embrace Risk-Based Compliance: Build an effective enterprise program that provides everyone in the chain, from individual business process owners to the board of directors, with all of the multi-faceted information needed to make risk decisions.

2. Establish an Enterprise Controls Framework: Create a consistent set of controls across your enterprise that is mapped to regulatory requirements and business needs.

3. Set/Adjust Your Threshold for Controls: Determine the "right" level of security controls and gauge the prevailing industry standard to meet the legal requirement for "reasonable and appropriate" security measures.

4. Streamline and Automate Compliance Processes: Establish an Enterprise Governance, Risk and Compliance (eGRC) strategy that consolidates all of the information necessary from across the organization to manage risk and compliance and provide visibility into controls.

5. Fortify Third-Party Risk Management: Move away from "boilerplate" security agreements and toward comprehensive third-party strategies that focus on diversification, due diligence, rigorous contractual requirements, consequence management and governance.

6. Unify the Compliance and Business Agendas: "Operationalize" compliance and develop the organizational structure required to fully embed compliance into the business and align it with the organization's highest-priority goals.

7. Educate and Influence Regulators and Standards Bodies: Educate legislators and constructively affect regulation to avoid overly prescriptive rules that will cripple business.
