In the last few years, governments the world over have taken up the job of protecting consumers and companies against poor management of sensitive information. Unfortunately, this has led to a steady stream of confusing laws and regulations coming from all directions. In this column I’ll look at these laws, go into depth on a few of them, and discuss how you, as an IT pro charged with making your company compliant, can approach the issue.
Depending on the industry you’re in, your organization may be used to regulations or completely new to them. The late 1990s and early 2000s ushered in the era of laws governing information security, privacy, and accountability, thanks in part to corporate accounting scandals such as Enron’s and in part to the sheer volume of personal and sensitive information stored in and transmitted through vulnerable channels.
At the heart of most regulations is the intention of protecting the confidentiality, integrity, and availability of information that impacts a corporation’s stakeholders. These laws can be distilled down to their essential goals:
- Establish and implement controls
- Maintain, protect, and assess compliance issues
- Identify and remediate vulnerabilities and deviations
- Provide reporting that can prove your organization’s compliance