The Best Defense is a Good Offense
The United States is witnessing increased regulation through business process-oriented laws, including the Sarbanes-Oxley (SOX) Act of 2002, the California Senate Bill 1386 Database Protection Act (SB 1386) of 2001, the Gramm-Leach-Bliley (GLB) Act of 1999, and the Health Insurance Portability and Accountability Act (HIPAA) of 1996/2003.
Each of these laws imposes strict requirements on enterprises to establish or identify, document, test and monitor "internal control" processes. Most, if not all, of these processes are supported by increasingly sophisticated information technologies. Being unprepared can cost enterprises more than money: under Sarbanes-Oxley, jail time is possible for non-compliant executives.
SOX, GLB, HIPAA and SB 1386 all have data privacy and protection in common. Each has varying requirements, but all share the following common enterprise mandates:
- Security Policies: Well-defined policies for data privacy and protection discourage the government from imposing its own standards, the least desirable of all situations.
- Security Processes: Demonstrating policy in action, with people using technology in a predictable manner to protect data from attackers.
- Robust Audit Trail: The foundation of evolved process, where regulators require evidence of what happened to justify why events need not be reported.
- Preventative Measures: Encryption, digital signing and real-time detection of attacks all serve to pre-empt attacks on data.