Navigating the minefield of
data protection laws is one of the biggest challenges facing
chief information security officers (CISOs) in the UK and the rest
of Europe.
The difficulty lies in the fact that the laws that govern the
authorised movement of data differ from country to country within
the European Union.
Data security is about making sure information does not get into
the wrong hands, but data protection requires meeting complex
European laws restricting the movement of data, says Mark Surguy,
senior associate at law firm Pinsent Masons.
The problem of keeping track of the different data protection
laws is particularly challenging for multinational organisations
with sites across Europe and the US.
This is compounded by an increase in the number of investigations
aimed at rooting out poor practice by regulatory bodies such as the
Financial Services Authority (FSA), says Surguy
(http://www.computerweekly.com/Articles/2008/10/16/232701/regulatory-action-is-biggest-data-protection-fear-for-financial.htm;
http://www.computerweekly.com/Articles/2008/06/19/231115/fsa-fines-stockbroking-firm-77000-for-weak-data-security.htm).
CISOs are now more than ever called upon to provide information
to such bodies that has to be drawn together quickly from multiple
sites within the organisation.
The challenge for the CISO is to understand the data protection
requirements and manage data accordingly, says Alessandro Moretti,
(ISC)2 European advisory board member
(http://www.computerweekly.com/blogs/when-IT-meets-politics/2008/01/the-fount-of-good-data-protection-wisdom-.html).
Providing data in a timely fashion to any regulatory
investigation becomes increasingly problematic the larger the
organisation is because that means there are more borders to cross,
he says.
The CISO particularly needs to understand the requirements
related to where the data should reside and how it can be
distributed within an organisation as well as to external third
parties.
Moretti, who fulfils a CISO-like role for investment bank UBS as
executive director for IT security risk management, says the
challenge extends beyond the banking sector to all global
companies.
The best way to tackle the problem, he says, is to work
collaboratively with external legal professionals well versed in
the details of all the various European data protection rules.
"Gone are the days a CISO can safely rely on an IT security
function to provide a firewall and that is the end of cross border
data control," says Moretti.
The data environment is now much more complicated, fluid and
dynamic, which makes it difficult for the IT function to understand
where data flows to and where it needs to be protected, he
says.
According to Moretti, the complexity makes it unwise for
multinational organisations to go it alone and risk exposure for
non-compliance.
"Making sure that the professional expertise of IT security
individuals takes into account their duty to understand the problem
and engage the right expertise is part of my role at (ISC)2," he
says.
While CISOs typically choose the technologies and processes to
manage data securely, legal teams will check whether or not these
meet regulatory requirements, says Moretti.
"That is risk analysis, which is typically done better by
organisations in the financial and government sectors," he
says.
These sectors have been ahead of other disciplines for many
years, says Moretti, which is why (ISC)2 is trying to enhance the
competencies of IT professionals in other sectors to help bring them
up to speed with an increasingly challenging regulatory environment
(http://www.computerweekly.com/Articles/2008/09/25/232445/isc2-launches-security-certification-to-reduce-application.htm).