Navigating the minefield of data protection laws is one of the biggest challenges facing chief information security officers (CISOs) in the UK and the rest of Europe.
The difficulty lies in the fact that the laws that govern the authorised movement of data differ from country to country within the European Union.
Data security is about making sure information does not get into the wrong hands, but data protection requires meeting complex European laws restricting the movement of data, says Mark Surguy, senior associate at law firm Pinsent Masons.
The problem of keeping track of the different data protection laws is particularly challenging for multinational organisations with sites across Europe and the US.
This is compounded by an increase in the number of investigations (http://www.computerweekly.com/Articles/2008/10/16/232701/regulatory-action-is-biggest-data-protection-fear-for-financial.htm) aimed at rooting out poor practice (http://www.computerweekly.com/Articles/2008/06/19/231115/fsa-fines-stockbroking-firm-77000-for-weak-data-security.htm) by regulatory bodies such as the Financial Services Authority (FSA), says Surguy.
CISOs are now more than ever called upon to provide information to such bodies that has to be drawn together quickly from multiple sites within the organisation.
The challenge for the CISO is to understand the data protection requirements and manage data accordingly (http://www.computerweekly.com/blogs/when-IT-meets-politics/2008/01/the-fount-of-good-data-protection-wisdom-.html), says Alessandro Moretti, (ISC)2 European advisory board member.
Providing data in a timely fashion to any regulatory investigation becomes increasingly problematic the larger the organisation is because that means there are more borders to cross, he says.
The CISO particularly needs to understand the requirements related to where the data should reside and how it can be distributed within an organisation, as well as to external third parties.
Moretti, who fulfils a CISO-like role for investment bank UBS as executive director for IT security risk management, says the challenge extends beyond the banking sector to all global companies.
The best way to tackle the problem, he says, is to work collaboratively with external legal professionals well versed in the details of all the various European data protection rules.
"Gone are the days a CISO can safely rely on an IT security function to provide a firewall and that is the end of cross border data control," says Moretti.
The data environment is now much more complicated, fluid and dynamic, which makes it difficult for the IT function to understand where data flows to and where it needs to be protected, he says.
According to Moretti, the complexity makes it unwise for multinational organisations to go it alone and risk exposure for non-compliance.
"Making sure that the professional expertise of IT security individuals takes into account their duty to understand the problem and engage the right expertise is part of my role at (ISC)2," he says.
While CISOs typically choose the technologies and processes to manage data securely, legal teams will check whether or not these meet regulatory requirements, says Moretti.
"That is risk analysis, which is typically done better by organisations in the financial and government sectors," he says.
These sectors have been ahead of other disciplines for many years, says Moretti, which is why (ISC)2 is trying to enhance the competencies of IT professionals in other sectors (http://www.computerweekly.com/Articles/2008/09/25/232445/isc2-launches-security-certification-to-reduce-application.htm) to help bring them up to speed with an increasingly challenging regulatory environment.