Firms worry over clash between policies and compliance

News Analysis

Firms worry over clash between policies and compliance

Company security specialists are struggling to manage the demands of meeting regulatory accountability for data security while at the same time keeping businesses running with the help of numerous business partners.


According to an American Express security executive who addressed the Interop conference and exhibition in New York , as more data is housed at least temporarily outside corporate datacentres, it becomes more difficult to comply with industry and government regulations.


Steven Suther, director of information security management for American Express, said regulators want to know where corporate data is and how it is being secured, forcing companies to define what information is outside the corporate domain and how is it being protected.


Yet, he added, businesses have very little control over how the partners they share data with protect that data. American Express asks its suppliers to self-assess their security and if dissatisfied, it conducts its own on-site visits to assess the security.


The company has even designated vendor-relations managers who are responsible for ensuring that data controls are in place for a specific list of firms that American Express has hired to perform financial services jobs.


It’s clear that while well meaning in its conception, legislation such as Sarbanes-Oxley is in danger of getting out of hand in its demands on organisations, rather like bindweed in a garden, choking everything in its path.

Email Alerts

Register now to receive IT-related news, guides and more, delivered to your inbox.
By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

COMMENTS powered by Disqus  //  Commenting policy