Company security specialists are struggling to manage the demands of meeting regulatory accountability for data security while at the same time keeping businesses running with the help of numerous business partners.
According to an American Express security executive who addressed the Interop conference and exhibition in
Steven Suther, director of information security management for American Express, said regulators want to know where corporate data is and how it is being secured, forcing companies to define what information is outside the corporate domain and how it is being protected.
Yet, he added, businesses have very little control over how the partners they share data with protect that data. American Express asks its suppliers to self-assess their security and, if dissatisfied with the result, conducts its own on-site visits to assess it.
The company has even designated vendor-relations managers who are responsible for ensuring that data controls are in place for a specific list of firms that American Express has hired to perform financial services jobs.
It’s clear that, while well-meaning in its conception, legislation such as Sarbanes-Oxley is in danger of getting out of hand in its demands on organisations, rather like bindweed in a garden, choking everything in its path.