The Future of Information Security: 2008 and Beyond
New complexities of information security create the need for a new type of executive: a strategist with business savvy, sound risk fundamentals and holistic technical understanding.
Ultimately, the challenge starts with something very fundamental—knowing where critical data lives—then leads to a myriad of additional questions and potential obstacles. How should the data be protected? What's the risk to the business if it's lost, stolen or disclosed? What are the regulatory implications of a breach? Who controls the most recent version of the data? How are business partners protecting the data?
This is the world of data governance. In its simplest form, data governance is an umbrella term for the various views that make up a data protection strategy. Under this umbrella are a number of different facets: data inventory and data classification—where critical data lives and what expectations there are with respect to how and by whom data can be accessed, handled, stored, transmitted, processed and disposed of; vendor risk management—how data is shared with and subsequently protected by business partners; and data leakage—what data is leaving the organization through unforeseen or inappropriate channels. There is also the question of authoritativeness, that is, where copies or replicas of data may exist within the environment, where the most recent version resides, who controls it and how changes are propagated throughout the organization to aid in decision support. Additionally, there are the issues of privacy and compliance—whether privacy expectations and regulatory requirements are being met across the enterprise and with outside third parties. Last but not least, there is e-discovery and litigation support, particularly with respect to the availability of tools and processes for responding to ad hoc enterprisewide demands and for legal or regulatory substantiation.
Does better information security lead to better compliance? Is the reverse true?
While data protection may be the most difficult challenge for the information security organization in 2008, achieving internal and external compliance goals will be the most measured part of the program. According to the 10th Annual Ernst & Young Global Information Security Survey, 60 percent of respondents cited their compliance efforts as the most important activities to their organization, with over half stating that a majority of their team's time is being spent on compliance activities. Roughly 80 percent of respondents noted that tying compliance goals to their information security initiatives helped them justify and obtain resources and budgets for those initiatives. They also said that by having to address regulatory and compliance requirements, they've improved their organization's information security posture.
Whether it's a question of complying with Sarbanes-Oxley or with the regulatory requirements of the payment card (PCI) or healthcare (HIPAA) industries, compliance initiatives will continue to be a significant driver for and component of the 2008 information security agenda.