IT DRILLDOWN
Virtualization
 
NEWSLETTERS
 

CIO.com updates, insights and advice on technology, management and your career.

 Advice and Opinion
 CIO Consumer IT
 CIO Leader
 CIO Enterprise
 CIO Insider
More Newsletters | Edit Profile
 
RSS Feeds »
 
 
LEADERSHIP
 
CIO Executive Programs
The Leader in Face-to-Face Education for Senior Executives

Offering regional and national programs, CIO (and CSO) events bring together some of the most respected names and thought leaders in information technology and security. Presented by CIOs and other senior level executives, these invitation-only programs offer timely topics and strong networking. Learn More »

 
CIO Executive Council
A Peer-Advisory Service and Professional Association for CIOs

Public Teleconferences
Join CIO Executive Council members and participate in the following live teleconferences:

* Planning for Succession:
Models for IT Leadership Development, June 23
 * Change Leadership at General Growth Properties: A
Pathways Leadership Development Seminar, June 25
 * Managing Change: Centralizing Your IT Organization
 July 29

More / Register »

Learn more about the CIO Executive Council »



 
 
RESOURCE CENTER
 

buy a link »

Ads by TechWords
 
 
SUBSCRIBE TO CIO
 
Are you involved in setting the direction for your company's IT budget or strategy?

Apply today for a FREE subscription to CIO Magazine!

Subscription Services »
Reprints »

 
 

Feature

 

The Global State of Information Security 2006

 

By Allan Holmes

PAGE 5

IV. Compliance—Time to Get Tough

As was the case last year, a surprising portion of survey respondents admitted that they’re not in compliance with the information security laws and regulations that govern their industries.

That includes high-profile laws that have been on the books for years. More than one-quarter of U.S. security execs who said their organizations need to be compliant with HIPAA, the eight-year-old law that requires health-care organizations to protect patient information, admitted that they are not.

Rules? What Rules?

U.S. organizations still ignoring security and privacy laws...

Percentage of U.S. organizations admitting they need to be in compliance with a specific law, but are not

Regulation 2005 2006
California database breach notification act 15 15
Sarbanes-Oxley 38 28
HIPAA (healthcare respondents only) 38 40
GLBA (financial services respondents only) 17 14
Other state/local privacy regulations 10 32

...but international colleagues are negligent as well.

Percentage of non-U.S. organizations admitting they need to be in compliance with a specific law, but are not

Regulation 2005 2006
Australian Privacy Legislation (Australia respondents) 48 50
CNIL (France respondents) 35 42
Data Protection Act of 1998 (U.K. respondents) 24 31
European Union Data Privacy Directive (Europe residents) 45 45
Canadian Privacy Act (Canada respondents) 38 30

Noncompliance runs broad and deep in all industries, and ignorance of applicable law is a big factor. Nearly one in five U.S. survey respondents said they should be but are not in compliance with California’s 2002 security breach law, which requires companies to notify individuals if an unauthorized person obtains access to their private information (such as credit card numbers). But only 22 percent of all U.S. respondents said the law applies to them. However, given that the law applies to any organization that has even one California resident as a customer, student or client—more than one in 10 Americans—a good portion of the 78 percent of enterprises that think the law does not apply to them are likely wrong.

Similarly, it would have been hard over the past four years to miss the requirements of such laws as Sarbanes-Oxley and Gramm-Leach-Bliley. Still, more than one-third of all U.S. respondents said they are not in compliance with Sarbanes-Oxley even though they should be, and more than one out of seven said they were not compliant with Gramm-Leach-Bliley. That’s a slight improvement from last year, but considering the stiff criminal penalties of not complying, many executives seem to be leaving themselves open to lawsuits and possible prison terms and exposing their enterprise to fines.

And this is not simply an American phenomenon. Half of Australian organizations surveyed admitted to not complying with their country’s privacy legislation. Almost a third of U.K. respondents said they do not comply with their country’s eight-year-old Data Protection Act, and nearly one-third of stereotypically law-abiding Canadian organizations do not comply with their nation’s privacy act.

At the root of this may be a lack of enforcement. To date, the cost of noncompliance is not as high as the expense of complying—the price of labor, hardware and software. In the absence of penalties, security executives have not been able to mount a business case for compliance. Add to that the fact that despite high-profile security breaches and lost laptops over the past year, the actual damages and ID thefts that can be directly tied to the incidents are small, says Jim Lewis, director of the Technology and Public Policy program at the Center for Strategic & International Studies in Washington, D.C. "People may have a sense that they are not as vulnerable as they used to be," he says, and so not complying with laws is perceived as less risky.

If security is to improve, security laws need more teeth. And that applies to an organization’s own rules as well. Survey respondents reported that more than two-thirds of users are compliant with their organization’s security policies, a statistic that has remained unchanged over the past three "Global State of Information Security" surveys. One of the most critical factors for reducing network downtime is compliance with an organization’s security rules, Lobel points out, but that requirement isn’t even in control objectives for information and related technology, or Cobit, the bible for IT governance.

Lobel suggests organizations assign penalties for not complying with their own security policies. But make sure, he adds, that the penalty matches the infraction. "You may not want to terminate someone who puts passwords on yellow sticky notes," Lobel says, "but there have to be some consequences."

 
 
 
 
 
 
Loading...
 
 
ABCs
 

How To Do Nearly Anything

Just the basics, please. Sometimes we all need a refresher or we need to make sure our team and our colleagues are all on the same page.

Over 25 tutorials on everything from business intelligence to virtualization.

 
 
FEATURED SPONSORS
 
 
 
SPONSORED LINKS
 

Choose a mobile device platform with familiar programs and simplified management

How to Manage the Mobile Work Environment

How to simplify mobility and reduce the cost of supporting mobile workers

Rethinking the Corporate Help Desk: Learn how to deliver anywhere, anytime incident response

Webcast: Best practices in application security: How do you stack up?

White Paper: Juniper Networks Ethernet Switching Solutions Reduce Operational IT Expenses

Webcast: Learn why companies must invest in an agile network infrastructure

White Paper: Businesses Thrive by Unifying Business Communications

Efficient by design: Watch this flash demo of the Quad-Core AMD Opteron Processor

Renowned Engineering Institution Chooses AMD Processor-Based Servers

High-Definition: The Evolution of Video Conferencing

Managing Mobility: An IT Perspective

Unify and Conquer: The Benefits of Unified Communications.

Webcast: Increase traditional notebook computing ROI

Sheriff's Office Uses PocketCop to Access Police Databases from BlackBerry® Smartphones

The BlackBerry Solution Adds Significant Benefit to Toshiba

The New Foundation of Storage: Xiotech's Intelligent Storage Element

Green IT: Reducing Your Carbon Footprint with Citrix

The Universal Wireless Client: Simplify mobility and reduce the cost of supporting mobile workers

Top 10 Reasons to Go Green in IT

Transforming Virtualization into a Competitive Advantage

Bringing Order and Security to your Mobile Workforce: Corporate Mobility Policy and Device Management

Network Immunity Manager Video

Cost-Effective Data Center 1U Server Solutions

Automate Business Processes - Try a Free Mashup Composer

Forrester Total Economic Impact (TEI) report: Save Millions in Fraud Losses.

Get Control of Mobile Data (and More)

Mitigating Risk with Security Assessments

Top 10 Questions to Ask when Choosing a Secure File Transfer Solution

Webcast: Building an Optimized Infrastructure

Juniper Networks is changing the economics of networking with a no-compromise, highperformance and service-oriented approach

Research about the efficiencies created by different operating systems.

Unified Communications Software: The Death of VoIP?

HP and Oracle deploy unbreakable computing infrastructure at Replacements, Ltd.

Seeing is Believing: The Value of Video Collaboration

Getting Network Management Right: A Gartner IT briefing

Demonstrating the Business Value of Mobile Device Management

Oracle Database 11g: Real Application Testing & Manageability

Key challenges facing today's IT service and support

Heinz Uses a Wireless, Automated, Auditing process on BlackBerry® devices

Webcast: Solutions to the Toughest IT Challenges in Remote Offices

Extending PCI Compliance to the Mobile Workforce

Webcast: Why standardizing your ECM platform is so critical to your success

White Paper: WebMethods Business Process Management Suite

Gaining Transparency in IT Outsourcing

Top 10 Misconceptions about Performance and Availability Monitoring

Write an RFP for Master Data Management: 10 Common Mistakes to Avoid

HP Puts Its Disaster-tolerant Capabilities to the Test

Microsoft System Center - Designed For Big

Read Forrester's advice for deploying an enterprise mobile solution