Back in June, we looked at the top regulatory compliance trends that would affect IT in 2009. As the year draws to a close, it's a natural time to look back at the IT compliance
Cybersecurity is a national priority
As the year ended, risks, regulations and (finally) the appointment of a cybersecurity coordinator all moved through the headlines. Back on April 1, Sens. John D. Rockefeller IV (D-W. Va.) and Olympia Snowe (R-Maine) introduced the Cybersecurity Act of 2009, which received widespread attention as the "kill-switch bill," although the cybersecurity certification and licensing burdens might have been the bigger story.
More regulatory compliance resources
Later that month, Sen. Thomas Carper (D-Del.) introduced the Information and Communications Enhancement Act. Also known as the ICE Act, it would restructure cybersecurity authority and create a White House "cyber office" to coordinate between government agencies and the private sector. At year's end, however, both bills were tied up in the Senate's Homeland Security Committee, with some form of legislative action expected in 2010.
Whether eventual regulations include licensing for cybersecurity professionals or new Federal Information Security Management Act (FISMA) compliance measures isn't an academic exercise. Growing cybersecurity threats and risks to critical infrastructure have put a new focus on North American Reliability Corp. regulations, as well as FISMA, warned NERC's chief security officer.
Cloud computing created IT compliance management headaches
One of the year's biggest technology trends will continue to present IT professionals with new compliance challenges in 2010 as well. As cloud computing vendors promote standards like ISO 27001 or SAS 70, experts urged users to delve deeper, claiming ISO 27001 certification wasn't enough for verifying the security of Software as a Service applications or the cloud. Experts acknowledge that cloud compliance may be difficult, but addressing compliance requirements in cloud computing contracts is essential. That said, the nation's top CIO is still betting on cloud computing for delivering improved government IT services. The District of Columbia found both compliance benefits and cost savings in cloud computing. Expect cloud computing to continue to make IT compliance management news headlines.
For more on the top 10 cloud computing news stories of 2009, visit our sister site, SearchCloudComputing.com.
State data protection laws
The patchwork of state data protection continued to be a sore spot for IT compliance professionals. One of the stories we covered closely was the Massachussetts data protection law, which drew national attention due to its strict prescriptive requirements. When the Massachusetts Senate sought to amend and weaken the data breach notification law, we were there. By the end of the year, the data protection law's requirements IT compliance management and its deadline extended, once again. Along the way, we recorded a podcast, wrote about the risks of noncompliance and explained how to implement compliance with the Massachusetts data protection act.
FAQ: IT operations and regulations
This index links to compliance resources about the relationship between IT operations and regulations.
Massachusetts wasn't the only state to step up: Nevada toughened its data protection laws with cryptography and PCI requirements. It was one of the first states to pass a comprehensive data protection law. After this year, its strictures should make cybercrime more difficult and compliance more complex for IT professionals.
Executive Editor Scot Petersen interviewed California State Sen. Joe Simitian about what his SB 20 amendment meant for privacy and whether state laws should give way to a federal law. Despite Simitian's assertion that SB 20 struck the right balance, however Gov. Arnold Schwarzenegger vetoed the California data breach notification bill.
Compliance software has positive secondary effects
Whether it's log management driving business process efficiency or governance, risk and compliance software revealing inefficiencies, achieving compliance unexpectedly allowed another benefit: an improved bottom line. SAP AG saw green in sustainability software for carbon compliance. Hara Software Inc. helped turn carbon footprint management into cost savings for Palo Alto, Calif.
National data breach requirements
Heightened action by the Federal Trade Commission and Department of Health and Human Services added new force behind data breach notification laws. New HIPAA data breach notification rules put the health industry on notice, sending health care organizations scrambling to get their privacy practices and those of their partners in shape.
At the end of 2009, a federal data breach notification law passed in the U.S. House of Representatives. The Data Accountability and Trust Act is the first step toward a comprehensive national data breach notification law. By the time 2010 ends, expect President Barack Obama's signature on a finalized version to make next year's review.