What can IT professionals expect for regulatory compliance in 2010? More regulations, risk management and returns...
on their investment in time and technology. As we reported last year about the top regulatory compliance trends of 2009, increased federal regulation and enforcement, changes to state data protection laws and major cybersecurity policy initiatives are on the way. Here is part one of SearchCompliance.com's top regulatory compliance trends that will affect IT in 2010.
Automation of compliance processes
Given the growing burden of meeting regulations, enterprises will look to increased automation as a way of leveraging existing IT investments. "There is a brass ring that represents being able to see your compliance in the light of these longstanding models (PCI/SOX/FISMA) at any moment in time," said Chris Ensey, IBM Federal's principal security strategist focused on the defense and intelligence communities. "Look for near-real-time reporting through process automation, and data aggregation is the future. For federal agencies and organizations, if they aren't already preparing, they must start. To accomplish this, protocols like SCAP (Security Content Automation Protocol) must be expanded to support data collection across the rest of IT, physical security and business process areas."
More regulation en route
Healthcare, cybersecurity policy and privacy were on the legislative agendas of the 111th Congress. By the end of 2009, health care reform and the creation of a systemic risk regulator had moved through Capitol Hill. Expect both to cross the president's desk in 2010. The bill may not represent the precise financial services reform that the Securities and Exchange Commission (SEC) called for in June but, if signed into law, the Wall Street Reform and Consumer Protection Act could introduce uncertainty into any number of areas that affect compliance officers. There would be a new Consumer Financial Protection Agency, for which enforcement power and jurisdiction would still need to be defined.
"I suspect that we will see increased regulation, especially in the financial space and health care vertical," said Daniel P. Wallace, an information security consultant at Detroit-based Grow Forward LLC. "There will also be increased costs, as CISOs will likely be asked to get more out of a flat year-over-year budget."
FISMA compliance reform
"In 2010, FISMA will change and the entire industry will spend a lot of money and time struggling to determine what FISMA compliance was, is, and shall be evermore," said Peter Hesse, president of Gemini Security Solutions Inc. in Chantilly, Va. "Ultimately, in the years ahead, some minor improvements in security will be seen, but at a cost much higher than necessary."
Cloud computing vendors looking for contracts with the biggest enterprise around -- the U.S. government -- are also angling for certification for Federal Information Security Management Act (FISMA) compliance. New security metrics from the Office of Management and Budget aren't hazy on potential requirements, either.
More enforcement for noncompliance
"I also expect increased enforcement across the board," Wallace added. "The energy industry is going to see the worst of it, with stepped-up NERC enforcement." Wallace's expectations for enforcement reflect last year's trends. Expect more, especially under an increasingly active Federal Trade Commission (FTC).
More compliance resources
The top regulatory compliance trends that affected IT in 2009
Back in June, Deputy Attorney General Dave Ogden said at Compliance Week's annual conference that there would be a renewed emphasis on "prosecuting financial crimes aggressively" in the months ahead. CVS Caremark Corp. was held accountable for HIPAA violations last year. New breach notification rules from the Department of Health and Human Services (HHS) and the FTC are in effect, though too late to address the significant health care data breaches of the past decade. Whether action comes from the FTC, HHS, SEC, Department of Justice or other agencies, expect more enforcement in the year ahead.
This year may also see the introduction of revenue-specific fines. "Many businesses write off fines for noncompliance as a cost of doing business," said Jennifer Jabbusch, chief information security officer (CISO) and network security specialist at Carolina Advanced Digital Inc. in Cary, N.C. "If consumers put enough pressure on regulating bodies to do more, I think it's likely we'll see a revenue-proportional fine structure, that's tiered to impact big business more than current flat fines."
Federal data breach and privacy laws emerge
"The HITECH Act security breach notification requirement is having a similar impact to CA SB1386," said Dan Kennedy, CISO of Praetorian Security Group LLC. "The small flood that has started with state data breach notifications will cause companies involved with health care that maintain data considered PHI to reconsider whether they are truly meeting the requirements of the HIPAA Privacy and Security acts."
Consumer privacy will be on the docket next year as well. "2010 will be the first time there will be serious consideration of privacy legislation in many years," said Leslie Harris, president and CEO of the Center for Democracy & Technology (CDT).
Added Ari Schwartz, chief operating officer at CDT, "It's unlikely we'll see a bill that passes both House and Senate by the end of the 111th Congress, but the path will be set." Expect to see action on a national data privacy law as well.
Cloud computing complicates compliance
The nation's top CIO has bet on cloud computing for delivering improved government IT services. The District of Columbia found both compliance and cost savings benefits in cloud computing. Will business follow? Cloud computing vendors will promote standards like ISO 27001 certification or successful SAS 70 audits as evidence of security. Experts acknowledge that cloud compliance may be difficult, but they say addressing security is essential.
As the hype around cloud computing recedes, it will be replaced by substantive questions about how to maintain compliance in 2010. "Catch phrases and poorly understood technology continue to drive cloud computing uptake," said Martin McKeay, host of the Network Security Podcast. "Christopher Hoff and other cloud computing gurus will define and refine definitions that add security." Keep an eye on the Cloud Security Alliance for further guidance on addressing compliance concerns in the cloud.
SOX compliance for small companies
In 2009, the U.S. Supreme Court heard a case that challenged the authority of the Public Company Accounting Oversight Board (PCAOB), which oversees public company auditors. Until the Supreme Court rules, it won't be clear what the PCAOB case will mean for compliance with the Sarbanes-Oxley Act (SOX). Regardless of the case's outcome, however, don't expect SOX compliance to go away for big public companies. Small companies, however, may get relief. As part of its landmark financial reform bill, the U.S. House passed an amendment that would remove SOX compliance requirements from companies valued at $75 million or less.
Last year's trend, however, is still relevant. "If I was a betting person -- and I do go to Las Vegas once in a while -- I would say companies need to be more familiar with 404(b) than they are now," said SEC Commissioner Luis Aguilar at the Compliance Week conference. This may be the year that the best compliance strategy is to become your own internal IT auditor.
Migration to risk management
So-called "check-box compliance" is no longer sufficient in assessing an organization's actual security or vulnerabilities. Auditors examining whether a compliance department has done due diligence will look at IT controls, policies and procedures that take into account how much risk exists and what has been done to address it.
One such tool is Risk IT, the new IT risk management framework based on COBIT and published by ISACA. Understanding what governance, risk and compliance mean to IT strategy is also going to be important.
FAQs about IT operations, regulations and standards
This index links to compliance resources about the relationship between IT operations and regulations and standards.
This trend is also showing up in state data protection and privacy law. The Massachusetts data protection law requirements were amended last summer. 201 CMR 17.00, originally hailed as the nation's most comprehensive data protection law, was refocused on risk by the commonwealth's legislators after strong resistance to prescriptive controls and the costs of encryption from the business community. "I expect that the Massachusetts data protection law will be followed by other similar requirements in other states and industries," said Hesse. "Ultimately, there may be a usable data protection standard, perhaps developed by NIST, with components from SP 800-122, PCI DSS and others. That would provide overarching risk-based guidance for protecting data."
Read more: Risk management and compliance
In Part 2 of the top regulatory compliance trends of 2010, we will take a look at XBRL, PCI DSS, disaster recovery, vendor security management, carbon compliance and the risks presented by the growth of social networking.