Navigating the legal & regulatory aspects of corporate messaging

The last section from our Reshaping Information Security MarketInsight report.  This section covers the myriad of regulatory and legal issues that come with taking a proactive stance around corporate messaging. 

Legal & Regulatory Climate

There was a significant amount of discussion about legal and regulatory requirements and constraints across all industries and geographies.  Rather than getting confused or seeking out interpretations of every current and future regulation, start with “Common Security 101.”  Doing the basics will cover most areas; once that is complete, look at what additional measures might be warranted by known regulations that carry clear policies.  Focus on starting with good practices rather than chasing statutes.

As for what to do about an incident or event once it is detected, there were two main points.  The first was that monitoring has huge legal and cultural implications: “if I know, I have to do something about it.”  Secondly, IT does not want to take the lead on this issue; rather, the business needs to lead IT and identify the operational requirements that must be met.  There is even a definitional difference between an “event” and an “incident,” the latter being more formal and serious.  Unfortunately, executives and legal personnel don’t understand the technology, its tools and capabilities, well enough to know what is realistic, while IT in turn needs guidance from legal on which system controls to implement.

Defining what is appropriate versus inappropriate has proven very difficult.  There are certainly black-and-white scenarios, but what about the gray area in between?  There is no list of appropriate behaviour to set against the details of what is inappropriate, and when you try to define what is appropriate, you end up trying to define the world.  It is easier to define what not to do than what to do, which led several participants to ask – what is meant by “authorized?”

As for rules and regulations that conflict from country to country, take the least-risk policy globally and implement it organization-wide, since different countries have different rules.  You can’t get 100% coverage, but you can get a good program of governance.
