How far should compliance feature in IT risk management?
One of the key drivers for IT risk assessment in business is to ensure that processes remain compliant with regulation. But, with technology advancing at a pace that means regulation could struggle to keep up, should this be the main reason that these measures are taken?
Technology analysts at Gartner seem to think not. In fact, Gartner suggested that compliance is built on the results from successful risk management programmes.
To build on compliance measures, Gartner suggests chief information officers (CIOs) should focus on addressing areas where company data or processes could be at risk and implement measures to better manage these.
Research director at Gartner John A. Wheeler said: “CIOs must stop being rule followers who allow compliance to dominate business decision making and become risk leaders who proactively address the most severe threats to their enterprises.”
An example of how compliance has changed alongside advances in risk management is with information security regulations. Under the Data Protection Act businesses are required to keep particular information confidential, such as that regarding their customers.
With companies moving into the digital age, how they could ensure that data was kept confidential and how the Information Commissioner’s Office (ICO) could regulate this was brought into question. But with varied approaches in business, a number of measures have been included in the Act that cover confidential data stored digitally.
For example, when confidential data is stored on a disc or another device, businesses are now required to ensure that it is encrypted so that if information is lost then nobody can access it.
Previously, the ICO has fined organisations for failing to encrypt information stored digitally. Most recently, it fined Glasgow City Council £150,000 when two unencrypted laptops went missing. One of these contained personal information on 20,143 people.
However, less and less data is being stored in house as companies discover that technology such as cloud computing offers a more efficient and effective method of storing data. Additionally, with companies implementing BYOD, the safety of data comes into question when employees use the same devices at work that they do at home.
These are areas of IT risk management that companies should be looking closest at.
All the latest risk jobs can be found at Barclay Simpson, leaders in risk recruitment