Legislation and regulations are good drivers for risk management best practices, according to Brian Shorten, a security and risk manager for Cancer Research UK. In a ComputerWeekly.com piece, he describes his effort in a prior position at a publicly traded company to improve access processes and policies by creating "an automated process whereby a leaver's notification would be matched against a user name on the database and the relevant administrator advised by e-mail that one of the users on his application may be leaving."
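The matching step Shorten describes is simple to sketch. The following is an added example, not code from the article or from any system Shorten built: it takes a constructed list of leaver notifications from HR and a constructed set of per-application user lists (each registered with the e-mail of its owning administrator), matches the two on employee ID where both sides carry one and on a normalised full name otherwise, and groups the hits by administrator so that each gets one notice. It also reports leavers who matched no registered account, which is exactly the gap the article describes when administrators have not loaded their user lists. All names, IDs, application names and addresses are invented.

```python
"""Added example: match HR leaver notifications against per-application
user lists and produce one notice per responsible administrator.
Every record below is constructed for illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AppUser:
    app: str            # application the account lives on
    admin_email: str    # administrator who registered this user list
    username: str
    full_name: str
    employee_id: Optional[str] = None   # not every application records it


@dataclass(frozen=True)
class Leaver:
    employee_id: str
    full_name: str
    leave_date: date


def _name_key(name: str) -> str:
    # Lower-case, drop punctuation and collapse whitespace so that
    # "John  Smith" and "john smith" compare equal. This is only the
    # fallback; employee IDs are authoritative when both sides have them.
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())


def match_leavers(leavers: List[Leaver], users: List[AppUser]
                  ) -> Tuple[Dict[str, List[Tuple[str, str, Leaver]]], List[Leaver]]:
    """Return (hits_by_admin, unmatched_leavers).

    hits_by_admin maps an administrator's e-mail address to the
    (app, username, leaver) tuples that administrator should review.
    unmatched_leavers are leavers with no registered account anywhere,
    which usually means an application's user list was never loaded."""
    hits: Dict[str, List[Tuple[str, str, Leaver]]] = defaultdict(list)
    matched_ids = set()
    for leaver in leavers:
        for user in users:
            if user.employee_id is not None:
                is_match = user.employee_id == leaver.employee_id
            else:
                is_match = _name_key(user.full_name) == _name_key(leaver.full_name)
            if is_match:
                hits[user.admin_email].append((user.app, user.username, leaver))
                matched_ids.add(leaver.employee_id)
    unmatched = [lv for lv in leavers if lv.employee_id not in matched_ids]
    return dict(hits), unmatched


def build_notices(hits_by_admin: Dict[str, List[Tuple[str, str, Leaver]]]) -> Dict[str, str]:
    """Render one plain-text e-mail body per administrator."""
    notices = {}
    for admin, rows in sorted(hits_by_admin.items()):
        lines = ["The following users on your application(s) may be leaving:"]
        for app, username, leaver in sorted(rows, key=lambda r: (r[0], r[1])):
            lines.append(f"  {app}: {username} ({leaver.full_name}, "
                         f"leaves {leaver.leave_date.isoformat()})")
        lines.append("Please confirm and remove access on or before the leave date.")
        notices[admin] = "\n".join(lines)
    return notices


# Constructed sample data (hypothetical applications, people and addresses).
USERS = [
    AppUser("finance-ledger", "ledger-admin@example.org", "jsmith", "John Smith", "E1001"),
    AppUser("finance-ledger", "ledger-admin@example.org", "apatel", "Anita Patel", "E1002"),
    AppUser("donor-crm", "crm-admin@example.org", "john.smith", "john  smith"),  # no employee ID
    AppUser("donor-crm", "crm-admin@example.org", "mlee", "Mei Lee", "E1003"),
]
LEAVERS = [
    Leaver("E1001", "John Smith", date(2024, 3, 29)),
    Leaver("E1003", "Mei Lee", date(2024, 4, 5)),
    Leaver("E1004", "Omar Haddad", date(2024, 4, 12)),   # no registered account anywhere
]

if __name__ == "__main__":
    hits, unmatched = match_leavers(LEAVERS, USERS)
    for admin, body in build_notices(hits).items():
        print(f"To: {admin}\n{body}\n")
    for lv in unmatched:
        print(f"No registered account for leaver {lv.employee_id} ({lv.full_name}); "
              "check for applications whose user lists were never loaded.")
```

The unmatched list is the part worth acting on: a leaver who matches nothing is not evidence that they had no access, only that no administrator has registered the application they used, so it should be tracked as a follow-up rather than silently dropped.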
Though almost everyone agreed that the idea was a good one and should be simple to implement, he said, none of the administrators would take the time to add their user lists to the database. No one was paying for that time, after all. So the project "floundered" for a bit.
Then came Sarbanes-Oxley, and along with it the real and perceived costs of non-compliance. Suddenly, Shorten said, everyone was happy to participate.
Sarbanes-Oxley doesn't apply to his current position, but since his employer receives donations via debit and credit cards, the Payment Card Industry Data Security Standard (PCI DSS) does apply. It has served much the same purpose as Sarbanes-Oxley did. Shorten says it, too, is a great motivator for implementing best practices with regard to data security.