Good Data Governance Is the Root of Compliance

Michael Vizard

There's a lot of focus on compliance issues such as the Payment Card Industry Data Security Standard (PCI DSS) 2.0 specification. But at the end of the day, every compliance requirement facing any IT department these days is directly related to how effective its governance policies actually are.

As it relates specifically to PCI DSS 2.0, EMC today expanded its consulting services to walk companies through what, exactly, they need to master the requirements of a specification that is still open to interpretation. For example, the specification says companies should take a "risk-based" approach to securing credit card data, but it doesn't say anything about how to define that risk.

According to Branden Williams, director at RSA, the security division of EMC, the services EMC will provide consist of first helping to define a PCI DSS 2.0 strategy, helping to determine an organization's PCI DSS 2.0 readiness and, finally, helping to perform a forensics exam in the event of an actual breach.

But when you peel it all back, Williams says EMC really wants companies to focus on creating data governance strategies that are based on policies. Once those are in place, the ability to handle any number of compliance requirements becomes an inherent part of the system.

That means that instead of approaching any given specification from the bottom up, starting with the specific set of controls that need to be implemented, companies are far better off creating a true governance process that yields a series of controls which can be reused to meet multiple compliance requirements.

In the case of PCI DSS 2.0, Williams says EMC is trying to give companies confidence not only in their ability to meet the base requirements, but in their data governance strategy as a whole.

In some cases, Williams adds, it may make more sense for some companies to outsource the handling of credit card transactions to companies such as First Data altogether given the ongoing costs associated with PCI DSS 2.0. But in either instance, the most important thing is to have a consistent set of data governance policies that benefit the organization well beyond simply meeting the basic requirements of the latest compliance specification to come down the pike.
