Regulatory compliance is influencing security practices. Of the 2,540 U.S. business-technology and security professionals who recently participated in our 2005 Global Information Security Survey, an editorial research product of InformationWeek and management-consulting and technology-services company Accenture, more than half report that government regulations have pressured their company to adopt a more-structured approach to information security.
"Implementing integrated security technology--such as a centralized identity- and access-management system--can significantly improve controls to prevent unauthorized access to electronic data and makes it easier for companies to comply with stringent regulatory requirements and other recently enacted laws," says Alastair MacWillson, partner in charge of Accenture's global security practice.
Approximately 30% of sites we surveyed report that their compliance efforts have resulted in positive change, including documentation of internal controls over financial reporting, establishment of a records-retention schedule, and reengineering of existing applications to support compliance efforts. At the same time, more than half of survey participants say regulatory compliance has made their company more cautious in its use of security tools, products, and services. Only 5% of sites report that regulatory compliance expenses are allocated to their security budget.
How has becoming compliant changed your company's security procedures or policies?
Which regulation created adoption of or change in security policies and practices?
Sarbanes-Oxley remains the most-expensive initiative, accounting for 39% of all compliance dollars spent, based on AMR estimates; it's also having the widest impact on security practices.
Two in five companies attribute changes in security practices to Sarbanes-Oxley, while HIPAA has spurred security changes at 30% of sites.
What three steps in the past 12 months have proven most beneficial in your company's efforts to achieve regulatory compliance?
Regulatory mandates tend to be data-centric, so it's logical that the most beneficial steps taken in the past 12 months to become compliant are related to data. Nearly half of the 2,540 companies surveyed by InformationWeek and Accenture about their security practices and experiences report that regulatory efforts have resulted in improved document management, while 44% report better storage management.
Is regulatory compliance a main catalyst for your company's security-related purchases?
While AMR Research estimates that a typical company will spend approximately $500,000 yearly on compliance-related activities, and a substantial portion will go toward IT initiatives, regulatory compliance has yet to become a major force behind security-related purchases. Only a third of U.S. companies in the 2005 Global Information Security Survey say that achieving compliance is a main catalyst for security-related purchases.
Which budget at your company covers regulatory compliance expenses?
Technology spending is a major part of compliance investment, ranging from 28% of overall Sarbanes-Oxley spending to 42% of overall Health Insurance Portability and Accountability Act spending, according to AMR Research. "Security and compliance need to be viewed as key components of the overall IT strategy," says Accenture's Alastair MacWillson. "Doing so will spur business improvement and technology innovation." For most businesses surveyed--40%--the type of expense dictates to which budget compliance costs are applied.