• 06Jul

The U.S. holiday weekend marks the approximate half-year point for 2009.  To date, we all know how volatile and unusual this year has been compared to many past years — especially for the IT departments of our companies.  The year is not yet finished, but there are some definite trends that we believe are likely in the area of regulatory compliance for IT, and they need to be stated because of the potential impact those trends may have on those IT departments.

    Alexander B. Howard, Associate Editor of SearchCompliance.com has organized a great resource and summary of the top regulatory compliance trends happening now and certain to have an effect on IT for the remaining months of 2009.

    Please comment and add any trends you believe have not been mentioned in this article.


  • 09Dec

    Noncompliance is a fact of life as the list of security and privacy regulations grows. The key is knowing how to comply just enough so that you don’t waste your time or bankrupt your company.

    In November 2005, Jason Spaltro, executive director of information security at Sony Pictures Entertainment, sat down in a conference room with an auditor who had just completed a review of his security practices.

    The auditor told Spaltro that Sony had several security weaknesses, including insufficiently strong access controls, which is a key Sarbanes-Oxley requirement.

    Furthermore, the auditor told Spaltro, the passwords Sony employees were using did not meet best practice standards that called for combinations of random letters, numbers and symbols. Sony employees were using proper nouns. (Sox does not dictate how secure passwords need to be, but it does insist that public companies protect and monitor access to networks, which many auditors and consultants interpret as requiring complex password-naming conventions.)

    Summing up, the auditor told Spaltro, “If you were a bank, you’d be out of business.”

    Frustrated, Spaltro responded, “If a bank was a Hollywood studio, it would be out of business.”

    Spaltro argued that if his people had to remember those nonintuitive passwords, they’d most likely write them down on sticky notes and post them on their monitors. And how secure would that be?

    After some debate, the auditor agreed not to note “weak passwords” as a Sox failure.

    Doing the Right Thing
    Spaltro’s experience illuminates a transaction that’s rarely discussed outside corporate walls. Compliance with federal, state, and international privacy and security laws and regulations often is more an interpretive art than an empirical science—and it is frequently a matter for negotiation. How to (or, for some CIOs, even whether to) follow regulations is neither a simple question with a simple answer nor a straightforward issue of following instructions. This makes it more an exercise in risk management than governance. Often, doing the right thing means doing what’s right for the bottom line, not necessarily what’s right in terms of the regulation or even what’s right for the customer.

    “There are decisions that have to be made,” Spaltro explains. “We’re trying to remain profitable for our shareholders, and we literally could go broke trying to cover for everything. So, you make risk-based decisions: What’re the most important things that are absolutely required by law?” Spaltro does those, noting that “Sony is over-compliant in many areas,” and he says that Sony takes “the protection of personal information very seriously and invests heavily in controls to protect it.”

    He adds that “Legislative requirements are mandatory, but going the extra step is a business decision” based on what makes business sense.

  • 08Dec

    We peruse the Internet headlines so you don’t have to. Here are the recent SOX and GRC headlines (and links) we felt are newsworthy:

    Economic Downturn Calls for Increased Vigilance - Although there’s intense pressure to make across-the-board budgetary cuts during an economic downturn, a good case can be made for surgical precision. Using IT to achieve strategic goals, focusing on areas that improve the bottom line, and investing in capital projects that will advantageously position a company during economic recovery are all worthy efforts. And, because motivation for fraud increases in bad times, don’t skimp on risk management initiatives.

    Getting Rid of Silos Supports Business Goals - High-performing companies use IT to drive growth and build competitive advantage. One of the best ways to do this is through Business Intelligence (BI) initiatives that break down the silos between business units and leverage data to support business objectives.

    South Korea Positioned for GRC Initiatives - South Korea has an unenviable reputation for poor governance and corporate corruption, but signs point to a significant turnaround. Although big corporations overshadow the country’s economy, recent scandals are empowering shareholders and good governance advocates to demand reform.

    Accelerated to Non-Accelerated: Repercussions - When a company moves from accelerated filing status to non-accelerated filing status, is it required to comply with Section 404(b)? A 2006 CAQ SEC document finds that the auditor’s attestation is not required for a fiscal year ending prior to December 15, 2009.

    SEC Chief Accountant Tenders Resignation - Come January 2009, Conrad Hewitt will step down from his position as the SEC’s Chief Accountant. Hewitt played an integral role in guiding SOX Section 404 compliance and improving auditor requirements, as well as championing international financial reporting standards.
