Philippine firms view compliance as complicated maze

MANILA--While the global market, thanks to the Internet, has undoubtedly been a boon to the Philippine outsourcing industry, ensuring compliance to various regulations is proving to be a headache for local companies in the borderless business era.

With reports of security breaches and data leaks making headlines around the world, the Philippines is in the midst of implementing a host of measures that can benefit, or constrict, local businesses.

Recently, in the Senate deliberations for the proposed Data Privacy Act, a top-ranking senator cautioned the chamber against enacting an excessively strict law that could hamper the ease of access that companies need to operate efficiently.

IT companies, such as software maker ECCI Group, also have to consider the data privacy policies in the markets they target. "Each country has a different Data Protection Act that we need to be in compliance to," said Chenthil Kumar, sales director of the ECCI. "The other thing that needs to be considered is how we are protecting critical customer transactions."

Local companies have acknowledged that compliance is a necessary task, but also agree that applying numerous regulations remains an enormous challenge to most.

In the case of government-run Land Bank of the Philippines (Landbank), new IT-related privacy and security policies have added another layer of compliance to the highly regulated banking industry.

"As a bank, and considering the large number of laws and regulation, many companies are challenged in determining which of these are applicable to them, and trying to disseminate and enforce all of these applicable laws and regulations to a very large organization," said Alan Bornas, vice president for Landbank's technology management group.

In order to conform to compliance rules, Philippine companies also have another requirement to hurdle: proper training of its personnel.

Rene Canlas, head of ISMS (information security management system) compliance at local software maker, Pointwest Technologies, ranked security training and awareness as a key concern. ISMS is an internationally recognized security standard.

Lauro Vives, founding president and chief analyst of research firm XMG, noted that many of the problems in the area of compliance fall under the three categories: lack of regulatory knowledge; business acceptance of risks; and under-investment in acquiring the necessary IT controls.

Both Canlas and Vives noted that local organizations would do well to allocate significant resources to support training initiatives.

Cloud complicates issues
The advent of cloud computing, which often puts data beyond the territorial jurisdiction of local companies, has also changed the approach in securing data and regulatory compliance.

According to Vives, emerging technologies such as cloud computing will initially complicate compliance but will be beneficial in the long run.

"As best actions and best practices emerge, audit practices will develop 'blood hound' methods to be able to track where and what part of the network the client's data passes through," he said.

ECCI's Kumar suggested clients should implement a clause in their agreement with their cloud providers to allow them to audit the server environment at any point of time.

Landbank has shunned cloud services altogether due to concerns over data confidentiality, Bornas said. However, he noted that other associated technologies such as virtualization have made its IT infrastructure more flexible and resilient in addressing compliance issues.

Although compliance presented a formidable obstacle for Philippine businesses, market observers said there were ways to lower the cost of staying in compliance.

Among the suggested options included automation of process and controls, continuous revision of policies to ensure tighter compliance, risk assessment, and conducting surprise audits.

Vives also urged companies to establish legal and privacy offices. A privacy officer, the XMG analyst said, must first review all policies, standards, procedures and guidelines to ensure linkage between the policy and actual security implementation.

"Fewer than 10 percent of organizations we know designated this as a full-time position," he said.

Melvin G. Calimag is a freelance IT writer based in the Philippines.