Asia CIOs urged to act on compliance

CIOs in the Asia-Pacific region cannot afford to adopt a wait-and-see attitude toward regulatory compliance, says security expert.

Regulatory compliance will hit Asia "really hard soon", and CIOs who have not laid a proper foundation to address the requirements risk expensive consequences, warns a security expert.

Henry Ng, Verizon Business' Asia manager of professional services, told ZDNet Asia in an interview: "In addition to Sarbanes-Oxley compliance for the U.S.-listed companies, we'll see increasing pressure to be compliant with other regulations such as Basel II and HIPAA.

"Compliance issues are not a concern for the distant future. They are happening now," said Ng, referring to Japan's J-SOX, which is set to go into effect next year. Other Asian countries are also developing their regulations which are expected to affect the region over the next two years.

According to Ng, the problem lies in companies' "box-checking attitude", where their goal is to fulfill the "surface basic regulatory requirements", rather than integrate their business processes with the data collected.

Ng recalled a recent example of a customer which had diligently consolidated its security intrusion logs. "The customer bought the tool to collect all this information identifying attacks on its system. But they could not take action, because they did not have the processes in place to execute reactions--what conditions trigger alarms, what does the service level agreement (SLA) state, and so on," he explained.

Many Asian companies still view regulatory compliance as a "list" with items to cross-off--something that "comes with" working with U.S. companies, Ng said. As a result, those who see it that way end up waiting for compliance regulations to hit. "But it'll be too late when it does," he added.

The foundations of proper IT governance involve laying security controls and implementing best practices such as ITIL.

"You need to ensure transparency and communication between departments, so that you can overlap controls," said Ng, referring to the example of ID management between IT and the human resources department. An employee's ID ought to have the corresponding levels of authority as he moves within the organization, or completely terminated when he leaves.

"We had a client which suffered a malicious attack from an ex-employee, who breached the system after he was terminated, simply because he still had remote access," said Ng. "You need to have the controls in place--installing a product won't address a situation like that."