Standards to underpin international compliance
Without standards, there can be no compliance
Experts have argued that multinational firms need to make a bigger effort to follow agreed industry standards if they are to comply with a wide variety of national regulations.
Speaking at the Information Security Solutions Europe event in Budapest, experts said that process and security standards such as Itil, Cobit and ISO 17799 (the information security code of practice since renumbered ISO/IEC 27002) could help IT managers ensure compliance with regulations in multiple territories.
Yves Le Roux, security technology strategist at Computer Associates (CA) in France, said that reporting regulations to protect shareholders and data protection laws covering consumers vary from country to country, making it difficult for organisations to develop a single compliance strategy.
CA is currently tackling the problem by mapping Cobit to ISO 17799 and Itil, in a project set to be completed by the end of the year. The three IT standards can help firms improve processes and controls when used together, making it easier to comply with multiple regulations, said Le Roux.
"Cobit is important for companies because it adds value while balancing risk versus return," Le Roux added. "[It] complements Itil, [which is] more detailed and process-oriented."
But while Cobit and Itil recognise the need for IT security, they do not give in-depth guidance on it. ISO 17799 is therefore also needed, as it provides "detailed guidelines and principles for initiating, implementing and improving information security", Le Roux said.
Separately, there were calls for IT vendors to standardise IT security terminology. "There should be a common terminology for vulnerabilities," argued former White House IT security advisor Howard Schmidt. "Even firms that specialise in [protecting against] the same threats use different terminology [for them]."