Security threats are evolving rapidly, and the solutions that organizations implement to thwart them play a major role in the success or failure of the organization's overall security strategy. Data loss, threats to national security, and the protection of both are receiving significant attention in the Asia-Pacific excluding Japan (APEJ) region.
As we noted in our security predictions earlier this year, local regulatory compliance is receiving significant attention in APEJ. Many APEJ governments and enforcement institutions have begun regulating information flow and data ownership by enacting new laws and regulations or amending existing ones. These changes mandate the protection of data and, in several cases, industry-led cyber security standards. Our research shows that increased attention to sound IT governance policies and compliance with regulatory requirements are driving overall IT security spending and priorities.
A few of the laws that have been implemented or proposed in various APEJ countries are listed below (note: this is not a comprehensive list):
- Korea: Personal Information Protection Act (PIPA)
- Taiwan: Personal Data Protection Act, in force since 1 October 2012
- India: Reserve Bank of India (RBI) mandate for two-factor authentication on electronic payment transactions
- Hong Kong: amendment to the Personal Data (Privacy) Ordinance
- Singapore: Personal Data Protection Act (PDPA) 2012
- Philippines: Data Privacy Act
- China: Regulations of the PRC on Safety Protection of Computer Information Systems
- China: Regulations for the Protection of Information Network Transmission Right
- China: Regulations on Commercial Passwords (governing commercial cryptography)
- Malaysia: Communications and Multimedia Act (CMA) 1998
- Malaysia: Personal Data Protection Act 2010 (PDPA)
These new laws force a number of organizations to assess their current state, take security seriously, and make positive changes to their security posture. Security-solution providers, service providers, and end users, among others, will be engaged in the tedious job of interpreting the compliance requirements. At the same time, organizations face tough decisions: the sheer number of laws and regulations, conflicting requirements between them, cross-border applicability questions, unexpected additional regulations, and the basic challenge of determining which requirements apply to them at all.
IDC believes that the starting point for any compliance exercise is a risk assessment: understand what information the business holds, where its vulnerabilities are, and which elements of the IT systems can be locked down. Without that inventory, an organization cannot tell which regulations apply to which data, let alone demonstrate that the data is protected.
As discussed in a previous article on risk assessment, it is an aspect of security management that organizations can adopt as a cost-effective security measure. A risk assessment lets an organization estimate the potential damage from each identified weakness and set a budget to fix it before it leads to a major incident. Once the weaknesses are known, the company can proactively allocate budget to the issues that matter most, realign its security policies to meet the required security goals, and give itself enough time to educate employees on the policy changes. In other words, it minimizes risk and maximizes return on the security investment. Further, the compliance mandate is now moving out from government agencies to large corporations. Many industries have their own codes of practice or other sets of rules, and organizations that have their security in order are demanding that the companies they do business with also comply, or are no longer willing to do business with those that do not meet the standard.
As cyber-criminal activity continues to thrive and grow, the need for stricter compliance and regulatory acts will continue to grow with it. Many Asian countries are seeking to enact new laws or amendments that supplement existing personal data privacy law, with specific focus on technological advances and greater penalties for breaches. However, organizations need to realize that having a policy or being compliant is not enough to make an organization secure. Compliance only means that they are following certain best practices while trying to stay one step ahead of those who seek to attack them; an attacker is not bound by the same checklist. It is important to carry out regular risk-assessment exercises and to continuously improve the organization's security posture rather than treating compliance as the finish line.