...about what you need to do in order to comply from legal counsel, not from salespeople who have a commission at stake.
One problem is that the statutes tend to be somewhat vague in terms of exactly what you're required to do. For example, in the US the Safeguards Rule of the Gramm-Leach-Bliley (GLB) Act requires financial institutions to "identify risks to customer information and assess existing safeguards, implement safeguards that are needed to fill any gaps, and monitor the effectiveness of all safeguards".
It would be far simpler if requirements spelled out exactly what technological safeguards are to be implemented (for example, that all customer information stored on systems that are accessible via the network must be encrypted). However, you can see why that's not possible: technology changes at a rapid pace and new methods of intrusion and attack are developed on a daily basis. Even a simple requirement that data "be encrypted" doesn't ensure that it's secure if the encryption is a type that's easily cracked. For example, sending customer information across a wireless network could still subject it to interception and disclosure even if WEP encryption is used, because of WEP's known vulnerabilities.
Some regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), are so complex that they've spawned fat books and certification courses. Others, such as Sarbanes-Oxley (SOX), are relatively new, and compliance can be extremely expensive, especially for smaller companies.
In most cases, regulations require that the company appoint a person or team to be responsible for compliance. Even when that's not the case, you should do so and ensure that the selected person or people get the proper training in the specific regulations that apply to your firm.
Selecting a solution
The first step in planning your solution is to recognise that compliance involves more than software; compliance can significantly affect the way you do business. Any security plan, whether it's implemented because of government regulations or not, starts with the development of policies.
Next, you need to assess...

Talkback
Rule of thumb. The best solutions are often those that (1) work well, (2) can easily be ripped out or replaced with something else, and (3) comply with your environment. The worst solutions are often those that (1) somewhat work as promised, (2) must be amputated to get rid of, and (3) force your environment to comply with theirs.
You might want to reflect such a mentality in the various clauses that are part of the legal contract between you and others, along with fines and all that. Sort of: put your money where your mouth is.
As for compliance in general: it's good to be compliant (usually cheaper, more profitable or less risky), but keep in mind that compliance requirements do change over time. And they might impact the overall organization in ways most project leaders won't be equipped to handle or even oversee in the shorter and longer run. Or even top brass, for that matter. So keep that in mind. Maybe it's best not to appoint a project team (tactical) but rather a program team (strategic) that keeps focus on the overall and longer-term picture.