If your organization does business in China (including Hong Kong) or with Chinese companies, a new U.S. regulatory regime should already be on your risk register: the Department of Justice Data Security Program (DSP). Much like Sarbanes-Oxley reshaped financial controls for public companies, DSP introduces a prescriptive control framework that will significantly impact how in-scope systems, identities, and access are designed, governed, and audited. Fun bonus: your CISO can go to actual federal prison if you fail!

In this session, we will translate DOJ DSP requirements into plain English, map them to familiar compliance and security frameworks, and explain why identity—authentication, authorization, privilege, and auditability—is central to meeting DSP obligations. We will examine where existing IAM and PAM programs may be on course to fall short and what regulators are implicitly and explicitly expecting organizations to demonstrate.

Attendees will leave with a practical, identity-centric readiness checklist: how to assess exposure, prioritize control gaps, and adapt identity architectures without excessive disruption or cost. Whether you are an IAM architect, security leader, or compliance stakeholder, this session will help you understand why DSP may be identity’s “SOX moment”—and how to prepare before regulators, auditors, or prosecutors force the issue.