Legal compliance and corporate governance are among the biggest
challenges facing IT departments today. Danny Bradbury finds out
what you can do to protect your organisation
Security has always been one of those things that you don't want
until you need it. A survey by PricewaterhouseCoopers published
late last month suggests that IT directors who spend more money on
security have not necessarily been converted to the security cause.
Instead, they are simply worried about complying with an increasing
number of guidelines and regulations that render them vulnerable to
legal action if they do not take the proper precautions.
According to the worldwide study, 62% of professionals will spend
more on IT security this year, up 12% on last year. But the top
reason for increased spending was legislation, not security for its
own sake.
Richard Martin, IT director of Morgan Cole, a solicitor
specialising in employment, energy, insurance and technology law,
says he has to consider legislation when thinking about security.
Although he does not have a full-time chief security officer, he is
beginning to think that he needs one, not just for technical
challenges but legal ones too. "The constant requirement to install
new patches almost creates a full-time job. Then there is the
legislation that you have to comply with and the conflicts between,
say, the right to privacy and our need to know what is being done
in our network," he says.
Relative to the US, the UK is tougher on security governance thanks
to the Data Protection Act, which originally appeared in 1984 and
was redefined in 1998. Addressing all industry sectors, the Act
imposes guidelines for the proper protection of personal data, and
contains several principles of good data protection that companies
should follow, including a clause about data security. Conversely,
companies in the US have always been relatively liberal with
customer data.
Clifford May, a principal consultant with IT security integrator
Integralis, says the tide may be turning. An increasing amount of
legislation has appeared in the US in the past two years, calling
on companies to pay more attention to internal controls, including
security. The Sarbanes-Oxley Act, introduced to avoid corporate
accounting debacles following scandals such as Enron and WorldCom,
complements sector-specific legislation such as HIPAA, an act which
addresses the health-care sector. The state of California has even
prepared its own data protection legislation in the form of the
California Database Security Breach Information Act. IT directors
working for subsidiaries of US companies could be affected by those
laws.
But in the UK many companies have done little more than pay
lip-service to security laws, says May. He recalls one seminar at
which he discussed the Data Protection Act where one director said
he would do nothing about addressing it because "the information
commissioner never prosecutes anybody".
David Naylor, a partner in the technology transactions group at
solicitors Morrison and Foerster, warns that UK businesses should
not be so quick to dismiss the Act. "One issue that has been missed
for too long by everyone is that the legislation already contains
provisions for immediate criminal sanctions in the case of certain
breaches of the Data Protection Act," he says, adding that
directors would be personally liable. "I have not seen the police
looking to enforce criminal sanctions yet, but it is certainly a
possibility."
Other regulations are increasing the pressure on UK companies. The
Turnbull report, a study completed in 1999 by the Institute of
Chartered Accountants in England and Wales, originally made
recommendations for internal controls in corporate governance. It
was then adopted by the London Stock Exchange as an official set of
guidelines for publicly listed companies.
Since then, the Financial Reporting Council, the independent
regulator of accountants, has amalgamated elements of the Turnbull
report, along with other reports on issues such as audit committees
and best practice for non-executive directors. It was all rolled
into the Combined Code on Corporate Governance, issued in July,
which applies to companies with reporting years beginning after 1
November this year. This, combined with potential vulnerability to
US law for UK branches of US companies, should give UK firms cause
for concern.
One of the problems for companies wanting to comply with these
various regulations is that the guidelines within them are
relatively broad. Understanding how they relate to your own
business and adjusting your security and other operational controls
to fit them can be a daunting task, as Vicky Peacock, head of
intelligent customer information at high street bank Abbey, has
found. She has been supporting the company in its project to comply
with another set of governance regulations - the Basel II
accord.
The Basel rules on risk management for international financial
organisations were originally defined in 1998 and are now being
revamped to include guidelines on internal controls. They require
close interpretation. "This is where it gets a little difficult
because every organisation has had to interpret those guidelines,"
says Peacock. "We had to turn the guidelines into 'Abbey-speak' but
also to understand, practically, what they mean."
The company employed legal professionals to interpret the
guidelines and is also using Discovery, a data profiling and
analysis tool from Avelino, to help it to understand the data it
holds and its underlying business processes. This will help the
company to tweak its operational controls to bring them in line
with the Basel II specifications.
Some organisations are attempting to supply more generic
methodologies that can cover the lion's share of security
regulations. A good example is the IT Governance Institute (ITGI),
established by the Information Systems Audit and Control
Association in 1998 to create international governance standards.
The association has just released an online version of its Control
Objectives for Information and Related Technology (Cobit), a set of
standards for good practice in IT governance, security and
control.
"Standards and guidelines like Cobit are beginning to be mapped to
some of the key legislation," says Marios Damianides, president of
the association. "We are looking for bridging standards that have
more universal applicability than some of the legislation that is
focused on particular countries and sectors." The ITGI has just
completed a study of how closely Cobit maps to Sarbanes-Oxley, and
will soon release that into the public domain. It is also
evaluating how closely the framework will follow the Basel II
standard. The Business Software Alliance (BSA) Information Security
Governance Task Force has reviewed Cobit, along with a number of
other security documents, and has concluded that there is no
suitable information security governance framework for private
industry to use as a baseline for compliance with legislation. It
has released an embryonic framework of its own, drawn from various
industry initiatives, in an attempt to produce a universally
acceptable solution.
This framework primarily draws on two specifications: the Federal
Information Security Management Act (Fisma), designed specifically
for the US federal government; and ISO17799, the international
standards organisation's framework for corporate security. The BSA
taskforce says Fisma is too detailed and government-specific to be
applied uniformly across organisations and ISO17799 is too detailed
for chief executives to digest. It hopes to take appropriate
elements from both to create what it believes will be a workable
document.
Jeremy Ward, a Symantec executive who sits on the UK
government-industry forum on encryption and law enforcement and the
CBI Information Security Working Group, thinks ISO17799 is
perfectly adequate. He has found a correlation between the Basel II
operational risk management principles and the ISO standard's
management code of practice.
"If you are going to sort out security then you need to pick on a
good practice standard and I would say that you might as well pick
on ISO17799," he says. "If you do that, it will inevitably enable
you to read across to such things as Basel II and the OECD's IS
security guidelines - and hence to all the other things like
Sarbanes-Oxley." The British Standards Institute's equivalent to
ISO17799 is BS7799.
No matter which framework you choose, there is
a marked difference between paying lip-service to it and making it
a part of your everyday culture. That difference could spell
success or failure when it comes to compliance. Martin called on
Morgan Cole's legal professionals to help draft security policies
that would help it comply with the Data Protection Act. "It is a
whole ongoing programme, educating people about it and making them
aware of it," he says.
Martin uses Policymatter, a software program designed to enforce
policies within organisations. The product enables policies to be
written and coded using an XML format. These policies can then be
applied to specific groups contained in the product database.
End-users are alerted when they log on to the network that a new
policy has been created or an existing one has been changed. They
are then required to read through the policies and answer
multiple-choice questions to show they understand, before finally
approving the policy electronically.
This is designed to cover employees legally, and also to show an
audit trail proving that Morgan Cole is pushing policies throughout
the organisation.
Legal compliance as an aspect of security should not only be about
technical solutions. It should cover management issues too. It
should be pushed throughout the organisation and regularly
evaluated - the Turnbull section of the Combined Code on Corporate
Governance suggests an annual assessment.
As more companies get wise to the need for compliance, security
spending is likely to increase. Let us hope that the money is spent
wisely.
Legislation
Combined Code of Good Practice: Issued by the Financial Reporting
Council, this amalgamation of guidance documents includes elements
from the Turnbull report on internal controls.
Basel II: In July this year the Basel Committee released new rules
for risk management in banking, replacing the existing rules
originally released in 1988 and covering IT operations. They come
into effect in 2006.
Data Protection Act: Originally introduced in 1984 and updated in
1998, the Data Protection Act outlines eight principles of data
protection. From a security perspective the seventh principle is
particularly important as it enforces measures against the
"unauthorised or unlawful processing of personal data and against
accidental loss or destruction of, or damage to, personal data".
Sarbanes-Oxley Act: Introduced in 2002 in the US to prevent
corporate accounting scandals, it also imposes internal controls
that affect security. It affects all public companies subject to US
securities laws, and imposes criminal penalties on directors who
contravene its guidelines.
Health Insurance Privacy and Accountability Act: This US act imposes
data controls on health care providers and comes into full effect
in 2005.
The road to compliance - top tips for UK companies
After reading the legislation and guidelines, establish which
ones are applicable to you
Take legal advice, if necessary, to interpret vague legislative
guidelines for your business and sector
Push your security policy into your organisation's culture using
employee training, publications and enforcement by line
management
Conduct a gap analysis to assess the state of your security
infrastructure and find out what you need to do to achieve your
compliance
Consider ISO17799 or another security framework as a starting
point to bolster your compliance position
Continually reassess your security policy's effectiveness. Do
not let it stagnate and fall out of phase with your business
operations as they evolve.