The test of regulatory compliance is business process change and ensuring employees are not your biggest threat
Complying with the law has always been an issue for big
business. US companies have operated compliance programmes for many
years to ensure they stay on the right side of anti-trust
legislation. Invariably, these programmes are controlled by the
legal department and represent a mixture of internal education,
reporting and incident response.
The collapse of companies such as Enron has led to tighter
financial regulation which, in turn, has spilled over into other
operational areas. Increasing emphasis is being placed on
compliance and the role of management in ensuring an ethical and
effective approach to trading. Thus compliance extends beyond
financial issues into reporting generally; for example, Shell's
concerns about its oil reserves.
Into this increasingly complex compliance jungle has come
another player: IT security. As interconnected, often web-enabled,
systems are used for the storage, collection and dissemination of
data, businesses are more exposed to security risks. These extend
from concerns about the rights of individuals to privacy and data
protection, through to computer misuse and third-party unauthorised
access into IT systems.
The various laws affecting security compliance fall into broad
categories which demonstrate the breadth of risk. The EU has a
comprehensive regime for the protection of personal data held on a
computer (or an organised filing system) from which an individual
may be identified. The broad aim is to protect people from the
exploitation of this data in the information age. The law contains
specific requirements for organisations to take appropriate
technical and organisational measures to secure this data.
The US Sarbanes-Oxley Act of 2002 is aimed at the reform of
accounting practices, financial disclosure and corporate
governance. Information security is an important part of ensuring
accuracy and reliability of financial reporting and this is
recognised in section 404 of the act. The Securities and Exchange
Commission and Nasdaq have rules for securing IT record compliance.
The UK Combined Code on Corporate Governance refers to a system of
internal control which is relevant to security compliance.
The Basel 2 rules on risk management (new rules will come into
effect in 2006) and the Financial Services Authority sourcebook
rules for UK companies are relevant to security compliance in the
UK financial services sector. These are generally aimed at ensuring
the ability of financial organisations to maintain adequate capital
and reserves to meet their obligations to their customers and guard
against operational risk.
The extent to which a business is lawfully entitled to monitor
and access e-mails coming into and going out of the organisation is
governed in the UK by the Regulation of Investigatory Powers Act,
the Lawful Business Practice Regulations and the Data Protection
Act.
Employees may pose an additional threat by carrying out
activities that are criminal under the Obscene Publications Act or
the Children's Act or are a breach of money laundering rules.
Should these be detected and blocked? Is this a security issue or a
wider HR problem?
The most sinister security risks may affect the viability and
integrity of IT systems. They are increasingly vulnerable to
viruses, denial of service attacks and manipulation of data as part
of online fraud.
These laws and activities give rise to such serious compliance
concerns because failure to deal with them exposes companies to
lawsuits from customers and employees, to material loss of business
and to damage to reputation and share price.
But too much compliance activity pays lip service to the real
problem. Signing a piece of paper which states that a company
complies with IT security and sending it to a regulatory body
should be the outward sign of a compliance culture. Too often it is
just another administrative task.
So what does a company have to do to develop real compliance
best practice in IT security? The issue is not that these laws
exist, nor that there is a need to understand them; there are lots
of law firms and various consultancy organisations that will
explain them. The real test for businesses is how they introduce
internal processes that provide for IT security.
It is not sufficient for such a task to reside solely within the
IT department. The chief information officer may recognise all the
issues, but cannot necessarily be responsible for dealing with all
of them. Nor is it entirely an HR function, as the technical issues
around security will only really be understood by the CIO.
Equally, the legal function, which is increasingly seen as the
owner of compliance, needs extensive contributions from the rest of
the business.
IT security is so vital to a business it needs to be recognised
as a function of the company's board of management, albeit that
compliance tasks will be delegated.
There needs to be, it is suggested, a chief security officer
whose sole task is to make sure the company abides by its IT
security obligations, and who can support the CIO and the legal
department in carrying out their compliance role and, in
particular, in developing an IT security policy.
This should not be a purely technical policy setting out rules
about monitoring e-mails or configuring firewalls. Rather, it
should lead to a general raising of awareness among all employees
of the risks that security breaches pose to them personally and to
the corporation.
Compliance with the spirit rather than just the letter of a
security policy must be a part of the ingrained behaviour of
individual employees. Contracts of employment should make it clear
that breaches of this policy will result in disciplinary
action.
A properly implemented IT policy does not just have a policing
role: there are positive benefits because awareness of IT security
reduces the risk of lapses and the organisation's exposure.
Organisations such as the Jericho Forum are showing that the
boundaries of IT security are very hard to delineate. Access to the
internet is not solely through PCs on desks. Laptops, personal
digital assistants and 3G phones all present security risks.
The security policy and related process should not be seen as
simply a hurdle to ensure regulatory compliance, but a catalyst for
disseminating effective compliance awareness. This can be done
through training and workshops but has to come as part of a culture
of compliance. It has to be led from the top with the chief
executive and board of management setting an example that others
will follow.
IT security threats move fast, change frequently and will
continue to be challenging. However, a company's armoury will be
enhanced by a collective awareness developed through an effectively
created and distributed policy. This is the first step to true
compliance, as opposed to compliance on paper only.
Clive Davies is a partner at law firm Olswang
www.olswang.com