Confusing regulatory requirements mean that some
companies may be overlooking perils elsewhere in their drive for
compliance.
Compliance with laws and industry regulations has become the
main reason for having information security, but perversely this
could be putting that security at risk. This is the view of a
growing number of user and supplier organisations, as companies get
to grips with more and more laws and regulations that demand fully
secure IT and data, but give few clues about what this means.
“Our latest annual survey shows that for the first time
complying with regulatory initiatives is the primary driver of
information security – overtaking the traditional concerns about
viruses and worms,” said Jan Babiak, head of information security
advisory services at consultancy Ernst & Young.
“IT-related compliance regulations are extensive and complex,
and cross-border differences compound the difficulties. Just
knowing what a business has to comply with is often a huge task in
itself, and achieving sustainable compliance presents an even
greater challenge.”
This is putting it mildly, according to user organisation the
Information Security Forum. “We are compiling a database of laws,
initially across four areas and six countries – and there are
probably 400 laws to include,” said project leader Andy Jones. The
project is initially covering data protection, encryption,
electronic communications and electronic contracts in the UK,
France, the US, India, China and South Africa.
Jones said, “Big multinationals are subject pretty much to all
laws and regulations. There are so many laws across so many
countries that companies cannot know about all of them. The ISF has
a framework to follow. Simplified, it has three main points:
understand why you are worried – for example, are you offshoring?
– understand where you are doing business, and then understand which
laws are relevant.”
Laws surrounding IT date back to the earliest days of computing:
software copyright was being discussed in the 1950s, when there
were fewer than 100 computers in the entire UK. Concerns about the
growth of databases of personal information in the early 1970s
sparked the first moves towards data protection legislation.
But recent developments have brought fast growth: the rise of
the internet and the start of e-commerce have resulted in
legislation on issues ranging from identity verification for
contracts, to data theft or destruction. Even more recently some
highly publicised cases of business fraud and leaks of personal
banking information have led to national and international laws and
regulations which often make individual company directors
personally liable.
But these attempts to counter some of the threats to business IT
and the surrounding processes with legislation and regulation risk
diverting IT specialists’ attention from arguably more important
work – and even directing their security activities towards the
wrong priorities, according to Jones.
“Our research shows people are getting driven increasingly by
compliance, especially compliance with the US Sarbanes-Oxley
financial reporting legislation,” Jones said. “Financial
information is naturally important to a manufacturing company, say,
but its manufacturing and sales and inventory information is
critical to its business.”
He warned that for organisations whose business was not
primarily financial, the diversion of information security
attention from other risk areas to Sarbanes-Oxley compliance, for
example, may mean important business risks get neglected – which
may compromise security.
“It is important that organisations do not get pushed into
following a compliance-based approach rather than a risk-based
approach.”
This danger is laid out starkly by Philippe Courtot, chief
executive of risk management systems specialist Qualys. “Compliance
and security do not necessarily go hand-in-hand. One company might
be 100% compliant and not secure, while another company could be
100% secure and not compliant,” said Courtot.
“With IT budgets under pressure, IT directors constantly have to
balance security needs against compliance requirements.”
The trouble, according to Jones, is that it is far from clear
what those compliance requirements are in terms of IT security.
More than half the members of the ISF expect to spend more than
£5.3m on security controls for the Sarbanes-Oxley legislation alone
– even though the act never mentions “information security”, he
said.
This point is underlined by Usha Jagessar, a partner in the
technology, media and communications practice at law firm DLA Piper
Rudnick. “The UK Data Protection Act, for example, calls for
appropriate technical and organisational measures, but it does not
define ‘appropriate’ or really prescribe what the measures might
be,” said Jagessar.
Jagessar points to formal standards as an answer, notably the
British Standards Institution's BS 7799 security management
standard, suggested by the UK Information Commissioner, and its
international equivalent, ISO 17799.
Some experts also point to the IT Infrastructure Library,
originally developed for UK government computing and covering
various aspects of IT. In addition, many companies affected by the
Sarbanes-Oxley legislation are using the Control Objectives for
Information and Related Technology (Cobit) from the IT Governance
Institute.
“Standards have no legal status, but it is a good idea to comply
with them anyway,” said Mark O'Conor, partner at DLA Piper Rudnick.
“Complying with a standard can also get you cheaper insurance.”
Cheaper insurance might not be top of IT directors’ lists of
reasons to follow standards, but there can be benefits apart from
keeping company directors out of prison or the company clear of
hefty fines.
“Good practice in IT has been proved to reduce costs, improve
efficiency and increase productivity,” said John Redeyoff, director
of information security at specialist consultancy NCC Group.
“Procter & Gamble, the household products firm, claims to have
saved more than £300m over four years through implementing the IT
Infrastructure Library. And a recent report by the government and
the British Standards Institution said that in IT, standards are
often seen as arcane and dry, but they actually create
innovation.”
Attention to standards, brought on by the legislation, is
overdue anyway, said Ian Cole, professional services manager at
Internet Security Solutions. He said, “From an information security
specialist’s point of view, the controls that organisations are now
putting in place should have been there as a part of sound business
management in any event.”
UK companies are mixed in their views here, according to new
research by BT: 43% say regulations and associated guidelines are
beneficial, although 52% see regulations as too restrictive.
Separate research for data management software specialist
Embarcadero shows that compliance is fourth out of 13 priority
issues for UK IT directors at present. It was mentioned by 51%, and
came in after the related issues of security (75%), infrastructure
(67%) and data management (67%).
When asked for their greatest fear about compliance, 34% put
falling foul of the law top – almost the same as the number who put
the risk to sensitive information top of the list.
If companies do adopt standards they have to impose them, in
effect, on any service companies they use, too, especially if those
companies are doing their financial processing or personal data
management.
“It is not always possible to abdicate responsibility,” said
O’Conor. “This means mandating by contract that your contractor
will have equivalent standards – but commercial reality can come
down to the relative sizes of the negotiating companies. In
addition, the ultimate responsibility still rests with the
client.”
If standards and regulatory guidelines are hailed as the overall
answer to the compliance issue, at a lower level suppliers are
highlighting products to handle the detail.
“We are seeing growing demand in a lot of areas,” said Simon
Perry, head of security strategy in Europe at software company CA.
Perry has seen users looking for better access control policies on
sensitive information, especially financial information.
Users are also looking at improving applications so that access
control can be enforced and audit trails generated. “Historically a
lot of companies have had home-grown and packaged applications that
generated no audit trail whatsoever,” Perry said.
There is also a need for improved provisioning policy, with
software to automate provisioning – again, a lot of problems and
failed audits have resulted from lack of controls around who gets
access to what, according to Perry. CA has also seen users asking
for automated collection of audit records and reporting.
Perry said, “The emphasis on auditing here has arisen as
companies have had to move beyond having to comply, to the second
and longer-term phase of ‘continue to comply, prove you comply, and
do it cost effectively’. Manual auditing is clearly not cost
effective in anything but the short term.”
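To make concrete what Perry is describing – an application that enforces who may do what, records every provisioning change and access decision, and can prove it afterwards – here is a small added example in Python. It is not code from the page, from CA or from any supplier's product; the user names, roles and the "ledger" resource are constructed for illustration. It goes slightly beyond the text in one respect: each audit record is chained to the previous one with a SHA-256 hash, so that later tampering with an earlier record is detectable when the trail is verified, which is the property an auditor asking you to "prove you comply" cares about.

```python
"""Added example: access control with a provisioning and access audit trail.

Not product code; all names and records below are constructed."""
import hashlib
import json
from datetime import datetime, timezone


class AuditedAccessControl:
    """Enforces per-user grants on named resources and writes every
    provisioning change and access decision to a hash-chained trail."""

    def __init__(self, clock=None):
        # The clock is injectable so replays and tests are deterministic.
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())
        self._grants = {}            # user -> {(resource, action), ...}
        self.trail = []              # audit records, oldest first
        self._prev_hash = "0" * 64   # chain anchor for the first record

    @staticmethod
    def _digest(rec):
        # Hash every field except the stored hash itself, in a canonical order.
        body = {k: v for k, v in rec.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _record(self, event, **fields):
        rec = {"ts": self._clock(), "event": event, "prev": self._prev_hash, **fields}
        rec["hash"] = self._digest(rec)
        self._prev_hash = rec["hash"]
        self.trail.append(rec)
        return rec

    # Provisioning: who granted what to whom is itself audit evidence.
    def grant(self, approver, user, resource, action):
        self._grants.setdefault(user, set()).add((resource, action))
        return self._record("grant", approver=approver, user=user,
                            resource=resource, action=action)

    def revoke(self, approver, user, resource, action):
        self._grants.get(user, set()).discard((resource, action))
        return self._record("revoke", approver=approver, user=user,
                            resource=resource, action=action)

    # Enforcement: every decision, allowed or denied, is recorded.
    def check(self, user, resource, action):
        allowed = (resource, action) in self._grants.get(user, set())
        self._record("access", user=user, resource=resource,
                     action=action, allowed=allowed)
        return allowed

    # Reporting: answers the auditor's "who has access to what?" directly.
    def who_can(self, resource):
        return sorted((u, a) for u, grants in self._grants.items()
                      for r, a in grants if r == resource)

    # Verification: recompute the chain; any edited or removed record breaks it.
    def verify_trail(self):
        prev = "0" * 64
        for rec in self.trail:
            if rec["prev"] != prev or self._digest(rec) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def export_jsonl(self):
        # One JSON object per line, the shape an automated collector ingests.
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.trail)


if __name__ == "__main__":
    ac = AuditedAccessControl()
    ac.grant("cfo", "alice", "ledger", "read")       # provisioning event
    ac.check("alice", "ledger", "read")               # allowed
    ac.check("bob", "ledger", "post")                 # denied, still recorded
    print(ac.export_jsonl())
    print("who can use ledger:", ac.who_can("ledger"))
    print("trail intact:", ac.verify_trail())
    ac.trail[0]["user"] = "mallory"                   # simulate tampering
    print("trail intact after edit:", ac.verify_trail())
```

The point is not the hash chain itself but that denials are logged alongside grants, that provisioning changes name an approver, and that the "who has access to what" question is answered from the same state the application enforces rather than from a spreadsheet maintained by hand.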
Other big issues highlighted by suppliers include e-mail
archiving and management – certain e-mails have to be kept for five
years or more under some legislation – and data management in
general. It takes UK companies between one and three months to
compile the information needed in compliance investigations,
according to a study by security specialist nCircle.
UK IT directors are certainly concerned about this last issue,
according to the Embarcadero research: 69% have data management
software top of their shopping lists in the compliance area.
In all this, IT is only part of the picture – and some say compliance
offers companies a great opportunity to bring IT and the business
closer together at last.
“The purpose of much compliance legislation is to make senior
management fully accountable and responsible for the actions of
their business,” said Redeyoff. “No longer can chairmen and
directors hide behind the mantra of ‘we did not know it was
happening’. Lawmakers have been keen to target the entire business
process as the basis of corporate responsibility.”
Many agree with this last point – and also that it means
business directors must wake up to reality.
“A lot of the focus has been on IT, because that is the easiest
bit to sort out,” said Jones. “In some companies the security
people have even found no one is taking notice of the compliance
requirements, so they are getting on with it. But ultimately it is
a business issue.”
O’Conor agrees, “Previously all the issues were seen as IT
systems and security concerns and conveniently forgotten about,
with IT told just to sort it out. But IT is central to business and
business processes, and that is making IT become a business
issue.”
He added, “Personal liability certainly concentrates the mind
for company directors – and it is that potential for personal
liability that is getting the head of IT into the boardroom at
last.”