How to stay on the right side of the law

Legal compliance and corporate governance are among the biggest challenges facing IT departments today. Danny Bradbury finds out what you can do to protect your organisation

Security has always been one of those things that you don't want until you need it. A survey by PricewaterhouseCoopers published late last month suggests that IT directors who spend more money on security have not necessarily been converted to the security cause. Instead, they are simply worried about complying with an increasing number of guidelines and regulations that render them vulnerable to legal action if they do not take the proper precautions.

According to the worldwide study, 62% of professionals will spend more on IT security this year, up 12% on last year. But the top reason for increased spending was legislation, not security for its own sake.

Richard Martin, IT director of Morgan Cole, a solicitor specialising in employment, energy, insurance and technology law, says he has to consider legislation when thinking about security. Although he does not have a full-time chief security officer, he is beginning to think that he needs one, not just for technical challenges but legal ones too. "The constant requirement to install new patches almost creates a full-time job. Then there is the legislation that you have to comply with and the conflicts between, say, the right to privacy and our need to know what is being done in our network," he says.

Relative to the US, the UK is tougher on security governance thanks to the Data Protection Act, which originally appeared in 1984 and was redefined in 1998. Addressing all industry sectors, the Act imposes guidelines for the proper protection of personal data, and contains several principles of good data protection that companies should follow, including a clause about data security. Conversely, companies in the US have always been relatively liberal with customer data.

Clifford May, a principal consultant with IT security integrator Integralis, says the tide may be turning. An increasing amount of legislation has appeared in the US in the past two years, calling on companies to pay more attention to internal controls, including security. The Sarbanes-Oxley Act, introduced to avoid corporate accounting debacles following scandals such as Enron and WorldCom, complements sector-specific legislation such as HIPAA, an act which addresses the health-care sector. The state of California has even prepared its own data protection legislation in the form of the California Database Security Breach Information Act. IT directors working for subsidiaries of US companies could be affected by those laws.

But in the UK many companies have done little more than pay lip-service to security laws, says May. He recalls one seminar at which he discussed the Data Protection Act where one director said he would do nothing about addressing it because "the information commissioner never prosecutes anybody".

David Naylor, a partner in the technology transactions group at solicitors Morrison and Foerster, warns that UK businesses should not be so quick to dismiss the Act. "One issue that has been missed for too long by everyone is that the legislation already contains provisions for immediate criminal sanctions in the case of certain breaches of the Data Protection Act," he says, adding that directors would be personally liable. "I have not seen the police looking to enforce criminal sanctions yet, but it is certainly a possibility."

Other regulations are increasing the pressure on UK companies. The Turnbull report, a study completed in 1999 by the Institute of Chartered Accountants in England and Wales, originally made recommendations for internal controls in corporate governance. It was then adopted by the London Stock Exchange as an official set of guidelines for publicly listed companies.

Since then, the Financial Reporting Council, the independent regulator of accountants, has amalgamated elements of the Turnbull report, along with other reports on issues such as audit committees and best practice for non-executive directors. It was all rolled into the Combined Code on Corporate Governance, issued in July, which applies to companies with reporting years beginning after 1 November this year. This, combined with potential vulnerability to US law for UK branches of US companies, should give UK firms cause for concern.

One of the problems for companies wanting to comply with these various regulations is that the guidelines within them are relatively broad. Understanding how they relate to your own business and adjusting your security and other operational controls to fit them can be a daunting task, as Vicky Peacock, head of intelligent customer information at high street bank Abbey, has found. She has been supporting the company in its project to comply with another set of governance regulations - the Basel II accord.

The Basel rules on risk management for international financial organisations were originally defined in 1998 and are now being revamped to include guidelines on internal controls. They require close interpretation. "This is where it gets a little difficult because every organisation has had to interpret those guidelines," says Peacock. "We had to turn the guidelines into 'Abbey-speak' but also to understand, practically, what they mean."

The company employed legal professionals to interpret the guidelines and is also using Discovery, a data profiling and analysis tool from Avelino, to help it to understand the data it holds and its underlying business processes. This will help the company to tweak its operational controls to bring them in line with the Basel II specifications.

Some organisations are attempting to supply more generic methodologies that can cover the lion's share of security regulations. A good example is the IT Governance Institute (ITGI), established by the Information Systems Audit and Control Association in 1998 to create international governance standards. The association has just released an online version of its Control Objectives for Information and Related Technology (Cobit), a set of standards for good practice in IT governance, security and control.

"Standards and guidelines like Cobit are beginning to be mapped to some of the key legislation," says Marios Damianides, president of the association. "We are looking for bridging standards that have more universal applicability than some of the legislation that is focused on particular countries and sectors." The ITGI has just completed a study of how closely Cobit maps to Sarbanes-Oxley, and will soon release that into the public domain. It is also evaluating how closely the framework will follow the Basel II standard.

The Business Software Alliance (BSA) Information Security Governance Task Force has reviewed Cobit, along with a number of other security documents, and has concluded that there is no suitable information security governance framework for private industry to use as a baseline for compliance with legislation. It has released an embryonic framework of its own, drawn from various industry initiatives, in an attempt to produce a universally acceptable solution.

This framework primarily draws on two specifications: the Federal Information Security Management Act (Fisma), designed specifically for the US federal government; and ISO17799, the international standards organisation's framework for corporate security. The BSA taskforce says Fisma is too detailed and government-specific to be applied uniformly across organisations and ISO17799 is too detailed for chief executives to digest. It hopes to take appropriate elements from both to create what it believes will be a workable document.

Jeremy Ward, a Symantec executive who sits on the UK government-industry forum on encryption and law enforcement and the CBI Information Security Working Group, thinks ISO17799 is perfectly adequate. He has found a correlation between the Basel II operational risk management principles and the ISO standard's management code of practice.

"If you are going to sort out security then you need to pick on a good practice standard and I would say that you might as well pick on ISO17799," he says. "If you do that, it will inevitably enable you to read across to such things as Basel II and the OECD's IS security guidelines - and hence to all the other things like Sarbanes-Oxley." The British Standards Institute's equivalent to ISO17799 is BS7799.

No matter which framework you choose, there is a marked difference between paying lip-service to it and making it a part of your everyday culture. That difference could spell success or failure when it comes to compliance. Martin called on Morgan Cole's legal professionals to help draft security policies that would help it comply with the Data Protection Act. "It is a whole ongoing programme, educating people about it and making them aware of it," he says.

Martin uses Policymatter, a software program designed to enforce policies within organisations. The product enables policies to be written and coded using an XML format. These policies can then be applied to specific groups contained in the product database. End-users are alerted when they log on to the network that a new policy has been created or an existing one has been changed. They are then required to read through the policies and answer multiple-choice questions to show they understand, before finally approving the policy electronically.

This is designed to cover employees legally, and also to show an audit trail proving that Morgan Cole is pushing policies throughout the organisation.

Legal compliance as an aspect of security should not only be about technical solutions. It should cover management issues too. It should be pushed throughout the organisation and regularly evaluated - the Turnbull section of the Combined Code on Corporate Governance suggests an annual assessment.

As more companies get wise to the need for compliance, security spending is likely to increase. Let us hope that the money is spent wisely.


Combined Code of Good Practice: Issued by the Financial Reporting Council, this amalgamation of guidance documents includes elements from the Turnbull report on internal controls.

Basel II: In July this year the Basel Committee released new rules for risk management in banking, replacing the existing rules originally released in 1988 and covering IT operations. They come into effect in 2006.

Data Protection Act: Originally introduced in 1984 and updated in 1998, the Data Protection Act outlines eight principles of data protection. From a security perspective the seventh principle is particularly important as it enforces measures against the "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

Sarbanes-Oxley Act: Introduced in 2002 in the US to prevent corporate accounting scandals, it also imposes internal controls that affect security. It affects all public companies subject to US security laws, and imposes criminal penalties on directors who contravene its guidelines.

Health Insurance Privacy and Accountability Act: This US act imposes data controls on health care providers and comes into full effect in 2005.

The road to compliance - top tips for UK companies   

After reading the legislation and guidelines, establish which ones are applicable to you 

Take legal advice, if necessary, to interpret vague legislative guidelines for your business and sector 

Push your security policy into your organisation's culture using employee training, publications and enforcement by line management 

Conduct a gap analysis to assess the state of your security infrastructure and find out what you need to do to achieve your compliance 

Consider ISO17799 or another security framework as a starting point to bolster your compliance position 

Continually reassess your security policy's effectiveness. Do not let it stagnate and fall out of phase with your business operations as they evolve.