Security: Play by the rules

Complying with the current raft of legislation could not only minimise business risk, it could also save money. Lindsay Clark finds out how regulation affects network security

When it comes to generating interest in IT investment at board level, regulatory compliance may not at first seem the most stimulating topic. Maybe it is something for the lawyers; a must do, but not a competitive issue. But look again and it turns out effective corporate governance to meet the needs of seemingly endless business legislation can translate directly into profitability.

In financial services, companies must comply with Basel 2: a regulation that dictates internal controls to offset business risks. It was introduced following high-profile financial scandals such as the collapse of Barings Bank in the 1990s.

Companies that cannot show they have appropriate controls - which include information security - have to put aside 15% of their capital to offset financial risks. "That can hit the bottom line," said Rupert Beeby, vice-president strategy services at GlassHouse, an independent IT security and storage consultancy.

"If a firm is compliant though, the regulator will allow it to release the capital [for the bank to invest]. That could be billions of pounds."

Because networks have become such a powerful tool for businesses to manage and distribute corporate data, network security is subject to a whole range of legislation. As well as Basel 2, legislation includes the Data Protection Act, the Human Rights Act and the rule of regulatory bodies such as the FSA. Meanwhile, businesses operating in the US must comply with the Sarbanes-Oxley Act.

The Sarbanes-Oxley Act was named after the senator and congressman who introduced it to address the shortcomings in corporate governance revealed by the Enron and WorldCom scandals. The act states that a company must provide information that will enable an assessment of the "internal control structure and procedures for financial reporting".

Non-compliance is a risk to business. The authorities that police business legislation across the world, such as the Information Commission in the UK, are able to impose hefty fines and create unwanted publicity for companies found in breach of the legislation.

Knowing how to express this in business terms can secure IT funding to ensure compliance, Beeby said. "When justifying spending, there is nothing that makes people get their cheque books out more quickly than risk. Compliance is a risk like anything else. If we do not have a mitigating strategy in place then we have an exposure. Like any of these things you have to do a risk assessment."

The Data Protection Act states that businesses must make sure any personal data stored or sent over networks about their customers or employees must be properly secure. The Information Commission is taking an increasing interest in aspects of the legislation relating to IT security, according to Robert Bond, partner with law firm Faegre & Benson. "We are starting to see more fines and naming and shaming," he said.

However, businesses that want to make sure their computer networks comply with the legislation are faced with a conundrum. IT managers like to apply consistent rules to network security so networks are easier to administer across geographic boundaries. The problem is, the law can differ from country to country, and in some cases conflict.

"If business wants to manage information assets and data security then it needs to monitor what staff are doing in the work place, and say what staff cannot do, but this can contravene human rights legislation," Bond said.

Although the Data Protection Act was created so the UK complied with the European Data Protection Directive, the law is still not consistent across Europe. "Businesses want to have consistency, but you might not be able to have one size fits all," said Bond.

Kit Burden, partner at law firm DLA Piper, agreed. "In this country there is no legal requirement for passwords [in the Data Protection Act], you just infer from the legislation. But in Italy, the law is more detailed and you must have an eight-digit password."

So a business setting up a Europe-wide network which used a seven-digit password as standard policy could fall foul of the law in Italy. "If you have seven it could be punishable by two years in prison," said Burden.

Similarly, the regulatory bodies have taken different approaches to policing the law in different states. "In the UK, the commission has not used its powers to fine heavily or revoke the ability to use personal data - which could close a business down," Burden said. "But in Spain there have been a lot of fines, partly, a cynic might say, because the regulatory body is funded by fines."

Another problem is that the legislation presents something of a moving target for IT security. "The Data Protection Act, at the top level, says 'take appropriate technology measures'. That's pretty wide ranging and there is not much guidance," said Burden.

The act states that businesses need to consider the state of technology at the time - not just the protection software, but also the type of threat, Burden said. This includes new resources available to hackers such as the "drive-by" hacking of wireless networks.

"Within your organisation you have to keep track of new technology and also how it changes your legal responsibility. You need to make sure you keep pace with new risks."

There is, however, some guidance on the security measures required to meet the needs of the Data Protection Act. In the late 1990s, Elizabeth France, then data protection registrar, said that any business implementing BS7799, an IT security standard developed by the British Standards Institute, would be likely to comply with the act too.

"The closest you're going to get to a silver bullet [for IT security and compliance] is BS7799," Burden said. The standard also has an international version, ISO17799.

Beeby said that the process-based framework known as the IT Infrastructure Library (ITIL) can also help businesses meet compliance requirements. From an ITIL perspective, security management is not about the technical aspects of securing information and infrastructure components. Rather, it is about the management processes required to make security an integral part of the services provided to an organisation's customers and end-users, and to minimise risk. Each of the ITIL processes focused on service support and service delivery can contribute to security.

Those in charge of network security are burdened with the task of complying with a range of legislation while still creating a policy that is appropriate to the risks presented to the business. It is a balancing act that can require a range of skills not all IT professionals have had the training for.

But they should not face the problem alone. "Compliance sits to the left of the IT team. They only think about it on trading systems and that must change. The audit people must be brought into this now and made to talk to the network guy on a regular basis. Regulation does not stay still. You need to keep on looking ahead," Beeby said.

Regulatory requirement also affects other areas of IT managers' work, such as negotiating contracts with suppliers, Burden said. "With Basel 2, for example, the regulated entity always has accountability, but can transfer responsibility in a contract and can seek damages if the regulator finds a bank is not compliant."

It is also possible to indemnify contracts against regulatory problems with insurance policies, Burden said.

The problem of marrying IT security with a range of sometimes conflicting legislation is so complex it cannot be dealt with by any professional group alone, Burden said. "Some legal people do one IT deal and think they know about IT. Likewise some IT people do a contract, so think they know about the law, but there really needs to be much greater understanding between these groups."

A critical test of whether companies have been effective at putting these skills together and meeting the compliance challenge will come in a few months, as Basel 2 is introduced at the beginning of 2006.


Legislation: don't get caught out

A huge range of legislation can affect the way IT systems are managed. Some can be very specific to particular industries. Here are the more common ones:

Sarbanes-Oxley Act
This applies to companies trading in the US, although they need not be based there to have to comply. It states that chief information officers are responsible for the security, accuracy and the reliability of the systems that manage and report the financial data. IT systems, such as ERP, are inextricably linked to the overall financial reporting process and need to be assessed.

Basel 2
This European banking legislation requires financial institutions to measure their exposure to risk and make provisions for that risk. The legislation's definition of operational risk includes technology failure, which can result from hacking or virus attacks on banking systems.

Data Protection Act
All companies storing personal data of any kind must comply with this act. Among a host of other requirements it says companies must ensure data is held securely, and that security measures must keep pace with the technology available, both to business and to hackers.


Case study: Barclays locks down back-up devices

During a branch technology refresh, Barclays Bank had to make sure that branches could continue to process transactions if the bank's network communications were disrupted.

Allowing staff to back up data locally to portable memory sticks would have been a good solution, but letting staff connect arbitrary devices to each PC could have opened the network to viruses or hacking attacks. The Financial Services Authority, which governs UK banking, has strict rules on information security.

Barclays used software from SecureWave to lock down the terminals, so that staff could only use the memory devices under highly controlled conditions. The software prevented other memory devices being plugged into the desktops, enabling the bank to meet FSA compliance requirements.

Barclays appointed QinetiQ, an independent security company, to carry out extensive testing of the SecureWave software before deployment. Barclays and QinetiQ agreed on Device Control as the best product to fulfil Barclays' USB security requirements, and the technology is now the standard security control for desktop refreshes.
