Confusing regulatory requirements mean that some companies may be overlooking perils elsewhere in their drive for compliance.
Compliance with laws and industry regulations has become the main reason for having information security, but perversely this could be putting that security at risk. This is the view of a growing number of user and supplier organisations, as companies get to grips with more and more laws and regulations that demand fully secure IT and data, but give few clues about what this means.
“Our latest annual survey shows that for the first time complying with regulatory initiatives is the primary driver of information security – overtaking the traditional concerns about viruses and worms,” said Jan Babiak, head of information security advisory services at consultancy Ernst & Young.
“IT-related compliance regulations are extensive and complex, and cross-border differences compound the difficulties. Just knowing what a business has to comply with is often a huge task in itself, and achieving sustainable compliance presents an even greater challenge.”
This is putting it mildly, according to user organisation the Information Security Forum. “We are compiling a database of laws, initially across four areas and six countries – and there are probably 400 laws to include,” said project leader Andy Jones. The project is initially covering data protection, encryption, electronic communications and electronic contracts in the UK, France, the US, India, China and South Africa.
Jones said, “Big multinationals are subject pretty much to all laws and regulations. There are so many laws across so many countries that companies cannot know about all of them. The ISF has a framework to follow. Simplified, it has three main points: understand why you are worried – for example are you offshoring, understand where you are doing business, and then understand which laws are relevant.”
Laws surrounding IT date back to the earliest days of computing: software copyright was being discussed in the 1950s, when there were fewer than 100 computers in the entire UK. Concerns about the growth of databases of personal information in the early 1970s sparked the first moves towards data protection legislation.
But recent developments have brought fast growth: the rise of the internet and the start of e-commerce have resulted in legislation on issues ranging from identity verification for contracts, to data theft or destruction. Even more recently some highly publicised cases of business fraud and leaks of personal banking information have led to national and international laws and regulations which often make individual company directors personally liable.
But these attempts to counter some of the threats to business IT and the surrounding processes with legislation and regulation risk diverting IT specialists’ attention from arguably more important work – and even directing their security activities towards the wrong priorities, according to Jones.
“Our research shows people are getting driven increasingly by compliance, especially compliance with the US Sarbanes-Oxley financial reporting legislation,” Jones said. “Financial information is naturally important to a manufacturing company, say, but its manufacturing and sales and inventory information is critical to its business.”
He warned that for organisations whose business was not primarily financial, the diversion of information security attention from other risk areas to Sarbanes-Oxley compliance, for example, may mean important business risks get neglected – which may compromise security.
“It is important that organisations do not get pushed into following a compliance-based approach rather than a risk-based approach.”
This danger is laid out starkly by Philippe Courtot, chief executive of risk management systems specialist Qualys. “Compliance and security do not necessarily go hand-in-hand. One company might be 100% compliant and not secure, while another company could be 100% secure and not compliant,” said Courtot.
“With IT budgets under pressure, IT directors constantly have to balance security needs against compliance requirements.”
The trouble, according to Jones, is that it is far from clear what those compliance requirements are in terms of IT security. More than half the members of the ISF expect to spend more than £5.3m on security controls for the Sarbanes-Oxley legislation alone – even though the act never mentions “information security”, he said.
This point is underlined by Usha Jagessar, a partner in the technology, media and communications practice at law firm DLA Piper Rudnick. “The UK Data Protection Act, for example, calls for appropriate technical and organisational measures, but it does not define ‘appropriate’ or really prescribe what the measures might be,” said Jagessar.
Jagessar points to formal standards as an answer, notably the British Standards Institution's BS 7799 security management standard, suggested by the UK Information Commissioner, and its international equivalent, ISO 17799.
Some experts also point to the IT Infrastructure Library, originally developed for UK government computing and covering various aspects of IT. In addition, many companies affected by the Sarbanes-Oxley legislation are using the Control Objectives for Information and Related Technology (Cobit) from the IT Governance Institute.
“Standards have no legal status, but it is a good idea to comply with them anyway,” said Mark O'Conor, partner at DLA Piper Rudnick. “Complying with a standard can also get you cheaper insurance.”
Cheaper insurance might not be top of IT directors’ lists of reasons to follow standards, but there can be benefits apart from keeping company directors out of prison or the company clear of hefty fines.
“Good practice in IT has been proved to reduce costs, improve efficiency and increase productivity,” said John Redeyoff, director of information security at specialist consultancy NCC Group. “Procter & Gamble, the household products firm, claims to have saved more than £300m over four years through implementing the IT Infrastructure Library. And a recent report by the government and the British Standards Institution said that in IT, standards are often seen as arcane and dry, but they actually create innovation.”
Attention to standards, brought on by the legislation, is overdue anyway, said Ian Cole, professional services manager at Internet Security Solutions. He said, “From an information security specialist’s point of view, the controls that organisations are now putting in place should have been there as a part of sound business management in any event.”
UK companies are mixed in their views here, according to new research by BT: 43% say regulations and associated guidelines are beneficial, although 52% see regulations as too restrictive.
Separate research for data management software specialist Embarcadero shows that compliance is fourth out of 13 priority issues for UK IT directors at present. It was mentioned by 51%, and came in after the related issues of security (75%), infrastructure (67%) and data management (67%).
When asked for their greatest fear about compliance, 34% put falling foul of the law top – almost the same as the number who put the risk to sensitive information top of the list.
If companies do adopt standards they have to impose them, in effect, on any service companies they use, too, especially if those companies are doing their financial processing or personal data management.
“It is not always possible to abdicate responsibility,” said O’Conor. “This means mandating by contract that your contractor will have equivalent standards – but commercial reality can come down to the relative sizes of the negotiating companies. In addition, the ultimate responsibility still rests with the client.”
If standards and regulation guidelines are hailed as the overall answer to the compliance issue, farther down suppliers are highlighting products to handle the detail.
“We are seeing growing demand in a lot of areas,” said Simon Perry, head of security strategy in Europe at software company CA. Perry has seen users looking for better access management control policies on sensitive information, especially financial information.
Users are also looking at improving applications so that access control can be enforced and audit trails generated. “Historically a lot of companies have had home-grown and packaged applications that generated no audit trail whatsoever,” Perry said.
There is also a need for improved provisioning policy, with software to automate provisioning – again, a lot of problems and failed audits have resulted from lack of controls around who gets access to what, according to Perry. CA has also seen users asking for automated collection of audit records and reporting.
Perry said, “The emphasis on auditing here has arisen as companies have had to move beyond having to comply, to the second and longer-term phase of ‘continue to comply, prove you comply, and do it cost effectively’. Manual auditing is clearly not cost effective in anything but the short term.”
Other big issues highlighted by suppliers include e-mail archiving and management – certain e-mails have to be kept for five years or more under some legislation – and data management in general. It takes UK companies between one and three months to compile the information needed in compliance investigations, according to a study by security specialist nCircle.
UK IT directors are certainly concerned about this last issue, according to the Embarcadero research: 69% have data management software top of their shopping lists in the compliance area. In all this, IT is only part of the picture – and some say compliance offers companies a great opportunity to bring IT and the business closer together at last.
“The purpose of much compliance legislation is to make senior management fully accountable and responsible for the actions of their business,” said Redeyoff. “No longer can chairmen and directors hide behind the mantra of ‘we did not know it was happening’. Lawmakers have been keen to target the entire business process as the basis of corporate responsibility.”
Many agree with this last point – and also that it means business directors must wake up to reality.
“A lot of the focus has been on IT, because that is the easiest bit to sort out,” said Jones. “In some companies the security people have even found no one is taking notice of the compliance requirements, so they are getting on with it. But ultimately it is a business issue.”
O’Conor agrees, “Previously all the issues were seen as IT systems and security concerns and conveniently forgotten about, with IT told just to sort it out. But IT is central to business and business processes, and that is making IT become a business issue.”
He added, “Personal liability certainly concentrates the mind for company directors – and it is that potential for personal liability that is getting the head of IT into the boardroom at last.”