Building regulations for IT

Did poorly-functioning IT systems contribute to the recent financial crisis? We must ask the question: was the Basel II regulatory framework properly implemented in banks' IT systems? That set of regulations was supposed to provide improved information on exposure to risk.

To ensure regulation is implemented properly in the future, why not have an "IT development" set of "building regulations"? These regulations would be monitored externally, by approved inspectors, possibly provided by the BCS or other organisations, on behalf of the Financial Services Authority (FSA). Self-regulation clearly has not worked.

Building regulations set standards for the design and construction of buildings. Firstly, you have to apply for planning permission, which is a lengthy process. Most people, however, understand that such regulations are there to protect us all. With every stage of the build you have to have site inspections. The building regulations ensure the works meet the relevant technical requirements, such as ensuring there are proper foundations.

IT developments are potentially very risky. They could cause financial loss in a company, cause instability, damage the reputation of customer-facing and financial services in the UK, endanger investments and jobs, or cause information security breaches. Such developments, it could be argued, should be subject to external scrutiny.

It is true, however, that the government's policing of its own IT projects has not been very good so far. This gap will, somehow, have to be closed to protect us all, because internal "self-policing" within commercial organisations is obviously not working. Some quality functions within such organisations are genuinely trying to promote good practice. However, this is rare, in my experience. "Bogus" quality functions predominate in most organisations. These functions are subordinate to development and they compromise quality to enable systems to go live. The tester's work is compromised and any defects raised are closed down by management regardless of the risk.

Perhaps in future any major development, such as a new customer billing system for a significantly sized company, would come under the radar of the FSA. It would require FSA certification before live running, using live customer data. To run such a system in a live environment without FSA certification would be illegal and would result in heavy fines.

The stages would be:

  • Register the development with the FSA, with timescales and details (e.g. the business justification).
  • The FSA would then request the requirements, system design specifications and project plans, assess them, and then do a site inspection, which would allow a degree of control over any unjustified "offshoring" of work.
  • Once given the go-ahead, the development could commence and it would be monitored stage by stage.
  • When the system was ready to go into test, the FSA would have to be notified of any faults and given progress reports. It would have the power to do a site visit and to impose fines if any defect information was withheld.
  • During User Acceptance Testing (UAT), the FSA would have to be notified of any significant defects.
  • The final certification for live running could only be given by the FSA.

Obviously, the company could try to pull the wool over the eyes of the FSA. However, the FSA would have visibility of what was going on, and it would be a good discipline for the organisation to know that by withholding or falsifying information it could suffer a heavy fine.

Do you think this idea is far-fetched? In the US, the Senate has recently proposed a bill to control IT failures. The bill would amend federal law regarding the oversight of project planning for IT systems. This is a highly significant development. It represents a state-of-the-art effort to control IT failures, and we would benefit from something similar over here. Look, for example, at the UK's multi-billion pound health service IT project, which, according to the BCS, needs a fundamental rethink.

Tim Hunter is an IT Consultant for Yorview and a BCS member
