The test of regulatory compliance is business process change and ensuring employees are not your biggest threat
Complying with the law has always been an issue for big business. US companies have operated compliance programmes for many years to ensure they stay on the right side of anti-trust legislation. Invariably, these programmes are controlled by the legal department and represent a mixture of internal education, reporting and incident response.
The collapse of companies such as Enron has led to tighter financial regulation which, in turn, has spilled over into other operational areas. Increasing emphasis is being placed on compliance and the role of management in ensuring an ethical and effective approach to trading. Thus compliance extends beyond financial issues into reporting generally; for example, Shell's concerns about its oil reserves.
Into this increasingly complex compliance jungle has come another player: IT security. As interconnected, often web-enabled, systems are used for the storage, collection and dissemination of data, businesses are more exposed to security risks. These extend from concerns about the rights of individuals to privacy and data protection, through to computer misuse and third-party unauthorised access into IT systems.
The various laws affecting security compliance fall into broad categories which demonstrate the breadth of risk. The EU has a comprehensive regime for the protection of personal data held on a computer (or an organised filing system) from which an individual may be identified. The broad aim is to protect people from the exploitation of this data in the information age. The law contains specific requirements for organisations to take appropriate technical and organisational measures to secure this data.
The US Sarbanes-Oxley Act of 2002 is aimed at the reform of accounting practices, financial disclosure and corporate governance. Information security is an important part of ensuring accuracy and reliability of financial reporting and this is recognised in section 404 of the act. The Securities and Exchange Commission and Nasdaq have rules for securing IT record compliance. The UK Combined Code on Corporate Governance refers to a system of internal control which is relevant to security compliance.
The Basel 2 rules on risk management (new rules will come into effect in 2006) and the Financial Services Authority sourcebook rules for UK companies are relevant to security compliance in the UK financial services sector. These are generally aimed at ensuring the ability of financial organisations to maintain adequate capital and reserves to meet their obligations to their customers and guard against operational risk.
The extent to which a business is lawfully entitled to monitor and access e-mails coming into and going out of the organisation is governed in the UK by the Regulation of Investigatory Powers Act, the Lawful Business Practice Regulations and the Data Protection Act.
Employees may pose an additional threat by carrying out activities that are criminal under the Obscene Publications Act or the Children's Act or are a breach of money laundering rules. Should these be detected and blocked? Is this a security issue or a wider HR problem?
The most sinister security risks may affect the viability and integrity of IT systems. They are increasingly vulnerable to viruses, denial of service attacks and manipulation of data as part of online fraud.
The reason these laws and activities give rise to such serious compliance concerns is because failure to deal with them exposes companies to law suits from customers and employees, to material loss of business and damage to reputation and share price.
But too much compliance activity pays lip service to the real problem. Signing a piece of paper which states that a company complies with IT security requirements and sending it to a regulatory body should be the outward sign of a compliance culture. Too often it is just another administrative task.
So what does a company have to do to develop real compliance best practice in IT security? The issue is not that these laws exist, nor that there is a need to understand them; there are lots of law firms and various consultancy organisations that will explain them. The real test for businesses is how they introduce internal processes that provide for IT security.
It is not sufficient for such a task to reside solely within the IT department. The chief information officer may recognise all the issues, but cannot necessarily be responsible for dealing with all of them. Nor is it entirely an HR function, as the technical issues around security will only really be understood by the CIO.
Equally, the legal function, which is increasingly seen as the owner of compliance, needs extensive contributions from the rest of the business.
IT security is so vital to a business that it needs to be recognised as a function of the company's board of management, albeit that compliance tasks will be delegated.
There needs to be, it is suggested, a chief security officer whose sole task is to make sure the company abides by its IT security obligations and who can support the CIO and the legal department in carrying out their compliance role and, in particular, in developing an IT security policy.
This should not be a purely technical policy setting out rules about monitoring e-mails or configuring firewalls. Rather, it should raise the awareness of all employees of the risks that security breaches pose to them personally and to the corporation.
Compliance with the spirit rather than just the letter of a security policy must be a part of the ingrained behaviour of individual employees. Contracts of employment should make it clear that breaches of this policy will result in disciplinary action.
A properly implemented IT policy does not just have a policing role: there are positive benefits because awareness of IT security reduces the risk of lapses and the organisation's exposure.
Organisations such as the Jericho Forum are showing that the boundaries of IT security are very hard to delineate. Access to the internet is not solely through PCs on desks. Laptops, personal digital assistants and 3G phones all present security risks.
The security policy and related process should not be seen as simply a hurdle to ensure regulatory compliance, but a catalyst for disseminating effective compliance awareness. This can be done through training and workshops but has to come as part of a culture of compliance. It has to be led from the top with the chief executive and board of management setting an example that others will follow.
IT security threats move fast, change frequently and will continue to be challenging. However, a company's armoury will be enhanced by a collective awareness developed through an effectively created and distributed policy. This is the first step to true, as opposed to reporting, compliance.
Clive Davies is a partner at law firm Olswang