Information Security Compliance: Still on the Agenda?

21 Aug 11:55

British businesses must refuse to be left behind by UK Government complacency regarding Information Security compliance. With no set date for a UK equivalent to Sarbanes-Oxley, compliance seems to be slipping down the list of priorities for IT Directors trying to juggle multiple and often conflicting priorities, argues Lorraine Cousins, Managing Director of Halcyon Software - a provider of systems monitoring and security compliance solutions.

Information security across the globe is being driven by compliance requirements in the form of new legislation and tighter industry regulations. Companies are starting to grapple with the increasing number of such laws and policies that demand fully secure IT and data - yet fail to specify exactly what is meant by "secure IT and data" - and the measures that should be put in place. These confusing regulatory requirements mean that some companies may be overlooking dangers elsewhere in their drive for compliance. A company could be totally compliant but not secure, or it may be totally secure and yet still not compliant. The problem is that it is far from clear what these IT compliance requirements mean in terms of IT security. Part of the motivation, it seems, following the Enron and WorldCom scandals, is keeping company directors out of prison and avoiding hefty fines being levied on companies.

In the UK we appear to be more complacent regarding legislation, with our government noticeably lagging behind its US counterparts. Admittedly, so far we have been spared the high-profile scandals that have prompted legislation such as Sarbanes-Oxley, but that doesn't prevent our government from taking action. I believe that we do need legislation in order to force people to take security seriously. Although we have good guidelines, such as ISO 27001, organisations in the UK must understand that they need to invest more in information security management, and that this is not an isolated one-off exercise that happens under the auspices of the IT department, but an ongoing activity that needs the full backing of the management and board.

Security isn't just about achieving compliance or demonstrating best practice - it can have a monumental impact on the business. In our information economy, the availability, integrity and confidentiality of data are fundamental to long-term corporate survival. Technology systems today are increasingly sophisticated and complex, with the result that they are potentially vulnerable to a fast-changing range of threats, and the tracking and remediation of security breaches is expensive and highly labour-intensive. These problems are not restricted to internet or e-commerce based business - all organisations, across all industries, whether public or private, have highly confidential, sensitive information that has to be kept safe. Some examples are: customer credit card numbers, health records, intellectual property for new products or for established secret recipes and product formulations, financial transactions, customer lists, accountancy records and databases. In fact, any information which, if leaked, could cause embarrassment, bad press or litigation, could severely damage your reputation within your market, or could allow your competitors to gain a serious advantage.

Strategic responsibility for ensuring that an organisation defends its assets in an appropriate manner can no longer be delegated to the IT Director. Information security is now a senior management, corporate governance responsibility and has to be taken seriously, regardless of what legislation may or may not be in place. Your company doesn't want to be hitting the headlines for all the wrong reasons.

Information security is not just about protecting your business from fraud and hackers - it's also about human error. The simple act of making a mistake can lead to bad data or inadvertent data deletion, and the consequences of these errors can be just as devastating as those of a deliberate attack. In many cases management are unaware of the risks they face through their IT systems, and these are risks that could be considerably reduced by implementing the correct privileges and access rights. According to a recent survey, larger businesses in the UK suffer nearly 20 information security incidents each year, at an average cost of GBP12,000. And, as the worst security incident can cost a company around GBP130,000, this all adds up to a considerable amount of money that has to be explained to shareholders. Security is no longer an IT problem; it's a corporate issue that needs total management support, and for which the whole company has to take responsibility. It's about having professional business rules for everybody to follow.

Best practice guidance for information security already exists in the form of ISO 27001 - an international standard for the development, deployment and ongoing management of an information security management system that is vendor-neutral, technology-agnostic and sector-independent. Sarbanes-Oxley is good practice forced on companies and is great for organisations whose business is primarily financial; ISO 27001 makes easier reading, and its guidelines are more appropriate for all industries, reducing risk in all areas.

A recent independent survey of UK companies that had undergone ISO 27001 (BS 7799) certification highlighted the benefits gained, which included increased customer confidence and improved internal discipline. At the same time, many of these companies were now proactively promoting to both suppliers and customers the fact that their data is safe, and this in turn helped build trust. The most unexpected effect of certification reported by managing directors was a significant increase in business, at the expense of non-certified competitors, so ISO 27001 had conferred a significant competitive advantage.

In order to achieve information security compliance, the first essential step is to carry out a risk assessment to understand the scope of the problem that may exist within the organisation. How many software applications have backdoors for ease of management written into them, how many ex-employees still have active network user accounts, and how many people in the organisation actually need to have the highest level of access privileges? These are the types of issue that a risk assessment will throw up - nothing yet to do with hackers and malicious attacks.

The next step is to close these open doors, determining exactly which data users really need access to, and putting in place access templates based on job function. It's also important to run regular reports against your defined security policy to see that it remains compliant, and to present them as proof to the auditors that you are following your own procedures and have tight control on security. A good security policy doesn't exist to hinder people in their jobs - it's there to protect the company and its data.

Managing compliance can be a labour-intensive process: a recent Fortune 500 CEO working party estimated that, on average, 20,000 staff hours (the equivalent of 10 people working full time for a year) will be required to ensure security compliance for large corporations. Running regular risk assessment reports for internal and external audits, and carrying out frequent security policy checks and fixes, is therefore better done with automated software tools than by manual procedures. And finally, real-time monitoring and alerting is essential, so that should anything untoward occur you really will be the first to know.
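The kind of automated policy report the three steps above call for, as an added example that is not Halcyon's code or part of the original article: it takes a constructed directory dump, an HR staff list and role-based access templates, and reports leavers whose accounts are still enabled, users holding groups beyond their job-function template, and whether the highest privilege level is held by more people than policy allows. All names, groups and the policy limit are constructed sample data.

```python
"""Access-rights compliance report over constructed sample data."""
from typing import Dict, List, Set, Tuple

# Constructed sample data, not taken from any real directory or HR system.
ACCESS_TEMPLATES: Dict[str, Set[str]] = {      # job function -> groups it needs
    "accounts_clerk": {"ledger_ro", "payroll_ro"},
    "payroll_admin": {"ledger_ro", "payroll_rw"},
    "sysadmin": {"ledger_ro", "payroll_rw", "domain_admin"},
}
CURRENT_STAFF: Dict[str, str] = {              # username -> job function (HR record)
    "alice": "accounts_clerk", "bob": "payroll_admin", "carol": "sysadmin",
}
ACCOUNTS: List[Tuple[str, bool, Set[str]]] = [  # (username, enabled, group memberships)
    ("alice", True, {"ledger_ro", "payroll_ro"}),
    ("bob", True, {"ledger_ro", "payroll_rw", "domain_admin"}),  # beyond template
    ("carol", True, {"ledger_ro", "payroll_rw", "domain_admin"}),
    ("dave", True, {"ledger_ro"}),                # left the company, never disabled
    ("erin", False, {"payroll_rw"}),              # leaver, correctly disabled
    ("svc_backup", True, {"domain_admin"}),       # service account with no owner on record
]

def audit(accounts, staff, templates, top_group="domain_admin", max_top=2):
    """Return (check, username, detail) findings; an empty list means compliant."""
    findings = []
    top_holders = []
    for user, enabled, groups in accounts:
        if not enabled:
            continue  # a disabled account grants no effective access
        if top_group in groups:
            top_holders.append(user)
        role = staff.get(user)
        if role is None:  # enabled account with no current employee behind it
            findings.append(("orphaned_account", user, "enabled but not on staff list"))
            continue
        extra = groups - templates[role]  # anything beyond the job-function template
        if extra:
            findings.append(("excess_privilege", user, f"{role} also holds {sorted(extra)}"))
    if len(top_holders) > max_top:  # policy cap on the highest privilege level
        findings.append(("too_many_admins", ",".join(sorted(top_holders)),
                         f"{len(top_holders)} hold {top_group}, policy allows {max_top}"))
    return findings

if __name__ == "__main__":
    for check, user, detail in audit(ACCOUNTS, CURRENT_STAFF, ACCESS_TEMPLATES):
        print(f"{check:17} {user:22} {detail}")
```

Run against a real directory export on a schedule, the same report doubles as the audit evidence the article asks for, and any non-empty result is the alert.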

Good practice in IT has been proven to increase productivity, improve efficiency and reduce costs. Compliance is long overdue in the UK, and the controls that organisations are now putting in place should already have been there as part of sound business management. Those companies who now start to look seriously at compliance issues are going to reap the benefits; those that delay and leave it too long will find that appropriate resources will be more scarce and expensive. And those that wait for the government to legislate will probably go out of business.

About Halcyon Software:
Halcyon Software Limited is an established software company with over 17 years experience in systems management. Halcyon writes software for IBM midrange computers as well as Windows, Linux, Unix, AIX and Netware platforms. Large multinational companies, corporate data centres, as well as small to medium-sized businesses use Halcyon Software products to proactively manage and automate their IT operations.

The Head Office is based in Peterborough, Cambridgeshire, and their software is used throughout the world with distributors in Europe, Australia and the USA. Customers include Cap Gemini, Avon Cosmetics, Honda, Raleigh, Burberry, Early Learning Centre, Arcadia and Budget Insurance.

[Lorraine Cousins' article raises some interesting and pertinent issues. As a matter of principle, whether to comply with legislation or not should not be included as a risk management subject. In practice it often is, because the external pressure through enforcement is seen to be missing, so non-compliance is often not seen as an insurmountable risk.

The other factor is whether this type of legislation is really needed in the UK. In many ways the UK is a halfway house between the over-regulated European countries and very liberal places such as the Channel Islands and the Isle of Man, the US being somewhere in between these days. One of the few things governments are good at is cracking peanuts with steam-hammers. Unfortunately they don't often hit the nut they are aiming at, or they hit a few extra accidentally. This is a good property of government - government micro-management leads to European conditions, nothing to strive for!

The US legislation and some EU directives have been useful in that they have led to increased research in secure enterprise architectures. This again has caused a much higher level of integration of IT into corporate business practices - IT is no longer in a silo in the organisation but the actual blood vessels making it run and coordinate, finally leading to the efficiency gains we have been hoping for over the last 45 years. I would argue that infosec has been instrumental in this, and systems supporting secure architectures are starting to roll off the shelves from companies like Cisco.

My point is that nothing can stop this tendency - it is rolling, and it is business-driven. Hence, whereas the US legislation has acted as a catalyst in this process it is not necessary to imitate it in the UK. --Ed].

Related links:
www.halcyonsoftware.com

Taken from Information Security Bulletin.