Making compliance work for you
This newsletter is aimed primarily at IT Security Managers and
IT Managers – i.e. those who are usually tasked with implementing
information security controls for compliance.
Basel II, Sarbanes-Oxley, HIPAA … MiFID [1] –
the list keeps growing.
Whilst the administrative burden involved in achieving compliance
is probably the main complaint of those affected, the other is the
sheer cost. Estimates for complying with Sarbanes-Oxley range from
$2m to $10m per company. For banks complying with Basel II, figures
of up to €60m have been given.
For some companies, the costs seem overwhelming: last year several
European companies threatened to de-list from US stock exchanges
rather than meet the cost of complying with Sarbanes-Oxley [2], a move
which may not have exempted them anyway.
From an IT Security Manager’s perspective however, it may
not be all bad news. One consequence of this tide of regulation
is that information security has started to become much more of
a concern for board and senior management, rather than merely “an
IT problem” – in fact, under Sarbanes-Oxley, board-level
executives are held directly responsible for the accuracy of financial
reports (Section 302 – Corporate Responsibility for Financial
Reports) and further, perhaps more pertinently for IT Security Managers,
“the signing officers are responsible for establishing and
maintaining internal controls” (Section 302(a)(4)(A)). Basel
II mandates similar board-level responsibilities (Part 3 II.1 Board
and Senior Management Oversight).
As we all know, senior management support is essential if a comprehensive
information security strategy is to succeed. With senior management
now being held accountable for ensuring the security and performance
of their internal systems, IT Security Managers may find it easier
to secure the finances necessary for improving information security
within their companies.
Traditionally, obtaining funding for security has been difficult,
with management reluctant to spend on anything that doesn’t
appear to make a visible difference to the bottom line. However,
security breaches definitely impact the bottom line and the cost
is increasing - the average cost of a security breach is £12,000
and last year, security breaches cost businesses in the UK £10
billion [3]. With the growing involvement of organised crime in information
security attacks (such as the recent Shell chip and PIN fraud [4])
and the heightened sophistication of the attacks themselves, those
figures are certain to climb. Often security breaches are considered
something that happens to other people, but we cannot afford to
think that way. Cynics may suggest that it is the threat of jail
stipulated in compliance regulations rather than a fear of security
breaches that has brought information security sharply into focus
for senior management, but either way, the result is the same: information
security now has a higher profile.
Given the number of different regulations involved, it is important
to think strategically. The first action to take is to find out
which laws and regulations apply to you (ideally your company will
have compliance officers and/or a legal department to tell you,
if you don’t already know). Once that has been established,
determine which sections are relevant – e.g. Section 404 “Management
Assessment of Internal Controls” is the most relevant section
of Sarbanes-Oxley for IT Security Managers (if applicable, of course)
– and then compare them, looking for the bigger picture and
areas of overlap. You should include future regulations in your
planning too, particularly MiFID (implementation date 1st November
2007). Complying with each regulation in isolation, one at a time,
is not a good idea…
This may represent an opportunity to implement security controls
and procedures that you’ve been wanting to implement for some
time. In particular, this would be the ideal time to implement a
formal information security management system (ISMS) using ISO 27001
and ISO 17799, since they provide solutions to many of the problems
raised by compliance regulations. Also, it should be emphasised
that ISO 27001 is a management standard and can be used for assessment
and certification (ISO 17799 provides guidance only) – reinforcing
the point that information security is a management process, not
a technological one.
Section 404 of Sarbanes-Oxley is only four paragraphs long and
doesn’t provide any guidance on how to achieve compliance.
Another compliance document, the Payment Card Industry (PCI) Data
Security Standard, lists twelve requirements for information security
– requirement 9 “Restrict Physical Access to Cardholder
Data” has several subsections that will look familiar to anyone
with a reasonable knowledge of ISO 27001 Annex A – for instance,
compare PCI 9.1 “Develop procedures to help all personnel
easily distinguish between employees and visitors, especially in
areas where cardholder information is accessible” with ISO
27001 clause A.9.1.2 “Secure areas shall be protected by appropriate
entry controls to ensure that only authorized personnel are allowed
access,” and the implementation detail given in the corresponding
section 9.1.2 in ISO 17799:2005.
Similarly, one section of MiFID will deal with outsourcing of “critical
and important” functions and services, which ISO 27001 covers
(at least to some extent) in clause A.6.2 “External Parties”
of Annex A.
Of course it should be stressed that one size does not fit all,
and the requirements of one regulation may not map neatly onto the
requirements of another. Equally, there may be areas (particularly
with Sarbanes-Oxley) where you will have to look to Control Objectives
for Information and related Technology (COBIT) [5] or the IT Infrastructure
Library (ITIL) [6], as well as ISO 27001. However, in the end, an ISMS
based on ISO 27001 will give you a firm foundation for successful
compliance.
References and links
1. http://www.fsa.gov.uk/Pages/About/What/International/EU/fsap/mifid/index.shtml
2. http://www.theregister.co.uk/2005/01/11/europeans_slam_sarbox/
3. DTI Information Security Breaches Survey 2006, conducted by PriceWaterhouseCoopers
4. http://software.silicon.com/security/0,39024655,39158743,00.htm
5. http://www.isaca.org/cobit
6. http://www.itil.co.uk/
• Archive of major US Acts and Legislation: http://www.legalarchiver.org/
• Compliance solutions for financial services industry: http://www.complinet.com
• Full Basel II document: http://www.bis.org/publ/bcbs118.pdf (1.1 Mb)
• MiFID: http://ec.europa.eu/internal_market/securities/isd/index_en.htm#isd