Summary by Marina…
What is IT compliance?
IT compliance is a key element of a business’ risk management and a crucial aspect of good governance. Corporate governance is about the need for businesses to identify, understand, and comply with a number of laws, regulations, and standards which affect how a company operates. IT compliance focuses on
- electronic data processing,
- networks, and
- IT infrastructure.
A compliant company has adopted best practice procedures, including internal controls, to protect IT systems, processes and ultimately the value of corporate assets. The main objective of laws and regulatory requirements is to ensure that risks are made transparent and that sufficient controls are implemented so that problems may be identified and dealt with as early as possible.
Statutory and supervisory regulations for risk management include
- Sarbanes-Oxley Act (SOX) of 2002 in the US – response to a number of major corporate and accounting scandals, e.g. Enron, WorldCom; besides financial reporting it also includes IT controls like security, incident management, and disaster recovery.
- Basel II
Why is IT compliance necessary?
- Non-compliant companies risk criminal and/or civil sanctions.
- In recent years senior management in particular has faced penalties (they are assigned personal responsibility) > higher senior management attention towards IT compliance.
Examples of IT compliance
- IT requirements for risk management
- e.g. in Germany, minimum binding requirements for risk management for financial service providers are set.
- These requirements include amongst others that financial service providers must follow the ISO 17799 international security standard.
- User and access administration
- Identity management is important in IT compliance to track which user accessed systems and what systems each is permitted to access.
- To avoid conflicts with data protection laws, standards like ISO 17799, COBIT or ITIL can be implemented.
- IT security for data
- To be compliant, organizations must be able to produce and retain secure data for audit, accounting and legal purposes; they must be able to prove the authenticity of data and the correct running of systems, and to demonstrate that access rights are tightly controlled and operated accordingly.
- e.g. SOX requires companies to retain information for several years > relevant data must be backed up and remain accessible and searchable when required.
- Some laws require strong authentication controls such as encryption and user level logging of access and data amendment.
- ISO 17799 also includes key elements for IT security (business continuity planning, system access controls, system development & maintenance, physical & environmental security, controls & security policy etc.).
How can IT compliance be achieved?
- Impact assessment
- What are applicable laws and regulations?
- What do they require an organization to do to its existing IT system in order to be compliant?
- System due diligence
- Prepare and verify an inventory of existing IT systems.
- Understand the specific purpose of each system.
- Identify and assess existing compliance programs.
- Analysis of competing regulatory requirements
- Analyse and identify overlapping or complementary rules.
- Contract audit
- Carry out an audit of existing contracts (e.g. for system procurement, maintenance, outsourcing etc.) relevant to the IT system to make sure they exist, that their terms are consistent with what is required by the supervisory framework, and that any onerous terms are identified and their risks mitigated where possible.
- Service providers are contractually obliged to assist the organization in meeting its security objectives and regulatory obligations > important feature of the vendor-customer relationship.
What is information security?
Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize ROI and business opportunities. It can be achieved by implementing a set of controls, including policies, processes, procedures, organizational structures and software and hardware functions.
Information security management requires, as a minimum, participation by all employees in the organization. It requires also participation from shareholders, suppliers, third parties, and customers, in order to be successful.
What is the interrelationship with data protection?
Implemented security practices may also satisfy the requirements of data protection laws. According to these laws, information held about people, both customers and employees, should be adequately protected and its security maintained.
IT management frameworks
- COSO (Committee of Sponsoring Organizations of the Treadway Commission)
- Addresses the broader management.
- Internal control is established by the business’ board of directors and management through internal procedures.
- To ensure the predefined goals are achieved within the organization.
- Focus is on the efficiency of operations, financial reporting, and compliance with laws.
- COBIT (Control Objectives for Information and Related Technology)
- Addresses management, users, and auditors alike.
- Focus is on information that could be used to fulfill the business needs and enable IT resources and procedures to function properly.
- Takes also security and quality management requirements into account.
- Goals of COBIT: To fulfill the minimum quality, fiduciary, and security requirements in relation to information assets; Management is expected to optimize the use of available resources, including data, application systems, technology, facilities, and people.
ITIL (Information Technology Infrastructure Library) is generally used for service support. It presents a set of management procedures for IT systems and operations, including security management. Organizations are enabled to structure all of their IT systems and operations in a way that allows them to achieve a high level of security.
The international standard for IT security is ISO/IEC 17799:2005. It provides best practice recommendations on information security management for businesses that want to implement an information security management system. It describes information security as “the preservation of confidentiality, integrity, and availability”. Each ISO/IEC 17799 section specifies information security controls and their objectives, and guidance on implementation. The sections include:
- Risk assessment and treatment.
- Security policy.
- Organization of information security.
- Communications and operations management.
- Access control.
- IS acquisition, development, and maintenance.
- Information security incident management.
Framework for IT service providers
External certification can be used to control third-party and outsourcing suppliers and to ensure a certain level of compliance. Statement on Auditing Standards No. 70 Type II reports (Type II SAS 70) can be used for this. This certification shows that the service provider’s control activities have been audited, including controls of IT and related processes like IT security.
It is recommended that critical IT suppliers adopt international standards like ISO 9001 (Quality management standard), ISO 15000 (IT service management standard) and ISO 17799 (IT security standard).
How to implement an Information Security Management System (ISMS)?
- Design & Layout of the ISMS
- Determine a company’s policies and objectives regarding information security.
- Assess security risks.
- Evaluate various ways of handling risks.
- Select controls from the international security standards.
- Implementation of the ISMS
- Set up procedures and instructions for management and for the compliance/IT department.
- Raise awareness through training.
- Assign roles and responsibilities.
- Implement new systems.
- Review of the ISMS
- Monitor how effective the IT controls are in reducing risks.
- Reassess risks.
- Review policies and procedures.
- Certification of the ISMS
- Only if available and useful in a commercial sense.
- Improvement of the ISMS
- Maintenance through improvement of existing controls.
- Introducing new controls if new threats or changes in the IT infrastructure occur.
European policy on IT security
In Europe, risk management in IT security is a business process that should be linked to the corporate mission and strategy. It is based on the participation and awareness of the whole enterprise. In addition, full incorporation and implementation of all sub-processes such as evaluation and audit of IT security are crucial to successful IT security projects.
European policy recognizes that networks and IT systems have become an essential factor for organizations in terms of economic growth.
- 1992: Council decision in the field of security of information systems resulting in the IT security evaluation criteria (ITSEC) and the IT security manual (ITSEM)
- 2002: Council resolution imposes obligations on the Member State and the European Commission; e.g. best practices and international standards like ISO 17799 have to be promoted by Member States.
- 2004: The European Network Information Security Agency (ENISA) was established; its goal is to enhance the capability of the Community, Member States and businesses to prevent, address and respond to network and IT security problems.
- 2007: A working group of ENISA issued a report that provides an overview of European regulatory activities in the area of network and IT security.
Network & information security
Network and information security means the “ability of a network or an IS to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted data and the related services offered by or accessible via these networks and systems”.
Risk is the probability that a vulnerability in the system affects this data.
Risk assessment is a process including the four steps of (1) threat identification, (2) threat characterization, (3) exposure assessment, and (4) risk characterization.
Risk management is the process of weighing policy alternatives considering risk and other factors and selecting appropriate prevention and control options.
Attacks against information systems
Attacks against IS are subject to criminal penalties in all Member States. Criminal offences include
- illegal, intentional access without right to IS,
- illegal, intentional system interference, e.g. serious hindering or interruption of the functioning of an IS, and
- illegal, intentional data interference, e.g. damaging, deleting, altering data.
Data protection & data security
Data controllers must implement “appropriate technical and organizational measures to protect personal data” against loss, alteration, and unauthorized disclosure or access. Measures are only required if the effort involved is reasonable in relation to the required level of protection.
- Access control – to prevent unauthorized access to personal data.
- Transmission control – to ensure that personal data cannot be read, copied, modified or removed without authorization during transmission.
- Input control – to ensure that one can check and establish whether, why and by whom data have been input.
- Job control – to ensure that data are only processed based on the principal’s instructions.
- Availability control – to ensure that data are protected from accidental destruction or loss.
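The "input control" measure above (and the "user level logging of access and data amendment" mentioned under IT security for data) is usually met with an audit trail that records who changed which record, when, and how, and that can itself be shown not to have been rewritten afterwards. The following is an added example, not code from the summarised article: a small append-only audit log in which each entry carries the SHA-256 hash of its predecessor, so that a later edit or deletion of any entry is detectable. The record layout, the user names and the timestamps are constructed for illustration.

```python
"""Tamper-evident audit log for personal-data changes (added example).

Demonstrates "input control": who input or amended which record and when,
plus a hash chain that makes silent rewriting of the trail detectable.
Record layout and sample data are assumptions for this illustration.
"""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS_HASH = "0" * 64  # fixed anchor for the first chain link


def _digest(fields: Dict[str, object]) -> str:
    """SHA-256 over a canonical JSON encoding, so field order cannot change the hash."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log: every entry embeds the hash of the previous entry."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, object]] = []

    def record(self, timestamp: str, user: str, action: str, record_id: str,
               old_value: Optional[str], new_value: Optional[str]) -> Dict[str, object]:
        """Append one change event (timestamp is supplied by the caller)."""
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        body = {
            "seq": len(self.entries),   # position in the chain
            "timestamp": timestamp,     # when the change was made
            "user": user,               # who made it
            "action": action,           # "create" / "update" / "delete"
            "record_id": record_id,     # which personal-data record was touched
            "old_value": old_value,
            "new_value": new_value,
            "prev_hash": prev_hash,     # link to the previous entry
        }
        entry = dict(body, entry_hash=_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the index of the first inconsistent entry, or None if the chain is intact."""
        expected_prev = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if (entry["seq"] != i or entry["prev_hash"] != expected_prev
                    or _digest(body) != entry["entry_hash"]):
                return i
            expected_prev = entry["entry_hash"]
        return None

    def history(self, record_id: str) -> List[Tuple[str, str, str]]:
        """(timestamp, user, action) for every change to one record, e.g. for an auditor."""
        return [(e["timestamp"], e["user"], e["action"])
                for e in self.entries if e["record_id"] == record_id]


def demo() -> Tuple[Optional[int], Optional[int]]:
    """Constructed sample: three legitimate entries, then a silent edit of entry 1."""
    log = AuditLog()
    log.record("2007-03-01T09:00:00Z", "alice", "create", "cust-42", None, "Main St 1")
    log.record("2007-03-02T10:15:00Z", "bob", "update", "cust-42", "Main St 1", "Main St 2")
    log.record("2007-03-03T11:30:00Z", "alice", "delete", "cust-17", "Elm St 9", None)
    intact = log.verify()                 # None: chain is consistent
    log.entries[1]["user"] = "mallory"    # tampering: rewrite who made the change
    tampered = log.verify()               # 1: first entry whose hash no longer matches
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

The chain only proves that the log is internally consistent; an attacker who can rewrite the whole file could also recompute every hash. To give the trail evidential value towards an auditor, the latest `entry_hash` should be periodically signed or deposited with a party that cannot be altered by the system administrators, and the log itself kept under the access-control and availability measures listed above.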
Self-regulation and security policy
Businesses can address IT security themselves by setting up frameworks including policies and agreements. International standards like ISO 17799 support such policies on a practical level.
An IT security policy includes elements like:
- Clearly defined scope of the policy.
- Purpose of the document, especially to whom it applies by linking it to other critical policies, e.g. HR or accounting.
- Definition: clearly and concisely outline the well-defined security concept for the organization; include also why the security policy is implemented.
- Responsibility is assigned to persons for design, implementation and review of the IT security policy.
- Formal inventory of all system software, hardware, networking and application software are prepared and maintained.
- Human resource section refers to the HR policy highlighting the need to recruit suitable experienced staff and to establish a performance measurement process of the staff.
- Management: the security of the network parameters and the operation of the business network and central IT facilities are defined.
- Access control procedures are defined.
- Procedures for system development and maintenance are outlined.
- Enforcement: the policy should include how it will be enforced and how a security breach or misconduct is handled.
Hladjik, J. (2007): IT Compliance and IT security. Privacy & Data Protection 7(4/5/8).