So what has happened to change this view and why is the management of risk creeping up the agenda of senior management meetings?
The answer lies in two key areas - regulation and legislation. Falling foul of the rules can have some serious consequences for senior management and the organization - ranging from a 'slap on the wrist' to substantial financial losses or significant erosion of brand. So what are the regulations and legislation that need to be addressed?
Firstly, let's take a look at regulation. Many will be familiar with the need to fulfill the regulatory requirements connected with certain market sectors - finance, health services, retailing, utilities and so on. The one regulation that binds each of these sectors, and indeed all types of organization, is 'corporate governance'. This is about the way organizations are managed - from the Board down to everyone who works for the company. Good practice guidance for corporate governance in the U.K. can be found in 'The Combined Code' (also known as the Turnbull Report after the chairman of the committee that produced it). Originally intended as the definitive guide to corporate governance for all companies listed on the London Stock Exchange, it has now become the 'de facto' standard for all organizations who take the subject seriously.
Secondly, there's the ever-growing volume of legislation that must be complied with if information is to be legally protected, and again it's senior management who have obligations to comply with any applicable laws. Failure to comply with legislation can lead to criminal or civil proceedings, or both, being launched against senior management jointly and severally. In the U.K. the main Acts to be considered are the Copyright, Designs and Patent Act 1988, the Data Protection Act 1998 (DPA), and the Regulation of Investigatory Powers Act 2000 (RIPA). The DPA and RIPA - together with the Human Rights Act 1998 - constitute what is satirically known as the 'Unholy Trinity', largely because of the alleged inconsistencies, conflicts and complexities that exist between and within them. This label is not entirely unfair as the Acts introduce a number of potential traps that are all too easy for unsuspecting senior managers and/or organizations to fall into.
The Data Protection Act 1998 provides for data subjects (people to whom any personal data 'belongs') to be given substantial rights by data controllers (organizations who collect and process the personal data belonging to data subjects). In particular, the Act codifies the need to ensure that data controllers implement appropriate technical and organizational controls to protect any personal data that they process from breaches of security such as unauthorized disclosure, modification or destruction. Before data controllers can process new personal data, they must, amongst other things, 'notify' the Office of the Information Commissioner about the intended processing and state, in general terms, how such data will be protected.
So what is required to protect personal data? The answer lies in the word 'appropriate'. Appropriateness is assessed on a risk basis, that is consideration of the degree of harm suffered if there is a security breach; the threats likely to cause an impact; and the organization's vulnerability to the threats manifested in a breach.
The Regulation of Investigatory Powers Act 2000 introduces a new regime for intrusive investigatory techniques. The main impact for most organizations is compliance with the framework, known as lawful business practice, that defines what monitoring and recording of communications (voice and data) is allowed and how it must be carried out. Most organizations will already have policies in place in respect of email usage and internet access. Their next actions should be to have these policies reviewed by their legal representatives to ensure that they are legally compliant with lawful business practice and the personal privacy requirements of the Data Protection Act. Following this review, the policies must be promoted to all staff that use the communication systems (and they must also be periodically reminded of the policies).
The Copyright, Designs and Patent Act 1988 is especially pertinent in respect of the copyrighted software used within an organization, although it is equally applicable to any form of documentation that is produced. In the U.K., copyright infringement is now considered an extremely serious offence, with directors and other miscreants liable for up to 10 years imprisonment for reckless abuse. A major concern of Government that has led to such a draconian penalty is the amount of money - estimated at £8 billion per year - being raised illicitly by selling counterfeit goods. Again, many organizations will have policies on the use of authorized software, and restrictions as to what other software may be loaded onto PCs. When buying a software license an organization is purchasing the right to use it, not own it. Few organizations realize the full extent of their liability in this respect, but the fact remains that it is they who are ultimately responsible for any copyrighted material being used illegally by their staff (and use includes merely storing it).
Clearly, it is difficult to cover here all the areas of compliance that organizations need to achieve from the total list of legal and regulatory issues to which they are subjected. There are, however, a number of ways of addressing any issues raised once you have considered your organization's compliance.
Firstly, organizations should seek to comply with ISO 17799: A Code of Practice for Information Security Management. This standard provides the framework upon which the policies and procedures should be developed. Secondly, relevant staff should attend training courses that will develop their knowledge and skills. Thirdly, organizations should implement a process of security risk assessment so that all the risks associated with their legal and regulatory obligations are understood and appropriately managed.
Don't just ponder - act!
The sheer volume of legislation worldwide confronting organizations is certainly raising the profile of security risk management, and senior management is becoming more aware of the consequences of not taking security seriously enough. It's not just a question of financial loss due to fraud or other unauthorized activity; it's concern over the degradation of brand that has cost thousands to build, not to mention loss of customer and shareholder confidence. If any doubt still remains over the possible consequences, then ponder recent events in the USA that illustrate the real-life effects of failure to comply with good corporate governance and legislation.
Alan Lycett is principal security consultant at Ultima Business Solutions (www.ultimabusiness.com).
Ultima Business Solutions is exhibiting at Infosecurity Europe, Europe's largest and most important information security event. Now in its 8th year, the show features Europe's most comprehensive FREE education program, and over 200 exhibitors at the Grand Hall at Olympia from April 29- May 1, 2003. www.infosec.co.uk