I have recently compiled a couple of papers targeted at the IT professional covering compliance issues. These were born out of the frustration of trying to understand exactly what an IT professional really needed to worry about when it comes to compliance. There is so much FUD—fear, uncertainty and doubt—concerning compliance that it makes some IT people worried about doing their jobs for fear of breaking the law!
In this article I've consolidated some notes from a video webinar I recently gave that might be useful for those embarking on their first compliance journey.
The European Union
I don't really want to give a geography lesson, but it is important to understand the context of EU laws and regulations.
The EU, or European Union, currently comprises 27 member states. It was established following the Maastricht Treaty in 1993, which renewed the union originally called the European Economic Community (EEC), and it generates approximately 30% of worldwide GDP with around 500 million citizens.
The EU has developed a system of laws that apply to the movement of goods and people and the creation of a single trading entity. Each member state is subject to both EU and their own locally created national laws.
There are countries that form part of Europe geographically but are not members of the EU, for example Switzerland. These countries are therefore not subject to EU-based legislation. As part of its remit the EU has created business-related compliance and regulatory requirements, including laws that cover the safekeeping and management of data in computer systems. Failure to comply with these laws can result in criminal proceedings and prosecutions, so any organisation operating in the EU needs to take such laws as seriously as those developed nationally.
When considering EU law it is important to understand the structure of the EU and how laws are enacted.
The EU Council represents national governments and is a council of ministers run by a six-month rotating presidency. National ministers attend meetings as appropriate to their portfolio. The European Parliament is elected every five years by citizens of the member states, and members of the European Parliament have geographically based constituencies which are generally larger than those of members of a national parliament.
The European Commission acts as a civil service and drafts new laws, which are passed to the European Parliament for discussion and enactment. The EU is based on a rule of law laid down in a series of treaties and directives. These become collective legislative acts of the EU, which are then enacted in member state laws. If a member state fails to enact a suitable law, action can be taken against that state in the European Court of Justice, which is the judicial institution of the Community.
It is interesting to compare the evolution of IT-related laws in the US to those in Europe. One piece of legislation that has captured a lot of mind share in the US is that of security breach notification.
These laws have been enacted in most US states since 2002 and were created in response to an escalating number of breaches of consumer databases containing personally identifiable information.
The first such law, the California data security breach notification law, was enacted in 2002 and became effective in July 2003. There are ongoing discussions across the EU, both nationally and at a European level, to determine if such legislation should be implemented in this region. A proposal was published in late 2007.
People have different views on this legislation. I am a fan, as reputational risk is often a better motivator for corporate governance than a modest fine which would hardly raise a small paragraph in a local paper. That said, it is interesting to see how Europeans are dragging their feet over a notification law. Is this a cultural issue maybe?
Achieving compliance, in the broadest sense of the word, can be a good thing as it often instils good practices and procedures. On the other hand, over-compliance can be detrimental, as the business can be bogged down in achieving a goal that delivers little direct business benefit.
Ultimately it is a balance that legislators need to achieve, with the help of IT practitioners.
I feel for medium-sized businesses that are captured by the compliance net but have little or no resources to meet what can be seen as an onerous requirement. Fortunately some compliance and regulatory regimes have planned for this and offer suitable break points so that small and medium-sized businesses don't fall foul of regulations whilst being able to run their day-to-day business.
As organisations switch onto the world of compliance they realise that it is far more cost effective to run compliant systems 24/7 rather than hastily scrabble to clean up prior to an audit. Those days should be long gone and organisations should ideally be "audit ready" at all times, or at least strive to be.
Undoubtedly adherence to compliance requirements can assist an organisation trying to achieve funding or a possible sale. In my experience of working in mergers and acquisitions, during various due diligence investigations any non-compliance is often rapidly uncovered, leading to increased suspicions concerning the overall management and health of the business.
The knock-on effect on corporate valuations and exit multiples can have a direct, profound effect on the principals, especially in smaller businesses.
EU Laws and Regulations
There are a lot of EU laws and regulations that we need to take note of. Not all of them apply to every sector, industry or geography, which makes things even more complicated when trying to unearth which acts you should be worrying about.
No doubt a lot of these laws and regulations will be familiar, but believe me there are some quite obscure laws that take a bit of finding. For a recent compliance report I worked with a security software vendor to assess the relevance of acts or regulations to the implementation of encryption technologies. Unfortunately very few of the acts explicitly mentioned encryption, so we had to form our own opinion as to whether implementing such a technology would help an organisation achieve an approved level of compliance.
Let's take a look at the Capital Requirements Directive, commonly referred to as Basel II. This is especially relevant following the current turmoil across the banking and finance sectors.
Basel II is designed to create an international standard that can be used by banking organisations when creating regulations concerning the amount of capital banks need to set aside to guard against operational risks.
The accord is designed to prevent international financial problems being created by collapsed banks, and sets rules on the amount banks need to keep in reserve based on their exposure. Advocates of Basel II see that it will introduce better safeguards into the worldwide financial community. The three pillars of Basel II encompass how banks can prepare for credit risks, interact with regulators and provide responsible disclosure.
Non-compliance can result in institutions having to reserve greater amounts of capital to cover their risk exposure, resulting in less favourable pricing in capital markets. Operational risk forms the heart of Basel II. An institution therefore needs to protect the integrity of its data, be it data at rest, in motion or during transactions.
Reading the requirements for Basel II would suggest to me that data encryption forms a mainstay of this requirement. This is where the rubber hits the road for us in IT, and shows the importance of interpreting the legislation from an information security perspective.
And what about EuroSox?
Two European directives were issued by the European Union Council of Ministers aiming to create more transparency and public confidence in the operations of companies operating within the EU. The Statutory Audit Directive (commonly referred to as EuroSox) is designed to strengthen the standards and public accountability of the audit profession. EuroSox also aims to enhance confidence in financial statements and annual reports from European companies.
The plan is that EuroSox will be incorporated into local national company laws, so penalties will vary from member state to member state.
EuroSox will demand that IT maintains accurate, dependable records with full audit trails of any data changes. Management will expect accurate and dependable reports created from within IT systems. IT systems will need to be secured to meet auditor approval and data must be protected from unauthorised access. Data encryption will therefore have a key part to play in securing data covered by the EuroSox law.
Wading through EU compliance is time consuming and, at times, rather tedious. That said, it is vital that we as IT security professionals remain aware of the acts and regulations that apply to our specific geography, market place or industry sector.
With the current turmoil in the worldwide finance sector there is no doubt that legislation, oversight and regulation will be under more scrutiny than ever before. The risk is that politicians will see heavier compliance requirements as a quick fix for managing far more complex and difficult issues, and that will have a knock-on effect on the IT security community.
In the meantime all we can do is keep our own house in order and make sure we are able to deliver compliant and well managed systems to the business.