Getting to Grips with Compliance – Some Notes from the Front Line

I have
recently compiled a couple of papers targeted at the IT professional covering
compliance issues. These were born out
of the frustration of trying to understand exactly what an IT professional
really needed to worry about when it comes to compliance. There is so much FUD—fear, uncertainty and doubt—concerning compliance that it makes some IT
people worried about doing their jobs for fear of breaking the law!

In this
article I’ve consolidated some notes from a video webinar I recently gave that
might be useful for those embarking on their first compliance journey.

The European Union
I don’t
really want to give a geography lesson, but it is important to understand the
context of EU laws and regulations.

The EU, or
European Union, currently comprises 27 member states. It was established
following the Maastricht treaty in 1993 which renewed the union originally
called the European Economic Community or EEC and generates approximately 30%
of worldwide GDP with around 500 million citizens.

The EU has
developed a system of laws that apply to the movement of goods and people and
the creation of a single trading entity.
Each member state is subject to both EU and their own locally created
national laws.

There are
countries that form part of Europe geographically but do not have membership of
the EU, for example Switzerland. These countries are therefore not subject to
EU-based legislation. As part of its remit the EU has created business related
compliance and regulatory requirements, including laws that cover the safe
keeping and management of data in computer systems. Failure to comply with
these laws can result in criminal proceedings and prosecutions, so any
organisation operating in the EU needs to take such laws as seriously as those
developed nationally.

When
considering EU law it is important to understand the structure of the EU and
how laws are enacted.

The EU
Council represents national governments and is a council of ministers run by a
6-month rotating presidency. National ministers attend meetings as appropriate
to their portfolio. The European Parliament is elected every five years by
citizens of the member states and members of the European Parliament have
geographically based constituencies which are generally larger than those for
members of a national parliament.

The European
Commission acts as a civil service and drafts new laws which are passed to the
European Parliament for discussion and enactment. The EU is based on a rule of
law which is laid down in a series of treaties and directives. These then become a collective legislative
act of the EU which are then enacted in member state laws. If a member state
fails to enact a suitable law then action can be taken against that state in
the European Courts of Justice which is the judicial institution of the
Community.

It is
interesting to compare the evolution of IT-related laws in the US to those in
Europe. One piece of legislation that has captured a lot of mind share in the
US is that of security breach notification.

These laws
have been enacted in most US states since 2002
and were created in response to an escalating number of breaches of
consumer databases containing personally identifiable information.

The first
such law, the California data security breach notification law, was enacted in
2002 and became effective in July 2003. There are ongoing discussions across
the EU, both nationally and at a European level, to determine if such
legislation should be implemented in this region. A proposal was published in
late 2007.

People have
different views on this legislation. I am a fan, as reputational risk is often
a better motivator for corporate governance than a modest fine which would
hardly raise a small paragraph in a local paper. That said, it is interesting
to see how Europeans are dragging their feet over a notification law. Is this a
cultural issue maybe?

Achieving compliance, in the broadest sense of the
word, can be a good thing as it often instils good practices and procedures. On
the other hand over compliance can be detrimental as the business can be bogged
down in achieving a goal that delivers little direct business benefit.

Ultimately
it is a balance that legislators need to achieve, with the help of IT practitioners.

I feel for
medium sized businesses that are captured by the compliance net but have
little or no resources to meet what can be seen as an onerous requirement.
Fortunately some compliance and regulations have planned for this and offer
suitable break points so that small and medium sized business don’t fall foul
of regulations whilst being able to run their day to day business.

As
organisations switch onto the world of compliance they realise that it is far
more cost effective to run compliant systems 24/7 rather than hastily scrabble
to clean up prior to an audit. Those days should be long gone and organisations
should ideally be “audit ready” at all times, or at least strive to be.

Undoubtedly adherence
to compliance requirements can assist an organisation trying to achieve funding
or a possible sale. In my experience of working in mergers and acquisitions
during various due diligence investigations any non-compliance is often rapidly
uncovered leading to increased suspicions concerning the overall management and
health of the business.

The knock on
effect to corporate valuations and exit multiples can have a direct, profound
affect on the principals especially in smaller businesses.

EU Laws and Regulations
There are a
lot of EU laws and regulations that we need to take note of. Not all of them
apply to every sector, industry or geography which makes things even more
complicated when trying to unearth which acts you should be worrying about.

No doubt a
lot of these laws and regulations will be familiar, but believe me there are
some quite obscure laws that take a bit of finding. For a recent compliance
report I worked with a security software vendor to asses the relevance of acts
or regulations to the implementation of encryption technologies. Unfortunately
very few of the acts explicitly mentioned encryption so we had to form our own
opinion as to whether implementing such a technology would help an organisation
achieve an approved level of compliance.

Let’s take a
look at the Capital Requirements Directive, commonly referred to as Basel II.
This is especially relevant following the current turmoil across the banking
and finance sectors.

Basel II is
designed to create an international standard that can be used by banking
organisations when creating regulations
concerning the amount of capital banks need to set aside to guard against
operational risks.

The accord
is designed to prevent international financial problems being created by
collapsed banks, and sets rules on the amount banks need to keep in reserve
based on their exposure. Advocates of Basel II see that it will introduce
better safeguards into the worldwide financial community. The three pillars of
Basel II encompass how banks can prepare for credit risks, interact with
regulators and provide responsible disclosure.

Non-compliance
can result in institutions having to reserve greater amounts of capital to
cover their risk exposure resulting in less favourable pricing in capital
markets. Operational risk forms the heart of Basel II. An institution therefore
needs to protect its data with the utmost integrity; be it data at rest, in
motion or during transactions.

Reading the
requirements for Basel II would suggest to me that data encryption forms a
mainstay of this requirement. This is where the rubber hits the road for us in
IT, and shows the importance of interpreting the legislation from an
information security perspective.

And what
about EuroSox?

Two European
directives were issued by the European Union Council of Ministers aiming to
create more transparency and public confidence in the operations of companies
operating within the EU. The Statutory Audit Directive (commonly referred to as
EuroSox) is designed to strengthen the standards and public accountability of
the audit profession. EuroSox also aims to enhance confidence in financial
statements and annual reports from European companies.

The plan is
that EuroSox will be incorporated into local national company laws, therefore
penalties will vary from member state to member state

EuroSox will
demand that IT maintains accurate, dependable records with full audit trails of
any data changes. Management will expect accurate and dependable reports
created from within IT systems. IT systems will need to be secured to meet
auditor approval and data must be protected from unauthorised access. Data
encryption will therefore have a key part to play in securing data covered by
the EuroSox law.

Wading through
EU compliance is time consuming and, at times, rather tedious. That said, it is
vital that we as IT security professionals remain aware of the acts and
regulations that apply to our specific geography, market place or industry
sector.

With the current
turmoil in the worldwide finance sector there is no doubt that legislation,
oversight and regulation will be under more scrutiny than ever before. The risk
is that politicians will see heavier compliance requirements as a quick fix to
managing far more complex and difficult issues, and that will have a knock on
effect to the IT security community.

In the
meantime all we can do is keep our own house in order and make sure we are able
to deliver compliant and well managed systems to the business.