Information Governance and IT Law - Risk and Compliance Evaluation - Assignment Example

Introduction

The UK is committed to an ambitious vision in which electronic networks will create an Information Society and Knowledge Economy. Information and Communication Technologies (ICT) hold the potential to revitalise UK business, to spur economic growth and competitiveness, to revolutionise working practices and living environments, and to transform government services and our democratic process. With the froth from the dotcom bubble out of the way, UK businesses are getting down to the serious task of harnessing ICT to make them more competitive. However, it is clear that electronic networks will only be exploited if trust and confidence can be assured. Today, cyber-crime and information security incidents are deterring consumers and imposing costs on businesses. Tomorrow, as organisations become more dependent upon networks, insecurity will be a business-critical issue.

• The UK has an ambitious agenda to become a leader in the Knowledge Economy and to use ICT to transform public life
• Trust and confidence in information networks is vital to the achievement of this vision
• A clear national agenda has been articulated in Protecting the Digital Society
• The private sector should be capable of managing its own information risks via good corporate governance
• Corporate boards are increasingly aware of the importance of Information Assurance
• This awareness is not yet being translated into effective controls
• Boards need clear incentives and effective tools to enable them to realise the potential of the Knowledge Economy

I. Justify, based on the ideas of corporate and information governance and BS 7799 Part 1, the three key areas that a company should be concerned with in developing their Information Security Management System (ISMS), giving relevant examples based on the case study to illustrate your analysis.
There are numerous guidelines and standards relating to Information Assurance and security. These range from the high-level Guidelines on Information Security produced in 2002 in revised form by the Organisation for Economic Co-operation and Development (OECD), through risk assessment systems such as the Carnegie Mellon University (CMU)/Software Engineering Institute (SEI) OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation), to the joint initiative by the National Security Agency (NSA) and the National Institute of Standards and Technology (NIST) to promulgate minimum technical standards for system configuration. What Boards require is a management standard that enables them to implement Turnbull in relation to information risk. The most prevalent such standard today is British Standard 7799, Code of Practice for Information Security Management (Part I of which became International Standard 17799). Since the company’s servers and the Storage Area Network (SAN) for the UK operation are contained in two mirrored data centres, the three key areas that our company should be concerned with in developing its Information Security Management System (ISMS) are:

1. BS7799 is a comprehensive work of reference and is intended to facilitate the identification of a wide range of IA controls, which most IT environments in the industrial and commercial sectors will need. The Code contains a detailed set of controls that will satisfy the IA requirements of most IT environments across all functional domains, and a specification (BS7799 Part II) against which compliance may be assessed. It also has a certification scheme linked to it, so that organisations can obtain independent confirmation that their information security management systems comply with the standard. The company’s staff are managed from the UK parent company by a dedicated, specialist Human Resources department.

2. BS7799 serves as a means of implementing the Turnbull Report's recommendations.
In Government, the Cabinet Office Security Division is actively promoting this approach. A report by the Public Audit Forum states that: “the Standard and its supporting guidance is a strong candidate to form the basis of inter-organisational information systems auditing”.1 In the UK private sector, however, awareness of the standard remains poor. According to a DTI-sponsored telephone survey of 1000 organisations across a wide range of UK businesses: “only 15% of people interviewed said that they were aware of the content of BS7799. In large organisations, this number only rose to 42%, which is still disappointingly low.”2 The company has customers in 130 countries in a range of high technology fields; the company provides customer support offices in most of these countries, the staff of which are managed from the UK parent company by a dedicated, specialist Human Resources department. This poses a logistical problem of information dissemination, whereby the relevant information regarding the legalities and minute details of BS7799 must be systematically disseminated, sorted, organised and then implemented in each of the 20 offices that it operates throughout the world.

3. Certification can be defined as the process by which an organisation, procedure or process is tested, evaluated and rated in order to determine whether it complies with a certain standard. Certification has been a widespread goal in a number of quality-related areas in recent years. Standards such as ISO9000 and Investors in People (IIP) have been adopted by private and public sector organisations alike. In relation to Information Assurance, however, industry practice seems to be compliance with standards, rather than going through the formal certification process. The DTI's Information Security Breaches Survey 2002 noted: “Significant numbers of UK businesses are now compliant with BS7799. 38% of those aware of the standard have already adopted it in their organisation and 18% are planning to in the near future. This means that approximately 80,000 UK businesses are now compliant with BS7799, and a further 40,000 are planning to be in the next year. What is more, 48% of those that are compliant have obtained some form of accreditation of their compliance against the standard by a third party – this equates to roughly 40,000 UK businesses. Very few of these were formally certified on the BS 7799 Certificate Register; most have simply had some form of security audit.”3 One company that undertook full certification was the Internet bank ‘Smile’. The bank believes that its accreditation serves to reassure customers and gives the organisation the edge on its competitors. Although such customer-based drivers are the aim of the standard, the cost and time involved in obtaining certification act as a barrier rather than an enabler for the majority of organisations. For example, the process of obtaining accreditation for the Co-operative Bank's Internet bank Smile involved: “175 pages of documentation and cost 45 consulting days, 20 of which were dedicated to risk assessment”. As highlighted by Tim Voss, global IT security risk director at Reuters: “We comply in spirit, even if we don't have the certificate on the wall, but the benefits aren't massive in view of the cost involved in getting accreditation.”41 After reviewing a case study of a BS7799 implementation, the IAAC Standards Working Group concluded in its Position Paper (published December 2000)42 that the guidelines within BS7799 are based on good practice, with a regular procedure for updating the standard. However, the Working Group concluded that the certification process is perceived to be cumbersome and that it struggles to adapt to less mature organisations.
This could be because less mature organisations do not typically have a well-defined process for information management, which is necessary for the implementation of BS7799. Smaller companies often find certification very burdensome. Whilst companies should be encouraged to certify to the standard, it will be more practical and useful to focus upon gaining acceptance that information risk is one of the key risks that needs to be controlled in all organisations, and to require Directors to provide specific confirmation through their Turnbull reporting that IA controls are in place. Directors would need to seek assurance that information risks are being managed, either by reports from management or internal auditors or by third parties. In this respect, ISO17799 could serve as a yardstick against which the organisation's IA practices could be measured. The focus should be upon compliance rather than certification. Since the company has 40,000 employees worldwide, some of whom move overseas during their careers, the need for an integrated Human Resources management system is pressing. Not only that, but the centralised, UK-based HR department should be technologically and financially sound enough to implement relevant certification programmes for its employees in the 20 countries globally. This would adhere to the stringent BS7799 requirement for a well-defined process of information management in a company of this size.

II. Using the concepts in BS 7799 Parts one, two and three, identify and justify the top three major areas of compliance risk that the case study organisation needs to address in the area of customer confidentiality and to meet all relevant Legal and Financial Services regulations. Give examples from the case study to illustrate your argument.
• Information assets and extended information networks are now critical to most businesses
• Turnbull requires boards to deal with safety, security and business continuity – all of which now depend on information systems
• Information Assurance is a holistic, strategic approach to ensuring the reliability, security and privacy of corporate information assets
• The e-commerce ecosystem and the consumer value chain mean that it is not enough for companies to focus only on internal controls
• Corporate governance is the basic duty of a board of directors
• In the private and public sectors alike, corporate governance is now risk-based
• Boards have a duty to satisfy their stakeholders that all risks are being effectively managed
• Internal controls should be used to ensure that risk management is embedded throughout an organisation

While Corporate Governance has long been recognised as essential to any enterprise, the ‘new economy’ has given rise to a greater demand for vigilance against ‘new’ risks. A number of factors need to be considered – these include globalisation and the increased connectivity of societies; the increased speed of production cycles; the impact of new technologies; increased demands for and awareness of regulation; a greater interdependency between businesses; and an increasing skills shortage. Added to this is the fact that company assets are changing from purely ‘tangible’ ones to include more ‘intangible’ assets – the “dematerialisation” of business. The Board should consider the following when assessing their corporate governance: “… areas such as customer relations, safety and environmental protection, security of tangible and intangible assets, business continuity issues, expenditure matters, accounting and financial and other reporting”. The proper management of information systems, including the protection of the confidentiality, integrity and availability of information, is a central element of this ‘duty of care’.
Sound governance is the foundation for long-term organisational success. According to the Institute of Chartered Secretaries and Administrators, governance refers to: “the systems by which organisations are run and the laws, regulations and best practice with which they are required to comply”. In a more general sense, governance means “ensuring compliance with regulations and the implementation of appropriate administrative procedures”.4 Corporate Governance was defined by the 1991 Cadbury Report as “the system by which organisations are directed and controlled. The Board of directors are responsible for the governance of their organisations”. More particularly, corporate governance concerns: “the relationship between the shareholders, directors and management of a company, as defined by the corporate charter, bylaws, formal policy and rule of law”.5 Corporate Governance is the responsibility of senior management and the Board. The Board is usually made up of executive and non-executive members who have the overall duty for governance within any organisation. The responsibilities of the Board include setting the company's strategic aims, providing leadership to put them into effect, supervising the management of the business and reporting to shareholders on their stewardship. They set financial policy and oversee implementation (including the use of financial controls). The Board's actions are subject to laws, regulations and the shareholders in general meeting. On a day-to-day basis, a senior individual within the enterprise – such as the Chief Financial Officer, the Company Secretary or the Chief Operations Officer – must stay abreast of obligations and responsibilities, provide advice on how to comply with legislation and best practice, and manage organisational systems and procedures.
Internal auditors assist with a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.6 The internal auditors also provide the shareholders with an objective check on the Directors' financial statements. The shareholders' role is to appoint the directors and the auditors, satisfying themselves that an appropriate governance structure is in place.7 In exclusively financial terms, the Directors owe a ‘duty of care’ to the shareholders. Although the reports of the Directors are addressed to the shareholders, they are important to a wider audience of “stakeholders”, defined as shareholders, creditors, analysts, customers and consumers, employees, the supply chain and – perhaps more widely – the Government and the public, whose interests the Board may also take into account.8 The trend towards demanding that companies pay attention to interests other than profit maximisation and shareholder value has gained ground in recent years under the rubric of Corporate Social Responsibility (CSR).

Corporate Governance and Risk Management

Whatever the relative priorities in a business's goals, good corporate governance involves the management of risks to an organisation with a view to ensuring the continuity of that organisation's business and its commercial success. The 1999 Turnbull ‘Report on Corporate Governance’ (Internal Control: Guidance for Directors on the Combined Code) requires companies to ensure they have a sound system of internal control and effective risk management processes which the Board regularly reviews. Companies should by now be fully compliant with the Guidance. Although primarily prepared for the listed companies of the FTSE, the Turnbull principles have been developed for the private sector in general.9 In a number of cases, organisations working for listed companies are expected to prove compliance with Turnbull's guidelines as part of the partner scrutiny process.
Further adoption of the Turnbull principles is being encouraged via the industry regulators, e.g. the Financial Services Authority. Good corporate governance involves three steps: identifying the risks; establishing who will be impacted by them (in other words, to whom does a Board owe a duty of care); and controlling and mitigating these risks. As part of this process, internal controls are used to keep the company on course toward the achievement of its mission and to minimise surprises along the way. Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• effectiveness and efficiency of operations
• reliability of financial reporting
• compliance with applicable laws and regulations

The Turnbull Report states the need for internal controls as follows: “the corporate governance framework should ensure the strategic guidance of the company, the effective monitoring of management by the board, and the board's accountability to the company and the shareholders. To achieve this, the board should ensure the integrity of the corporation's accounting and financial reporting systems, including independent audit, and that the appropriate systems of (internal) control are in place”. Internal controls are effective if they are exercised sufficiently often to enable judgements about risk mitigation choices – these might include the transfer of some risk to third parties, the sharing of risks through joint ventures, contingency planning and the avoidance of unplanned risk-taking.
The top three major areas of compliance risk that the organisation needs to address in the area of customer confidentiality and to meet all relevant Legal and Financial Services regulations are to make sure that the organisation's system of internal control:

1. is embedded in the operations of the company and is capable of responding to change;
2. includes procedures for reporting major weaknesses immediately and for managing the key risks;
3. remedies weaknesses promptly and reviews all aspects of internal control on a regular basis.

A system of internal control is sound to the extent that it provides reasonable assurance that a company will not be hindered in pursuing its business objectives, or in the orderly and legitimate conduct of its business, by reasonably foreseeable occurrences. This includes ensuring that fundamental financial and other controls are maintained.

III. Critically evaluate the impact of relevant legislation and other legislative instruments on the achievement of full compliance for these three major risk areas. Identify, using examples from the case study, how these instruments will affect the ISMS.

Responsibility for corporate governance and risk management begins and ends with corporate leaders. As the Institute of Internal Auditors puts it: “The responsibility for risk management within an organisation clearly lies with the board (or equivalent) that should be responsible for setting the strategy and senior management who should be responsible for implementing the strategy, although it is also clear that everyone within an organisation bears some risk management responsibility. This responsibility and accountability is clearly set out in the Turnbull guidance and other similar pronouncements for non-listed organisations. In order successfully to achieve the organisational business objectives, management should ensure that sound and effective risk management processes exist and that they are functioning as intended. Boards and audit committees have an oversight role to determine that risk management is functioning effectively within the organisation”.10

In the UK environment, the role of the Board is to support the governance process by exercising outside scrutiny of management. Non-Executive Directors (NEDs) have long played a key role in this scrutiny process. Recently, however, influential voices have warned that the NED system is failing. The outgoing President of the Institute of Directors, Lord Young of Graffham, speaking at the Institute of Directors' (IoD) annual convention on 24 April 2002, questioned the assumption that part-time, non-executive Directors could know enough about what is going on in their companies to spot potential difficulties.14 These concerns have been taken up by the Department of Trade & Industry in the wake of major corporate governance failures such as Enron and WorldCom. The Higgs review has dealt with claims that NEDs may be too close to the executives on whose Boards they sit.

IV. Make recommendations to the Board of Directors on the relevant sections of the ISMS.
• ISO 17799 provides a sound means of translating the Turnbull requirements into an Information Assurance programme
• Certification is desirable but the focus should be upon achieving compliance
• Auditors and internal auditors play a vital role in managing information risk but they sometimes lack the necessary training and skills
• Risk data is lacking but there is clear business benefit in participating in information sharing initiatives that promise to fill this gap
• Dependency risk is poorly understood but is of increasing importance to business continuity
• Market pressures to conform to “normal practice” are likely to be the most effective route to ensuring widespread take-up of IA policies as a way of managing information risk

The Turnbull Report was successful in bringing the issue of internal control and risk management to the attention of the Board; its principles remain the building blocks on which good Corporate Governance is based. In addition to Turnbull's impact on listed companies, sector-specific regulators such as the Financial Services Authority and Oftel are increasingly emphasising the importance of financial and operational risk management to their industries. However, Turnbull is not prescriptive about the means companies should employ in managing their risks.11 This is an important principle, since each sector will have its particular requirements and features. Nonetheless, the development of the new economy and of e-commerce has increased the complexity of the world in which businesses, governments and consumers operate. Additional tools and further guidance will be needed if Boards are to incorporate IA fully into their Corporate Governance framework. The additional elements of this framework are a Management Standard; Audit; Risk Data; and Dependency Risk.

A Management Standard

Internal Audit

The emphasis on risk management has led to the expansion of the role of internal auditors.
The Institute of Internal Auditors has issued a Position Statement which clearly outlines the role of senior management in risk management processes, and the role that internal auditors can play in making these processes effective: “The role of internal audit within risk management cannot, and should not, be prescribed. The role within one organisation may change over time and the role from one organisation to another is likely to be very different… Internal auditors' involvement in risk management should stop short of managing risks on management's behalf. However, in order to add value, it is often beneficial for internal auditors to give proactive advice or to coach management on embedding risk management processes into business activities”.12

Conclusion

Just as the quality of the audit function within an organisation has become an integral part of corporate governance quality, so the quality of information systems auditing is equally significant. The specialised nature of information systems auditing, and the skills necessary to perform such audits, ideally require globally applicable standards that apply specifically to information systems auditing. ISACA produces standards, guidelines and procedures for IS auditing, and supports the CISA (Certified Information Systems Auditor) qualification. Both this and the CISSP (Certified Information Systems Security Practitioner, issued by ISC2) are recognised by the IT profession and by recruiters. In the UK, IT audit has been a feature of the Institute of Internal Auditors qualification programme since the early 1980s. IIA UK and Ireland introduced a programme of comprehensive computer audit training by offering the QiCA qualification in 1981/82. This has proved to be more attractive to internal audit students than the other two qualifications, mainly because whereas CISA and CISSP focus on IT security, QiCA has a greater focus on computer and information systems audit.

Works Cited

1. IAAC Standards Working Group Position Paper, December 2000, http://www.iaac.org.uk. Retrieved on April 18th 2007.
2. IIA-UK and Ireland, Position Statement “The Role of Internal Audit in Risk Management”.
3. IS Auditing Guideline: Due Professional Care, Booklet 14, Information Systems Audit and Control Association (ISACA) (1999).
4. The UK Financial Reporting Council and The London Stock Exchange, The Committee on the Financial Aspects of Corporate Governance: The Cadbury Report (May 1991), Chair: Sir Adrian Cadbury.
5. Institute of Chartered Secretaries and Administrators, www.icsa.org.uk/about/govern.htm.
6. The Corporate Library (asp.thernfpnfatelihfaty.net/glnssafy/default.asp?Lettef=Q). Retrieved on April 19th 2007.
7. www.theiia.org/ecm/guidance.cfm?doc_id=118. Retrieved on April 21st 2007.
8. DTI Information Security Breaches Survey 2002, https://www.securitysurvey.gov.uk/View2002SurveyResults.htm. Retrieved on April 18th 2007.
9. Audit Implications of Service Delivery in the Public Sector, Public Audit Forum, http://www.public-audit-forum.gov.uk/auditimplications.pdf. Retrieved on April 22nd 2007.
10. DTI Information Security Breaches Survey 2002, https://www.securitysurvey.gov.uk/View2002SurveyResults.htm. Retrieved on April 20th 2007.