Rob Buckley – Freelance Journalist and Editor

The baby bull elephant in the room

"Compliance is like a baby bull elephant: it's big today, it's only going to get bigger and if you upset it, it's going to rampage." That's how one CIO describes compliance, a topic that should be a concern of every information security professional working today.

Certainly, CSOs in vertical markets such as the defence industry and healthcare have had to deal with compliance requirements for almost as long as there have been computers, but laws like the UK's various Data Protection Acts over the years have made virtually all companies the subjects of compliance requirements. Research by IT security integrator SecureData shows that 94 per cent of CSOs now have some responsibility for compliance in their organisations.

On top of existing legislation, there are new regulations coming into effect or being proposed that seem set to make CSOs' lives just a little bit harder - or a nightmare, depending on how prepared they are. The Information Commissioner's Office has published a code of practice concerning data sharing in the UK that covers both routine and one-off instances. The FSA has published new guidance on mortgage fraud and money laundering. The Office of Fair Trading has also published a code of practice about money laundering, while the Ministry of Justice has published draft guidance on the Bribery Act, which came into force on 1st July last year.

Perhaps the biggest and most visible bits of compliance legislation have come from the EU. These include a privacy law regarding cookies, which passed its enforcement deadline in May, and its proposed harmonisation and update of European data protection laws. The former requires all web sites to tell visitors what they use cookies for and to request their permission to use them. What it doesn't do is tell them how to do this. "People haven't appreciated how non-trivial it is," says Eduardo Ustaron, a partner at Field Fisher Waterhouse. "The technology is there, the solutions are there. What makes it a big deal is the need to make tricky decisions about balancing compliance with commercial imperatives so that it isn't intrusive."

"Sites are carefully constructed to maximise efficiency," explains Keynote Systems' director of privacy services, Ray Everett. Injecting a banner warning about cookies only reduces that efficiency. In addition, with many web sites carrying advertising hosted by third parties, it can be hard for organisations to know exactly which cookies their sites serve. To counter that, Keynote's Web Privacy Tracking application not only crawls pages but performs transactions, examines which networks are serving ads and details which cookies are consistent with the organisation's policies and which aren't. Even so, he says, he still gets many calls from CSOs wanting to know how the 'cookie law' fits into their overall privacy compliance schemes.
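The core of the audit described above, as an added example that is not Keynote's tool or the page's own code: take the Set-Cookie headers captured while loading a page (the capture, page URL, hostnames and policy below are constructed for illustration), work out each cookie's effective domain, decide whether it is first- or third-party relative to the page, and report the cookies the site's published cookie policy does not declare. The eTLD+1 reduction is a deliberate simplification noted in the code.

```python
"""Cookie audit over a captured page load (added example, constructed data)."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ObservedCookie:
    name: str
    domain: str        # effective cookie domain (Domain attribute, else responding host)
    set_by: str        # host whose response carried the Set-Cookie header
    third_party: bool  # registrable domain differs from the page's


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. A real audit should use the Public
    Suffix List, otherwise 'shop.example.co.uk' collapses to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def parse_set_cookie(page_url, response_url, header):
    """Parse one Set-Cookie header seen while loading page_url.

    Only the cookie name and its Domain attribute matter for this audit; other
    attributes (Path, Expires, SameSite, ...) are skipped. Splitting on ';' is
    safe because attribute values such as Expires contain commas, not semicolons.
    """
    page_host = urlsplit(page_url).hostname or ""
    resp_host = urlsplit(response_url).hostname or ""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain = resp_host  # no Domain attribute => host-only cookie
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain" and value.strip():
            domain = value.strip().lstrip(".").lower()
    third_party = registrable_domain(domain) != registrable_domain(page_host)
    return ObservedCookie(name, domain, resp_host, third_party)


def audit(page_url, responses, policy):
    """responses: [(response_url, [Set-Cookie header, ...]), ...] captured while
    loading page_url. policy: {(name, registrable domain): declared purpose}.
    Returns cookies the policy does not cover, third-party ones first."""
    findings = []
    for response_url, headers in responses:
        for header in headers:
            cookie = parse_set_cookie(page_url, response_url, header)
            if (cookie.name, registrable_domain(cookie.domain)) not in policy:
                findings.append(cookie)
    findings.sort(key=lambda c: (not c.third_party, c.name))
    return findings


# Constructed sample capture: hostnames and cookies are illustrative only.
PAGE = "https://www.example.com/news"
RESPONSES = [
    ("https://www.example.com/news", [
        "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
        "_ga=GA1.2.1; Domain=.example.com; Path=/; Expires=Thu, 01 Jan 2026 00:00:00 GMT",
    ]),
    ("https://ads.adnetwork-example.net/pixel.gif", [
        "uid=xyz; Domain=.adnetwork-example.net; Path=/; Secure; SameSite=None",
    ]),
    ("https://cdn.example.com/app.js", [
        "cdn_pref=dark; Path=/",
    ]),
]
# What the site's cookie notice declares (constructed).
POLICY = {
    ("sessionid", "example.com"): "strictly necessary: login session",
    ("_ga", "example.com"): "analytics (consent required)",
}

if __name__ == "__main__":
    for c in audit(PAGE, RESPONSES, POLICY):
        kind = "THIRD-PARTY" if c.third_party else "first-party"
        print(f"undeclared {kind} cookie '{c.name}' on {c.domain} (set by {c.set_by})")
```

Running it on the sample flags the ad network's `uid` cookie as an undeclared third-party cookie and the CDN's `cdn_pref` as an undeclared first-party cookie, which is exactly the list a CSO needs before the banner text and consent flow can be written.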

The second of the EU's pieces of legislation is far more wide-ranging and, in fact, game-changing. It proposes changes to the previous 1995 data protection legislation that gave birth to the UK's 1998 Data Protection Act. Changes include the mandatory appointment of a data protection officer, the introduction of a 'right to be forgotten', a requirement to notify authorities of data breaches within 24 hours of their occurrence, and the ability of authorities to impose fines of up to two per cent of global turnover for companies that breach the rules.

Although this sounds stringent, particularly with regards to fines, Deema Freij, legal counsel EMEA and APAC at secure file-sharing service IntraLinks, says that because the UK already has quite strong privacy requirements, there will be comparatively little work for UK companies to achieve compliance compared with companies in EU countries like Spain, provided they've already tried to comply with the DPA. Importantly, it will also force cloud-service providers to become compliant, since now any data breaches that occur with clients' data will be as much their responsibility as it is their clients'.

However, the 24-hour breach notification rule could be very difficult to comply with, since it will require monitoring and logging systems and the processes to act on them. Research from LogRhythm published in April found that, of 200 IT decision-makers at UK businesses, 87 per cent would be unable to identify the individuals affected by a breach within 24 hours, while 13 per cent said it would take them between one week and a month to pinpoint which customer data was affected, and six per cent did not believe they would ever be able to obtain the information accurately. Meanwhile, SecureData's research found that 59 per cent of senior IT managers believe the draft data protection rules will cost their businesses more, while 40 per cent think the proposed 24-hour deadline for notifying individuals of a data breach would advertise security weaknesses before an appropriate security review could be completed. Only 64 per cent and 58 per cent respectively believed that the proposed regulations would improve business security processes and consumer data protection.

As a result of these problems, Freij's feeling is that the issue is being "heavily negotiated" with the EU in an effort to water it down before the final version is published. This uncertainty about what the regulations will eventually contain certainly can't help CSOs begin to prepare for compliance with them.

Yet these are far from the only pieces of compliance legislation - just the ones that have hit the headlines. There are far more low-key, simpler pieces that still have to be obeyed, whether or not CSOs have heard of them and whether or not it's practical to do so. The FSA has, for example, required financial services companies to have all business-related mobile phone calls monitored and recorded. The deadline for this was in November of last year. Many CIOs and CSOs managed to put in place ways to record phone calls, although some organisations took the more radical route of banning the use of mobile phones for work-related conversations. However, according to Natterbox CEO Neil Hammerton, while many companies put their compliance solutions in place at the last minute through complacency, technical problems were as much a cause.

"There was complacency. They knew it was coming for two years, but they didn't believe it was going to be enforced. But the technology largely wasn't ready last year: we were only ready from September and few global organisations would risk using a small company - if there's a breach, who would be accountable?"

As a result, companies took on one-year contracts - the shortest available - for the services while they evaluated them, and are now looking to replace their initial technology choices, having found that the technology didn't serve their purposes or offered a poor user experience: in some cases there were delays on calls, and delays of up to a minute in placing them. Hammerton feels that, now that organisations have a solution in place and are no longer under such pressure to become compliant, and now that his company has the backing of partners like Fujitsu and Orange, they will be able to adopt its technology, which avoids the time lags by using replacement SIMs and equipment housed at network exchanges rather than software on the phones.

Then there's another piece of EU legislation: the EU First Company Law Amendment Directive. This requires companies to include their registered company name and registration number, place of registration and registered office address in every email they send, including those sent from mobile phones with email capabilities. Companies like The Email Laundry, which offers a solution for automatically adding such information to every email, are hoping to capitalise on this legislation, but with penalties of up to only £1,000 for non-compliance, it's likely to sit lower down CSOs' priority lists than other tasks, assuming they've even heard of it.

While many large public sector organisations will have extensive briefings and training from the government about compliance, and larger private sector organisations will have compliance departments or legal teams well briefed on the laws, Deloitte partner Peter Gooch says that many smaller companies, particularly in relatively unregulated industries like the media and in small businesses such as tech start-ups, are about five to ten years behind regulated industries in their attitudes to and knowledge of regulation.

How much attention organisations pay to compliance is also influenced by the penalties for non-compliance. Si Kellow, CSO of Proact, says that because of the low maximum fines associated with compliance legislation, he - along with many other CSOs - ranks his compliance priorities with contractual obligations at the top of the list, followed by the chance of brand damage from a lack of compliance, then fines, and any other requirements after that. Logica's business consulting cyber security lead Cheryl Martin says that reputational damage may be even more important in sectors such as oil and gas, where it can have a colossal effect on share price, whereas for other organisations an inability to trade because an authority has withdrawn authorisation - whether under PCI DSS or by the FSA - will be the concern. At the moment fines remain the lowest issue, except in the most heavily regulated industries, but Kellow says the huge potential size of fines under the new EU data protection legislation will change priorities.

Adrian Davis, an analyst at the Information Security Forum (ISF), argues that as well as trying to stay up to date with compliance legislation - hopefully with the help of either a compliance department or consultants - getting different pieces of compliance legislation to fit together coherently is one of the biggest problems CSOs face. A global organisation has to contend with the differing attitudes of US and European legislators towards data privacy, for example. On top of that, regulators of different markets may impose requirements that don't tally with government legislation, and even a country's own regulators can impose rules that differ from those set by its government: "Some financial services records need to be kept for at least seven years, others for as long as 20-30 years. Yet the DPA requires records to be kept for a maximum of seven years unless you're doing something with them."

The best a CSO can do, according to Deloitte's Peter Gooch, is to follow good security practice such as ISO 27001, educate staff as well as possible, implement some form of data loss prevention technology, be proactive and try to be compliant with at least one regime - but even that is no guarantee of safety.

Logica's Cheryl Martin concludes: "For some, it feels very lonely being a CSO. Most of their work is about compliance now and too often, IT security is taken into the boardroom and disregarded by members. The moment there is a breach, they'll be the one in the limelight, it'll be their operational structure that is questioned, when 99 per cent of the time it's an employee that caused the breach in the first place." Compliance may be an organisational problem, but ultimately, it's the CSO's problem and like that baby bull elephant, it's only getting bigger.

Case study: Proact
Si Kellow, CSO of cloud provider Proact, has worked in IT and security in both the public and private sectors for over 20 years. He wishes he had the time to focus on compliance, but he doesn't. "Unfortunately, there are so many areas - not just privacy and data security, but also financial regulations and PCI, for example - that it's just far too big. If I could dedicate my time to looking at compliance, I could probably fill my week several times over."

Proact handles data for customers all over Europe - not just the EU but also for countries outside the union, such as some of the Balkan states. Although it doesn't operate in any particular vertical market, general compliance rules apply to it with regards to data protection, for example. However, despite data protection being an EU-wide requirement, Proact faces problems dealing with it in practice.

"Within the UK, there's the Data Protection Act 1998," says Kellow. "That is the enactment into UK law of the European directive on privacy. The problem is that each state has its own enactment of that." Proact now takes a 'highest common denominator' approach, looking to all the states in which it trades for the strictest data protection compliance requirements and abiding by those, while having local representatives in different countries to ensure any local 'wrinkles' in compliance are abided by.

However, getting to know what those data protection requirements were was "trial and error" according to Kellow. "I found out where we were doing business and asked in-house if there were any local requirements, whether anyone had an interest in the country and if they had any resource to assist me." Proact has now hired a former corporate lawyer and the company effectively has an in-house legal resource. "I ask him if he sees anything about data, privacy or compliance to flag it and I'll get the details."

Since becoming CSO of Proact in November, Kellow has endeavoured to make the company more systematic in its compliance efforts. "I said what we needed to do as a business was say 'This is the path we want to take, we need to map out the common denominators and we need to get the business compliant to a point.' We can now just compare any new compliance measures to the map, see we're already at a particular point and whether that's above or below the requirements, and then just start to deal with deltas. As a business that makes us far more agile."

Technology naturally comes into play with compliance. Proact uses encryption, for example, to ensure that all data coming into its systems is worthless to an attacker if there is a breach, and ensures that virtual machines can only be booted on specific hardware. He also has data-distribution systems in place, but for compliance, process matters more to the company than technology. "One thing key to all compliance requirements is they all ultimately come down to the written word. It doesn't matter what technology you have unless all the staff have got the words, understood them, and are tested on a regular basis to make sure that their understanding is up to date. Unless you have the written word sorted out so you can map the technical controls onto it, the technical controls are meaningless."

Nevertheless, some compliance is still hard to deal with, he says. "I still struggle to understand where the scope and requirements of the PCI piece is. You can find conflicting information when you read about it yourself. As a company, I know exactly where we are for PCI and put in a lot of effort to being fully compliant with our scope as we define it. But as cloud service provider, that's where we have interesting conversations."