IT GOVERNANCE LTD
Article for Data Center Journal
Managing Risk and Compliance within the Network
Today's service-oriented IT architectures can create many new business opportunities, but these opportunities bring with them new kinds of risk that must be effectively managed, says Alan Calder of IT Governance Limited.
Good corporate governance depends on effective management of internal controls and on the availability, confidentiality, and integrity of information within an organisation. Corporate reputation, brand preservation, and financial results all depend on the defence of business processes, and on compliance with a growing array of legislation and regulation. The network has a fundamentally important role to play in achieving these objectives, because it touches every aspect of the extended organisation and connects its business processes. The old, perimeter-based network security model is increasingly inadequate for managing network security risks, because business processes, partners and users now sit on both sides of the perimeter. What is needed instead is an end-to-end, systems-based approach that is integrated, collaborative, and adaptive, so that it helps an organisation manage its network security risk while readying it to meet regulatory compliance requirements.
THE CHALLENGE
Internally, the vast majority of today's public and private organisations are increasingly dependent on automated business processes. Information systems and the networks that support them are now viewed as a strategic corporate asset: they contribute directly to the overall strategy and objectives of the business, they absorb a significant level of investment and resource, and they introduce new security risks that must be managed. In response, business management and IT management are converging, making it essential for managers at all levels in organisations of all sizes to understand how information technology can enable the business and, even more importantly, how network security risks are best dealt with.
Externally, organisations face increased pressure from governments and individuals who are concerned about the appropriate use of information, particularly personal and financial information. As a result, all organisations are now facing growing legal and regulatory compliance demands, as governments and the public insist that organisations take appropriate steps to ensure the proper use and protection of both corporate and personal information. For example, within Europe, organisations are faced with active, determined public prosecutors and regulators who - at both the national and European levels - are increasingly equipped with a growing range of legislation and penalties, including those available under national implementations of:
• The EU Data Protection Directive of 1995 (Directive 95/46/EC)
• The EU Directive on Privacy and Electronic Communications of 2002 (Directive 2002/58/EC)
• European human rights legislation (the European Convention on Human Rights and its national implementations)
• Freedom of Information legislation
• The Council of Europe's Convention on Cybercrime of 2001 (the Budapest Convention)
Global businesses must comply globally. Businesses listed or operating in the United States may also have to comply with the Sarbanes-Oxley Act as well as other US legislation, such as Gramm-Leach-Bliley, HIPAA or California's Senate Bill 1386 (the first state breach-notification law), while internationally active banks everywhere are affected by the operational risk requirements of Basel II. Organisations operating in the Middle East or Africa may have local versions of corporate governance, data protection, and privacy regulations to comply with but, if they wish to access Western capital markets, they increasingly have to meet the West's regulatory and information security requirements. There are also important information security considerations for all boards arising from legislation and commercial requirements that range from local governmental information security requirements through computer misuse legislation, anti-money laundering regulation, anti-spam laws and e-commerce regulation, to the Payment Card Industry Data Security Standard (PCI DSS), a contractual requirement for any organisation that stores, processes or transmits cardholder data.
In response to these internal and external pressures, IT governance is becoming a corporate governance concern as top management focuses on how to align information systems and networks with the business strategies of the organisation, while managing new information risks that threaten the confidentiality, integrity, and availability of business processes and information.[1] Historically, however, the approach to managing risk associated with information and network security has been fragmented across organisational divisions and departments ('silos'), resulting in a duplication of effort and technology. Inevitably, these different approaches are inconsistent: efforts are duplicated, and control systems overlap, contradict, or undermine one another. Measurement and reporting are equally fragmented, so management does not know whether it is efficiently and effectively managing network risk, including emerging compliance requirements.[2] As forecast by Forrester Research, organisations now seek a formalised, consistent approach to managing information risk and compliance requirements across the entire organisation.
THE SOLUTION
It is increasingly recognised that the best way to manage security risk and compliance requirements is through a systematic and comprehensive approach, based on industry best practice, that complies with the organisation's national corporate governance requirements and which might, for instance, work within the Enterprise Risk Management framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The starting point should be a single, over-arching and organisation-wide control framework, within which all individual network security and compliance requirements can be addressed, so that each control is defined once and mapped to every regulation that requires it. This approach, according to J.L. Bayuk, "helps coordinate enterprise-wide risk and compliance efforts and reduces the cost and dislocation of IT audits, because if auditors can easily see how an auditee's control framework fits together, they are likely to take up considerably less IT staff time and resources in their risk assessment effort."[3] Many organisations worldwide are already adopting this systematic approach.
There are two widely recognised and widely deployed IT control frameworks. The first, developed by the IT Governance Institute in the United States, is the Control Objectives for Information and related Technology, or CobiT. The second, developed by the International Organization for Standardization (ISO) with worldwide input, is ISO27002 (formerly known as ISO17799), the code of practice for information security controls, supported by ISO27001, which specifies the requirements for an information security management system and is the standard against which an organisation can be certified. CobiT is more process-orientated, while ISO27002 identifies best-practice information security controls. Both offer good starting points for the development of an organisational framework for the coherent, cost-effective management of the IT-related risk and network security requirements of PCI DSS, of the Data Protection and Privacy and Electronic Communications directives, and of all other current corporate governance and internal control regimes. Both CobiT and ISO27002 allow companies to use established best practice to simplify and unify their IT processes and internally defined controls. While CobiT is useful, ISO27002 is essential, because it provides an internationally recognised and comprehensive information security controls framework, and ISO27001 provides the independent certification that regulators, customers and auditors can rely on.
Alan Calder is chief executive of IT Governance Limited, the one-stop-shop for information security books, tools, training and consultancy. He is co-author of ‘IT Governance: A Manager’s Guide to Data Security and BS7799/ISO17799’. For more information visit www.itgovernance.co.uk
IT Governance Limited is exhibiting at Infosecurity Europe 2008, Europe’s number one dedicated Information security event. Now in its 13th year, the show continues to provide an unrivalled education programme, new products & services, over 300 exhibitors and 11,700 visitors from every segment of the industry. Held on the 22nd – 24th April 2008 in the Grand Hall, Olympia, this is a must attend event for all professionals involved in Information Security. www.infosec.co.uk
[1] Governance and the Extended Enterprise: Bridging Business Strategies and IT Strategies, John Wiley & Sons: New Jersey, 2005
[3] J.L. Bayuk, "Stepping Through the IS Audit", Information Systems Audit and Control Association (ISACA), 2004