Regulatory compliance and data security are major information technology issues that local, national, and international companies face daily. This includes every type of business (public and private), non-profit organizations, and governments. Security incidents can be initiated by internal or external forces from anywhere in the world, making this a global concern. Global issues face both national and international businesses. Global economic boundaries have blurred in the past few years with the advent of the internet. Each country has created laws or regulatory requirements for its different industries. Treaties have been established between countries, under international law, to provide agreement on particular subjects. When a company is global, this is compounded by each country in which it has a presence. Prosecution of data theft in the digital age is becoming prevalent.
Legal and regulatory requirements share a common thread: they address fraud, theft, and malfeasance, by both internal and external threat actors, against a particular set of data. These threat actors could be located anywhere in the world. Increasing data-breach reports have exposed the gaps and holes in companies' security posture. Criminal organizations are using these security shortfalls to obtain sensitive information for profit. Senior management is being held responsible for the security of the data within their organization.
Recently, social scientists have studied the problem of compliance with international regulatory requirements and international law. The empirical research[1] has shown several key findings:
- Compliance is generally adhered to.
- The high level of compliance has been achieved with little attention to enforcement.
- The compliance problems that do exist are best addressed as management problems rather than enforcement problems.
- A management rather than enforcement approach holds the key to the evolution of future regulatory cooperation in the international system.
To maintain a competitive edge, businesses have turned to information technology to help management achieve their business goals. Computer systems are so entwined with business processes that the business could fail if the systems are compromised. This heavy reliance on information systems has forced companies to re-think the little boxes that provide so much information to the company.
A 2006 report[2] found information technology making its way onto the board agenda. The survey states that 38 percent of respondents have information technology regularly on the board agenda, while 25 percent state that it is always on the agenda. The IT/telecom and financial industries scored higher than manufacturing in this study, while retail and the public sector were in the middle.
Many of the global regulatory pressures have forced companies to take a more sophisticated view of information security. Previously, information technology security focused only on the perimeter and external threats while missing the internal threats of fraud, theft, and malfeasance. Integrating information technology risk into the overall set of business risks has become the norm over the last few years. Each of these items can touch the privacy laws of each country in which the company has a presence and may require discussions with law enforcement agencies.
In most countries, businesses are held accountable, since corporate actions affect the global economy and corporations hold sensitive data that some seek. So what makes an organization compliant with national and international regulatory requirements and international law? “Well-governed companies to attract higher P/E ratios over those lacking in corporate governance.”[3] U.S. firms with stronger governance have seen faster sales growth and greater profitability from better operations than their peers. The same effect has been seen in other countries, including Korea and Russia. A 2002 McKinsey survey states that the premium paid for well-governed companies was 30 percent in Eastern Europe and Africa, and 22 percent in Asia and Latin America. This more sophisticated view has created financial gain for those companies.
In the United States, the Sarbanes-Oxley Act of 2002 (SOX) has forced publicly traded companies to provide a top-down risk assessment for financial risk. Section 404 of SOX looks at how pervasive information technology controls affect the financial reports. The SOX effect has been seen across the globe in various one-offs, or "SOX-lite" laws. This can be seen in the comments of Oscar M. Lopez, chairman of the Lopez Group of Companies, during the 11th Annual FOCAP Forum[4] on prospects for the Philippines, January 15, 2008.
“In the Philippines, this revamp took many forms, all of which I think are good and will be beneficial to us over the long term. First was the enactment of Republic Act No. 8799 or the "Securities Regulation Code" on July 18, 2000, which strengthened the laws and enforcement for good corporate governance. This was followed by circulars from the Bangko Sentral imposing a "fit and proper rule" for bank directors, then by the Code of Corporate Governance by the SEC and more latterly, the adoption of the IFRS standard of accounting, among others.”
Corporate governance has been around since the 19th century. Since that time, interest in corporate governance has swung like a pendulum in how far it favors stockholders. Since 2000, with the massive bankruptcies and criminal malfeasance of some corporations, the passage of legislation and other regulations has created strong corporate governance requirements. This affects the economy not just of the United States, but of global markets as well.
Whether or not a business is publicly traded, its management looks at risk factors as part of a daily process. Business risks include strategic risk, operational risk, financial risk, legal risk, and regulatory risk. Compliance looks not only at legal and regulatory risk, but also at the contractual and internal risks companies face. “Organization, by its very nature, contains … powerful factors of misdirection. To overcome these obstacles requires more than good intentions, sermons, and exhortations. It requires policy and structure. It requires that management by objectives be purposefully organized and be made the living law of the entire management group.”[5]
Corporate governance is “the process used to manage the business affairs of the company toward enhancing business prosperity and corporate accountability with the objective of realizing long term shareholder value, while taking into account the interests of the other shareholders.”[6]
With this as a basic understanding of corporate governance, management[7] must provide direction, guidance, and meaningful oversight. This requires management to commit specific actions to policies, procedures, standards, and guidelines that become a living document for all to follow. Once actions are committed to a document, management must seek assurance that compliance with this guidance is maintained.
When a company is international, corporate governance is compounded by differences in culture, law, and regulation. These differences are not solved merely where global management exists within the company, but through a global process, with global participation and at the local level. Many other nations have tougher regulations and laws than the United States. For legal and regulatory compliance, it becomes imperative that information technology security is approached at the global corporate governance level and across the enterprise. Information technology security is the responsibility of management, since they are the key stakeholders of the data within their perimeter.
Governance practices vary between countries and frameworks, but typically include accountability, awareness, ethics, inclusion, resource allocation, thoroughness, effectiveness, compliance, and ongoing assessment. These practices must address all areas within a company, including information technology.
Accountability to the shareholders and to the organization is part of the duties of management. Management must oversee the company's organizational strategies, mission, structures, systems, staff, standards, and ethics with strong oversight. Management is required to demonstrate the organization's due diligence and due care in meeting its fiduciary requirements.
Effective awareness and communication must start with management. This awareness must permeate the company and become a living component of management expectations. Without a top-down approach, governance, and especially security, will fail.
Interest in ethics has been stimulated by the recent scandals of WorldCom, Enron, and others. A corporate code of conduct or ethics policy is essential when dealing with governance. Strong compliance with the ethics policy or corporate code of conduct sets the “tone at the top” and creates an environment in which the company's potential exposure can be reduced. Customer privacy and business-to-business (B2B) relationships are among the most important strategies that weak ethics can damage, which in turn affects the bottom line.
The combined efforts of system[8] owners, users, custodians, and security personnel, together with the perspectives of customers, partners, and other stakeholders, must be included when creating a strong governance posture. Including all parties requires performing a thorough risk assessment to document the perceived and actual business risks that companies face.
Improper staffing or high turnover will affect the bottom line of the company. Resource allocation must not be limited to staffing, but must include the other resources or supplies that may be needed to support the business goals. The required resource allocation must be determined, along with the acceptable level that will allow the company to proceed. Information systems are almost completely intertwined with every business process.
Is information security fully integrated into all relevant organizational policies? Security must include people, corporate culture, training, processes, and communications; it is not just hardware, software, and technical issues. Thoroughness will establish appropriate confidence among the shareholders and the management team.
An effective risk management program must mitigate risk at an appropriate cost based on the systems in use, their criticality, the value and sensitivity of their data, and their relationships to other systems. Management oversight is needed to ensure that appropriate levels of risk mitigation are applied.
Management faces four types of compliance in today's environment. Legal, regulatory, internal, and contractual compliance all require management to document their due diligence and due care in meeting these compliance obligations.
Information sharing is a best practice that can be accomplished by a variety of means such as interacting with industry groups, attending briefings, meetings and conferences, and working actively with regulatory bodies. Key stakeholders should meet with their peers to discuss and hear other potential solutions to the same issues.
Risk assessments must be assimilated into all business decisions, become second nature to the process, and be continuous. Using risk assessments allows management to confirm that the perceived risks are effectively controlled in line with management's risk appetite. Continuous risk assessment creates a process in which new risks can be discovered and addressed.
IT governance, global legal and regulatory challenges
President Clinton, at a White House cybersecurity meeting in February 2000, said “we cannot mandate our goals through government regulation. Each sector must decide for itself what practices, procedures, and standards are necessary for it to protect its key systems. But as part of this partnership, the federal government stands ready to help.”
Most countries have regulations and laws dealing with financial issues. International companies must ensure appropriate safeguards or controls so that financial reporting does not contain material misstatements. Management must seek assurance that information security controls are effective in minimizing risk. Information technology is pervasive throughout the business process and needs to fall under the same scrutiny as financial controls.
Overall, security intrusions into data networks have a higher chance of originating from inside. Security professionals have, for the most part, secured the perimeter against external attacks while not addressing internal threats. Are appropriate tools deployed to detect potential attacks, whether external or internal, on the data source? The CSI 2007 Computer Crime and Security Survey indicates that a shift has occurred: financial fraud overtook virus attacks, with greater financial loss. Security audits by internal staff were the prevalent method of validating effective monitoring of controls. A 2007 Oversight Systems[9] study found that the top three reasons why frauds occur are: “pressures to do whatever it takes to meet goals” (81 percent), “seek personal gain” (72 percent), and “think I won't get caught” (41 percent).
Addressing tougher global regulatory issues requires management buy-in and support. Management demonstrates this commitment through documentation showing appropriate corporate policies, effective controls, monitoring and testing of controls, high-level reporting of the test results in meeting minutes, and other actions. Having a high-level audit committee with the accountability, oversight, and authority to perform its duties reinforces management commitment. This upper-level audit committee is the central gathering point for the smaller local or regional audit teams in each country. Each local or regional audit team performs its work and reports its findings to local management and the audit committee.
Information technology governance begins with management reviewing the direction of the organization and its business goals. Strategic plans and global policies should reflect management direction using risk-based management. These are high-level documents, not technical in nature, that address many issues, including known legal, regulatory, internal, and contractual compliance requirements. Additional policies, standards, or procedures at the local level may be created by data owners and stakeholders to ensure compliance with the corporate-level policies. During the creation of these local policies, appropriate input must be gathered to determine any legal, regulatory, contractual, and internal compliance issues. These policies, standards, and procedures may be technical in nature. Strategic plans are usually long-term, three to five years. Tactical plans are shorter in duration, less than one year; they may be created by the data owners or data custodians and are used to achieve milestones of the strategic plans.
A multidisciplinary team at the local level can provide input from all areas of the local business and report its findings to the audit group. Team members include department heads, key stakeholders, legal counsel, auditors, and others. A discovery process by the team identifies regulations, compliance acts, and other issues facing the company. International laws and compliance issues differ from those of the United States and may conflict with them. Once the discovery process has finished, all information should be analyzed at the global level to find areas of overlap and areas of conflict. Resolving the conflicts is important for creating overall compliance. Many organizations will find multiple items that overlap each other. Most compliance issues require some kind of classification scheme to be developed to identify data for levels of protection -- for example, personally identifiable information (PII), patient health care information (PHI), and cardholder data -- that would require the same types of controls to protect. Mapping individual compliance requirements to each other can create a cost-effective compliance program.
Internal and external compliance is achieved by placing appropriate controls to protect the data classifications the organization uses, based on compliance requirements. These controls take the form of either soft controls (policies, procedures, and standards) or hard controls (technology). Soft controls assign responsibility, guidance, timing, and other requirements that are needed to provide a measure of due diligence. Management and operational controls are soft in nature; they provide appropriate separation of duties or dual control to minimize high-risk duties that can lead to fraud or theft. Hard controls can be implemented to validate that separation of duties is enforced.
Hard controls are usually technology used to prove that the soft controls are being enforced. A hard control can be an exception report generated from the audit trail of transactions, produced by the computer system every time a predetermined activity is seen and reviewed under separation of duties. Other examples of hard controls are a firewall, an intrusion detection system (IDS), or an intrusion prevention system (IPS). Each of these is a hard control used to enforce compliance with the information security policy. Technology automates manual tasks, improving the reliability of the controls and reducing the potential for human error.
Senior management must implement appropriate controls to detect, prevent, and correct risks, fraud, and malfeasance. In the U.S., this is substantiated by the adoption of the Model Business Corporation Act in most states, the Uniform Commercial Code, the U.S. Sentencing Guidelines, the Federal Rules of Civil Procedure, and other fiduciary responsibilities.
Fiduciary responsibility for the day-to-day protection of information assets rests with managers or data owners. Senior management must hold the data owners accountable for the actions taken to protect information assets. A strong information security policy is only part of the solution that companies must implement. A single event by itself is not a security incident, but a series of events could indicate that a problem exists. If management has created appropriate controls, an alert or the detection of events that could indicate a potential problem will initiate actions to determine whether a security incident is occurring.
A security incident response plan or policy (SIRP) is the cornerstone of information security. It provides the mechanisms to take action when events turn into a security incident. A strong security incident plan has several features that apply to all businesses, regardless of company size. Without a security incident plan, getting law enforcement involved internationally is difficult.
Some of the basic requirements of a security incident plan have their roots in the information security policy or program established by senior management. An effective security incident response policy[10] has six key phases: preparation, identification, containment, eradication, recovery, and follow-up.
A strong security incident response policy will define assigned roles and responsibilities, an understanding of staff abilities, a communications liaison for media and law enforcement, and appropriate procedures to contain the incident. Creating a strong liaison between the company and local law enforcement is key while developing the policy. Engaging law enforcement agencies during the development of a SIRP will reduce potential issues with collecting evidence for prosecution of any illegal acts found and will create open channels with local law enforcement.
Each event needs to be analyzed to determine whether it is the precursor to a security incident. Once an event triggers a potential security incident, appropriate response mechanisms are initiated, with a suitable classification for escalation, to curtail the incident. This must be thought out before an incident happens, not after one has started. Who can escalate the process, contact with law enforcement, media liaison, evidence collection, responsibilities, procedures, and other items all need to be in place before a problem exists.
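The hard control described earlier (an exception report generated from a transaction audit trail whenever a predetermined activity is seen) and the escalation rule above (a single event is not an incident, but a series of events by one actor is classified and handed to the response process) can be shown together in code. The following is an added example written for this page, not code from the article or from any product it mentions; the audit-trail lines, user names, transaction ids, the approval limit, and the escalation threshold and window are all constructed values.

```python
"""Added example (not from the original article): a 'hard control' that
enforces separation of duties from a transaction audit trail, plus the
event-to-incident escalation step the article describes.

1. exception_report(): one exception per predetermined activity seen in the
   trail. Two activities are predetermined here: a transaction created and
   approved by the same user (a separation-of-duties breach), and a
   transaction over a limit that did not receive two approvals.
2. escalate(): a single exception is recorded but is not an incident; three
   exceptions by the same user inside a 48-hour window are classified as a
   potential incident for the incident response process to examine.

Every line of AUDIT_TRAIL and every threshold below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-trail export: timestamp, transaction id, action, user, amount
AUDIT_TRAIL = """\
2008-01-15T09:02:11 TXN-1001 CREATE  alice 4200.00
2008-01-15T09:10:45 TXN-1001 APPROVE bob   4200.00
2008-01-15T10:15:02 TXN-1002 CREATE  carol 9800.00
2008-01-15T10:15:40 TXN-1002 APPROVE carol 9800.00
2008-01-15T11:30:00 TXN-1003 CREATE  carol 15000.00
2008-01-15T11:31:12 TXN-1003 APPROVE carol 15000.00
2008-01-15T14:05:09 TXN-1004 CREATE  dave  51000.00
2008-01-15T14:06:30 TXN-1004 APPROVE erin  51000.00
2008-01-16T08:00:00 TXN-1005 CREATE  carol 700.00
2008-01-16T08:01:00 TXN-1005 APPROVE carol 700.00
"""

DUAL_APPROVAL_LIMIT = 50000.00       # constructed: above this, two approvers are required
ESCALATION_THRESHOLD = 3             # constructed: exceptions per user inside the window
ESCALATION_WINDOW = timedelta(hours=48)


def parse_audit_trail(text):
    """Parse the whitespace-separated export into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, txn, action, user, amount = line.split()
        records.append({"time": datetime.fromisoformat(ts), "txn": txn,
                        "action": action, "user": user, "amount": float(amount)})
    return records


def build_transactions(records):
    """Group records by transaction id, keeping who created it and who approved it."""
    txns = {}
    for rec in sorted(records, key=lambda r: r["time"]):
        t = txns.setdefault(rec["txn"], {"creator": None, "approvers": [],
                                         "amount": rec["amount"], "last_time": rec["time"]})
        t["last_time"] = rec["time"]
        if rec["action"] == "CREATE":
            t["creator"] = rec["user"]
        elif rec["action"] == "APPROVE":
            t["approvers"].append(rec["user"])
    return txns


def exception_report(records):
    """The hard control: emit one exception per predetermined activity found."""
    exceptions = []
    for txn_id, t in build_transactions(records).items():
        if t["creator"] in t["approvers"]:          # same person created and approved
            exceptions.append({"txn": txn_id, "user": t["creator"],
                               "rule": "SOD", "time": t["last_time"]})
        if t["amount"] > DUAL_APPROVAL_LIMIT and len(t["approvers"]) < 2:
            exceptions.append({"txn": txn_id, "user": t["creator"],
                               "rule": "DUAL_APPROVAL", "time": t["last_time"]})
    return sorted(exceptions, key=lambda e: e["time"])


def escalate(exceptions):
    """Classify repeated exceptions by one user inside the window as a potential incident."""
    per_user = defaultdict(list)
    for e in exceptions:
        per_user[e["user"]].append(e["time"])
    incidents = []
    for user, times in per_user.items():
        window = []                                  # exception times still inside the window
        for t in sorted(times):
            window = [w for w in window if t - w <= ESCALATION_WINDOW]
            window.append(t)
            if len(window) >= ESCALATION_THRESHOLD:
                incidents.append({"user": user, "classification": "potential-incident",
                                  "count": len(window), "first": window[0], "last": t})
                window = []                          # start a fresh count after escalating
    return incidents


if __name__ == "__main__":
    recs = parse_audit_trail(AUDIT_TRAIL)
    exceptions = exception_report(recs)
    for e in exceptions:
        print(f"EXCEPTION {e['time']:%Y-%m-%d %H:%M} {e['txn']} {e['rule']:<14} user={e['user']}")
    for i in escalate(exceptions):
        print(f"ESCALATE  {i['user']} -> {i['classification']} ({i['count']} exceptions "
              f"between {i['first']:%Y-%m-%d %H:%M} and {i['last']:%Y-%m-%d %H:%M})")
```

On the constructed trail, the report lists four exceptions (three self-approvals by one user and one over-limit transaction with a single approver), and only the user with three exceptions inside the window is escalated; the single over-limit exception is recorded for review but is not treated as an incident on its own. The report itself is what gets reviewed under separation of duties: whoever reads it should not be anyone who can create or approve transactions.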
To sustain regulatory compliance, a holistic approach must be taken. Treating each compliance issue as a separate project will create higher costs and duplication of effort. Creating an overall picture of all the issues and treating them as one will reduce ongoing costs and create repeatable processes to sustain compliance. In many cases, the individual compliance issues overlap. Creating a mapping of each of the compliance issues may be time consuming, but the overall benefits will improve the return on investment (ROI), make the company more agile in the face of future demands, and meet current and future business goals. Some of the mapping work has already been done for most U.S. and international compliance requirements. The Unified Compliance Framework[11] provides HTML charts that evaluate the requirements of compliance issues and frameworks, and harmonizes a control language for implementation. Their framework works within COBIT, ISO 27001, and others.
Creating a framework that is applicable to the company can create a strong driving force to make compliance part of the company culture and to establish a strong governance presence. Using a strong process control and management framework with a strong technology orientation can allow companies to realize high customer satisfaction, gain a marketing and business advantage, and reduce overhead.
A competitive advantage can be created by reducing redundancy in compliance tasks. The risk assessment is the one area that will reap the biggest benefit from the holistic approach. It will have to encompass all the requirements of each of the compliance and international issues found. The multidisciplinary team's focus is to develop the compliance requirements for the organization, identify the overlapping areas and the types of controls used, identify the items that would have to be covered separately, and create standards for performing additional tasks. Using a holistic approach will allow future compliance standards to be mapped to the controls already in place.
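The discovery-and-mapping exercise described in the three passages above (classify the data, find where compliance requirements overlap and where they conflict, identify what must be covered separately, and map future requirements onto existing controls) is easy to lose in spreadsheets, so here it is as a small harmonized control map. This is an added example written for this page; it is not the Unified Compliance Framework or any other product's data. The requirement labels (REQ-CARDHOLDER, REQ-HEALTH, REQ-PRIVACY-EU, REQ-FINANCIAL-REPORTING), the controls attributed to each, and the retention-day bounds are all constructed placeholders and are not a statement of what any real regulation requires.

```python
"""Added example (not from the article or any compliance framework): a
harmonized control map of the kind the text describes.

Each discovered requirement is expressed against one shared control language,
and each data classification is tagged with the requirements that govern it.
From that we derive the single control set a classification needs, which
controls satisfy several requirements at once (the overlap that makes the
holistic approach cheaper), which controls are unique to one requirement and
must be covered separately, and where two requirements set bounds on the same
control parameter that cannot both hold (a conflict to resolve).

All requirement names, control names and bounds below are constructed.
"""
from collections import defaultdict

REQUIREMENTS = {  # constructed; "min"/"max" are bounds a requirement places on a parameter
    "REQ-CARDHOLDER": {
        "controls": {"encrypt-at-rest", "access-review", "audit-logging", "network-segmentation"},
        "parameters": {"log-retention-days": ("min", 365)},
    },
    "REQ-HEALTH": {
        "controls": {"encrypt-at-rest", "access-review", "audit-logging", "breach-notification"},
        "parameters": {"log-retention-days": ("min", 2190)},
    },
    "REQ-PRIVACY-EU": {
        "controls": {"access-review", "breach-notification", "data-minimization"},
        "parameters": {"log-retention-days": ("max", 180)},
    },
    "REQ-FINANCIAL-REPORTING": {
        "controls": {"access-review", "audit-logging", "change-management"},
        "parameters": {},
    },
}

DATA_CLASSES = {  # constructed classification scheme: which requirements govern each class
    "cardholder-data": {"REQ-CARDHOLDER", "REQ-PRIVACY-EU"},
    "PHI": {"REQ-HEALTH", "REQ-PRIVACY-EU"},
    "PII": {"REQ-PRIVACY-EU"},
    "financial-records": {"REQ-FINANCIAL-REPORTING"},
}


def all_controls():
    """Every control in the harmonized language, across all requirements."""
    return sorted(set().union(*(r["controls"] for r in REQUIREMENTS.values())))


def controls_for(data_class):
    """Union of the controls required by every requirement governing the data class."""
    return sorted(set().union(*(REQUIREMENTS[r]["controls"] for r in DATA_CLASSES[data_class])))


def control_coverage():
    """For each control, the requirements it satisfies (the overlap map)."""
    coverage = defaultdict(set)
    for name, req in REQUIREMENTS.items():
        for control in req["controls"]:
            coverage[control].add(name)
    return {c: sorted(reqs) for c, reqs in sorted(coverage.items())}


def overlapping_controls():
    """Controls that satisfy two or more requirements: implement once, evidence once."""
    return [c for c, reqs in control_coverage().items() if len(reqs) >= 2]


def unique_controls():
    """Controls serving a single requirement: the items that must be covered separately."""
    return [c for c, reqs in control_coverage().items() if len(reqs) == 1]


def resolve_parameters(data_class):
    """Merge min/max bounds on shared parameters and flag bounds that cannot both hold."""
    bounds = {}
    for name in sorted(DATA_CLASSES[data_class]):
        for param, (kind, value) in REQUIREMENTS[name]["parameters"].items():
            b = bounds.setdefault(param, {"min": None, "max": None, "min_from": None, "max_from": None})
            if kind == "min" and (b["min"] is None or value > b["min"]):
                b["min"], b["min_from"] = value, name      # tightest lower bound wins
            if kind == "max" and (b["max"] is None or value < b["max"]):
                b["max"], b["max_from"] = value, name      # tightest upper bound wins
    for b in bounds.values():
        b["conflict"] = b["min"] is not None and b["max"] is not None and b["min"] > b["max"]
    return bounds


def map_new_requirement(new_controls):
    """Split a future requirement's controls into those already in place and those still needed."""
    existing = set(all_controls())
    return {"covered": sorted(set(new_controls) & existing),
            "new": sorted(set(new_controls) - existing)}


if __name__ == "__main__":
    for dc in DATA_CLASSES:
        print(f"{dc}: {', '.join(controls_for(dc))}")
        for param, b in resolve_parameters(dc).items():
            flag = "CONFLICT" if b["conflict"] else "ok"
            print(f"  {param}: min={b['min']} ({b['min_from']}) max={b['max']} ({b['max_from']}) {flag}")
    print("shared controls:", overlapping_controls())
    print("covered separately:", unique_controls())
    print("future requirement:", map_new_requirement({"access-review", "audit-logging", "vendor-assessment"}))
```

With the constructed data, cardholder data and PHI each end up with a single merged control list, access-review and audit-logging are the controls that pay off most because several requirements share them, and the log-retention parameter surfaces as a conflict for any classification governed by both a minimum-retention and a maximum-retention requirement; that is exactly the kind of item the article says must be resolved at the global level rather than left to each local team. The same map answers the last question in the passage: a hypothetical future requirement is split into controls the organization already evidences and the genuinely new work.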
For companies, national or international, governance plays an important part in creating oversight, accountability, and information security. Security threats are not focused only on global companies, but on every type of company. For global companies, more vigilance is required at the global level; fed by local levels of oversight, it can keep management abreast of the regulatory climate the company faces while reducing fraud, theft, and malfeasance. Practicing strong governance and security will reduce the chance of security incidents occurring, while enabling a proactive stance when a true security incident does occur. Appropriate communication at the local level will create a partnership with law enforcement that is invaluable during international issues.
More stringent regulations are on the horizon in many countries. Developing a framework that allows agile compliance with these future requirements is critical to the future of a company. Organized crime, terrorism, and other groups have found a very lucrative business in obtaining and reselling critical information. Murphy's law, “things will go wrong in any given situation,” works overtime when it comes to protecting business assets. To protect those assets, companies must take a proactive approach, make governance a priority at the senior management level, and be prepared for action when required.
[1] “Is the Good News about Compliance Good News about Cooperation?” Downs, Rocke, and Barsoom, International Organization, Vol. 50, No. 3, pp. 379-406
[2] “IT Governance Global Status Report - 2006,” IT Governance Institute, PricewaterhouseCoopers, page 13
[3] International Finance Corporation, World Bank Group, September 2005
[4] ABS-CBN Interactive
[5] Peter F. Drucker, "Management: Tasks, Responsibilities, Practices," 1974
[7] The term management is used to identify either the board of directors for corporations, or senior management for private or nonprofit companies.
[8] Systems throughout this document include not just the computer systems, but the business processes around the computer systems as part of the process.
[9] www.oversightsystems.com, white papers, “Oversight_2007_Fraud_Survey.pdf”
[10] RFC 2196, “Site Security Handbook”; NIST publication SP 800-100; FFIEC “Information Security Handbook”; and others can provide invaluable guidance for processes.
James Ritchie was the principal auditor at Integralis, Inc., and has over 24 years of experience as a systems engineer and consultant in the information technology arena, the last six years focusing on compliance auditing for GLBA, SOX, HIPAA, PCI-DSS, and FISMA. James has been an adjunct faculty member at Briarwood College and a trainer for both New Horizons and ISACA. James has also performed forensic investigations for corporate fraud and criminal defense teams.