
Be prepared for security compliance legislation

Johannesburg, 15 Mar 2005

After the initial concerns surrounding the strict reporting requirements embodied in the Sarbanes-Oxley legislation in the US, many CEOs have found that changing their organisations' reporting processes to accommodate these requirements has resulted in more benefits than merely keeping them out of jail.

Through compliance, business leaders have found they have a keener insight, deeper into their organisations than ever before.

"The reason for this insight is improved access to better collated and more reliable information," says Grenville Payne, practice manager, infrastructure and transformation services at Unisys Africa.

"Unfortunately, while companies are faced with steep penalties if they do not improve their reporting to the standards set in the legislation and CEOs do not attest to their accuracy, there is no legislation requiring companies to ensure the information used in their reports has been secured. This has to change, soon."

Corporate governance laws similar to Sarbanes-Oxley have been passed, or are in the making, in other countries, including SA. As in the past, these laws require an external auditor to certify that the company's results are an accurate reflection of the company's status. They go a step further, however, and require directors to attest to the existence, accuracy and reliability of the internal processes through which the data given to the auditor was produced.

Enter information security governance

Yet another governance nightmare enters the corporation at this point: managing the security of information. The basic principles of information security demand that the confidentiality, integrity and availability (CIA) of information be guaranteed at every point in the information lifecycle. And this doesn't happen simply because a good anti-virus product is installed.

"To achieve the aims of CIA, corporations need to implement standards that govern their handling of data," notes Payne. "The standard in question, widely accepted as the information security management standard, is the British BS 17799 standard which has been accepted in SA and renamed SANS 17799.

"It is not too much of a stretch of the imagination to understand that as Sarbanes-Oxley and similar laws in different countries have their rough edges smoothed and are expanded to exclude the possibility of fraud anywhere on the information value chain, compliance with information security governance will become part of the legislation. The onus will therefore be on businesses to ensure they comply with the provisions of SANS 17799."

And it doesn't end there. Information security governance is the foundation for meeting the security requirements of corporate governance, and effective IT governance in turn provides the basis on which effective information security governance is built.

IT governance takes shape

Another standard, COBIT (Control Objectives for Information and Related Technology), defines IT governance. COBIT gives a clear indication of what needs to be done to manage the corporation's information-provision processes effectively, organised as 34 processes in four domains: planning and organisation, acquisition and implementation, delivery and support, and monitoring.

"But the standards process is not yet complete," notes Payne. "The last part of the IT governance puzzle ensures the IT services delivered are aligned with the company`s business and governance needs. This final piece is known as the IT Infrastructure Library (ITIL).

"ITIL is a set of practical best practices, a framework for service management drawn from the public and private sectors internationally and used to aid the implementation of best practice and defined process and methodologies within organisations for IT service management. And in case we didn't have enough standards to help us achieve our goals, the best-practice processes in ITIL are supported by the British Standards Institute's 'Standard for IT Service Management', otherwise known as BS 15000."

Trust is the key

The above is a brief description of the processes and procedures companies will be expected to follow when (and it is a case of when, not if) legislation is expanded to include information management compliance. One expects that the various standards and best practices will be streamlined and rolled up into one comprehensive piece of legislation and a standard flexible enough to be applicable across geographies and industries.

The scope of the task that lies ahead for companies is enormous. Legislation will require that all the standards mentioned, and probably a few more by the time it is passed, be implemented and become part of corporations' daily operations. Waiting until the last minute before starting to ensure your company complies is not an option.

"The thinking behind all these standards is not to confuse or make life complicated, believe it or not, but to impart a sense of trust," concludes Payne. "When companies deliver their results in future, the fact that they comply with all of these standards will be a stamp of integrity, informing shareholders and legislators that they can believe and rely on the data they produced because everything is verifiable via internal and independent external processes. A vital step in corporate recovery from the damage the Enrons of this world inflicted.

"Once this level of trust has been re-established, everyone can get back to doing business without the additional burden of legislators, shareholders and the public in general peering over CEOs' shoulders at every opportunity."

Unisys

Unisys is a worldwide information technology services and solutions company. Our people combine expertise in consulting, systems integration, outsourcing, infrastructure and server technology with precision thinking and relentless execution to help clients, in more than 100 countries, quickly and efficiently achieve competitive advantage. For more information, visit www.unisys.co.za.

Editorial contacts

Melanie Spencer
Predictive Communications
(011) 608 1700
melanie@predictive.co.za