Comply or forfeit

01 Nov 09

Compliance requirements cannot be ignored.
We have all heard of Enron – the fiasco that ushered in stricter compliance and governance laws in the form of the Sarbanes-Oxley law in the US and Basel II in Europe. Since then governments and industry bodies have gradually increased and improved their compliance demands across all industry sectors.
Since IT underpins the vast majority of our systems and processes these days, such demands have seen an increase in the use of IT governance, risk and compliance management platforms to ensure that an organisation’s IT department is, where applicable, helping it to fulfil its legal, regulatory and ethical obligations. Indeed, research firm Gartner has seen “an early, rapid growth market” in IT governance, risk and compliance management software. These software products provide critical capabilities that enable audit support, self-assessment and automated measurement of general computer controls, says Gartner. In July a subsequent whitepaper, Hype Cycle for Governance, Risk and Compliance Technologies, stated that although regulatory compliance continues to drive product sales, organisations are looking for automation solutions that can help them more reliably and comprehensively manage multiple forms of risk.
It is clear that risk and compliance are key components of the CIO and IT managers’ roles these days. IT Brief spoke to two large New Zealand organisations that must take compliance with the relevant laws very seriously. The Auckland Regional Council and the University of Otago both have highly complex IT environments that serve a diverse range of stakeholders. The Regional Council has two data centres and a multitude of applications, while the university counts 10,500 PCs and 720 servers among its IT assets.
How to act
CIOs and IT decision makers are required to ensure their organisations remain compliant with any relevant laws, whether they be the Privacy Act, the Copyright Act or any other acts that pertain to a specific industry sector. For the Auckland Regional Council’s Group Manager ICT, John Holley, the Public Records Act 2005 is the most significant one, but he also names a number of lesser-known acts, including the Local Government Act 2002, which stipulates requirements around consultation and financial reporting; the Rating Act 2002, which details what personal information can and cannot be shown; the Official Information Act 1982; the Local Government Official Information and Meetings Act 1987; and the Statistics Act 1975. Otago University’s Tracy Huntleigh-Smith, Strategy and Planning, Information Technology Services, says privacy, data security and the provision of official information are of particular importance to the university. She says: “As well as the penalties embedded in the legislation, any breach of compliance or service interruption reduces the level of trust that users and the community have for those systems.”
Security overlap
Indeed, this was evidenced in the infamous UK case of HM Revenue and Customs (HMRC), which IT Brief considered last month in the light of its security implications. Privacy and data breaches can, as demonstrated, result in major inquiries and the eventual loss of jobs. The HMRC case is also a useful example in terms of the crossover between security and compliance – two disciplines that will always be closely interlinked.
Privacy and security go hand in hand, and one of the resources available to organisations and the public is the New Zealand Privacy Commissioner. Each quarter the Privacy Commission publishes its rulings at privacy.org.nz. October’s case notes made for some interesting reading, in particular several complaints that a government department had lost personal information, which was subsequently passed on to media outlets. The Privacy Commissioner, who participated in IT Brief’s Q & A pages this month, investigated the data breach, which related to a staff member dropping a file in an Auckland street. She was satisfied that, although the department had breached Principle 5 of the Privacy Act which relates to security safeguards, no harm came to those whose data was leaked and the department had acted properly when it followed the Privacy Breach Notification Guidelines.
It is not enough, however, to write a policy and guidelines and file them away in a drawer these days, as Huntleigh-Smith of Otago University explains, saying the university has a risk framework which “requires a continuous improvement approach to managing risk”. “In particular we have to be vigilant about emerging risks, and proactively working with suppliers and peers to be aware of these risks and to manage them.”
Under a cloud
One such risk is that posed by cloud computing. Many in the IT industry are witnessing the changes that cloud computing is bringing but are still unsure of the consequences. There is much still to be debated in terms of security and compliance in the cloud, as borne out by the debate about to take place at the Association of Local Government Information Management’s (ALGIM) annual conference, as highlighted in our front page news article. In May a Gartner whitepaper, entitled Compliance in the Cloud: Whose Data Is It Anyway?, concluded that whether data is in the cloud or not, it still belongs to that organisation (not the hosting party) and all of the legal and regulatory obligations are the same as if it were stored on premises. There is also a Bill currently going through Parliament in New Zealand, called the Privacy (Cross-border Information) Amendment Bill, which will likely help to clear up a number of concerns.
All paid out
Another risk that is currently in the limelight is payment card security – something the payment cards industry is addressing as it implements stricter standards, which are covered in two of IT Brief’s guest columns this month (pp24-26). Between November 2008 and May 2009, Radisson Hotels and Resorts suffered a privacy breach, referred to as “unauthorised access”, in which data that may have included guest credit card information was accessed at a small number of its hotels. Radisson became aware of the unauthorised access through information provided by payment card companies and its payment card processors.
Of course, protecting your organisation’s data is extremely important and Holley of the Auckland Regional Council suggests that you employ industry standard practices including controlled access to information, segregation of duties, security systems and monitoring and regular audits. He says you can ensure staff compliance through constant monitoring and exception reporting, along with induction and training programmes.
Changing policies
One area that may soon necessitate a review of your policies is the current Review of Policy being undertaken by the Law Commission, which could result in changes to the Privacy Act. When the time comes, Otago University’s Huntleigh-Smith suggests you use a “highly consultative” process to update your policies. “Essentially it would be hard for a technical expert to write policy in isolation and be sure that it will meet the diverse needs of our organisation. This makes the process slower, but the resulting policies are much more robust.”