It goes without saying that organisations ought to comply with best practice in information security as a matter of course – it is in their best interests. But increasingly, new laws and regulations are being framed in a bid to ensure that security does not threaten good corporate governance.
Regulations such as Basel II in financial services, the US Health Insurance Portability and Accountability Act (HIPAA) and California’s controversial Database Protection Act all seek to govern the way organisations handle and store information. In Europe, companies may also face a shock next year when the European Union equivalent of Sarbanes-Oxley is introduced.
Some laws, such as the California data law, also set out explicit penalties should a security breach result in personal information being compromised.
This is not a localised issue: companies that want to trade across the US will need to comply with California law; global companies with US operations will also need to take California’s statutes into account. So legislation designed for one part of the world can quickly take on a global significance.
Even so, only one company has yet reported a security breach under the California Database Protection Act.
A project currently being undertaken by the Business Software Alliance (BSA), the US-based consortium of software companies, involves mapping legislation on corporate governance against best practice in IT security. The organisation aims to create a table of legal requirements for security initially in the US, and later worldwide.
Already, it has uncovered a number of complexities and contradictions. For example, a law directed at better corporate governance may demand that businesses keep transactional data for seven years, but a data privacy law may require that the same information is destroyed after three.
In these circumstances, it is not yet clear which law will have primacy. But businesses will need to show how they have acted to comply with the relevant rules and, where there is a conflict, how they have tried to resolve it.
Even so, mere legislative compliance will not always equate to good IT security. In some cases requirements for extensive archiving will be a distraction from important security work. In others it could even damage security, for example by demanding that firms keep more data than is necessary for commercial reasons.
This goes some way to explaining why, in most UK enterprises today, IT security and legal or regulatory compliance remain separate areas of work. However, as more companies see security as a board-level issue, they will converge, say analysts.
In some areas, legislation demands that companies take steps to prevent unauthorised access to their data. Although this might not be IT specific, compliance is impossible without guarding data against accidental releases, attacks by hackers or the consequences of a virus or worm.
And, although preventative or perimeter security may not always have a direct connection to legal compliance, the two disciplines are moving closer together. As businesses bring their disaster recovery and security operations into line, for example through more robust and resilient backup arrangements, they will also make compliance an easier task by easing data retrieval.