Compliance: the CISOs problem
With the burden of compliance increasingly falling on the shoulders of information security professionals, Rob Buckley asks how they can navigate the maze of ever-changing and expanding legislation – and keep their employers out of the headlines.
“Compliance is like a baby bull elephant: it's big today, it's only going to get bigger and, if you upset it, it's going to rampage.” That's how one CIO describes compliance, a topic that should be a concern of every information security professional working today.
Certainly, CSOs in vertical markets such as the defence industry and healthcare have had to deal with compliance requirements for almost as long as there have been computers, but laws such as the UK's various Data Protection Acts over the years have made virtually all companies the subject of these requirements. Research by IT security integrator SecureData shows that 94 per cent of CSOs now have some responsibility for compliance in their organisations.
On top of existing legislation, there are new regulations coming into effect or being proposed that seem set to make CSOs' lives just a little bit harder – or a nightmare, depending on how prepared they are. The Information Commissioner's Office has published a code of practice concerning data sharing in the UK that covers both routine and one-off instances. The Financial Services Authority has published new guidance on mortgage fraud and money laundering. The Office of Fair Trading has also published a code of practice on money laundering, while the Ministry of Justice has published draft guidance on the Bribery Act, which came into force last year.
“People haven't appreciated how non-trivial it is,” says Eduardo Ustaran, a partner at Field Fisher Waterhouse. “The technology is there, the solutions are there. What makes it a big deal is the need to make tricky decisions about balancing compliance with commercial imperatives so that it isn't intrusive.”
“Sites are carefully constructed to maximise efficiency,” explains Keynote Systems director of privacy services Ray Everett. Injecting a banner warning about cookies only reduces that inefficiency. In addition, with many websites carrying advertising hosted by third parties, it can be hard for organisations to know exactly what cookies are served by their sites. To counter that, Keynote's Web Privacy Tracking application not only crawls pages, it performs transactions, examines which networks are serving ads and details what cookies are consistent with the organisation's policies and which aren't. But, Everett says, he still gets many calls from CSOs wanting to know how the ‘cookie law' fits into their overall privacy compliance schemes.
The second of the EU's plans is far more wide-ranging and, in fact, game-changing. It proposes changes to the previous 1995 data protection legislation that gave birth to the UK's 1998 Data Protection Act (DPA). Changes include the mandatory appointment of a data protection officer, the introduction of a ‘right to be forgotten', a requirement to notify authorities of data breaches within 24 hours of their occurrence, and the ability of authorities to impose fines of up to two per cent of global turnover on companies that breach the rules.
Although this sounds stringent, particularly with regards to fines, Deema Freij, legal counsel EMEA and APAC at secure file sharing service IntraLinks, says that because the UK already has quite strong privacy requirements, there will be comparatively little work involved for British companies to achieve compliance compared with their EU counterparts – provided they already comply with the DPA. However, it will also force cloud service providers to become compliant, as any data breaches that occur with clients' data will be as much their responsibility as it is their clients'.
It is the 24-hour breach notification rule that could be particularly difficult to comply with, since it will require monitoring and logging systems and processes. Research from LogRhythm published in April found that of 200 IT decision-makers at UK businesses, 87 per cent would be unable to identify individuals affected by a breach within 24 hours, while 13 per cent said it would take them between one week and a month to pinpoint which customer data was affected, and six per cent did not believe they would ever be able to accurately obtain this information.
Meanwhile, SecureData's research found that 59 per cent of senior IT managers believe draft data protection compliance rules will place additional financial burdens on their businesses, while 40 per cent think the proposed 24-hour breach notification deadline would lead to security weaknesses being made public before an appropriate security review could be completed. Only 64 per cent and 58 per cent respectively believe that the proposed regulations would improve business security processes and consumer data protection.
As a result, Freij's feeling is that these issues are being “heavily negotiated” with the EU in an effort to water down the planned regulations before their final versions are published. This uncertainty about what the regulations will eventually contain certainly can't help CSOs begin to prepare for compliance with them.
Coming thick and fast
Yet these are far from the only pieces of compliance legislation – just the ones that have hit the headlines. There are far more low-key, simpler pieces that still have to be obeyed, whether or not CSOs have heard of them and regardless of their ability to do so. The FSA has, for example, imposed the requirement on financial services companies to have all business-related mobile phone calls monitored and recorded. The deadline for this passed in November last year. Many CIOs and CSOs have managed to put in place ways to record phone calls, although some organisations took the more radical route of banning the use of mobile phones for work-related conversations. However, according to Natterbox chief executive Neil Hammerton, while many companies put in place their compliance solutions at the last minute, technical problems were as much a cause of this tardiness as complacency.
He explains: “There was complacency. They knew it was coming for two years, but didn't believe it was going to be enforced. But the technology largely wasn't ready last year: we were only ready from September and few global organisations would risk using a small company – if there's a breach, who would be accountable?”
As a result, companies took on one-year contracts – the shortest time possible – for the services while they evaluated them, and are now looking to replace their initial technology choices, finding these didn't serve their purposes or offered a poor user experience: in some cases, there were delays – of up to a minute, for example, in placing calls. However, Hammerton feels that now Natterbox has the backing of partners such as Fujitsu and Orange, organisations will be more willing to adopt his company's technology.
Then there's the EU's First Company Law Amendment Directive. This requires companies to include their registered name and number, place of registration and office address in every sent email, including those sent by mobile phones. Companies such as The Email Laundry, which offers a solution for automatically adding such information to every email, are hoping to capitalise on this legislation, but with penalties of up to only £1,000 for non-compliance, it's likely to be less of a priority for CSOs than other tasks, assuming they have even heard of it. Deloitte partner Peter Gooch says that while many large public sector organisations will have had extensive briefings and training from the Government about compliance, and big companies will have compliance departments or legal teams well briefed on the laws, many smaller businesses, particularly those in relatively unregulated industries such as the media and tech start-ups, are about five to ten years behind in terms of knowledge.
How much attention organisations pay to compliance is certainly influenced by the penalties for non-compliance. Si Kellow, CSO of Proact, says that because of the low maximum fines associated with compliance legislation, he – along with many other CSOs – ranks his compliance priorities with contractual obligations at the top of the list, followed by the chance of brand damage for lack of compliance, then fines and any other requirements after that. Logica's business consulting cyber security lead Cheryl Martin says reputational damage may be even more important in sectors such as oil and gas where it can have a colossal effect on share price, whereas for other organisations, an inability to trade because an authority has removed authorisation – whether it be the PCI DSS or the FSA – will be the main concern. At the moment, fines will remain the lowest issue, except in the most heavily regulated industries, but Kellow says the huge potential size of fines under the new EU data protection legislation will change priorities.
Adrian Davis, an analyst at the Information Security Forum, argues that as well as trying to stay up to date with compliance legislation – hopefully, with the help of either a compliance department or consultants – trying to get different pieces of compliance legislation to fit together coherently is one of the biggest problems CSOs face. A global organisation has to deal with the different attitudes of US and European legislators towards data privacy, for example. On top of that, regulators of different markets may impose requirements that don't tally with government legislation, and even a country's own regulators can impose different rules to those imposed by the government elsewhere. “Some financial services records need to be kept for as long as 30 years, yet the DPA requires records to be kept for no more than seven years unless you're using them,” says Davis.
The best that a CSO can hope to do, according to Deloitte's Gooch, is to follow good security practice such as ISO 27001, educate staff, implement some form of data loss prevention technology, and try to be compliant with at least one regime – but that's still no guarantee of safety.
Logica's Martin concludes: “For some, it feels very lonely being a CSO. Most of their work is about compliance now and, too often, IT security is taken into the boardroom and disregarded by members. The moment there is a breach, they'll be the one in the limelight, it'll be their operational structure that is questioned, when 99 per cent of the time it's an employee who caused the breach in the first place.”
Compliance may be an organisational problem, but, ultimately, it's the CSO's problem – and, like that baby bull elephant, it is only getting bigger.
So many rules, so little time...
Si Kellow, CSO of cloud provider Proact, wishes he had more time to focus on compliance. “Unfortunately, there are so many areas – not just privacy and data security, but also financial regulations and PCI, for example – that it's just far too big. If I could dedicate my time to looking at compliance, I could probably fill my week several times over,” he says.
Proact handles data for customers all over Europe, and despite data protection being an EU-wide requirement, it faces problems dealing with it in practice. “Within the UK there's the Data Protection Act,” says Kellow. “That is the enactment into UK law of the European directive on privacy. The problem is that each EU state has its own enactment of that.” Proact now takes a “highest common denominator” approach, looking to all the states in which it trades for the strictest data protection compliance requirements and abiding by those, while having representatives in different countries to ensure any local “wrinkles” in compliance are abided by.
Getting to know what those data protection requirements were was a matter of “trial and error”, according to Kellow, and Proact has hired a former corporate lawyer. “If he sees anything about data, privacy or compliance, he flags it and I get the details.”
Since becoming CSO of Proact in November, Kellow has endeavoured to make the company more systematic in its compliance efforts. “We can now just compare any new compliance measures with the ‘compliance map', see we're already at a particular point and whether that's above or below the requirements… as a business that makes us far more agile.”
Technology naturally comes into play with compliance issues. Proact uses encryption technology, for example, to ensure that all data coming into its systems is worthless if there is a breach and ensures that virtual machines can only be booted up on specific hardware. It also has data distribution systems since, for compliance, process is more important to the company than technology. “All compliance requirements ultimately come down to the written word. It doesn't matter what technology you have if staff don't understand the words and are not tested on a regular basis. Unless you have the written word sorted out so you can map the technical controls onto it, the technical controls are meaningless.”