Peeling away the layers of legislation

5 Jul 2005

As companies of all sizes become attuned to tying their IT strategy more closely to their business strategy, security is taking its place at the top table. This is partly because it is increasingly bound up with the concepts of governance and compliance, subjects currently exercising the minds of many company directors.

Last week Hewlett-Packard (HP) hosted an event for chief information officers (CIOs) focusing on this very subject. Introducing the event, HP Ireland sales director Gary Tierney joked that security presentations were similar to rollercoaster rides, aimed at scaring the participant. While that didn’t quite bear out, at times the audience’s tour of the complex legal requirements brought to mind the layers of an onion, one after another peeled away until the end result leaves you in tears.

Paul Jeffries, EMEA senior solution architect with HP Services, led the audience through a complex maze: due diligence is the major objective, he said. Governance is the formalised series of methods by which this is achieved and compliance is how organisations measure that governance is being done. He pointed out legislation, such as the Sarbanes-Oxley Act, 2002, “tells you what to do, not how to do it”.

In broad strokes, Sarbanes-Oxley is legislation that requires the management of a business to evaluate the effectiveness of its controls around financial reporting and the disclosure of information. Those controls must be checked against a known standard, Jeffries said. He advised the audience of the need to test themselves at every step and to be able to prove the results, rather than simply reporting on all of this.

“Everyone’s got to deal with compliance in some respects. It’s not just a tick in the box but you have to ask ‘Does it work?’ and ‘Is it right?’ You have to decide what information will be produced to demonstrate compliance.” Making the task more challenging still is the fact that security standards such as ISO 17799 offer managers a catalogue of security controls to choose from, but do not tell them which ones to pick or how to make that choice.

Encouragingly, Jeffries said sound management of the business, based on the principles of these regulations, has the potential to produce cost savings. “Firms that adopt a compliance management architecture will cut their costs by 50pc over the next five years,” he said.

This claim was challenged from the audience and Jeffries admitted the exact savings were hard to prove. But he said complying with good governance can generate operational efficiencies for a business. In an interview afterwards, Tony Redmond, vice-president and CIO of HP Services, echoed this point: “If you have good governance and compliance processes, you’re not going to have to clean up the mess that can be caused by something that goes wrong.”

It’s normally around this point that the IT industry likes to step in with a solution but there are no easy answers for this one. “You can’t buy products that make you compliant,” Jeffries said.

Although regulations such as the Sarbanes-Oxley Act and Basel II, the international banking capital framework often cited alongside it in Europe, are largely financial in nature, their effects will be far reaching and, according to Jeffries, will ultimately percolate down to the level of smaller businesses. “You can’t look at it from the perspective of ‘I’m in Ireland’. You’ve got to do it to be in the club, to do business.”

By Gordon Smith