Security part 1: legislation drives data protection

9 Oct 2003

The world’s experts in IT security from the Pentagon to the vendors of anti-virus software to our local consultants are unanimous on at least one message: systems security is not an IT issue. It is a top-level management issue.

Like any good internal service department, IT carries out its technical functions according to the policies, priorities and budgets it is given by the management of the organisation. The tools, rules and best practice examples are all there to do a first-class job of protecting the organisation’s system from financial or malicious threats. But the same could be said of any function of a business – marketing, after-sales service, physical distribution and so on. What drives success in practice is the priority that management gives to each function – and that can often mean the level of serious thought and care given to strategy, policies and day-to-day procedures just as much as resources.

Put it this way: systems security is always about people and preventing them from doing what you do not wish them to do. That covers system viruses, vandals and similar electro-bugs as well as hackers, crackers and even accidental intruders. But it also and most importantly covers unauthorised access to information, regardless of whether the prying is coming from outside or inside.

Protection against the internet baddies and bandits is relatively easy and there is a plethora of ‘standard’ anti-virus and firewall solutions. But even their success depends in large measure on people following the rules. As for the urban myth that most of the hype about e-security is driven by anti-virus and other software publishers, security consultants and so on, a PricewaterhouseCoopers survey on behalf of the Department of Trade and Industry in the UK last year established that 44pc of British businesses had suffered at least one malicious security breach in the previous year. Ireland’s figures are unlikely to be very different.

By far the greatest range of e-security concerns an organisation’s data, from information that might be of competitive advantage to others to items of more immediate financial value such as authorisation passwords and codes for payments or funds transfer, or the credit card details of your customers. Responsibility starts in the boardroom in management terms and ends up back there in legal terms, as the directors’ duty of care certainly extends to data protection.

“Business will begin to focus on compliance with the data protection regulations and in particular the requirements for security of personal data that a company holds,” explains Patrick Roberts, president of the recently formed Irish Chapter of the Information Systems Security Association, a highly regarded international professional organisation. He says that maintaining levels of control over access to data has in the past been driven mostly by the fear of theft or inappropriate disclosure. “But now the legal sanctions in data protection legislation have made it an imperative that organisations ensure that personal information is appropriately secured at all times. In fact our members are reporting that data protection legislation has begun to drive investment in security products, policies and procedures.”

In fact in some respects information security has now become a hot corporate governance issue, as Roberts also points out: “It would be difficult to ignore the revolution in corporate governance that has occurred worldwide as a result of difficulties at Barings Bank, Enron, WorldCom and some other very big names.

“Developments such as the Turnbull Report in the UK have led to an increased focus on information security as a core component of sound corporate governance. So, although security has traditionally been a function of the IT department, its increased importance as part of internal control systems generally means that the overall responsibility is increasingly moving upwards in the organisation.”

One Irishman with a global view is convinced that most Irish organisations are going to have to work a lot harder at IT security: “How many have ever run any kind of risk exercise? Have they ever drawn up a risk profile?” asks Tony Redmond, vice-president and chief technology officer of HP Services. Newly Dublin-based with a HP-wide role, he points out that internet-based attacks are increasing – and garnering headlines – but that ‘the enemy within’ is potentially even more dangerous. “Who knows your organisation better? Even within the organisation and certainly working with partners it’s the same principle as ‘good fences make good neighbours’. You want everyone to feel valued and trusted but that has to be balanced with the needs of good security practices. That’s fundamentally why security is a human issue and a management issue, not a technological one,” he explains.

On the other hand, IT systems have to become a more automated service infrastructure to handle the day-to-day, second-to-second details of security. “Quite simply we don’t have enough security professionals in the world for detailed oversight, so it has to be automated. Yet there is no substitute for the experience, intuition and judgement of expert people. So we have to develop ever more intelligent and proactive network defences, incorporating as far as we can the diagnostic, almost sensory experience of human expertise in detecting the symptoms of external attacks or inappropriate behaviour. It’s quite a challenge,” Redmond adds.

By Leslie Faughnan