Thursday, May 04, 2006

Bill 198 and Network Security

Most Canadian enterprises are familiar with the U.S. Sarbanes-Oxley Act, which set new standards for corporate governance and financial reporting, but the equivalent Canadian legislation is getting far less attention. That does not mean network managers can afford to ignore it. If they do not ensure that their security and IT governance practices meet the new regulations, their companies could find themselves in serious trouble.

Ontario Bill 198 received Royal Assent in December 2002, giving the Ontario Securities Commission (OSC) and the Canadian Securities Administrators (CSA) the authority to issue their own instruments (regulations) backed by penalties and jail time. Instrument 52-109 (Certification of Disclosure in Issuers' Annual and Interim Filings) was issued in January 2004, and Instrument 52-111 (Reporting on Internal Control over Financial Reporting) was published as a proposal in February 2005. Instrument 52-109 is the counterpart of section 302 of the US Sarbanes-Oxley (SOX) Act, and 52-111 is the counterpart of SOX section 404.

Instrument 52-109 essentially says that companies must be truthful in their financial statements and must put in place the systems and processes (disclosure controls and procedures) needed to ensure this. The effective date for full certification under it was March 30th, 2005.

Proposed Instrument 52-111 would require the CEO and CFO to certify that they are responsible for maintaining adequate internal controls over financial reporting, that those controls are built on a recognized control framework, that their assessment rests on "evidential matter", that they attest to the effectiveness of the controls (including reporting any material weaknesses), and that external auditors report on all of this. The proposed effective date for this instrument is June 30th, 2007.

Both regulations apply to any publicly traded company in Canada, bringing Canadian requirements in line with those of the US. From a technology perspective the significant part is 52-111, which introduces the concepts of control, governance framework, and "evidential matter" (essentially auditable logs and records, collected and retained in a defined and repeatable way so that an auditor can rely on them).

The regulation calls for implementing adequate controls by using an accepted control framework. Three frameworks are commonly put forward as meeting the level of IT control called for: COSO with COBIT as its IT component, ITIL (the basis of ISO 20000) and ISO 17799. ITIL and ISO 17799 are international in scope and flavour, while COBIT was developed in the US by ISACA and is equally applicable in Canada.

Here is some background on these frameworks.

ITIL® (Information Technology Infrastructure Library) is closely related to ISO 20000, the service management standard derived from it. It was developed by the British government in the late 1980s to address the growing reliance of business and government on IT systems. ISO 17799 is also based on a British standard (BS 7799-1), but is aimed at information security specifically rather than at governance in general; it is designed to protect the infrastructure from misuse rather than to govern it. COBIT® (Control Objectives for Information and related Technology) was developed by ISACA (the Information Systems Audit and Control Association) and the IT Governance Institute. ITIL and the BS 7799 standard behind ISO 17799 both predate the first release of COBIT, but all three are equally relevant to these regulations, and all are aimed at implementing best practices around the governance and security of IT infrastructure.

One thing common to all of these frameworks is a structured approach to implementing and managing IT systems such as the network, together with the ideas of due diligence and due care. This means an organization must be able to show not only that it has taken care to secure its data and network, but that it has done so by following a recognized best-practice model. The new regulations provide an impetus for security by attaching penalties to the failure to protect IT infrastructure adequately.

Bringing the network into scope means understanding which assets are at risk, what each asset is worth, what the risk to it is, and how to protect it, and then reducing that risk in a way that can be verified in an audit. Most companies think of an IT asset as the data on servers and workstations rather than the network itself. While most of the value is in the data, the network carries that data and controls who can reach it, so it has a role to play.

Implementing good network security practices is part of every one of these frameworks. This means putting access control systems in place, using encryption sensibly, and, where possible, linking network access to back-end directory services so that user lists stay current and a departed user loses network access at the same time as everything else. Many companies would also benefit from a properly run Public Key Infrastructure (PKI) for certificates, combined with directory services and network access control.

Companies also need processes that review the network regularly. The review should cover the number, type and identity of all devices attached to the network. IT departments should regularly review the active access control lists (ACLs) on all routers and switches and check them for stale or unknown entries. ACLs should be kept consistent both between devices of the same type (say, all the routers) and between different types of devices (say, routers, switches, firewalls and directory services), so that what one device permits is not silently contradicted by another. Any access to the organization from the Internet must be covered by strong authentication and tightly controlled authorization so that the risk to assets is minimized.
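The ACL review described above is the kind of check that lends itself to scripting, and scripted output is also the sort of "evidential matter" an auditor can re-run. The following is an added example, not code from the original post: it parses a simplified subset of Cisco-style `access-list` lines from two constructed router configurations, checks every referenced host against a constructed asset inventory (flagging hosts that are unknown or recorded as decommissioned), and reports rules that appear on one device of a type but not the others. The device names, addresses and inventory entries are all made up for illustration; a real run would pull the configs from the devices and the inventory from the CMDB or directory.

```python
"""Reconcile router ACLs against an asset inventory and against each other.

Added example (not from the original post). All configs and inventory
entries are constructed sample data; the access-list syntax handled is a
simplified Cisco-style subset, not a full parser.
"""
import ipaddress
import re

# Constructed inventory: address -> (hostname, status). In practice this
# would come from the CMDB or the directory service.
INVENTORY = {
    "10.0.1.5": ("web01", "active"),
    "10.0.1.6": ("web02", "active"),
    "10.0.2.10": ("db01", "active"),
    "10.0.9.44": ("legacy-ftp", "decommissioned"),
}

# Constructed configs for two core routers that should carry the same ACL.
#   access-list <id> <permit|deny> <proto> <any|host A> <any|host B> [eq <port>]
CONFIGS = {
    "rtr-core-1": """
access-list 101 permit tcp host 10.0.1.5 host 10.0.2.10 eq 5432
access-list 101 permit tcp host 10.0.1.6 host 10.0.2.10 eq 5432
access-list 101 permit tcp host 10.0.9.44 host 10.0.2.10 eq 21
access-list 101 deny ip any any
""",
    "rtr-core-2": """
access-list 101 permit tcp host 10.0.1.5 host 10.0.2.10 eq 5432
access-list 101 permit tcp host 10.0.7.200 host 10.0.2.10 eq 5432
access-list 101 deny ip any any
""",
}

ACL_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)(?:\s+eq\s+(?P<port>\S+))?$"
)


def parse_acl(config):
    """Return a list of (acl, action, proto, src, dst, port) tuples.

    src/dst are 'any' or a host address string; port is 'any' when absent.
    Unrecognised lines raise, so a syntax the script does not understand is
    never silently skipped during a review.
    """
    rules = []
    for line in config.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ACL_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        src = "any" if m["src"] == "any" else m["src"].split()[1]
        dst = "any" if m["dst"] == "any" else m["dst"].split()[1]
        rules.append((m["acl"], m["action"], m["proto"], src, dst, m["port"] or "any"))
    return rules


def classify_address(addr, inventory):
    """'ok', 'unknown' (not in inventory) or 'stale' (decommissioned host)."""
    if addr == "any":
        return "ok"
    ipaddress.ip_address(addr)  # raises on a malformed address
    entry = inventory.get(addr)
    if entry is None:
        return "unknown"
    return "stale" if entry[1] == "decommissioned" else "ok"


def review_device(device, config, inventory):
    """Findings as (device, acl, verdict, src|dst, address) tuples."""
    findings = []
    for acl, _action, _proto, src, dst, _port in parse_acl(config):
        for role, addr in (("src", src), ("dst", dst)):
            verdict = classify_address(addr, inventory)
            if verdict != "ok":
                findings.append((device, acl, verdict, role, addr))
    return findings


def review_all(configs, inventory):
    findings = []
    for device, config in configs.items():
        findings.extend(review_device(device, config, inventory))
    return findings


def compare_devices(configs):
    """Rules present on some but not all devices, with the devices that have them."""
    rule_sets = {dev: set(parse_acl(cfg)) for dev, cfg in configs.items()}
    all_rules = set().union(*rule_sets.values())
    return [
        (rule, sorted(dev for dev, rs in rule_sets.items() if rule in rs))
        for rule in sorted(all_rules)
        if not all(rule in rs for rs in rule_sets.values())
    ]


if __name__ == "__main__":
    for finding in review_all(CONFIGS, INVENTORY):
        print("host check:", finding)
    for rule, devices in compare_devices(CONFIGS):
        print("inconsistent:", " ".join(rule), "only on", devices)
```

Run against the constructed data, the host check reports the decommissioned `legacy-ftp` entry still permitted on rtr-core-1 and an address on rtr-core-2 that the inventory knows nothing about, and the cross-device comparison shows that only the `10.0.1.5` rule and the final deny are actually common to both routers. Keeping the parser strict (unknown syntax raises rather than being skipped) matters for audit purposes: a review that silently ignores lines it does not understand cannot claim to have covered the whole ACL.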

How much is done depends on the value a company places on its assets and the level of risk it is comfortable with. The new regulations have effectively raised that asset value, because companies and individuals who cannot demonstrate how they protect their data and comply with the regulations now face penalties.

In the past many companies ignored good security and IT governance practices, particularly where the network was concerned. They felt that unless the public discovered a problem, they could get by doing the minimum necessary to keep systems running. With the passage of these laws and regulations, public companies will now need to demonstrate to external auditors, in ways that can be verified, that they have taken steps to protect their valuable information. They will also be forced to disclose weaknesses in their controls, and presumably to rectify the problems identified. Companies must address the holes in their network security and governance now, or face the consequences once the instruments become enforceable.
