IISP NW branch meeting, 15 Nov 2012: security through governance, compliance…

What's on your E RADAR?
IT Governance, Security and Risk across the online economy
Will Roebuck, Founder and CEO, E RADAR | Smarter business online
Why is IT governance important?
● Without it, jobs are lost and livelihoods affected
● Safeguard competitive and collaborative advantage
  ● Corporate reputation
  ● (Public) procurement requirements
  ● Officer (director) liability
● Meet fiscal, legal and regulatory requirements
● Provide minimum standards of best practice
Online in 2012 – 15 years of strengths
● Speed and convenience of business transactions
● Cost and inventory control
● Global presence and market opportunity
● Better customer service
● Competitive and collaborative advantage
● Research and innovation
● Social revolution (accessibility and connecting people)
Online in 2012 – 15 years of weaknesses
● Pace of change v legacy technologies
  ● e.g. Royal Bank of Scotland, NHS IT infrastructure
● Conflict of laws and regulations
  ● Whose law applies?
  ● Common law v statute
● Workplace social networking v time management
● Increased globalisation = domino effect (e.g. Enron)
● Take-up of network and information security
● Beware of imitations...
Online in 2012 – 15 years of opportunity
● 2,405,510,036 people online in June 2012 (34.3% of world population)*
● E-commerce sales represented 16.9 per cent of total sales
● Website sales represented 4.2 per cent of total sales
● 78.7 per cent of businesses had a website
● 51.9 per cent of businesses had mobile broadband using 3G
● 86.5 per cent of businesses used the Internet to interact with public authorities
* Internet World Stats, http://www.internetworldstats.com/stats.htm
Online in 2012 – 15 years of threats
● Society, business and government
  ● Financial fraud
  ● Children and citizens, e.g. harassment, bullying...
  ● Theft – identity, data, intellectual property
  ● International terrorism
● UK Cyber Crime Strategy (Nov 2011)
● Cost to UK economy
  ● Cyber crime – £27 billion per year?
  ● Welfare/tax fraud – £200/£300 per citizen per year
Online business environment
● Supply and demand
  ● Goods, services, digital downloads, financial instruments
  ● The bottom line
● Encouraged by
  ● Competition, enterprise and innovation
● Supported by
  ● People, processes, technology and information
  ● Laws, regulations, standards and best practice
What does this all mean?
● Balance supply and demand against risk
● Deploy resources carefully
● Smarter business management
  ● Identify, develop and use the right people skills
  ● Re-engineer business processes
  ● Invest in enabling technology
● Provide good laws and regulations
  ● Responsive legal environment
IT challenges over the next decade
● Cloud computing
● More online applications
  ● Just require connectivity; transparent licensing
● Social networks and software
  ● Engage with partners and customers; find out their interests
● Document management and collaboration
  ● Organise resources centrally – audit trails
● CRM 2.0
  ● Internet capabilities to manage customers, incl. loyalty
IT challenges over the next decade
● Unified communications
  ● Connecting to the right people
● Web 3.0 – semantic web
  ● Intelligent applications
● Business intelligence
  ● Improving insights for employees... professional networks
● Virtualisation – Green IT
  ● Physical to virtual servers, saving energy and carbon footprint
● Enterprise mobility
  ● Applications accessible from mobile devices
Why governance and compliance?
● Customer trust and confidence
● Business protection, e.g. evidential trail
● Sector requirements
● Reduced insurance premiums
● Corporate reputation
● Director and vicarious liability
● The regulatory stick
● Secure transactions
Challenges and issues
● Corporate
  ● Vicarious and director liability
  ● Duty of care towards employees
  ● Prevent improper and illegal activity over systems/networks
● Personal
  ● Directors failing to undertake duties implied by law or as additional duties in their contract
Challenges and issues
● Contractual
  ● Prove the existence of an agreement in a dispute with a customer
  ● Defend an action for unfair dismissal before an employment tribunal
● Legal
  ● Prove an intellectual property right or invention
Challenges and issues
● Regulatory
  ● Registering, reporting, retaining and disposal of records
    – Annual returns
    – Invoicing and VAT
    – Health and Safety
    – Personnel records
  ● Data Protection
  ● Consumer Protection
● Security of systems and networks... and information
Digital evidence and admissibility
● Evidence is
  ● the way that a fact is proved or disproved in a court, tribunal or disciplinary hearing
  ● Oral, real (primary or secondary) or hearsay (less reliable)
    – Primary = e.g. signed original contract
    – Secondary = e.g. unsigned draft of the contract
● Burden of proof
  ● Civil cases = with the plaintiff, on the balance of probabilities
  ● Criminal cases = with the prosecution, beyond reasonable doubt
Digital evidence and admissibility
● Evidence in electronic format is admissible
  ● Electronic Communications Act 2000
  ● Civil Evidence Act / Youth Justice and Criminal Evidence Act
● May be legally acceptable but may not be admissible
● An admissible document must be sufficiently relevant
● The court must decide, and may give different weight to primary or secondary evidence
● British Standards Code for Legal Admissibility and Evidential Weight of Information Stored Electronically
Misuse of devices
● Abuse and misuse (illegal, illicit or wrong)
  ● Defamatory remarks
  ● Breach of confidentiality
  ● Using and abusing copyright without permission
  ● Negligence in sending viruses to other businesses
  ● Sexual or racial harassment
● Criminal offences
  ● e.g. downloading child pornography
  ● Other illegal images
Monitoring communications
● Right to privacy – even at work
● Regulation of Investigatory Powers Act 2000
● Lawful Business Practice Regulations 2000
  ● Inform users of monitoring for lawful business purposes
  ● Quality, training and security
● How do you monitor remote workers?
  ● Blanket monitoring of employees is not acceptable
  ● Must be justified
  ● Other alternatives?
Data protection
● 8 data protection principles
● Principle 7 – adequate security measures
● Principle 8 – international transfers
  ● Cloud computing
  ● Where is the personal data?
  ● Information Commissioner's Guidance
● Sensitive personal data
  ● Encryption
Retention, deletion and retrieval
● Organisations must retain evidence in order to rely upon it!
● Information management policy covering
  ● Retention, access and exchange (including security), deletion and retrieval
● Why a policy?
  ● Business (cost, time and risk management)
  ● Legal (e.g. accounting records = 6 years, criminal penalties)
  ● Regulatory (FSA Rules, Food Standards etc.)
About E RADAR
● Championing enterprise and the online economy
● Focus on public policy, governance, compliance and risk
  ● Pre-legislation and post-legislation
  ● IT and online contracting
● Free-to-use forums
  ● Monitoring and scrutiny
  ● Thought-leadership and best practice
  ● Knowledge Xchange
● Social network
Back to you... and 2012
● A turning point?
  ● Global recession with the Euro under threat
  ● £1 trillion UK government borrowing
  ● 60% of EU cross-border e-commerce transactions fail
  ● Public sector cuts and increasing unemployment
  ● European Digital Single Market – working or not?

“We need visionaries, innovators and entrepreneurs to recognise the opportunities and walk through the door...”

“The best way to predict the future is to create it!”