In the context of the framework, ‘compliance’ is taken to be a measurement of the degree to which security practice in an organisation accords with the documented security requirements and standards.
This definition encompasses the idea that an organisation could be partially compliant, and also the concept that compliance must be against something - an agreed set of procedures or a defined target state of affairs.
Cabinet Office requires UK Government departments to have developed an ISMS demonstrating compliance with ISO/IEC 17799 for all their nominated key information systems.
ISO/IEC 17799 identifies two kinds of compliance:
In practice the applicable legal and regulatory requirements will normally be documented within the security policy; consequently the target for compliance is the agreed security policy. However, this section of the framework is nevertheless based on the ISO/IEC 17799 division.
The achievement of accreditation for a system, and/or ISO/IEC 17799 certification for an organisation, are indications of compliance against the system RMADS and organisation’s ISMS respectively. However, as noted in the introduction to this section, compliance is a matter of degree.
Maintaining accredited status therefore relies very firmly on the process of ongoing risk management, in order to monitor the gap between policy and practice, with an aim of reducing it to zero and maintaining it at that level.
Overview
ISO/IEC 17799 states that:
‘The design, operation, use and management of information systems should comply with all relevant criminal, civil, statutory, regulatory or contractual obligations’
The contractual aspect will depend on individual circumstances and the framework does not address it.
Organisations also need to ensure that changes in legislation and regulations are taken into account for both new and legacy systems. On an ongoing basis, the impact of new or revised legislation and regulations should be identified, together with the action necessary for compliance, and the associated timescales. The Cabinet Office Better Regulation Executive (BRE) can assist in this.
Data Protection Act
The Data Protection Act 1998 deals with personal data, and sets out eight key principles in relation to the processing, storage and dissemination of the data. The Act sets out a subject’s right of access, and provides for certain exemptions. Further advice can be obtained from the Office of the Information Commissioner.
Freedom of Information Act
The Freedom of Information Act 2000 obliges government bodies including Central Government and Local Authorities to provide access to ‘recorded data’ following a valid request. The Act provides for certain exemptions. Advice can be obtained from the Department for Constitutional Affairs (DCA) and the Cabinet Office Security Policy Division (COSPD).
Regulation of Investigatory Powers Act
The Regulation of Investigatory Powers Act 2000 sets out the conditions under which communications can be intercepted by government organisations, in a way which is aligned with the Human Rights Act. Advice can be obtained from the Home Office.
Official Secrets Act
The Official Secrets Act 1989 makes it an offence for a servant of the Crown or a Government contractor to commit unauthorised disclosure of sensitive information passed to them, including in situations where the act was not deliberate but occurred through the failure to apply such care as might reasonably be expected.
Computer Misuse Act
The Computer Misuse Act 1990, inter alia, criminalises the act of attempting to gain unauthorised access to a computer system, including where these are assets provided by an employer.
Copyright Designs and Patents Act
The Copyright Designs and Patents Act 1988 applies to computer software products, and is intended to prevent the unauthorised copying of same. Organisations must therefore monitor their position on software licence agreements in terms of licences deployed and assigned, in order to ensure that software licence agreements are not breached.
Police and Criminal Evidence Act
The Police and Criminal Evidence Act 1984 includes a specific clause setting out the conditions under which computer generated evidence is admissible in court.
It should be noted that compliance with BS7799 does not give legal or regulatory exemption. Organisations should always seek legal advice where there is doubt. The Treasury Solicitors are a useful first point of contact.
Regulatory compliance
Regulatory requirements are usually industry-specific. However, the 2001 Basel II Accord from the Basel Committee on Banking Supervision indicates the likely scope of requirements in most cases.
Basel II is concerned with ensuring a sufficient level of financial provision against risks, and sets out a means of calculating the necessary level of provision. Crucially, the method includes a consideration of operational risk, i.e. the effectiveness of Information Assurance processes and controls within the organisation. For most analysts this embodies the principle that reduced risk leads to a reduced requirement for capital. From an IA point of view it reinforces the statement that IA is an integral part of underlying business operations.
Determining Applicable Legislation
Outline advice on determining applicable legislation is available from the e-Government Security Framework documents, and from IS2.
The recommended best practice is to seek specialist advice in deciding the applicable legislation. This framework identifies candidates for consideration in relation to an organisation’s Information Systems.
‘IT Governance is a prime requirement to ensure compliance with the raft of new legislation that is starting to appear in the wake of well-publicised financial mismanagement of high profile companies. Prime …..is the Sarbanes-Oxley Act. This Act not only changes the financial reporting requirements of organisations covered by the Act, it effectively shifts the balance of power within those organisations; creating a whole new corporate culture and hierarchy.’
As a piece of US legislation, Sarbanes-Oxley does not specifically apply in the UK (although UK companies listed in the US must comply, and UK based auditors of US companies are not completely exempt).
The Turnbull report, while it relates to UK listed companies, nevertheless provides strong recommendations. It sets out a number of key issues relating to the requirement for an internal control structure and procedures for financial reporting.
Organisations should consider adopting the security review model developed by the MoD, which is based on validation, verification and oversight.
Validation is the process of confirming that the implemented controls are appropriate to the risk. Verification confirms that the planned controls have actually been implemented. Oversight confirms that for the organisation as a whole, the security position is acceptable.
In general terms these three processes come down to:
The Official Cabinet Committee on Security is required to present annually to the Prime Minister an audit on the information security of the public sector. CSIA is required to produce a report indicating the status of IA in government departments for the Prime Minister and Senior Officials, in line with the Government Strategy for Information Assurance and in line with Sir Andrew Turnbull’s statement that such a survey should be conducted on an annual basis.
Departments completed an information assurance audit of their key IS systems in 2004, which was based on the IA metrics issued by CSIA. The return gives a snapshot picture of the health of a department’s IA process, and enables changes over time to be measured and assessed for action. Audit of evidence supporting the IA metrics is under consideration by CSIA.
To assist in this process, departmental SIROs are required to undertake an annual assessment of IA in their departments and submit a statement of this to CSIA for key IS. Each department must define its critical IA objectives and provide evidence of compliance to a set of criteria based on ISO/IEC 17799 controls.