IISP NW branch meeting 15 nov 2012 security through governance, compliance…
1. What's on your E RADAR?
IT Governance, Security and Risk across the online economy
Will Roebuck
Founder and CEO
E RADAR | Smarter business online
2. Why is IT governance important?
● It costs jobs and affects livelihoods without it
● Safeguard competitive and collaborative advantage
● Corporate reputation
● (Public) procurement requirements
● Officer (director) liability
● Meet fiscal, legal and regulatory requirements
● Provide minimum standards of best practice
3. Online in 2012 – 15 years of strengths
● Speed and convenience of business transactions
● Cost and inventory control
● Global presence and market opportunity
● Better customer service
● Competitive and collaborative advantage
● Research and innovation
● Social revolution (accessibility and connecting people)
4. Online in 2012 – 15 years of weaknesses
● Pace of change v legacy technologies
● e.g. Royal Bank of Scotland, NHS IT Infrastructure
● Conflict of laws and regulations
● Whose law applies?
● Common law v statute
● Workplace social networking v time-management
● Increased globalisation = domino effect (e.g. Enron)
● Take up of network and information security
● Beware of imitations...
6. Online in 2012 – 15 years of opportunity
● 2,405,510,036 online June 2012 (34.3% world population)*
● E-commerce sales represents 16.9 per cent of total sales
● Website sales represented 4.2 per cent of total sales
● 78.7 per cent of businesses had a website
● 51.9 per cent of businesses had mobile broadband using 3G
● 86.5 per cent of businesses used the Internet to interact with public authorities.
* Internet World Stats http://www.internetworldstats.com/stats.htm
7. Online in 2012 – 15 years of threats
● Society, business and government
● Financial fraud
● Children and citizens e.g. harassment, bullying...
● Theft – identity, data, intellectual property
● International terrorism
● UK Cyber Crime Strategy (Nov 2011)
● Cost to UK economy
● Cyber crime - £27 billion per year?
● Welfare/tax fraud - £200/£300 per citizen per year
8. Online business environment
● Supply and demand
● Goods, services, digital downloads, financial instruments
● The 'bottom line'
● Encouraged by
● Competition, enterprise and innovation
● Supported by
● People, processes, technology, and information
● Laws, regulations, standards and best practice
9. What does this all mean?
● Balance supply and demand against risk
● Deploy resources carefully
● Smarter business management
● Identify, develop and use 'the right' people skills
● Re-engineer business processes
● Invest in enabling technology
● Provide good laws and regulations
● Responsive legal environment
10. IT challenges over next decade
● Cloud computing
● More online applications
● Just require connectivity; transparent licensing
● Social networks and software
● Engage with partners and customers; find out their interests
● Document management and collaboration
● Organise resources centrally – audit trails
● CRM 2.0
● Internet capabilities to manage customers, incl loyalty
11. IT challenges over next decade
● Unified communications
● Connecting to the right people
● Web 3.0 – semantic web
● Intelligent applications
● Business intelligence
● Improving insights to employees... professional networks
● Virtualisation – Green IT
● Physical to virtual servers, saving energy and reducing carbon footprint
● Enterprise mobility
● Applications accessible from mobile devices
12. Why governance and compliance?
● Customer trust and confidence
● Business protection e.g. evidential trail
● Sector requirements
● Reduced insurance premiums
● Corporate reputation
● Director and vicarious liability
● 'The regulatory stick'
● Secure transactions
13. Challenges and issues
● Corporate
● Vicarious and director liability
● Duty of care towards employee
● Prevent improper and illegal activity over systems /networks
● Personal
● Directors failing to undertake duties implied by law or as additional duties in their contract
14. Challenges and issues
● Contractual
● Prove existence of agreement in a disagreement with a customer
● Defend an action for unfair dismissal before an employment tribunal
● Legal
● Prove an intellectual property right or invention
15. Challenges and issues
● Regulatory
● Registering, reporting, retaining and disposal of records
– Annual returns
– Invoicing and VAT
– Health and Safety
– Personnel records
● Data Protection
● Consumer Protection
● Security of systems and networks... and information
16. Digital evidence and admissibility
● Evidence is the way that a fact is proved or disproved in a court, tribunal or disciplinary hearing.
● Oral, real (primary or secondary) or hearsay (less reliable)
– Primary = e.g. signed original contract
– Secondary = e.g. unsigned draft of the contract
● Burden of proof
● Civil cases = with plaintiff and 'balance of probabilities'
● Criminal cases = with prosecution and 'beyond reasonable doubt'
17. Digital evidence and admissibility
● Evidence in electronic format is admissible
● Electronic Communications Act 2000
● Civil Evidence Act / Youth Justice and Criminal Evidence Act
● May be legally acceptable but may not be admissible.
● Admissible document must be sufficiently relevant
● Court must decide and may give different weight to primary or secondary evidence
● British Standards Code for Legal Admissibility and Evidential Weight of Information Stored Electronically.
18. Misuse of devices
● Abuse and misuse (Illegal, illicit or wrong)
● Defamatory remarks
● Breach of confidentiality
● Using and abusing copyright without permission
● Negligence in sending viruses to other business
● Sexual or racial harassment
● Criminal Offences
● e.g. downloading child pornography
● Other illegal images
19. Monitoring communications
● Right to privacy – even at work
● Regulation of Investigatory Powers Act 2000
● Lawful Business Practice Regulations 2000
● Inform monitoring for lawful business purposes
● Quality, training and security
● How do you 'monitor' remote workers?
● Blanket monitoring of employees not acceptable
● Must be justified
● Other alternatives?
20. Data protection
● 8 data protection principles
● Principle 7 – adequate security measures
● Principle 8 – international transfers
● Cloud computing
● Where is personal data
● Information Commissioner's Guidance
● Sensitive personal data
● Encryption
21. Retention, deletion and retrieval
● Organisations must have evidence to rely upon it!
● Information management policy covering
● Retention, access and exchange (including security),
deletion and retrieval
● Why a policy?
● Business (cost, time and risk management)
● Legal (e.g. accounting records = 6 years, criminal penalties)
● Regulatory (FSA Rules, Food Standards etc)
22. About E RADAR
● Championing enterprise and the online economy
● Focus on public policy, governance, compliance and risk
● Pre-legislation and post legislation
● IT and online contracting
● Free-to-use forums
● Monitoring and scrutiny
● Thought-leadership and best practice
● Knowledge Xchange
● Social network
23. Back to you... and 2012
● A turning point?
● Global recession with Euro under threat
● £1 trillion UK government borrowing
● 60% EU cross-border e-commerce transactions fail
● Public sector cuts and increasing unemployment
● European Digital Single Market – working or not?
“We need visionaries, innovators and entrepreneurs to recognise the opportunities and walk through the door...”
24. “The best way to predict the future is to create it!”