ISACA Calls For Annual Reports To Include Security Breach Data

ISACA : 26 July, 2010  (Company News)
Responding to calls for mandatory data breach reporting in the UK, ISACA believes that the reporting should be extended to shareholders and other parties, using financial reports as the communication vehicle.
Reports that a legal expert has called for the mandatory reporting of all data breaches to the UK Information Commissioner's Office (ICO) - in order to bring more clarity to the amount of data being lost and improve efforts to prevent breaches - should be tempered by the reputational risk to the companies concerned, says ISACA, the not-for-profit IT security association.

And it's because of the reputational risk, that the mandatory reporting should be included in the company's regular accounting releases, such as quarterly and annual reports, says the not-for-profit IT security association.

"That way the issue can be given the precedence it requires, but also allowing the company to report the security breaches to all interested parties, namely the shareholders and employees, rather than simply catering to sensationalists and the media generally," said Rolf von Roessing, ISACA's international vice president.

"The idea of mandatory reporting is an excellent one and one that should be embraced, but rather than risking the reputation of a company being pilloried - and perhaps sending its share plummeting as a result of unfettered media reporting - the reporting process should be more measured, and require the 'signing off' of the report by management, in a similar process to Sarbanes-Oxley s302 disclosure reporting in the US," he added.

According to von Roessing, whose IT security association now has in excess of 80,000 members worldwide, the fact that someone of the stature of a partner with Field Fisher Waterhouse is saying that mandatory reporting is now necessary to stop companies from attempting to bury their bad news indicates the strength of business feeling about the issue of reporting security breaches.

However, he says, whilst the public has a legitimate interest in learning about security breaches, it is important to look at the bigger picture, that of the real public interest in a company being seen to learn from its mistakes and allowing management to recover a situation, rather than subjecting the company to a public witch hunt which benefits no-one in the longer term.

With its global membership of IT security professionals, von Roessing says that ISACA has been watching with great interest how the various countries of the world are developing their security best practices and governance legislation.

According to the ISACA international vice president, the UK is relatively unique in having increased its maximum penalty for a serious breach of its data protection legislation to half a million pounds, yet has not imposed anywhere near that sort of fine on any organisation so far.

Obviously, he says, the fear of being the first company to be hit by a hefty fine - and the attendant publicity surrounding that fine - is almost certainly what is helping to ensure that many IT departments are keeping up with the latest in information security and protection, but threats are neither enough nor appropriate to improve information security in the longer term.

This is, he explained, a great 'stick' to threaten IT staff with for the time being, but it is very questionable how long the threat on its own will be sufficient, or whether a 'stick' approach is indeed the best one for the industry as a whole. Inevitably, information security breaches cause major damage, and many organisations need help rather than punishment.

In the longer term, he went on to say, there is a definite need for an educational stance and new approaches such as ISACA's Business Model for Information Security (BMIS) to be adopted by security regulatory authorities such as the ICO, and this is where mandatory reporting in a controlled manner makes a lot of sense, since it considerably levels the playing field.

ISACA's BMIS, says von Roessing, is already being adopted by a number of UK organisations, which are embracing the concept of taking a holistic approach to IT security, rather than the piecemeal, fear-driven approach that appears to be the case at the moment.

"Our observations suggest that there are very few organisations whose management are suppressing the fact that they have had a data breach and where it would be in the public interest to make that breach public knowledge. Taking a measured and holistic approach to the problem - embracing ISACA's BMIS model - allows for the statutory reporting of IT security incidents, but as part of a regular reporting process, as is the case with quarterly and annual financials," he said.

"If a holistic approach to the issue of security breaches is taken, then it sets the scene for organisations to adopt a more open and pragmatic approach to an IT security incident, and for management to report relevant problems in a timely and controlled manner. This avoids any harm to the organisation's reputation and, where appropriate, share price, and is in the longer term public interest," he added.