US lawmakers are currently proposing the idea of mandatory IT security audits to force companies to take security seriously, but what's the support like for similar legislation in the UK?

Beale says the current situation is "a bit diffuse", and he would like the government to provide incentives for the development of some clear, universal standards. Future legislation can never be ruled out, but there is a strong argument that it should very much be a last resort given the difficulties of drafting a workable law, he claims.

Liberal Democrat Richard Allan MP says that while company and government services should conduct IT security audits on a regular basis to ensure that they can detect and resolve any weaknesses in their systems, framing legislation in such a rapidly moving area would be difficult.

"There is a risk that an audit imposed by regulation would simply become a check box to tick rather than security being the concern of everyone in an organisation," warns Allan, one of Westminster's most technologically savvy MPs. He wants the issue of IT security to be addressed now rather than waiting for a specific new legal requirement to come into place.

"Rather than bringing in new legislation, it may be more effective to make all company directors aware of the many existing legal responsibilities that mean they must run secure systems. Laws on data protection, financial probity, trading standards, and consumer protection amongst others, as well as commercial requirements under financial and contract law all mean that businesses need to consider the security of their IT," Allan pointed out.

Dan Scobie, head of business solutions at ISP Star Internet, agrees that creating a new law for IT security would be tricky. "The danger is that we'd end up with another Data Protection Act scenario -- with complicated legislation that is very difficult to interpret."
Another hurdle is that the whole process of introducing legislation would take far too long to be practicable, he adds. "You've got to write the legislation, find Parliamentary time and push it through Parliament. Suddenly, you find you've done nothing for five years," he says.
The US approach

The United States has a cybersecurity policy, called the National Strategy to Secure Cyberspace, but critics claim it lacks teeth. Five working parties are working away on white papers at this moment, hoping to deliver recommendations that can be implemented quickly.







