US lawmakers are currently proposing mandatory IT security audits to force companies to take security seriously, but what is the support like for similar legislation in the UK? In the meantime, existing scrutiny procedures have a role to play, according to Brice Clark, worldwide director of strategy and business planning for HP's ProCurve networking business. He recently met a senior executive from a company that failed a general audit, because the auditors were able to get into the boardroom, plug a laptop into a wide-open Ethernet network and crash the company's IT system. "The potential for abuse in this way is enormous, because so many companies do the same thing. Frankly, I'm amazed the problem isn't worse," Clark says. He doesn't personally believe, though, that legislation is the answer, favouring the education route instead.
The value of an audit

An audit of a company's accounts seeks to confirm that they are a true and accurate representation of the company's financial state of affairs. It doesn't make any comment on whether this is a good or bad state of affairs to be in -- that responsibility lies with the shareholders. In the same way, an IT security audit that merely stated that a firm was running antivirus software, without checking that the latest patches were installed, would be of little value.

An annual IT security audit might also tempt companies to ignore such matters for the rest of the year. "It could lead to an attitude within enterprises that sees annual audits as discharging the responsibility for security or supplanting more stringent safeguards already in place in an enterprise, and so ending up making matters worse," claims Manek Dubash, director of analyst group Webster Buchanan Research. "As ever, governments need to think through fully the real world consequences before moving to legislate, and consider whether they've picked the right tool for the job," he adds.

With the Home Office insisting that mandatory security audits aren't under consideration in the UK, Britain's business community has an opportunity to up its game away from the glare of the spotlight. It's an opportunity it would do well to seize, as it might take just one devastating virus or hacker attack to prompt calls for new legislation. "If people can't work together and achieve some commonality, the danger is that government will decide to impose some level of audit," Beale predicts.

And once the internal details of your firm have been taken down, who knows where that evidence might end up. "One potential medium-term outcome of the US proposal is that a successor government might insist on the results of security audits being lodged with a governmental agency under the guise, for example, of aiding the so-called 'war against terrorism'," warns Dubash.