Half of IT bosses ignore the law

Is ignorance risking business?

By Steve Ranger, 4 May 2005 16:15

NEWS Nearly half of IT executives claim they aren't fully aware of the standards and legal requirements that apply to them.

In a survey of 300 IT decision-makers conducted by the National Computing Centre (NCC), 44 per cent admitted to not being fully aware of IT standards and legal requirements - and 22 per cent admitted to not having any awareness of the issue at all.

Sarbanes-Oxley Act and Financial Services Authority regulations, as well as legislation such as the Data Protection Act, can all have a bearing on the IT department. Other standards such as BS7799 and the e-government interoperability framework can also apply.

Stefan Foster, managing director of NCC, said: "This is an alarming figure, indicating significant lapses in compliance and poor adoption of best practice."

He said that while IT executives might be aware of legislation they might not realise its implications for them. "It's a question of the connection," he said.

"The legal side of the business might pick up on data protection, but does the IT department implement it in the same way?" he added.

This lack of awareness could have a real impact on business, he warned: "Larger corporates will also insist on compliance to standards so as to minimise risk in their supply chains, so non-complying IT functions beware… you could affect the fundamentals of your business."

Clive Davies, IT and outsourcing partner at law firm Olswang, said IT chiefs have a "pivotal" role to play in making sure companies comply with regulation.

IT directors should be involved with the creation and implementation of compliance policy, he said. "It's not primarily down to the IT manager but they have an important role to play."

Comments

There are 9 comments.

  1. Aden Brill

    People don't know because it does not matter - for example, the Sarbanes-Oxley Act is an American act that relates to very few UK companies. Get real......

  2. Ken Thompson

    The world used to rely on common sense laws. Most English law resulted from courts "doing the right thing". Now laws are erratic and contradict natural thought. They seem to exist to fill the pockets of lawyers and accountants. But they are the creators of the laws. Is not that a conflict of interest? Stir up problems and the professionals make money. The layman pays.

  3. Roger Huffadine

    Why worry?
    It will take 30 years for case law to reach a point where IT execs are in fear of prison. Look at the 1973 Health and Safety at Work Act: it took 30 years before executives were routinely prosecuted.

  4. Richard

    Good for Lawyers: Bad for Business.

    The craze for new regulations, "regulators" and quangos has brought very little benefit; except work for Lawyers.

    However, these new regulations do divert businesses from their prime tasks and increase their costs.

    My "advisor" has increased his charges to cover the increased cost of meeting FSA regulations: Higher charges but absolutely no benefit to me.

  5. James Button

    As the data protection registrar doesn't worry about compliance, why should IT managers?

  6. Dick Price

    "Other standards such as BS7799 and the e-government interoperability framework can also apply."

    What a pity that such an important topic manages to side-step and confuse readers about BS7799. It is purely a management standard in the same way that ISO9001 and ISO14001 are - it covers Information Security Management.
    The important thing that would have been helpful would be to explain that BS7799 can be applied to ALL organisations, one of its sections relates to appropriate compliance with relevant laws and regulations, and that certification to the Standard demonstrates that ALL aspects of Information Security are being taken seriously.

  7. Michael Decker

    I read with interest your article about IT executives' awareness of the standards and legal requirements that apply to them. I would drill down even further than simply talking about IT. Forget firewalls and intrusion detection systems - your average everyday email system is increasingly becoming the Achilles Heel for IT managers looking to make their systems more compliant with regulation, and less likely to bring the company name into disrepute.

    This is for several key reasons.

    The current most common single reason for disciplinary action is the sending of unauthorised emails. Most European organisations should retain email as protection against litigation, employment tribunals or regulators such as the FSA, MHRA, etc. However awareness of the legal and regulatory position is patchy at best and many organisations are leaving themselves open to considerable risk. Email usage is nearly universal in business nowadays but if an organisation is not keeping an unimpeachable repository of its communications it will be unable to prove what has happened or find what the organisation has committed to. In addition, according to The Chartered Institute of Personnel and Development (CIPD), disciplinary action for new technology-related offences (email and Internet abuse) now exceeds the combined total for dishonesty, violence, and health and safety breaches. Companies must take a strategic approach to their email management.

  8. anonymous

    Well said Mr Price from Brum. As for those who suggest there is no need to be concerned and imply that regulation has no purpose in IT: shame on you.
    IT are the custodians of our businesses' information. All who work in IT must have a professional approach and recognise their responsibility for protecting the business appropriately; this includes compliance with legal statute! Running a business without adequate control is no longer acceptable. Just ask the shareholders, employees, clients and suppliers of Enron, Andersons (etc.) to work out why!!
    If you really consider yourself an IT Professional, then you need to know about controls and legal responsibilities. Thankfully, I think the real leaders in IT already know this.

  9. Matthew Flynn

    Alternatively you might check out the BCS book 'A Manager's Guide to IT Law'. It costs about as much as saying hello to a lawyer (£25.00) and is a lot more user friendly.

    www.bcs.org/books/ITLaw
