IT legislation guide: bring yourself up to speed with the latest regulatory mandates enterprise IT must comply with.
Electronically stored information (to give it its Federal Rules name) and computer systems shape so much of our lives and our work that IT pervades almost everything we do at a basic level. Economies rely on it; lives rely on it.
These realities have come to the attention of politicians and regulators. When all the legislation pertaining to IT is lumped together, it puts a lot of pressure on enterprise IT functions. Indeed, it is no exaggeration to declare that IT operations are now the single most-regulated part of any organisation, which is ironic considering that IT professionals are not necessarily required to be licensed or certified in order to practise.
'It is not the data that changes, it is the world around it,' says Craig Carpenter at information risk management systems vendor Recommind. 'Some portions of legislation may be different, but all roads lead to IT. The IT function is often held responsible for proving who did what and when: it has to become fluent in e-disclosure.'
As a result of US corporate misgovernance scandals ranging from lost customer data to faked drug test research results, the landslide of legislation and regulation means that businesses must maintain ever more airtight control over their information and IT systems, internally and externally. The Financial Times estimates that the one-off cost of complying with SOX alone for the average large Fortune 1000 US company amounts to $5.1m (£3.4m) for the implementation of a qualifying corporate governance policy, plus a further ongoing average cost of $3.7m (£2.4m) for continuing compliance measures over time.
Data protection and information security risk management have, as a consequence, become top priorities for companies around the world, spawning new information risk governance structures and the emergence of the practice of e-disclosure - something most palpably recognised in South Africa recently. A third report on corporate governance practices compiled by the King Committee in response to the South African Companies Act 71 of 2008 brought IT clearly into the corporate governance arena.
Overall, most legislation that involves e-disclosure requires that consideration be given to the integrity and availability of IT systems, as well as to who has responsibility for them - a matter that becomes more complicated when business or IT functions are outsourced to third parties. It also requires checks and balances to verify the authenticity of system information, and that concerns around unauthorised use, access, disclosure, disruption or changes to the systems or data are adequately addressed.
It's no surprise then that, even against the economic turmoil at the end of 2009, a survey by Ernst & Young of 1,900 senior executives in over 60 countries found that data protection and information security - a prerequisite of many governance and privacy-based regulations - were top priorities. It is not just those IT systems that handle transactional or confidential data: everyday tools like email and instant messaging can come into the scope of compliance.
How to use the E&T IT Legislation Guide
The tables over the following three pages outline laws and regulatory compliances that apply to the IT function in the UK and much of Europe. The IT Legislation Guide also references skills- and policy-oriented industry frameworks and initiatives that, although not necessarily mandated by law, look likely to inspire future legal requirements with respect to specific aspects of the practice and operation of IT; more generalist qualifications, like ICTTech and CITP, are therefore not included this time round. The Guide thus provides an at-a-glance view of the current and prospective IT-specific law load, plus indications of the risks involved in non-compliance, especially for those executives mandated to ensure that compliances are observed and that the requirements of the legislation are maintained. Also appended is a specially devised 'Concern Quotient': this provides a comparative rating of how concerned responsible parties should be about keeping on the straight and narrow.