ZDNet UK - News - UK cold on mandatory security audits:
December 08, 2003, 18:05 GMT
Government and businesses agree that British companies should not be forced to conduct an audit of their IT security each year
Companies, politicians and analysts are united in their belief that the introduction of compulsory IT security audits in the UK would not be a welcome development.
There is little support for a British version of the Corporate Information Security Accountability Act -- a piece of legislation under scrutiny in America that would force publicly traded US corporations to certify that they have conducted a computer security audit each year.
The UK government says that it is concentrating its efforts on protecting the nation's critical national infrastructure -- telecoms, water, energy and public services -- and that other companies must take responsibility for their own IT security. But Jeremy Beale, head of e-business at the Confederation of British Industry (CBI), believes that the vast majority of medium-sized and small businesses don't have the in-house technical expertise to make themselves secure and to engage with suppliers. 'These small firms will be part of a supply chain with larger companies, and the security and robustness of a supply chain is only as strong as its weakest link,' Beale told ZDNet UK. Despite this knock-on effect, the CBI says it doesn't support the introduction of compulsory IT audits because suitable standards aren't yet in place.
And many other experts claim that making firms vouch for the security of their networks and systems annually would actually encourage them to neglect the issue for the rest of the year."
We predict that even though the US government requires this for it's own agencies a.k.a. (FISMA) that corporate will have time to get it's own act together. Uncle Sam will not mandate this either for some time to come. What will be more of interest is how many public traded companies provide evidence in it's reports about the results of the latest security audit. Not only as a gesture of good corporate governance but also as a clear market differentiator. Where will you keep your bank account or personal health records information? With the company that gets an "A" or an "F" for their latest audit report card?