Most Canadian enterprises are familiar with the Sarbanes-Oxley Act, which sets new standards for corporate governance and financial reporting, but an equivalent Canadian bill is getting less attention. This doesn’t mean network managers can afford to ignore the Canadian bill though. In fact, if network managers don’t ensure their security and IT governance practices meet regulations, their companies could find themselves in a lot of trouble.
Ontario Bill 198 passed into law in December 2002, allowing the Ontario Securities Commission and the Canadian Securities Association to pass their own instruments (regulations) that would allow the imposition of penalties and jail time. Instrument OSC/CSA 52-109 (Certification of Disclosure in Companies’ Annual and Interim Filings) was passed in January 2004 and Instrument OCS/CSA 52-111 (Reporting on Internal Control over Financial Reporting) in February 2005. Instrument 52-109 is equivalent to Section 302 of the U.S. Sarbanes-Oxley (Sarbox) Act and 52-111 is equivalent to Sarbox Section 404.
Instrument 52-109 essentially says that companies must be truthful in their financial statements and put in place systems and processes to ensure this. The effective date for this was March 30, 2005.
Instrument 52-111 requires that the CEO and CFO certify they are responsible for having adequate internal controls, using a recognized framework for these, relying on “evidential matter,” that they attest to the effectiveness of their controls (including reporting weaknesses), and have external auditors reporting on all this. The effective date for this instrument is June 30, 2007.
Both of these regulations are applicable to any publicly traded company in Canada, bringing Canadian laws in line with those of the U.S. From a technology perspective, the significant portion of these two regulations is in 52-111, where the concepts of control, governance framework, and “evidential matter” (essentially auditable logs and data collected in a very specific way) are introduced.
The regulation calls for implementing adequate controls in a company by using an accepted IT governance framework. There are three potential frameworks that can meet the level of IT control called for — COSO/COBIT, ITIL (ISO 20000) and ISO 17799. ITIL and ISO 17799 are fairly international in their scope and flavour, while COBIT has been developed in the U.S. and is applicable in Canada.
Here is some background on these frameworks:
ITIL (Information Technology and Infrastructure Library) is closely related to ISO 20000. It was developed by the British government in the mid 1990s to address increased business and government reliance on IT systems. ISO 17799 is also based on a British standard (7799-1), but is aimed at information security specifically, rather than as a generic governance model. As such ISO 17799 is aimed and designed towards protecting the infrastructure from misdeeds rather than governing it.
COBIT is the Control Objectives for Information and related Technology, as developed by the IT Governance Institute and ISACA (Information Systems Audit and Controls Association). All are aimed at implementing best practices around governance and security of IT infrastructure.
One thing common to each of the frameworks is their structured approach to the implementation and management of IT systems like the network, along with the idea of due diligence and due care. This means an organization must be able to show it has not only taken care to provide security around its data and network, but also that it has done so using a best practices model. The new regulations provide an impetus for security by putting in place penalties for failing to adequately protect IT infrastructure.
Changes to network security include understanding what asset is at risk, the value of the asset, what the risk is, and how to protect the asset, reducing the risk in a way that can be verified in an audit. Most companies think of an IT asset as the data on servers and workstations and not the network itself. While most value is in the data, the network does have a role to play.
Implementing good network security practices is part of all the frameworks. This means putting in access control systems, using encryption sensibly, and perhaps linking the network to back-end directory services in order to keep user lists current. In addition to this, many companies would benefit from implementing a good Public Key Infrastructure certificate system, and then combining that with directory services and network access.
Companies also need to put in place processes that regularly review their network. Areas under review should include the number, type and identity of all devices attached to the network. IT departments should regularly review active access control lists (ACLs) on all routers and switches, and check for stale or unknown entries. ACLs should be coordinated between the same types of devices (say, all the routers) and different types of devices (between routers, switches, firewalls, and directory services). Sufficient control must be put in place consisting of strong authentication and tightly controlled authorization for any access to the organization from the Internet to ensure that risks to assets are minimized.
How much is done will depend on the value that a company places on its assets and the level of risk it is comfortable with.
In the past, many companies ignored good security and IT governance practices, particularly when it came to the network. These companies felt that unless the public discovered a problem, they could get by doing the minimum necessary. With the passage of these new laws and regulations, public companies will now need to demonstrate to external auditors that they have taken steps to protect their valuable information in ways that can be verified. In addition, companies will now be forced to disclose the weaknesses in their systems, and presumably rectify any problems identified.
QuickLink: 065511
— Kanellakis has worked at Enterasys Networks and its predecessor Cabletron Systems for almost 15 years. These days he is enjoying spending time with his family and looking for interesting ventures to pursue.
