Andy Jones of the Information Security Forum assesses the hidden costs of compliance.

'Are they in the prisoner's handwriting?' asked another of the jurymen.

'No, they're not,' said the White Rabbit, 'and that's the queerest thing about it.' (The jury all looked puzzled.) 'He must have imitated somebody else's hand,' said the King. (The jury all brightened up again.)

'Please your Majesty,' said the Knave, 'I didn't write it, and they can't prove I did: there's no name signed at the end.'

'If you didn't sign it,' said the King, 'that only makes the matter worse. You MUST have meant some mischief, or else you'd have signed your name like an honest man.'

There was a general clapping of hands at this: it was the first really clever thing the King had said that day.

The King, in Alice in Wonderland, encapsulates the dilemma that legal and regulatory compliance requirements can generate. To fail to comply must imply that there is something to hide, and so compliance becomes a must-do task, irrespective of the cost of doing so.

Many compliance costs are visible – for example the costs of implementing controls to become compliant – but many are not. These hidden costs of compliance can be significant and, unless they are carefully managed, add considerably to the overall true cost of compliance.

This article, based on research performed by the Information Security Forum, describes some of the hidden compliance tasks that can generate the hidden costs of compliance.

Identifying compliance legislation and regulation

'Well, I shan't go, at any rate,' said Alice: 'besides, that's not a regular rule: you invented it just now.'

'It's the oldest rule in the book,' said the King.

'Then it ought to be Number One,' said Alice.

For many organisations there is an increasing amount of legislation and regulation that simply requires that you comply with its provisions. Even identifying what legislation and regulation an organisation needs to comply with can be a significant task, especially for organisations that operate on an international scale.

Some legislation and regulation is relatively well-known, such as the Sarbanes-Oxley Act 2002 (SOX) or Money Laundering regulations; some may be sector-specific, such as the Gramm-Leach-Bliley Act 1999; and some may simply be unfamiliar, such as the Telecommunications Regulations of the People's Republic of China 2000.

However, identifying relevant legislation and regulation is only the first step toward compliance. Once identified, these laws and regulations have to be transposed into tangible and testable controls.

Laws are often written by lawyers for other lawyers and may not provide definitive guidance as to what organisations have to do, at a practical level, to become compliant with a particular law. Additionally, some laws need to be interpreted in the context of each individual organisation.

SOX is such an example, making it very difficult to identify a generic solution that can be adopted to become compliant. The task of identifying and interpreting legislation and regulation is a highly skilled and, consequently, costly exercise.

The task requires input from legal teams to help identify and advise on laws; from information security specialists to translate the legal requirements into tangible controls; and from audit teams to be able to demonstrate compliance.

All this investment needs to be made before the very first control that will help to achieve compliance is implemented. And this investment constitutes the first hidden cost of compliance.

Producing the evidence

'It proves nothing of the sort!' said Alice. 'Why, you don't even know what they're about!'

Many compliance-related laws and regulations, including SOX, require that compliance is auditable and testable by an independent third party. To prove compliance, organisations will need to provide evidence that appropriate controls are in place – and work.

In practice, the requirement to provide tangible evidence of control testing means that retention of testing records, often for substantial periods of time, can be an important and costly element of achieving compliance.

Record retention, particularly for a large organisation, is typically achieved through a technical record management solution, supported by business processes.

These solutions can be significant investments and, as they are expected to retain records for a substantial number of years, can have high lifetime costs associated with the related technology becoming obsolete over time.

Nevertheless, as compliance-related legislation and regulation requires good record management discipline, the investment in a technical record management solution is increasingly becoming a prerequisite of achieving compliance.

The implementation of a technical record management solution to manage evidence of compliance constitutes the second hidden cost of compliance.

Monitoring compliance

'Stolen!' the King exclaimed, turning to the jury, who instantly made a memorandum of the fact.

Whereas audits are very often seen as one-off annual events, compliance-related legislation and regulation can also contain requirements for ongoing and real-time monitoring of the level of compliance.

For example, Section 302 of the Sarbanes-Oxley Act 2002 states that a disclosure must be made of 'any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls'.

Of course, SOX doesn't require the prevention of fraud, just the reporting of it, but it does implicitly require that detection mechanisms and systems are in place.

The requirement for ongoing monitoring and detection of the level of compliance can also be found in money-laundering legislation and can require significant investment in systems and processes to identify fraudulent, suspicious or criminal activity, irrespective of the risk posed by such fraudulent activities.

The investment in systems and processes to provide ongoing and real-time monitoring and reporting of the level of compliance is the third hidden cost of compliance.

Dealing with myths and legends

When I used to read fairy-tales, I fancied that kind of thing never happened, and now here I am in the middle of one!

As the volume of compliance-related legislation and regulation has increased, so have the number of products and services that have been given a 'compliance makeover'. Record management systems are now marketed as SOX-ready; identity management systems are positioned as key to achieving compliance, and even fax servers promise to help.

Whilst much of this is true (to a point), achieving compliance is more than just buying an off-the-shelf product. In the midst of this marketing fury, some myths and legends seem to have arisen as to what is 'in scope' for particular compliance-related legislation and regulation.

As an example, the requirement for good disaster recovery facilities is often associated with achieving compliance with SOX and a number of organisations have invested in disaster recovery measures on that basis.

However, the legislation has no explicit requirements for disaster recovery – it doesn't care if your organisation goes under, so long as it is reported correctly.

The danger is then that investment is made in products and services that have only a secondary relationship with the compliance goal, and these myths and legends make up the fourth hidden cost of compliance.

Summary

As the King in Alice in Wonderland suggests, compliance should be viewed as a must-do task and increasing amounts of compliance-related legislation and regulation are resulting in significant expenditure in controls and processes to satisfy compliance requirements.

The cost of compliance is, however, much more than just the cost of applying controls and processes. Hidden costs, such as those described above, may prove to be significant and by stretching budgets and resources, can put a compliance programme at risk.

To understand the full and true cost of compliance, organisations need to identify and understand the cost of all of these hidden tasks and rabbit-holes that can, as happened to Alice, trap the unwary.

Based on research and questionnaires returned by many of its 280+ international members, the Information Security Forum has produced a series of reports on the implications of compliance-based legislation for information security, which are available to members. Analysis of this information forms the basis for this article.

www.securityforum.org

Extracts are from Alice in Wonderland by Lewis Carroll.