- Email: [email protected]
UK MPs demand action on computer security
Vol. 10, No. 8, Page 4
UK MPs DEMAND ACTION ON COMPUTER SECURITY
flexibility now being offered goes far enough towards reversing this trend.
Accounts Committee has issued a report urging
The report, Computer Security in GovernmentDepartments, is published by Her
the Treasury to take immediate action to
Majesty’s Stationery Off ice, London, price f 3.90.
The UK House of Commons Public
improve the security of Government computer
Roy Carter, UK
installations by the appointment of specialized computer security and systems control personnel. The Committee voiced its “serious concern” over delays in implementing effective protection for the Civil Service’s data processing systems, particularly as to the preparation of disaster contingency plans, including the prevention of financial losses due to fraud, accidents and industrial action. The report refers to critical comments as to the state of the Civil Service’s computer security programme made by the National Audit Office (reported in CFSB Vol. 10, No.3, January 1988), citing Members of Parliament’s (MPs) “surprise and concern” that many Government departments have failed to remedy shortcomings in their systems of internal control, despite clear warnings. It calls on the Treasury, as the body responsible for coordinating Government computer security, to enforce the compliance of lax departments. Although Government computer fraud is not thought to cause heavy losses at present, only 11 cases involving a total of f 94 000 having been identified in the five years to 1986, the Committee makes it plain that any such loss of public money is unacceptable, especially as many potential loopholes have been identified but not yet plugged. Many departments remain vulnerable to serious losses or unnecessary expenditure because they have failed to make effective plans, says the report. While criticizing the Civil Service’s failure to appoint enough specialized employees to address the problem, the Committee accepts that recruiting has been hampered by the higher salaries offered by private sector firms, which tends not only to affect recruitment but also the retention of existing staff-the Treasury reports a 20% annual turnover in computer systems personnel. The report expresses some scepticism as to whether the greater pay
COMPUTER FRAUD & SECURITY BULLETIN
UK FINANCIAL SERVICES ACT IMPLIES STATUTORY REQUIREMENTS FOR COMPUTER SECURITY The Financial Services Act came into effect in April 1988 to provide statutory regulations over the conduct of investment business in the UK. The Securities and Investment Board (SIB), through various Self- Regulatory Organizations (SRO), seeks to achieve this control by the introduction of standard practices and formally defined codes of conduct throughout the Securities and Investment industry. Each company operating within this sphere must be a member of the relevant SRO and subsequently be authorized to carry out its business. The SROs, charged with ensuring that companies operate in accordance with the provisions of the Act, have defined strict Conduct of Business rules and a comprehensive supervisory mechanism to ensure firms continue to operate accordingly. These rules and procedures go far beyond specific accounting and financial requirements, placing demands and expectations on a firm’s operating methods. In various sections of the SRO rulebooks, specific requirements for adequate computer security measures are both stated or implied. In this article, specific reference is made to the rule book of The Securities Association (TSA). Readers are advised, however, that similar rules and requirements exist in other SRO rule books. ‘Fit and proper’ test The ‘fit and proper’ test is part of the TSA’s authorization procedure. During the application process (to become a member of the TSA),
0 1988 Elsevier Science Publishers Ltd., England. lSS/$O.OO + 2.20 No part of this publication may be reproduced. stored in a retrieval system, or transmitted by any form or by any means. electronic. mechanical, photocopying, recording or otherwise. without the prior permission of the publishers (Readers in the U.S.A. - please see special regulations listed on back cover.)
UK MPs DEMAND ACTION ON COMPUTER SECURITY
flexibility now being offered goes far enough towards reversing this trend.
Accounts Committee has issued a report urging
The report, Computer Security in GovernmentDepartments, is published by Her
the Treasury to take immediate action to
Majesty’s Stationery Off ice, London, price f 3.90.
The UK House of Commons Public
improve the security of Government computer
Roy Carter, UK
installations by the appointment of specialized computer security and systems control personnel. The Committee voiced its “serious concern” over delays in implementing effective protection for the Civil Service’s data processing systems, particularly as to the preparation of disaster contingency plans, including the prevention of financial losses due to fraud, accidents and industrial action. The report refers to critical comments as to the state of the Civil Service’s computer security programme made by the National Audit Office (reported in CFSB Vol. 10, No.3, January 1988), citing Members of Parliament’s (MPs) “surprise and concern” that many Government departments have failed to remedy shortcomings in their systems of internal control, despite clear warnings. It calls on the Treasury, as the body responsible for coordinating Government computer security, to enforce the compliance of lax departments. Although Government computer fraud is not thought to cause heavy losses at present, only 11 cases involving a total of f 94 000 having been identified in the five years to 1986, the Committee makes it plain that any such loss of public money is unacceptable, especially as many potential loopholes have been identified but not yet plugged. Many departments remain vulnerable to serious losses or unnecessary expenditure because they have failed to make effective plans, says the report. While criticizing the Civil Service’s failure to appoint enough specialized employees to address the problem, the Committee accepts that recruiting has been hampered by the higher salaries offered by private sector firms, which tends not only to affect recruitment but also the retention of existing staff-the Treasury reports a 20% annual turnover in computer systems personnel. The report expresses some scepticism as to whether the greater pay
COMPUTER FRAUD & SECURITY BULLETIN
UK FINANCIAL SERVICES ACT IMPLIES STATUTORY REQUIREMENTS FOR COMPUTER SECURITY The Financial Services Act came into effect in April 1988 to provide statutory regulations over the conduct of investment business in the UK. The Securities and Investment Board (SIB), through various Self- Regulatory Organizations (SRO), seeks to achieve this control by the introduction of standard practices and formally defined codes of conduct throughout the Securities and Investment industry. Each company operating within this sphere must be a member of the relevant SRO and subsequently be authorized to carry out its business. The SROs, charged with ensuring that companies operate in accordance with the provisions of the Act, have defined strict Conduct of Business rules and a comprehensive supervisory mechanism to ensure firms continue to operate accordingly. These rules and procedures go far beyond specific accounting and financial requirements, placing demands and expectations on a firm’s operating methods. In various sections of the SRO rulebooks, specific requirements for adequate computer security measures are both stated or implied. In this article, specific reference is made to the rule book of The Securities Association (TSA). Readers are advised, however, that similar rules and requirements exist in other SRO rule books. ‘Fit and proper’ test The ‘fit and proper’ test is part of the TSA’s authorization procedure. During the application process (to become a member of the TSA),
0 1988 Elsevier Science Publishers Ltd., England. lSS/$O.OO + 2.20 No part of this publication may be reproduced. stored in a retrieval system, or transmitted by any form or by any means. electronic. mechanical, photocopying, recording or otherwise. without the prior permission of the publishers (Readers in the U.S.A. - please see special regulations listed on back cover.)