Companies dedicated to the new Information and Communication Technologies (ICT) are well aware of the risks to which their business activity is exposed. Although these problems can arise in any business (almost all of them already have a presence on the Internet), this sector is one of the most vulnerable in terms of regulatory compliance.
Two years ago the study "Compliance management in the ICT environment" was published. Prepared by the Spanish Association of Telecommunications Users and the Information Society (Autelsi), it set out the challenges and opportunities facing ICT companies in relation to regulatory compliance models.
What challenges do ICT companies face in terms of compliance?
Compliance depends heavily on information systems, which gives us a very clear starting point: the business world's growing dependence on new technologies is such that many businesses today operate exclusively in the environment of the Information Society. We are talking about digital transformation, globalization and technology-based innovation as drivers of change. Thousands of technological solutions appear every day, responding to the needs of SMEs and large corporations in all types of industries.
Hence the appearance of concepts such as Big Data, Cloud Computing, Internet of Things, Social Business, Open Source and Mobility. That is why risk management is so important within the ICT departments of any company: it identifies the measures, controls and evidence that support the general compliance program.
Alongside this, there is a set of criminal offenses that can potentially occur in a technology company, such as offenses relating to cybersecurity and data protection, intellectual and industrial property crimes, and the crime of computer damage. These three stand out among the most relevant in terms of computer security, but they are not the only ones. The current trend is an increasing use of computer resources to commit crimes: those who carry them out run a lower risk and obtain a greater benefit.
What should ICT companies take into account when preparing their regulatory compliance plan?
The main control elements fall basically into the following groups:
• Control of the environment
• Risk analysis and management
• Information and communication access and dissemination systems
• Control and monitoring activities
These internal measures and controls are supported by policies and procedures that the organization establishes to ensure regulatory and legal compliance. The following typically ICT controls stand out:
• Definition of information security policies and policies on the use of the technological means that support business processes, including supervision and periodic review of compliance.
• Access control based on need to know, which regulates access to information and also helps to control information leaks.
• Auditing at the level of systems, applications, networks and operating system, so that access to, modification of and deletion of information can be identified.
• Secure destruction and deletion of business-critical information held on storage media, as well as that held in paper format.
• Backup and recovery of business-critical information.
• Information integrity controls to prevent its alteration (examples include services and computer solutions such as firewalls, IDS/IPS, rights management software, applications to filter information, etc.).
• Classification of the information according to its level of criticality for the business processes of the organization, which will form the basis of the security measures to be applied.
• Securing (or encrypting) the information transmitted by electronic means (mainly email or instant messaging).
• Monitoring of activity in systems, applications, networks, etc., to ensure the issuance of alarms when anomalous behaviour is detected.
In a business environment with increasing dependence on computers and on the exchange of information through networks, one of the elements that should form part of an effective criminal compliance system is a good computer security scheme.
We understand that globalization, intensified by the use of the Internet, opens a new space in which the traditional geographical limits used to determine which country's regulations apply become blurred, and actions with effect at one end of the world can be carried out from terminals located at the opposite end.
As a result of all this, at Illeslex we are aware that the legal sector advocates a proactive role in companies and in society in general, which is also reflected in some recent ISO standards such as the following:
- ISO 19600, on Regulatory Compliance Management Systems, is based on the best international management practices, in this case in Legal Compliance, Transparency, Corporate Ethics and Good Governance. In addition, UNE has used the structure of this standard in its recently approved UNE 19601, on Criminal Compliance Management Systems. UNE 19601 is a certifiable standard that follows the scheme of Article 31 bis of the Criminal Code and aims to enable companies to implement effective systems for preventing the criminal risks that this provision contemplates, as a way to exempt or mitigate the liability of legal persons.
- ISO 37001 for the prevention and detection of bribery, known as anticorruption and anti-bribery. It stands out because it has a system of controls similar to that of ISO 19600, but aimed at mitigating the risk of those specific crimes occurring.
- ISO 19086, on cloud computing, seeks to establish building blocks for service level agreements (SLAs) in projects carried out in the cloud. Microsoft has been one of the sponsors of this ISO standard and, with the aim of providing a secure cloud, has also developed a checklist in which those responsible for the legal side of cloud computing projects will find all the legal issues that must be addressed to avoid later surprises.
- A future ISO standard on Blockchain, the technology that underlies cryptocurrencies such as Bitcoin, is foreseen. ISO considers it a technology of such relevance for the security of and confidence in international transactions that its standardization will mean a step forward in the way of working on an international scale, a stimulus for greater interoperability, and greater acceptance of and innovation in its use and applications. Several groups of experts are currently working on issues related to Blockchain such as its architecture, taxonomy, ontology, use cases, security and privacy, and smart contracts.
As a result of all this, the professionals and technicians of Illeslex promote a progressive adoption of these international standards, because they allow the companies they advise to work in a complex international legal context in a safer and more efficient way, anticipating legal problems through work processes that have proven effective, which is why they have been approved. It also means bringing company staff, or at least their executives and managers, closer to a culture of compliance, in many cases through the training that most of these international standards require for certification or recommend for their correct implementation.
Ultimately, one of the direct economic consequences of conforming to these standards, where they are certifiable as UNE 19601 and ISO 37001 are, is being able to demonstrate a commitment to good practice that can be decisive in gaining market confidence and thus in accessing certain contracts or tenders, taking into account the recent Law 9/2017 on Public Sector Contracts.
José Antonio Caldés