
In the last post many of the US regulations were discussed. This post focuses on the UK and EU regulations that have an information security impact.

The Turnbull Guidance 1999

Known as "Internal Control: Guidance for Directors on the Combined Code", this regulation's principal aim is to encourage companies to identify and manage internal and external risk within their organizations.

IT security represents a major risk to business continuity. Security information management tools can help IT departments draw up reports demonstrating management of information security and business continuity risk.

Applicable to all companies listed on the UK Stock Exchange, which must implement its findings.

The Companies Act 1985 Regulations 2005

This set of regulations amends the Companies Act of 1985 and introduces the need for an Operating and Financial Review. This must contain a fair review of the business of the company and a description of the principal risks and uncertainties facing the company. The review must also include business analysis via key performance indicators.

This set of regulations includes information security requirements similar to those of the Turnbull Guidance: information security measures are needed to manage risk by ensuring business continuity and protecting IP rights. The requirements state that processes should also protect the data used to create the reports provided to auditors and directors.

The Companies Act 2004

Known as the UK Companies (Audit, Investigations and Community Enterprise) Act 2004, it aims to improve the reliability of financial reporting and the independence of auditors, while strengthening the role of the Financial Reporting Review Panel (FRRP) in enforcing good accounting and reporting by giving it new powers to require necessary documents.

Information security solutions can help maintain the integrity and availability of these pieces of information.

The Act affects all companies audited in the UK and their directors.

Money Laundering Regulations 2003 (MLR)

Businesses must appoint a money laundering reporting officer (MLRO) to train employees on the relevant principles and requirements of the legislation, verify the identity of new clients, and maintain records of client identification and transactions for five years. Information security technologies and procedures are needed to ensure that records are not lost, corrupted or defaced in any way.

Applicable to financial services institutions as well as relevant professionals and other "relevant" industries, including estate agencies, insolvency practitioners, tax consultants, accountants, finance and real estate legal services professionals, and organizations dealing in goods involving transactions of more than €15,000.

EU Data Protection Directive

The directive covers the processing of personal data, including automatically-processed data and manual data in a filing system. Conditions include the confidentiality and security of processing as well as provisions for transfer to a third country. Organizations must implement appropriate measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access.

The US Safe Harbor Arrangement is a streamlined process for US companies to comply with the Directive, developed by the US Department of Commerce in consultation with the EU.

The 95/46/EC Data Protection Directive applies to member countries within the EU and to other countries that conduct business with member countries.

EC Privacy and Electronic Communications Regulations (EC Directive) 2003

The legislation protects the public from electronic marketing practices that cause nuisance, offence and invasion of privacy.

IT security solutions and processes should be put in place to ensure that electronic marketing records are both available and correct.

Electronic service providers need both business continuity measures to maintain system and network uptime as well as measures put in place for more general data protection issues relating to customer data sets.

Organizations that use email marketing must comply with the regulations; additionally, telecom companies and ISPs must implement security technologies and practices to safeguard their services.

UK Data Protection Act

The Act makes it a legal obligation for anyone processing personal data to establish good practice in managing and using the data. Anyone processing personal information must comply with eight enforceable principles of good information handling practice. Good information security practice is implied in all eight, but explicitly in Principle 7, which relates to the prevention of unauthorized or unlawful processing, and of accidental loss or damage to data.

Companies must ensure that both organizational and technical means are used to protect personal information.

Any organization collecting personal data is covered by the Act.

The Freedom of Information Act 2000 (UK)

The Act states that public authority information cannot be altered, defaced or destroyed. Public authorities need to implement effective records and document management systems, and IT security solutions are required to ensure the uptime of these systems and that the information and records kept on them are not altered or corrupted in any way.

The Act gives the general public access to information held by public authorities.

EU Annex 11, Computerized Systems

The central consideration of this regulation is that "records are accurately made and protected against loss or damage or unauthorized alteration so that there is a clear and accurate audit trail throughout the manufacturing process".

Annex 11 applies to all pharmaceutical manufacturers in the EU using computerized systems in the manufacturing, storage, distribution, and quality control of medicinal products.