From: Thomas Jennings [mailto:Thomas.Jennings@fsa.gov.uk]
Sent: 04 October 2001
To: 'Sharpe, Karen (UK - London)'
Subject: RE: Response from ISACA (London Chapter)
Dear Ms Sharpe
DISCUSSION PAPER ON E-COMMERCE
Thank you for commenting on the above paper. Your response will be taken
into account when taking forward e-commerce work within the FSA. Any
developments which may involve rules or guidance will be subject to
further consultation. A feedback statement on responses to the discussion
paper will also be issued.
Yours sincerely
Peter Parker
Head Of Internet Unit
From: Sharpe, Karen (UK - London)
Sent: 29 September 2001
To: e-commercetheme@fsa.gov.uk
Cc: rdavis@uk.ey.com; consultants@ravenswood.co.uk; KhanK@rabo-bank.com;
john@lhscontrol.com; allan@internetworking4u.co.uk
Subject: Response from ISACA (London Chapter)
Please see attached the Information Systems Audit and Control Association
(ISACA) London Chapter's response to the FSA Discussion paper "FSA's
Approach to Regulation of e-Commerce".
ISACA is a professional association for IT auditors and security and
control specialists. The London Chapter has around 650 members. Our
members come from a range of organisations and sectors, including Banks,
Building Societies, Corporates, Local Authorities, Central Government
departments, Accounting firms and Consultancies. There is also a wide
spread of experience and technical knowledge amongst our members, ranging
from those new to IT audit to others having 15 to 20 years' experience in
the field.
The Chapter played an active part in the development of BS 7799 and is
keen to provide an input into thought leadership activities relating to
areas of professional interest to our members.
The attached paper was written on behalf of the Chapter by Allan Boardman
[allan@internetworking4u.co.uk], with input from Richard Davies, Kamal
Khan, John Mitchell and Derek Oliver. Please don't hesitate to contact me
or Allan should you wish to obtain further information regarding our
views on this, or any other relevant issue.
With Kind Regards
Karen Sharpe
President, London Chapter
Response to FSA Discussion Paper - FSA's Approach to Regulation of
e-Commerce from the Information Systems Audit and Control Association
(ISACA), London Chapter
Overall
The FSA has a crucial role to play in promoting
consumer and business confidence in e-Commerce and ensuring that an
environment is created whereby proper standards and controls are
maintained. The discussion paper lays the foundation as an excellent
reference point for any person, company or organisation interested in
the regulation of e-Commerce.
FSA's role
Consumers of financial services in the UK require a
high degree of comfort over the services provided by the financial
institutions and expect that those institutions should comply with
international standards in terms of confidentiality, integrity and
availability. The FSA has an important role to play in pursuance of its
main stated objectives of maintaining market confidence, promoting
understanding of the financial system, protecting consumers, and
reducing financial crime. To achieve these aims the FSA must provide
member firms with guidance to assist them to follow good practices and
safeguard the interests of their customers.
The FSA should provide clear advice, direction and
guidance on basic information security requirements and good control and
risk management practices. This should be based on case studies and
examples of what it has observed working well in other organisations.
The FSA has an important role to play in raising the
awareness and improving general education of e-Commerce related issues,
including the potential benefits, as briefly mentioned in the
introduction to the discussion paper.
Legal, regulatory and supervisory roadmap
There has been much development in this area in the
last couple of years. It would help consumers and businesses if a clear
overview of all the relevant legal and regulatory frameworks was
provided, including areas such as Turnbull, Basle, Regulatory
Investigatory Powers Bill, Data Protection Act and the related European
Directive, Electronic Commerce Bill, etc.
Security and controls
It is important that a framework should not be
re-invented specifically for e-Commerce. Instead, the FSA should
leverage off frameworks and internationally recognised standards already
in existence to ensure continued compliance, for example:
- ISO 17799, the Code of Practice for Information Security Management;
and
- COBIT (from ISACA).
COBIT (Control Objectives for Information and related
Technology) has been developed as a generally applicable and accepted
standard for good Information Technology (IT) security and control
practices that provides a reference framework for management, users, and
IS audit, control and security practitioners.
IT Governance
Institutions being regulated should be encouraged,
through awareness and training programs, to adopt more formal IT
Governance practices and in this respect the FSA should provide more
explicit guidance to senior management. Once again the FSA should seek
to leverage off existing frameworks, augmented for specialist e-Commerce
areas such as digital signatures and identities, rather than developing
new
ones.
Sharing of information
Frameworks and relevant information should be
available on the FSA's website as a focal point for regulatory and legal
information, or referenced from the website.
Finally, ISACA London Chapter, in its capacity as
being representative of the controls and audit community, would welcome
the opportunity for discussions or dialogue with the E-Business Advisory
Group that has been established by the FSA.