Implementation of Legislation
See ICT1 for a description of computer law and computer crime
Data Protection Policy
Under the law, organisations must:
Register with the Information Commissioner.
Appoint a Data Protection Officer.
Put measures in place to make it easy for customers to obtain their rights.
A data protection policy might be split into 2 sections:
Section 1 - Customer Service
Businesses should have a policy and they should be prepared to give a copy to customers, on request.
To ensure accuracy, information should be obtained directly from the customer.
Customers should be given a clear opt-out check-box.
Other policies should relate directly to the requirements of the DPA e.g. data should only be used for the purpose for which it was obtained.
Section 2 - Organisational Culture
All staff should be aware of the policy. Staff should understand that they are personally liable for the policy in cases that they work on.
Data should be accurate and up-to-date. Reasonable steps should be taken to ensure that this is the case.
Data should be destroyed after a specified length of time.
The DPA requires that data be kept secure, and this includes backup copies.
Periodic checks should be made to ensure that the policy is being adhered to.
Software Copyright
The BSA (Business Software Alliance) exists to make organisations aware of the law on copyright. Its advice on software management is:
Conduct an audit to detect illegal software and follow it up with spot checks.
Purchase sufficient licences and maintain records of the licences held. Network metering packages can be used to ensure that software is available across the network but only to a specified number of users at any one time.
All staff should be informed of the consequences of piracy. They could be asked to sign an agreement promising to observe copyright.
All software purchases should be channelled through a single point.
Health and Safety
Ignorance of the law is no defence and employees can sue their employers if reasonable care is not taken to protect their health and safety.
Employers should avoid incentive schemes that reward for working in an unhealthy way.
Workers should be encouraged to have an involvement in choosing furniture and office equipment. This encourages staff to take "ownership" of their workspace. It can lead to staff being better motivated and showing a more responsible attitude.
Employers should allow workers to take "microbreaks" every 5-10 minutes and longer breaks every hour or so.
Special equipment should be provided for workers who work long hours in front of a VDU.
Regular health and safety inspections should be carried out either by a company-designated Health and Safety Officer, or by outside consultants e.g. a professional ergonomist.
A Health and Safety Policy should include training. Policies can be reinforced through posters and memos.
Reading Suggestion: Sitting on the Job - Scott W Donkin, 1989
Audit Requirements
Companies must publish their accounts every year, and these accounts must be signed by an auditor who verifies that they are an accurate record.
The accounts show the current state of the business i.e. bank balances, other investments, machinery, stock, land, factories, warehouses and other buildings, money owed to the company and money which the company owes.
There is a temptation for companies to tamper with their accounts. A small business might want to undervalue itself to avoid paying tax, and a large PLC might want to appear to be doing better than it actually is to boost the share price. The job of the auditor, therefore, is to protect the public in general and investors in particular by making sure that the company isn't "cooking the books".
The auditor can inspect any invoice (purchase invoices and sales invoices), bank statements and any other transaction. It is very important that the company has all its records in good order.
An auditor should be able to follow any transaction or financial activity and trace it throughout its life within the organisation. This is called "following an audit trail". If the company has maintained good records, this should be very straightforward. However, with computer systems it can become more complicated, and real-time processing systems are particularly complex. It is important that system developers consider the needs of auditors when designing systems, so auditors should be actively involved at the design stage.
A network should keep logs of all use, so that administrators can identify who was on a certain computer at any particular time. Unusual behaviour on the network should be logged. Many network security packages include audit controls that show what files each user accessed, when, and from which station. Such packages can also log unsuccessful attempts to log on, and this should identify people who are trying out possible passwords (i.e. it might detect hackers).
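An added Python example (not from the textbook or from any real network security package) of the audit controls described above: it parses a constructed log in an assumed "time user station event [detail]" format, answers who was on a given station when, lists the files a user accessed, and flags the burst of failed logons that password guessing leaves behind.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log, assumed "time user station event [detail]" format.
SAMPLE_LOG = """\
2024-03-01T09:00:05 alice WS-12 LOGON_OK
2024-03-01T09:01:10 alice WS-12 FILE_READ payroll.xls
2024-03-01T12:30:01 mallory WS-03 LOGON_FAIL
2024-03-01T12:30:09 mallory WS-03 LOGON_FAIL
2024-03-01T12:30:15 mallory WS-03 LOGON_FAIL
2024-03-01T12:30:31 mallory WS-03 LOGON_OK
2024-03-01T14:00:00 carol WS-12 LOGON_FAIL
2024-03-01T16:10:00 carol WS-12 LOGON_OK
"""

def parse_log(text):
    """Turn raw lines into dicts; lines with fewer than four fields are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=4) + [None]   # pad so the detail field is optional
        if len(parts) < 5:
            continue
        events.append({"time": datetime.fromisoformat(parts[0]), "user": parts[1],
                       "station": parts[2], "event": parts[3], "detail": parts[4]})
    return events

def users_on_station(events, station, start, end):
    """Who successfully logged on to a station within a time window."""
    return sorted({e["user"] for e in events
                   if e["station"] == station and e["event"] == "LOGON_OK"
                   and start <= e["time"] <= end})

def files_accessed_by(events, user):
    """Which files a user read, and from which station."""
    return [(e["detail"], e["station"]) for e in events
            if e["user"] == user and e["event"] == "FILE_READ"]

def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """(user, station) pairs with >= threshold LOGON_FAIL events inside one window."""
    fails = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["event"] == "LOGON_FAIL":
            fails[(e["user"], e["station"])].append(e["time"])
    # A pair is flagged once any run of `threshold` consecutive failures fits in the window.
    return [key for key, t in fails.items()
            if any(t[i + threshold - 1] - t[i] <= window
                   for i in range(len(t) - threshold + 1))]
```

Carol's single failed logon is not reported, so the check points at repeated guessing rather than at a mistyped password.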
Auditors themselves can use specialist software that allows them to interrogate the data files, printing out a random sample of records if required. It is also possible to generate exception reports to gather more information.
It is good practice to ensure that several people are involved in the processing of a transaction, because this guards against fraud. The case of Nick Leeson illustrates how a computer system without proper controls can allow an individual to bring down an entire institution. As a result of this case, the liquidators of the bank are suing accountants who (allegedly) did not notice what was going on. See: http://news.bbc.co.uk/hi/english/business/newsid_1405000/1405209.stm
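An added Python example (not from the textbook and not any real audit package) of the audit software and the several-people control described in the two paragraphs above. Over constructed transaction records in an assumed one-row-per-step format, it follows the audit trail of one transaction, produces an exception report that flags transactions one person processed end to end, and draws a reproducible random sample.

```python
import random

# Constructed transaction records in an assumed format: one row per processing
# step, so a transaction's whole life can be traced by its id.
SAMPLE_RECORDS = [
    {"txn": "T100", "step": "entered",  "user": "alice", "amount": 1200.0},
    {"txn": "T100", "step": "approved", "user": "bob",   "amount": 1200.0},
    {"txn": "T100", "step": "settled",  "user": "carol", "amount": 1200.0},
    {"txn": "T101", "step": "entered",  "user": "nick",  "amount": 50000.0},
    {"txn": "T101", "step": "approved", "user": "nick",  "amount": 50000.0},
    {"txn": "T101", "step": "settled",  "user": "nick",  "amount": 50000.0},
    {"txn": "T102", "step": "entered",  "user": "alice", "amount": 300.0},
    {"txn": "T102", "step": "settled",  "user": "carol", "amount": 300.0},
    {"txn": "T103", "step": "entered",  "user": "bob",   "amount": 900.0},
    {"txn": "T103", "step": "approved", "user": "alice", "amount": 950.0},
    {"txn": "T103", "step": "settled",  "user": "carol", "amount": 950.0},
]
REQUIRED_STEPS = ["entered", "approved", "settled"]

def audit_trail(records, txn):
    """Follow one transaction through every step it passed, in order."""
    return [(r["step"], r["user"], r["amount"]) for r in records if r["txn"] == txn]

def exception_report(records):
    """Flag transactions an auditor would want to look at more closely."""
    by_txn = {}
    for r in records:
        by_txn.setdefault(r["txn"], []).append(r)
    report = {}
    for txn, rows in by_txn.items():
        problems = []
        steps = [r["step"] for r in rows]
        missing = [s for s in REQUIRED_STEPS if s not in steps]
        if missing:
            problems.append("missing steps: " + ", ".join(missing))
        if len({r["user"] for r in rows}) == 1 and len(rows) > 1:
            problems.append("one person processed every step")
        if len({r["amount"] for r in rows}) > 1:
            problems.append("amount changed between steps")
        if problems:
            report[txn] = problems
    return report

def random_sample(records, n, seed=0):
    """Pick n transaction ids at random for manual inspection (seeded so the
    auditor's working papers can reproduce the same selection)."""
    ids = sorted({r["txn"] for r in records})
    return sorted(random.Random(seed).sample(ids, n))
```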
Case Study - Harold Shipman p.251 of the Heathcote textbook. An audit trail helped provide evidence that Shipman had altered the medical histories of his patients.