An Introduction to Corporate Regulation and Standardization

Introduction

Note 1:
This section is only relevant to businesses in the UK and the legislative jurisdiction is England and Wales.

Note 2:
The author is not a lawyer, does not hold himself out to be one, and is not qualified to provide legal advice. The commentary does not provide a comprehensive or complete statement of the law relating to fraud, contractual and other matters; it is intended only to highlight issues which readers should consider.

Note 3:
Specialist legal advice should always be sought in relation to any particular circumstances.

Note 4:
The Fraud Act 2006 supersedes some of the details in this section. If this is the case, then it is the responsibility of the student to address this issue.

Within all businesses there are standards that can or must be applied to the way that work is carried out. These are typically used to implement or manage systems to a given national or international standard; two examples are ISO 9000 (an international standard for quality management systems) and BS 15000 (a British Standard for IT service management).

Additionally there are mandatory standards. An otherwise optional standard may be made mandatory by a contracting party, or may become mandatory by some other means (e.g. specific business requirements).

These standards often cover the application and management of appropriate security measures or fraud reduction techniques.

A number of businesses are regulated, and the regulations that apply to them often involve security or fraud reduction measures.

Within every jurisdiction there are a number of legislative requirements that must be met. These apply either to all companies or to subsets of companies meeting particular criteria (e.g. the Copyright, Designs and Patents Act applies to all companies, whereas the Data Protection Act applies only to those who process 'personal data'). Criminal law is what Parliament legislates as a crime and is enacted in Statutes.

Some of this legislation is only applicable to companies of a certain size, typically five or more people.

From the viewpoint of using standards and the law as a form of 'punishment', the only available options are regulatory requirements and the law. These may be used together or separately.

The following typical scenario serves to explain this:

1. An insurance broker in the UK must be authorised by the FSA;

2. If the Firm's brokerage is more than £1m, as part of its application for authorisation it will have to confirm that it has information security measures equivalent to BS 7799 (now ISO 27001) in place;

3. But it has not got this level of information security in place when the forms are signed;

4. The Firm may be placed under supervision by the FSA until the issues are resolved or, if the breach is very bad, it may have its authorisation removed and so become unable to trade;

5. If the failure to have appropriate information security in place means that a client's insurance claim is not paid because the system was hacked into and the premiums misappropriated by an unconnected third party, there may be a civil action against the Firm based on negligence;

6. If the hacker is tracked down, they may be prosecuted under the Computer Misuse Act;

7. If the hacker was 'in house' and corporate collusion was proven, then it could lead to criminal charges and certainly to an FSA investigation.

A detailed look at each area covered above is presented in the following chapters. Where much of the material has been covered previously (i.e. ISO 27001), readers should refer to the relevant part of the course for details.
