UNDERSTANDING IT INDUSTRY BODIES AND REGULATORS


Richard Austin: Austin Technology Law, Toronto, Ontario
Phone: W: (416) 429-1529 | M: (416) 505-9841
Email Address: richard@austintechnologylaw.ca


Ron Babin: Ted Rogers School of IT Management, Ryerson University, Toronto, Ontario
Phone - 416 979 5000 x2448; cell - 416 409 834
Email address: rbabin@ryerson.ca


Fraser Mann: Miller Thomson LLP, Toronto, Ontario
Phone: 416.595.8195
Email Address: fmann@millerthomson.com



Canadian IT Law Association Annual Conference

Montreal, Quebec (October 28-29, 2010)


TABLE OF CONTENTS


Part 1 – Sample Fact Pattern

Part 2 – Information Sheets re Government or Industry Bodies:

American National Standards Institute (ANSI)


British Standards Institute (BSI)


Canadian Standards Association (CSA)



Centre for Outsourcing Research and Education



International Institute of Business Analysis (IIBA®)

ISACA

International Association of Outsourcing Professionals


International Organization for Standardization (English) (ISO)

Information Technology Infrastructure Library (ITIL) and ISO 20000

National Institute of Standards and Technology (NIST)


Office of the Superintendent of Financial Institutions Canada - Outsourcing of Business Activities, Functions and Processes (OSFI)

Payment Card Industry Security Standards Council (PCI)

Project Management Institute (PMI)


Carnegie Mellon Software Engineering Institute (SEI)

Underwriters’ Laboratories (UL)

Uptime Institute (UI)


PART 1


SAMPLE FACT PATTERN


The fact pattern below has been developed to encourage discussion of how industry or regulatory bodies can affect information technology transactions. At each stage in the fact pattern set out below, we would like to consider the standards, guidelines, rules and regulations established by different industry and regulatory bodies that might influence the decisions, actions or operations of the parties, that may be referred to in the legal documents or that may impact the parties’ present or future liabilities.


I. INTRODUCTION


IdeaCo is a Canadian software development company listed on the TSX. IdeaCo has developed an algorithm to be used in processing credit card transactions. The algorithm incorporates special fraud detection capabilities based on analyzing card holder transaction data to identify anomalies among transactions. IdeaCo’s business plan involves:


(a) incorporating the algorithm into a new application that, once integrated with IdeaCo’s existing Identity Management System, will be marketed as CCFD (for Credit Card Fraud Detection);




(b) contracting with a hosting service provider to host the application; and




(c) when CCFD has been installed at the hosting service provider’s premises, marketing its credit card processing services using CCFD to financial institutions initially in Canada but subsequently in the United States and Europe.




II. APPLICATION DEVELOPMENT


IdeaCo recognizes that the development of CCFD, i.e. incorporating the algorithm into a new application that will be integrated with IdeaCo’s Identity Management System, represents a significant project: IdeaCo has retained a consultant (“Consultant”) who estimates that it will require a project team of 40 persons twelve months to design, develop, integrate and complete the testing of CCFD. The Consultant has recommended that, instead of attempting to complete the CCFD Project itself, IdeaCo issue an RFP for software development and integration services to select the right partner for the CCFD Project and that, in light of the size of the project, IdeaCo allow software developers from outside Canada to bid or allow some of the development to be done offshore.


The Board of Directors of IdeaCo is interested in moving ahead with issuance of the RFP for the CCFD Project. However, the Board is cautious because both of the last two large application development projects undertaken by IdeaCo were significantly behind schedule and over budget. Moreover, the delays and cost overruns on these projects came as a surprise to the Board. As a result of these delays and cost overruns, IdeaCo did not achieve the revenue and earnings projections that it had provided to the market; the Board was severely embarrassed and securities analysts speculated about whether the company was properly managed. Therefore, the Board has indicated that it is only willing to proceed with the CCFD Project if it can obtain some assurances that:

  1. IdeaCo has appropriate procedures in place to manage the CCFD project;

  2. the CCFD Project will be completed on time and on budget;

  3. the CCFD application, once it is developed, will perform efficiently and without errors; and

  4. IdeaCo will be able to market its services to financial institutions initially in Canada and thereafter in the United States and Europe.


The Board of Directors has asked the Consultant for a report on:


1. How should IdeaCo manage the CCFD Project?


2. What standards, guidelines, practices and procedures should IdeaCo include in the RFP as mandatory or desirable terms with which bidders must comply to achieve the objectives established by the Board for the CCFD Project?


3. Are there any standards, guidelines, practices and procedures that IdeaCo should implement internally to increase the likelihood that the Board’s objectives are achieved?


III. HOSTING THE APPLICATION


Eight months have passed. As a result of:


  1. the management and governance procedures implemented by IdeaCo;

  2. the application developer, ApplicationCo, selected by IdeaCo; and

  3. the reporting and other procedures implemented in the contract between IdeaCo and ApplicationCo;


the CCFD Project is on track. It appears that the design, development and testing of CCFD will be completed on time and very close to on budget. IdeaCo is now ready to turn to the next step in its business plan.


IdeaCo’s business plan involves IdeaCo hosting the application on the infrastructure of a third party service provider. IdeaCo will have the customer and contractual relationship with the financial institutions to which it will be offering its credit card processing services and IdeaCo will be responsible for applications support for the CCFD application. However the CCFD application will operate on the IT infrastructure of a third party service provider and over the telecommunications network to be provided and managed by the service provider. IdeaCo is expecting the third party service provider to supply all of the related hosting management services such as: (i) backup, archiving and disaster recovery services; and (ii) security services including a segmented security architecture, strong authentication, firewall management, anti-malware (end-point security) and security event log management.


The Board of Directors, still cautious about the CCFD Project, is insisting on taking a similar approach in proceeding to the next stage. The Board realizes that IdeaCo will be marketing its services to financial institutions and that the financial institutions will likely be concerned to obtain state of the art infrastructure offering high levels of service, reliability and security. IdeaCo will need to be able to manage the relationship with the hosting service provider effectively but also obtain the necessary assurances that the hosting service provider’s infrastructure will be based on current technology and robust security and that it will be maintained at current levels as technology and risk evolve.


The Board has asked the Consultant to report to it on:


1. How should IdeaCo manage its relationship with the third party hosting services provider? Are there any standards, guidelines, practices and procedures that IdeaCo should implement internally to increase the likelihood that IdeaCo’s relationship with whichever hosting service provider it ultimately selects is successful?

2. What standards, guidelines, practices and procedures should IdeaCo include in the RFP to be issued to hosting service providers as mandatory or desirable terms with which bidders must comply to achieve CCFD’s objectives?


IV. MARKETING SERVICES


A further six months have passed. The development of the CCFD application has been successful and the application is now installed on the infrastructure of IdeaCo’s hosting service provider, HostCo. IdeaCo is ready, it believes, to market its credit card processing services to financial institutions. However, before the Sales Department will receive approval to proceed, the IdeaCo Board has asked for a presentation on how IdeaCo should be managing the risks associated with offering credit card processing services to financial institutions in Canada, the United States and Europe.


The Board has asked the Consultant to report on:


1. What are the regulatory or industry issues that IdeaCo needs to be prepared to deal with in marketing its credit card processing services to financial institutions in Canada, the United States and Europe?


2. What standards, guidelines, practices and procedures should IdeaCo implement to manage the risks and liabilities associated with providing these credit card services to financial institutions?

PART 2

INFORMATION SHEET RE GOVERNMENT OR INDUSTRY BODY







Organization:


American National Standards Institute (ANSI)







Jurisdiction:


United States, with global influence







Nature of Organization:

(Government Regulatory Body, Educational Institution, Standards Setting Body, Arbitral body, Industry Organization)

“ANSI is a nonprofit, privately funded membership organization that coordinates the development of U.S. voluntary national standards and is the U.S. member body to the International Organization for Standardization (ISO) and, via the United States National Committee (USNC), the International Electrotechnical Commission (IEC).


The Institute was founded in 1918, prompted by the need for an ‘umbrella’ organization to coordinate the activities of the U.S. voluntary standards system and eliminate conflict and duplication in the development process.”


In short, ANSI is a U.S. body that coordinates the voluntary development of industry standards.


There are approximately 9,500 American National Standards (ANS).


From ANSI website www.ansi.org







Function/Role/Purpose:

ANSI coordinates voluntary standards within the ICT industry, and many other industries including safety and health, telecommunications, petroleum, medical devices, etc.


The primary role of ANSI is to eliminate conflict and duplication in the standards development process. ANSI coordinates standards across more than 200 standards development organizations.


For example, the ANSI Health Care IT Standards Panel was established to develop consensus based standards for interoperability between various health care information technologies, in the United States.


Many of the ANSI standards are detailed technical standards, often defined from an engineering perspective. A search of the ANSI database for IT standards produces over 3,700 ANSI documents, ranging from digital image standards to nanotechnology and Gigabit Ethernet standards.









Structure:

(Membership, shareholders, controlling parties)

Membership is comprised of nearly 1,000 businesses, professional societies and trade associations, standards developers, government agencies, and consumer and labour organizations.







Governance Structure:

Board of Directors – The Board of Directors is comprised of approximately 40 representatives of the ANSI membership and is responsible for governance oversight of the issues, properties and affairs of the Institute. Four Subcommittees of the Board are the Executive, Finance, Nominating and Audit subcommittees. Several other subcommittees oversee activities such as ISO coordination, regional ANSI actions, and education.

Board members are elected for a three-year term and represent industry standards bodies, government, industry and academia (e.g. National Council of State Boards of Nursing, Consumer Product Safety Commission, Association of Home Appliance Manufacturers, National Fire Protection Association, Underwriters Laboratories, Inc., U.S. Department of Energy, National Institute of Standards and Technology, Oracle, IBM, Eastman Kodak, Microsoft, Purdue University, New York University).

A Standards Panel addresses the standards development needs and coordination issues of a particular industry sector. Two panels that would be of interest are the ID Theft Prevention and ID Management Standards Panel (IDSP) and the Healthcare Information Technology Standards Panel (HITSP).

A staff of about 90 administrators is responsible for ANSI operations.







History (including relationship to predecessor bodies)

  • ANSI was originally formed in 1918, when five engineering societies and three government agencies founded the American Engineering Standards Committee (AESC)

  • In 1928, the AESC became the American Standards Association (ASA)

  • In 1966, the ASA was reorganized and became the United States of America Standards Institute (USASI)

  • The present name was adopted in 1969. (source: Wikipedia)







General description of activities

  • Describe each activity separately

  • Include standards and certifications:

“The Institute oversees the creation, promulgation and use of thousands of norms and guidelines that directly impact businesses in nearly every sector: from acoustical devices to construction equipment, from dairy and livestock production to energy distribution, and many more. ANSI is also actively engaged in accrediting programs that assess conformance to standards – including globally-recognized cross-sector programs such as the ISO 9000 (quality) and ISO 14000 (environmental) management systems.” (Source: ANSI website)








Recent activities / events / publications

  • The Identity Theft Prevention and Identity Management Standards Panel (IDSP) is a cross-sector coordinating body whose objective is to facilitate the timely development, promulgation and use of voluntary consensus standards and guidelines that will equip and assist the private sector, government and consumers in minimizing the scope and scale of identity theft and fraud.

  • The Healthcare IT Standards Panel is charged with achieving a widely accepted and useful set of standards for widespread interoperability among healthcare software applications, as they will interact in a local, regional and national health information network for the United States.







Organizations performing the same function / role:

(i) in Canada; and

(ii) elsewhere.

Standards Council of Canada (SCC)

Canadian General Standards Board (CGSB)

Canadian Standards Association (CSA)

Underwriters Laboratories of Canada (ULC)

Measurement Canada

Telecommunications Standards Advisory Council of Canada

Institute for National Measurement Standards

International Organization for Standardization (ISO)


(note: ANSI has mapped several countries’ standards and conformity assessment systems, including Canada’s)







Sources of further Information:

ANSI website www.ansi.org

INFORMATION SHEET RE GOVERNMENT OR INDUSTRY BODY







Organization:


British Standards Institute (BSI)


(Source: http://www.bsigroup.com/)







Jurisdiction:


BSI standards and certifications are recognized in the UK and many parts of the world.







Nature of Organization:

(Government Regulatory Body, Educational Institution, Standards Setting Body, Arbitral body, Industry Organization)

-standards setting body







Function/Role/Purpose:

-sets innovative standards that are used throughout the globe

-provides all the information and training relating to standardization that businesses need to succeed in their competitive markets

-independently tests and verifies products to ensure that they are up to the job in terms of performance specification and safety







Structure:

(Membership, shareholders, controlling parties)

(Independent certification body)







Governance Structure:

Management Team (Chief Executive, Group Finance Director, Group HR Director, Director of Legal Affairs and Secretary, etc.)

Board of Directors







History (including relationship to predecessor bodies)

Sir John Wolfe-Barry - the man who designed London’s Tower Bridge - instigated the Council of the Institution of Civil Engineers to form a committee to consider standardizing iron and steel sections on 22 January 1901.


Subsequently, on 26 April 1901, the first meeting of the Engineering Standards Committee took place. As a result, the variety of sizes of structural steel sections was reduced from 175 to 113 and standardization was underway.


During the 1920s standardization spread to Canada, Australia, South Africa and New Zealand. Interest was also developing in the USA and Germany.


On 22 April 1929, the Engineering Standards Committee, (since 1918 the British Engineering Standards Association) was granted a Royal Charter. A supplemental Charter was granted in 1931 changing the name, finally, to The British Standards Institution.


1975 – 1997 Management systems standards

The world's first management systems quality standard, BS 5750, was published by BSI in 1979. In 1987, it was superseded by the ISO 9000 series of international standards which BS 5750 inspired.


BSI Group also began its international expansion, establishing BSI Americas in Reston, Virginia in 1991 and establishing its first Asian office in Hong Kong in 1995.


In January 2002, KPMG's ISO registration business in North America was acquired, making BSI Group the largest registration body in North America.

In 2003, BSI acquired 100 per cent of BSI Pacific Ltd, in order to consolidate the Group's penetration of the immense Greater China certification market.


In April 2009, BSI acquired the Supply Chain Security Division of First Advantage Corporation, USA and in May 2009 acquired Certification International S.r.l., providers of management systems assessment and certification in Italy. Subsequently, in August 2009, BSI acquired EUROCAT, the German healthcare certification and testing company.


(Source: http://www.bsigroup.com/en/About-BSI/About-BSI-Group/BSI-History/)







General description of activities

  • Describe each activity separately

  • Include standards and certifications:

-develops private, national and international standards

-certifies management systems and products

-provides testing and certification of products and services

-provides training and information on standards and international trade and

-provides performance management and supply chain management software solutions


BSI Standards in the areas of:

Accessible ICT; Biometrics; Data protection; Green IT; Information and records management; Information governance; Information security; IT in education; IT network security; IT service management – ITSM; Evidential weight and legal admissibility; Knowledge management; Software and systems engineering; Software asset management; Supply chain management & risk; Telecommunications; Universal Decimal Classification (UDC); Web design, accessibility and management


Standards (examples):

-Standard for data protection- BS 10012:2009

-Data Protection: Guidelines for the Use of Personal Data in Systems Testing

-Cabling, installation - BS EN 50173-1:2007+Amendment 1:2009

-Cabling, data centres - BS EN 50173-5:2007

-Data network installation - BS EN 50310:2006

-Information and documentation. Records management. General - BS ISO 15489-1:2001

-Secure destruction of confidential material. Code of practice - BS 8470:2006








Recent activities / events / publications

September 2009: BSI launches online data protection tool


June 2009: BSI publishes standard for the installation of audiovisual equipment







Organizations performing the same function / role:

(i) in Canada; and

(ii) elsewhere.

Canadian Standards Association (http://www.csa.ca)

[see description of Canadian Standards Association]


Underwriters’ Laboratories (UL) (http://www.ul.com/global/eng/)

[see description of Underwriters’ Laboratories]







Sources of further information:

http://www.bsigroup.com/



INFORMATION SHEET RE GOVERNMENT OR INDUSTRY BODY







Organization:


Canadian Standards Association (CSA)


(Source: http://www.csagroup.org/)







Jurisdiction:


CSA standards and certifications are recognized in Canada and many parts of the world.







Nature of Organization:

(Government Regulatory Body, Educational Institution, Standards Setting Body, Arbitral body, Industry Organization)

-standards setting body

-independent certification body.







Function/Role/Purpose:

- serves business, industry, government and consumers in Canada and the global marketplace

- develops standards, information products, sells publications and training services, and provides membership services

- CSA International provides product testing and certification services

- OnSpeX provides consumer product evaluations







Structure:

(Membership, shareholders, controlling parties)

Membership (open to the public; individuals, small and mid-sized companies, corporations, industry and government entities)







Governance Structure:

Management Team (President, CEO, Executive Vice President, Chief Science & Engineering Officer)

Board of Directors







History (including relationship to predecessor bodies)

1919 A federal charter formally creates the Canadian Engineering Standards Association (CESA).


1940 CESA becomes the official certification agency for all electrical equipment intended for sale or installation in Canada.


1944 CESA changes its name to the Canadian Standards Association to better reflect the breadth of its work.


1946 The CSA certification mark is born.


1996 On June 27, CSA and QMI launch World Wide Web sites on the Internet. CSA publishes Model Code for the Protection of Personal Information, a landmark standard that balances the legitimate need to know of government and business with the individual’s right to privacy. It would go on to become the basis of Canadian law and serve as a model for privacy initiatives at the international level.


1999 Within its new Water Products Lab in Toronto, CSA begins testing. The organization goes live with an enterprise resource planning (ERP) solution that responds to the challenges of Y2K and promises to build service capacity and bring tighter integration among its information systems and processes.


2002 CSA introduces new smart standards, innovative Web services and member education resources. CSA International starts Certification Gateway to provide customers with electronic access to their reports.


2007 CSA International hosts Lighting for Tomorrow, a design and technology competition designed to stimulate the market for high-efficiency residential lighting fixtures.


(Source: )







General description of activities

  • Describe each activity separately

  • Include standards and certifications:

-develops standards

-provides and sells information products and publications about standards

-offers training and education services about standards

-offers membership services

-provides product testing and certification services to business, industry, government

-provides consumer product evaluations


CSA Product Certifications:

-CSA has developed harmonised standards with ISO in the form of Information Technology Standards ISO/IEC 1539-10999, 11000 to 14999, 15000 to Z243.310, including the following:

-ISO/IEC 1539-1 Programming Languages-Fortran-Part 1: Base Language

-ISO/IEC 1989 Programming Languages-COBOL

-ISO/IEC 2022 Character Code Structure and Extension Techniques

-ISO/IEC 2382-7 Vocabulary-Part 7: Computer Programming

-ISO/IEC 2382-8 Vocabulary-Part 8: Security

-ISO/IEC 2382-9 Vocabulary-Part 9: Data Communication

-ISO/IEC 6522 Programming Languages-PL/I General Purpose Subset

-ISO/IEC 7064 Security Techniques-Check Character Systems

-ISO/IEC 7185 Programming Languages-Pascal







Recent activities / events / publications

February 4, 2010 – CSA officially announces Canada's adoption and availability of the ISO 31000 Risk Management standard. CAN/CSA ISO 31000 Risk Management – Principles and Guidelines is a national standard that provides principles, framework, and process for managing risk in a transparent, systematic and credible manner. ISO 31000 is not specific to any country, industry or sector and can be used by any public, private or community enterprise, association, group or individual, and serve as an overarching guide for organizations and individuals to help incorporate internationally-recognized best practices for identifying and managing risks across financial, strategic, and operational areas.







Organizations performing the same function / role:

(i) in Canada; and

(ii) elsewhere.

ANSI - American National Standards Institute (formerly American Standards Association) (http://www.ansi.org)

-ANSI has served in its capacity as administrator and coordinator of the United States private sector voluntary standardization system for more than 90 years. Founded in 1918 by five engineering societies and three government agencies, the Institute remains a private, non-profit membership organization supported by a diverse constituency of private and public sector organizations.


International Organization for Standardization (http://www.iso.org)

-ISO is the world's largest developer and publisher of International Standards. ISO is a network of the national standards institutes of 163 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system. ISO is a non-governmental organization that forms a bridge between the public and private sectors.


British Standards Institute (http://www.bsigroup.com)

[see description of the British Standards Institute]


Underwriters’ Laboratories (UL) (http://www.ul.com/global/eng/)

[see description of Underwriters’ Laboratories]







Sources of further information:

http://www.csagroup.org/



INFORMATION SHEET RE GOVERNMENT OR INDUSTRY BODY







Organization:

CENTRE FOR OUTSOURCING RESEARCH & EDUCATION (CORE)

(Source: http://www.core-outsourcing.org/home/index.php)







Jurisdiction:

Based in Canada







Nature of Organization:

(Government Regulatory Body, Educational Institution, Standards Setting Body, Arbitral body, Industry Organization)

-industry organization

-training and educational association







Function/Role/Purpose:

- research and education in the area of outsourcing

- development of industry best practices in the area of outsourcing







Structure:

(Membership, shareholders, controlling parties)

CORE is a non-profit organization. Membership is open to the general public, outsourcing professionals, industry organizations and government agencies.







Governance Structure:

Management team (President & CEO, Board Chair, Corporate Secretary)

Board of Directors







History (including relationship to predecessor bodies)

Founded by John Simke, C.A., a former partner of PricewaterhouseCoopers, who for 22 years as a management consultant worked on change and performance improvement projects for large corporations and governments. Throughout his career John has specialized in management innovations, in particular those that involve outsourcing, shared services, public-private partnerships and other forms of organizational collaboration.

(Source: http://www.core-outsourcing.org/about/organization/board/index.php)







General description of activities

  • Describe each activity separately

  • Include standards and certifications:

- offers executive education programs in outsourcing that are delivered in conjunction with business schools and management education organizations.

- offers the “Accredited Outsourcing Practitioner” designation to recognize individuals who have completed its program and who have demonstrable practical experience in the field of outsourcing.

- conducts independent research on outsourcing

- publishes several reports annually

- offers a database of outsourcing transactions for its members.

- conducts regular forums and conferences for professionals in the outsourcing field

- develops best practices

- provides a database Research@CORE (a compendium of content about outsourcing practices for the use of members)







Recent activities / events / publications

July 21, 2010 - CORE's 5th Annual Conference


July 09, 2010 – Webinar: Outsourcing Monitor - Will Cloud Transform Outsourcing


May 29, 2009 - CORE's 4th Annual Conference


April 21, 2009 - CORE's 2009 Healthcare Conference








Organizations performing the same function / role:

(i) in Canada; and

(ii) elsewhere.

International Association of Outsourcing Professionals

(http://www.outsourcingprofessional.com/)







Sources of further information:

http://www.core-outsourcing.org/home/index.php