Alan Calder on IT Governance, information security & ISO 27001

Cloud computing has tremendous potential for organisations of all sizes; it also brings with it a specific set of risks, ranging from access management and business continuity through to data protection compliance. Cloud computing risk was very much on the agenda at this year’s RSA conference; we’ve also recently published a book which focuses very specifically on managing risk in the cloud. Titled ‘Above the Cloud: Managing RIsk in the World of Cloud Computing’, it seems to be hitting the spot in terms of providing specific guidance to security and IT professionals about this specific area of risk. It is also available from our US site.

Commonly accepted best practice on password security is that passwords should be complex, changed frequently and never written down. Password complexity (8 alphanumeric characters, case sensitivity plus special characters) increases the level of difficulty associated with cracking it; password change regularity decreases the likelihood of the password, having been inadvertently revealed, being improperly used. The easiest way into a computer or network is, of course, via the password that has been written down and is stored somewhere convenient - on a post-it note under the keyboard, behind the screen or in an unlocked drawer….

And, of course, the more complex the password, the more frequently it has to be changed, the more likely users are to forget it - and to write it down. And we’re not just talking about business users here: our experience is that many seasoned IT and information security professionals resort to writing passwords down - not least because we increasingly combine regularity of change with increasing volume of passwords, each of which have different rules.

And it’s the different rules that make it difficult for one to use one strong password in all the applications and websites to which one has access.

So, there’s the information security manager’s dilemma when dealing with user system access - enforce frequent password changes, enforce complexity, block reversions from new to old passwords, block password sequencing and all those sensible things, and you increase the likelihood of passwords being written down thereby potentially making unauthorised system access even easier.

The solution, for me, is to insist on password complexity - but to enforce change only irregularly - certainly no more than once a quarter - and, perhaps, no more frequently than once per year.

The Data Protection Act (’DPA’) in the UK is a cornerstone of IT and information-related legislation. It applies to all organisations that collect or hold information about living individuals. Most organisations would claim that they comply with the DPA. The reality is that many don’t - over 800 organisations have reported data breaches in just the last two years - and as, reporting data breaches is not a legal requirement, it is likely that there have been many more breaches similar to those described here, but which have been ’swept under the carpet.’

The Information Commissioner (ICO) will, from 6 April 2010, have the power to levy fines of up to £500k for serious breaches of the DPA. Which organisations will suffer the first fines?

For all organisations, the choice is clear and straightforward: continue with shoddy data protection practices and face potentially significant financial penalties, plus the wide spread press coverage that will attend such a fine, or take steps to improve those practices. There is, in fact, a good business case to make for doing exactly that. The ICO has just published The Privacy Dividend, which describes how to make the business case for the necessary investment and even includes - for free - all the documentation that an organisation might use as part of that business case.

Penalty or dividend? 

It shouldn’t be a hard choice, should it?

Warren Buffet encourages boards to develop meaningful penalties for executives who fail to fully and personally own risk control in their business.

He is, of course, right. In the UK, the Combined Code expects directors and the board to own risk and provides, in the Turnbull Guidance, comprehensive guidance on what is expected.

My impression is that, in the US, the CEO gets stratospheric compensation - and, the bigger and more complex the business, the more s/he gets paid. It seems wrong that the shareholder should stump up the funds for an acquisition, should see their investment savaged if the deal goes sour, have no real control over the acquisition strategy, get to pay the CEO more and more, but for there to be no real penalty for the CEO when s/he screws up - and being forced out with a big compensation package is no penalty.

The new Information Commissioner, Christopher Graham, has recognised that current penalties for breaching the UK Data Protection Act are derisory and has called for the introduction of prison sentences for reckless breaches.

Excellent.

But not enough - the ICO is only responding to pathetic sentences given to private investigators and others who actively and deliberately breached the DPA. As I have said on previous occasions, we need to go much further. The only way that we will develop a real culture of compliance is if directors of companies that breach the DPA are personally liable for fines and prison sentences for failing to ensure that their companies took adequate steps to comply with the DPA.

After all, if larger organisations took appropriate steps to protect personal data, it would be that much harder for the unscrupulous smaller operators to breach their security to illegally obtain data, wouldn’t it?

Some UK acquiring banks have a determined campaign in place right now to get all level 2,3 and 4 merchants to PCI DSS compliance by October. Larger merchants should all not be compliant, which means that hackers and fraudsters will logically turn their attention to smaller companies that may still be vulnerable. So, while PCI Compliance for smaller businesses will certainly create a resources challenge for them, it one to which they are simply going to have to rise - or face fines and penalties from the payment brands.

In Nevada, PCI compliance for all merchants who accept a Nevadan citizens payment card has now been made law with effect from 2010 - this is a major step forward in terms of bringing this compliance regime onto a statutory footing, and we shoudl expect to see the process gather pace.

One of the key problems faced by organisations that want to comply with the Data Protection Act is that the DPA doesn’t contain any detailed guidance on compliance - in essence, it is just a set of 8 principles. And the worst principle from a compliance perspective is Principle 7, which requires organisations to make appropriate technical and administrative arrangements to protect personal information. What is appropriate? And how would you prove it? For some years, ISO/IEC 27001 certification has been the most effective way of demonstrating DPA compliance, but the read across between the two standards is not that precise.

BS10012 (Data Protection: Specification for a Personal Information Management System), on the other hand, is a standard that is specifically written to meet DPA compliance needs. It is written as a specification (in other words, audits can be conducted against the standard and there is talk of a certification scheme) and it deals specifically and completely with the requirements of the DPA. It has just been published and every organisation that has personal information to protect should

1. Buy a copy, and compare actual practices with those described in the standard and,
2. Consider improving actual practices so that they conform to those described in the standard.

Here’s a link where you can get your own copy: http://www.itgovernance.co.uk/products/2542

It is certainly true that most of those involved in the creation of IT standards are from large organisations. It is also true - as Steve Burrows says - that it can be challenging for an SME to implement a standard such as the ISMS standard, ISO/IEC 27001, for information security management.

However, all standards are explicitly designed for organisations of all sizes. ISO/IEC 27001, for instance, is clear that its requirements should be implemented in a way that is appropriate for the organisation; certainly the selection of controls will be driven by a risk assessment and, if the management of an SME has a high appetite for risk, it won’t find itself selecting many controls.

The reality is that all organisations are subject to similar types of risks; an impact (like the loss of a server for a week) that could severely disrupt an SME might not even bother a larger, multinational organisation. Organisations need to select and implement controls that will protect them from impacts they wish to avoid - and the management system they put in place will be very similar to that put in place by a much larger organisation to manage much larger impacts.

The issue isn’t really the IT standards; the real issue is the resources that SMEs have available to tackle them. Few SMEs will have the capability to plan and carry out an appropriate implementation of something like an ISMS - which, of course, is why we developed our FastTrack ISO27001 Implementation Service for organisations that have 19 employees or fewer, and why our classic consultancy service (with its 100% guarantee) is helping more and more SMEs implement appropriately scaled information security management systems that enable them to cost-effectively meet customer compliance requirements and to challenge larger competitors in their space.

I made a presentation, earlier this week, at the BSi conference on IT Governance, which was held at the CBI conference centre at Centre Point in London. (I also chaired the conference). My presentation is available for download from our main website.

While I’m probably more interested in governance than the average person, I do sometimes worry that contextualising information and compliance challenges as governance issues can delay organisations from taking the obvious, common-sense action.

This intelligent article on mobile security governance, for instance, identifies all the steps that organisations should take in considering risks to data posed by the mobile network. See how far you have to read through it before you find guidance to apply encryption to key mobile devices - all laptops and any USB sticks or PDAs that carry sensitive information. The sensible approach is to first apply encryption, which deals with the largest number of mobile device-related risks while keeping you within regulatory requirements, and then to stop and consider what other risks might need mitigation.

You don’t want to have to tell 1,000s or millions of customers or members of staff why someone leaving a laptop at the busstop has exposed all their personal details to fraud and identity theft. Explaining that you were considering the range of risks before deciding what action to take is likely to elicit the same sort of response as a UK MP explaining that their inappropriate expense claims were ‘within the rules’.