Archive for January, 2006

Woefully Wireless

Saturday, January 28th, 2006

According to Outlaw, a “global survey of 900 taxi drivers shows thousands of valuable mobile phones, PDAs and laptops are forgotten in taxis every day. Too often the devices are unsecured – and employers are urged to take responsibility.
Businesses are being urged to use the password and encryption facilities available on the recent crop of high memory capacity mobile smartphones to protect the data in the event of leaving the devices in the back of a cab.
In the last six months in London, 63,135 mobile phones, 5,838 PDAs and 4,973 laptops have been left in the city’s 24,000 licensed cabs. British cabbies also found a harp, a throne, £100,000 worth of diamonds, 37 milk bottles, a dog, a hamster, a suitcase from the fraud squad, and a baby.
In the past three and half years since the survey was first carried out there has been a sharp increase in the number of powerful, executive-focused mobile devices being forgotten in London taxis with 71% more laptops and 350% more PDAs being left than in 2001, which in the wrong hands could cause the owner and their company enormous damage.
The survey in London was conducted by TAXI, published by the Licensed Taxi Drivers Association, and mobile security experts Pointsec.”

One sometimes wonders why senior people – people considered mature enough to be issued with laptops, mobile phones and PDAs – are so incapable of looking after valuable data assets. Their wilful negligence in relation to data protection and privacy regulation, as well as to confidentiality requirements, suggests the time is coming when people who lose one of these devices should be disciplined.

Thank heavens for the taxi drivers, who apparently re-united 80% of people with their cellphones and 96% of people with their laptops and PDAs. I hope they charged extra!

Gartner says CIOs mean business

Wednesday, January 25th, 2006

I have talked frequently about the fact that CIOs have to change their perspective from worrying about the IT system to worrying about the business. Well, here comes the revolution: Gartner has surveyed 1,400 CIOs and found that this shift is expected to be one of the big developments of 2006. The problem will be that, while CIOs will be under pressure to become far more engaged with customers, finance and overall business efficiency, they don’t necessarily know how to talk business. Their CEOs will have to help them – which might even mean that the CEOs learn more about IT!

First wave certifications

Wednesday, January 25th, 2006

Congratulations to Attenda on gaining their ISO 27001 certification from the BSI. This makes them one of the first UK businesses to announce this achievement. For a managed services business having this in place is a must, so well done to them for being onto it quickly.

India has also seen its first ISO 27001 certification and the base of ISMS certifications did actually double last year – the total was 1,000 in December 2004, and it had reached 2,050 or so by early January 2006. I’d bet that there will be another 1,500 to 2,000 successful certifications this year – truly an increasingly essential standard.

In parallel, according to the United Kingdom Accreditation Service the number of accredited Certification Bodies in the UK for Information Security Management Systems has apparently risen over the past few months from half a dozen to 17, a clear sign that the issue is developing its own momentum – and good news, I hope, in terms of prices staying competitive!

What is IT governance anyway?

Tuesday, January 24th, 2006

What is IT governance? What does it include or exclude? Who is responsible for it? These questions are frequently asked in the Blogosphere and elsewhere. Right now it’s the subject of some interesting discussion at Andrew Clifford’s IT Toolbox blog, which includes a good post by Andrew and some quality observations from others. However, the answers are less elusive than some debate suggests.

IT governance does have a formal definition: “IT governance is a framework for the leadership, organizational structures and business processes, standards and compliance to these standards, which ensure that the organization’s IT supports and enables the achievement of its strategies and objectives.” (IT Governance: Guidelines for Directors, p20.)

Because it deals with all aspects of governance of IT, it includes system governance. Andrew is absolutely correct in identifying that there are significant systems issues – and I would argue that these issues exist primarily because of an absence of IT governance, in the sense that the organizational governance framework has failed to consider what information and, therefore, what systems requirements the organization will have.

IT governance should be owned by the board. It’s not an IT management responsibility any more than financial governance is a financial functional responsibility. Governance is the board’s job. The board is quite capable of governing IT, if it would only put its mind to it. There are a number of respectable IT governance frameworks that reflect this fundamental principle, including CobiT, the Australian Standard AS 8015:2005 and the IT Governance framework identified in ‘IT Governance Today: a Practitioner’s Handbook’.

Hot topic

Thursday, January 19th, 2006

ISO 27001 is becoming a hot topic. Since we began providing eBooks and online guidance about certification last October when the new standard was published we’ve seen traffic to our website rise by over 30%, and sales of our guides and toolkits are well ahead of expectations.

To make this information more widely available in a convenient format we are now offering our guides as printed books. The Case for ISO 27001 is a plain-English book designed to give non-technical directors an understanding of why information security is a C-Suite responsibility and how their companies need to respond to the IT security threat. Nine Steps to Success – an ISO 27001 Implementation Overview is a practical guide for IT security project managers that provides a rigorous process through which compliance and certification can be achieved without delay.

The books are priced at £29.95 each and are available from leading online booksellers, including Amazon, Waterstones, Barnes & Noble, Borders, FT Books, The Guardian Bookshop and Telegraph Books. They can also be bought directly from us here.

Future trends of malware

Monday, January 16th, 2006

Alex Scoble at Computerworld flags up an interesting item in Whitedust’s paper on Future Trends of Malware. This is a worthwhile – if lengthy – read and brings home to any doubters just how pernicious and rapidly evolving the IT security threat is. The article does quite a nice job of summarising and in part quantifying the current malware situation. Its predictions for 2006 and beyond include a major rise in mobile malware, open source malware and various other new developments.

Not too surprising that Computerworld’s recent survey of 338 IT executives found that security is their number 1 project priority for the year ahead!

SOX webinar

Monday, January 16th, 2006

ISO 27001 is of course an ideal solution for businesses that need to ensure they comply with Sarbanes-Oxley IT control requirements. I’ll be doing a webinar on 25 January in collaboration with Compliance Online to discuss precisely how the standard draws together CobiT, ITIL and ISO 17799 to create the necessary multi-layered solution. Topics to be covered will include:

* Current and future governance and compliance requirements
* The role of enterprise risk management
* Linkages and similarities between state, national and international regulations
* Why the traditional approach to regulatory compliance no longer works
* Business risks arising from legal contradictions, overlaps and loopholes
* Scale and impact on corporate brand, market position and share value of regulatory failure
* Key governance requirements of directors
* Role of best practice frameworks
* Linkage between compliance requirements and best practice frameworks
* Background and history of CobiT, ITIL and ISO 17799 – similarities and differences
* Importance of the CobiT/ITIL/ISO17799 joint framework
* Benefits of deploying this best practice framework
* Critical success factors in deploying this framework

For more information or to make a booking, click here.

Security convergence

Monday, January 9th, 2006

Just when you thought the IT security plate was sufficiently full, here’s the next big thing to digest: security convergence.

Given the rising tide of internet crime and international terrorist activity, companies are beginning to think about how to bring together the separate strands of IT security and physical security. I’ve written before about the importance of taking a holistic approach to information security (including in my books about implementing information security management systems) and a very thorough article here at CSO Online reflects the experience of several major US organisations.

Of course, not every company has the scale or nature to require a Chief Security Officer on the board. However, it IS in the interests of every company to have a coherent approach to ensuring overall security and business continuity. Becoming ISO 27001-compliant is the starting point for any business serious about managing IT security risks, but there are undoubtedly lessons in this article for SMBs as well as multinationals.

Expect to hear a lot more about this topic in 2006.

Deepening the bench

Wednesday, January 4th, 2006

Computerworld says that security specialists will be in hot demand in 2006 – no, really?! Hardly surprising, given the relentless pace at which internet threats are developing. What’s interesting is how supply and demand are currently working – salaries offered to security specialists are lower than of late because of the large number of people who have gained certifications in the past couple of years. Inevitably, these highs and lows will smooth out over time, but in the short term it means that interviews for security posts are going to get tougher as more people vie for each post. That’s hard luck for candidates but good news for the IT governance cause (assuming that firms are sifting for the right qualities) – the better the quality of mid level recruit now, the deeper the bench of talent when it comes to selecting the next generation of CIOs who can genuinely champion IT governance in the boardroom.

Giving the gift of security

Tuesday, January 3rd, 2006

Timely advice here from Doug Schweitzer at Computerworld on the importance of making sure your new Christmas tech toys are all internet-secure. With laptops, iPods, et al. now a gift of choice for all ages, it is really important to make sure that the lucky recipients of your gifts properly understand how to protect themselves. Don’t assume that everyone knows about viruses, hackers, trojans, etc., because the figures show that an alarming number of people still blunder on unaware. We’ll be addressing this issue in the coming months with a new issue of our IT security guide for the home user, ‘Internet Highway Code’. More on that soon.