Archive for March, 2006

iPod security threat

Thursday, March 30th, 2006

I have blogged previously about how simple USB storage devices pose a serious threat to corporate IT security. This article from Computerworld shows how the issue is escalating with the advent of the iPod as THE must-have accessory. Not only is an iPod a neat way to store your music, it is potentially also a great way to remove other data without permission and to introduce malware (knowingly or otherwise).

Unsurprisingly, Apple were not prepared to comment on whether they would be stepping up iPod security in light of this. It naturally falls to companies to make sure that they have policies and procedures in place to address this gaping vulnerability. However…

Eric Ouellet, vice president of research for security at Gartner Inc. in Stamford, Conn., said that only about 10% of enterprises have any policies dealing with removable storage devices.

Oh dear.

Symantec threat report

Tuesday, March 28th, 2006

Symantec has brought out its ninth Internet Security Threat Report, providing a pretty comprehensive overview of the most recent trends. Here are some of the highlights, which underline that companies have to protect themselves against increasingly deliberate, professionally and financially-motivated attacks.

* The new threat landscape is shown to be increasingly dominated by attacks and malicious code that are used to commit cybercrime, criminal acts that incorporate a computer or Internet component. Attackers have moved away from large, multipurpose attacks on network perimeters and toward smaller, more focused attacks on client-side targets.
* Whereas traditional attack activity has been motivated by curiosity and a desire to show off technical virtuosity, many current threats are motivated by profit. They often attempt to perpetrate criminal acts, such as identity theft, extortion, and fraud, for financial gain.
* For the fifth consecutive reporting period, the Microsoft® SQL Server Resolution Service Stack Overflow Attack was the most common attack, accounting for 45% of all attacks.
* The average number of denial of service (DoS) attacks detected per day was 1,402, an increase of 51% from the first half of 2005.
* Financial services was the most frequently targeted industry.

Piecemeal IT governance

Monday, March 27th, 2006

Following the launch of our end-to-end IT Governance Framework, here’s a news item that underlines why it is necessary. Mercury Interactive, which develops governance packages, has done research that shows that only 2 percent of businesses are rolling out IT governance across the organisation. OK – good statistic, and doubtless the budgetary constraints that Mercury complains of are factors here. However, I don’t agree that the answer is necessarily just to shovel more of the IT budget into the open pockets of ‘catch-all’ vendors.

The reality is that IT governance is too complex and multifaceted for one or even a couple of smart vendors to be able to solve, no matter how much cash you give them. Instead, companies should look to understand how the various best practice tools already out there can be made to work more in sync with each other and with corporate strategy. That is what our IT Governance Framework is there for – and it’s free.

Joining the dots in IT governance

Thursday, March 16th, 2006

IT governance is a broad topic involving multiple disciplines, including information technology, risk management, project management, strategy, intellectual property, business design and compliance. Pity the poor IT governance professional trying to draw together the various responsibilities and tools relating to each area. Up to this point no single tool has provided a full picture of IT governance. In fact, collectively, existing tools have often given a confusing impression that actually hinders the purpose of IT governance: to equip boards with information and levers for directing, evaluating and monitoring how well IT supports their core businesses.

To address this problem we have just launched a new IT Governance Framework. It isn’t yet another tool – there are more than enough of those. Instead, it sets out an end-to-end process for integrating the IT governance roles and tools that apply to an organisation’s boardroom, executive and IT department functions. To our knowledge this is the first framework of its type in the world and should significantly help IT governance practitioners communicate to their colleagues what has to be done. Being generous souls we are making this available free of charge.

The IT Governance Framework is based upon our popular management book ‘IT Governance Today – A Practitioner’s Handbook’. It provides the basis for the forthcoming IT Governance Toolkit, which will provide a comprehensive suite of policies, procedures and task sheets to enable organisations to implement a comprehensive IT governance system that genuinely aligns IT with corporate strategy. We plan to release this in Q2 2006 so watch this space.

Teaching IT security – an international disgrace

Tuesday, March 14th, 2006

News in that a school in the States is teaching its students about IT security. I have mixed feelings about this – great that it is happening, yet at the same time, how can we have reached 2006 with this still counting as a news story? As has been reported already, this year sees the 20th anniversary of the discovery of the first computer virus. In IT terms, 20 years is Forever. How can it be that schools are only now beginning to address this vital skill? Plaudits to the school in question for doing this (and making some PR capital of it too), but a big raspberry to national governments (particularly our own in the UK) for not doing enough to put this on the agenda. ‘IT Security Skills or woolly lessons in Citizenship – which is more important? Discuss.’

Symantec calls for multi-layered security

Monday, March 13th, 2006

Symantec have released a report saying that corporate IT vulnerabilities are hitting record levels, with 1,900 discovered in the past six months, the equivalent of 10 per day.

Interestingly, they are calling for companies to adopt precisely the sort of multi-layered response that an ISO 27001 ISMS is designed to create:

“People have to move beyond the idea that they can hide behind the firewall. You have to have integrated defenses.”

IT Governance Institute 2006 Status Report

Thursday, March 9th, 2006

Following on from the last post below, here is the proof. The IT Governance Institute is gearing up to release its 2006 Global Status Report, which was supposed to be available for free downloading from late February – presumably out any day now. It gave a sneak preview to ZDNet Asia, which revealed some striking variations in boardroom awareness of IT issues. Unsurprisingly, India scores highly – it has been interesting to note that many of the recently announced ISO 27001 certifications have been from Indian businesses – but Japan is weird: only 26 percent of respondents from there reported that IT is discussed regularly (or more often) by the board, compared to 63 percent of respondents worldwide – but Japan has the highest number of successful ISO 27001 certifications in the world, and ISO 27001 certification requires some strategic board input.

Generally, the ITGI is encouraged by progress since its last global survey in 2003. However, there remains a lot to do before most directors should sleep too easily at night:

‘The study also found that CEOs are responsible for governance over IT in only 24 percent of the organizations surveyed. As in 2003, CEOs and business executives are still hesitant to discuss IT governance. Shareholders should worry about this, because boards and CEOs are ultimately responsible for IT risk management and oversight over all major assets – including IT. Instead, the study found that CIOs are responsible for IT governance in 33 percent of organizations, and nobody is responsible in 6 percent of organizations.’

Penny drops in the private sector – or does it?

Wednesday, March 8th, 2006

The Business Software Alliance believes that the private sector is waking up to IT security issues. In a survey of IT decision-makers they found a greater proportion are now concerned about the potential harm to their business from downtime and security breaches. Good news, but tellingly only 22% of non-IT specialist directors were felt to be exerting pressure on the IT security issue. There’s a long way to go before generalist directors come to recognize IT security as a vital executive responsibility.