Archive for March, 2007

Closing the loop: here comes the answer

Monday, March 26th, 2007

In his ComputerWeekly blog David Lacey gives welcome airtime to the need for ISO security certification to be the cornerstone of an enterprise security programme. With organisations like Camelot, Misys, Nokia, The Co-operative Bank, COLT, Serious Fraud Office and Halifax Bank of Scotland already certified in the UK, we are surely going to see a wave of others following suit.

David notes that “closing the loop”, as he puts it, is presently quite a manual and time-intensive process, and muses on what the future might bring for managing the compliance process. I am pleased to say that at the forthcoming Infosecurity Europe show we will announce at least part of the answer, in the shape of the world’s first automated ISO 27001 compliance management system, which we have developed jointly with Gael, the UK’s leader in compliance management technologies.

Many other, complementary systems will doubtless follow, which will be excellent news for all of us concerned about information security management. Not only will these further simplify the task of building a best practice ISMS, but, crucially, they should make it far easier to uphold compliance after certification.

Breaking down the learning curve in security and governance

Saturday, March 24th, 2007

Getting to grips with best practice information security and governance often involves a steep learning curve, and this is a challenge facing more and more people: as infosecurity and governance become increasingly mainstream topics, so a wider range of professionals are being drawn into their ambit.

To help break the journey down into more manageable steps we are launching a new series of pocket books under the headings Practical Information Security and Practical Governance. The range will ultimately include 13 titles and we have begun by launching three infosecurity guides that complement each other very well:

‘ISO 27001 – A Pocket Guide’ is ideal for organisations that are contemplating an information security management system, about to embark on an implementation, or simply wish to raise awareness of infosecurity among their employees. It succinctly covers the basics, including:

* An explanation of information security and how it can be managed using a globally recognised approach
* The factors that need to be considered in designing an information security regime
* What investments might be necessary to deliver a consistent level of assurance and how to gain maximum value from the available budget
* How to pursue and demonstrate compliance with the ISO 27001 standard

The book is written by my colleague Steve Watkins, a leading author, educator and consultant on information security management. Priced at £7.95/US$15.73/€11.82 it is available in softcover and e-book formats here.

‘A Dictionary of Information Security Terms, Abbreviations and Acronyms’ is a new book that Steve and I have written together. It is an invaluable resource for people grappling with security terminology for the first time. Rather than a dry technical dictionary, it is written in an accessible style that enables managers and novices to quickly grasp the meaning of terms such as ‘bluesnarfing’, ‘DDoS’, ‘pharming’ and ‘zombie’. The Dictionary is priced at £9.95/US$19.68/€14.79 and available in softcover and e-book formats here.

‘ISO 27001 Assessments Without Tears’ provides a helpful primer for organisations preparing to have their infosecurity regime independently assessed. It describes the assessment process, gives guidance on preparation and how to work with the auditor, and, if needed, advises on what to do if the auditor finds fault with any aspect of a system. Written by Steve Watkins, the book is priced at £5.95/US$11.77/€8.84 and available in softcover and e-book formats here.

Further pocket books will be introduced over coming months in the Practical Governance series and will address the following topics:

* Information Security Governance
* A Directors’ Guide to the UK Combined Code and Turnbull Report
* Sarbanes-Oxley
* BASEL 2
* Regulatory Compliance
* The Integrated Management System
* IT Governance
* Information Governance
* Project Governance
* Enterprise Risk Management

Watch this space!

Business Continuity demands more than technology

Thursday, March 22nd, 2007

Wise words on the topic of business continuity on ComputerWeekly’s website this week. The Business Continuity Institute’s Bill Crichton has stressed that continuity cannot simply be delivered by investing in the right piece of recovery kit. What is required is a far more all-embracing approach that involves policies, procedures and training, just as much as technology.

As I have written before, people often procrastinate over DR/BC measures because they don’t know where to start. The idea of a ‘fix-all’ recovery system may seem deceptively alluring. However, what is much more relevant is a good overview of the disaster landscape and a starter set of checklists, all of which is contained in our recently published book ‘Business Continuity and Disaster Recovery’, which is already proving very popular. This in turn equips the reader with the knowledge to decide which technology investments may genuinely help their continuity planning.

Copier risk

Thursday, March 22nd, 2007

One of the great virtues of an information security management system is that it helps steer you around the pitfalls of your own preconceptions. By having a rigorous process that reaches across the organisation and involves people at every level it becomes easier to spot vulnerabilities that you never knew were there. For example, Doug Schweitzer on ComputerWorld highlights that the modern office copier contains a hard drive that retains a record of the images it handles – how many people realise that? How many businesses have measures in place to ensure that vital data doesn’t just walk off the premises when a copier is upgraded? When technology evolves so quickly a best practice ISMS is an absolute must.

Data explosion calls for strengthened compliance measures

Tuesday, March 20th, 2007

ZDNet reports that new research from IDC is predicting a sixfold increase in the amount of digital information created over the next four years, which could have serious implications for compliance and IT departments.

The report, entitled ‘The Expanding Digital Universe’, says that much of the data created through new tools and applications will be subject to compliance rules such as Sarbanes-Oxley, Basel II and other legislation. IDC warns that companies will have to improve their IT infrastructure to make sure that their compliance strategies can cope with this rising tide of data.

What is just as important, I would argue, is to have in place the compliance processes that can satisfy this web of regulatory demands. An ISMS built according to ISO 27001 provides just the tool to achieve this, which explains why certification is being pursued by more and more companies.

Nationwide fined £1 million for poor infosecurity

Monday, March 12th, 2007

Nationwide, the building society, has been heavily fined by the UK’s financial regulator for weak data security following the theft from an employee’s home of a laptop containing confidential data of almost 11 million customers. In light of the lax security that made this possible, and the fact that Nationwide did not start an investigation until three weeks after the theft, the building society was fined £980,000.

The size of this fine should send a clear message not only to banks and building societies but to businesses in all sectors: customer data is a top priority and businesses that fail to put in place appropriate security measures can expect harsh penalties. This is a wake-up call that must be heard and we will hopefully see many more businesses stepping up their infosecurity compliance as a result.

In addition to our existing expert guides and toolkits, which make ISO 27001 compliance and certification accessible and affordable for most businesses, we are presently working on a new software solution that will simplify matters even further – expect more news at Infosecurity Europe next month.

Quick study disaster recovery guide

Monday, March 12th, 2007

One of the most worrying things I encounter time and again is how seldom growing businesses have proper disaster recovery plans in place. Statistically, few businesses that suffer a major data loss or business interruption survive for more than a year afterwards, and small businesses are the most vulnerable as they simply don’t have the resources to bounce back.

The issue for business owners, and also senior executives from larger enterprises, is usually a lack of time to learn about the subject from scratch. People know it is important, but as they don’t know where to start they procrastinate – which is fine until one morning their business is on the line.

I’m pleased to say that we have just launched a new book that I really believe could come to the rescue of such companies. ‘Disaster Recovery & Business Continuity’ is written specifically as a quick guide for small businesses and time-poor executives who need to master the key facts in a hurry. It summarises best practice in a clear and jargon-free manner, meaning that readers can quickly get the right measures implemented in their own business.

Each of its 16 chapters is written in a Question & Answer format with real world examples providing helpful illustration throughout. Further resources are provided in the appendices, including templates, checklists and information on training. The book’s contents are applicable to organisations based anywhere in the world.

The book is priced at just £29.95/US$59.25/€44.52 and is available online here and in leading bookshops. It is considerably cheaper than a full scale business interruption, so there can be no excuses for not getting your house in order at last!