Archive for July, 2007

Spear phishing thrives

Friday, July 13th, 2007

It’s amazing how social trends can often make people do the most stupid things. Sales of paper shredders have gone through the roof of late because the public has woken up to the identity theft risks of making personal data available to strangers. So far so good – an entirely intelligent response. So what makes often the very same people put all of their personal data online instead through social networking sites like Facebook?! As this article rightly points out, this is an open invitation to phishing scams that can become far more targeted and convincing to the individual. I have no doubt that news stories of the first Facebook scam victims will be just around the corner.

If you are going to use sites like this the important thing is to be very circumspect about what you reveal about yourself. You should share the bare minimum at all times. Of course, the really smart move is not to get involved in the first place (which sounds like a killjoy’s view right up until someone empties your bank account for you).

Poor Security Costs Money

Thursday, July 12th, 2007

David Lacey has spelt out some of the real financial impact that businesses face when they suffer ‘data leakage’. In the case of TK Maxx he speculates that the cost could actually run into billions, rather than the mere $5m they have provided for to date. He breaks out a sobering list of costs that businesses face for being slack on data security:

“…for example the costs of investigations, remedial work, lost customers, loss of brand value, additional regulatory demands, fines, lawsuits, PR costs, and the costs of re-issuing credit cards. Not to mention the overall impact on e-Business from customers switching to cash payments.”

He then rounds off his post as follows:

“The risks and impact will continue to rise until organisations achieve much higher levels of security, including tighter platform and network security, better staff awareness and more aggressive auditing and monitoring of operational processes.”

Until more businesses are certified to ISO 27001, in other words.

NHS IT Governance should not be swept under the carpet

Tuesday, July 10th, 2007

It is interesting to note that the “spin-free” new administration of Gordon Brown may be making moves to sweep the NHS IT reform programme under the carpet. The recent resignation of the forthright Richard Granger at Connecting for Health has removed a lightning rod for the project, and it is now reported that two of its most vocal government supporters have been moved to other roles.

Here is the striking thing: OGC (the Office of Government Commerce) is the developer and owner of two world-recognised best practice frameworks: Prince2, for managing IT programmes and IT projects, and ITIL, for IT Service Management. Prince2 was developed to help government IT projects come in on time, to budget and on specification. ITIL focuses on the need to understand customer (i.e. user) requirements and to develop and deliver services that align with business needs. Both are part of a normal IT governance framework, and both have quite signally failed in the NHS Connecting for Health programme.

We’ve seen Granger go, and others moved on, but we haven’t seen any overt attempt to rectify the governance failures that led to the current parlous situation, in which a national project is behind timetable, over budget and not meeting specification. A delivery-focused government would start by overhauling the governance framework put in place for this programme, not just by changing faces – maybe Brown and his ministers need a lesson – from one of their own departments – on how these things should be done.