Archive for August, 2007

House of Lords E-Crime Report

Thursday, August 23rd, 2007

The recent report from the House of Lords Science and Technology select committee into ‘Personal internet security’ highlights the fact that businesses are not doing enough to protect their customers from the dangers of e-crime and on-line fraud. Clearly this is not exactly a ground-breaking conclusion; however, it is certainly an important one.

The report reinforces my long-held view that organisations need to take action to protect valuable data. ISO 27001, the information security standard, is the benchmark for first-rate information security, and certification is the best method of protection an organisation can have. Organisations should get certified to ISO 27001 as soon as possible in order to protect their customers as well as themselves.

Surely it is time that the National High Tech Crime Unit (NHTCU) was re-formed in order to tackle e-crime effectively and, hopefully, deter those responsible. Since it was disbanded and absorbed into the new Serious Organised Crime Agency (SOCA) there has generally been nowhere that e-crime can be reported to, and local police forces are often ill-equipped to deal with e-crime, especially where the perpetrator is based in another jurisdiction. For example, e-crime can be committed by people based in Russia who have stolen the credit card details of people in the US and are now using them to purchase from a site owned by a UK company but hosted on a Canadian server. This simple example illustrates just how vitally important a co-ordinated national police approach is to dealing with e-crime. PCI DSS will not be enough on its own. The complexities of e-crime need a dedicated unit, so bring back the NHTCU!

Meanwhile, whilst organisations are making the necessary changes to protect sensitive information, individuals should also take action to protect themselves, and the ‘Internet Highway Code’ is the benchmark here. It sets out ten straightforward, no-nonsense, plain English rules for staying safe online and arms anyone using a computer with the knowledge of how to avoid the problems that make the newspaper headlines.

E-Discovery and the Federal Rules of Civil Procedure

Thursday, August 9th, 2007

Any organization based or operating in the United States needs to be prepared for possible lawsuits. Under the recently amended Federal Rules of Civil Procedure, organizations face tough new requirements for preserving their electronically stored information, such as email and word-processing documents, so that it can swiftly be produced in the event of a lawsuit. However, even though legal demands are common for larger organizations, it appears that very few are ready for these new E-Discovery rules, leaving the majority open to costly fines and adverse rulings.

According to ESG Research, 91 percent of organizations with over 20,000 employees have been through an E-Discovery event in the past 12 months. However, amazingly, a recent survey of corporate attorneys by Pike & Fischer revealed that only 7 percent feel that their companies are ready to meet these new requirements.

Therefore, to help corporations adapt to the new requirements, we called on Bradley J Schaufenbuel, senior manager in IT Risk and Security at Zurich Financial Services in Illinois, to write ‘E-Discovery and the Federal Rules of Civil Procedure’ as the latest in our series of Practical IT Governance pocket guides. Over 68 pages, he provides an easily absorbed account of the background and details of the new rules and explains what organizations must do immediately to ready themselves for possible future lawsuits. It’s a must for any US organization preparing for the stark realities of life. The book is priced at $29.95 in softback hard copy and may be ordered for shipping here; alternatively, an e-book version may be purchased for immediate download here.