Archive for October, 2007

Stop Press: a successful government IT programme!

Wednesday, October 17th, 2007

It is an easy thing to criticise ‘another failed government IT programme’. As with anything, it is only the failures that make the headlines and seldom the successes. I would therefore like to make amends by highlighting the news reported by ZDNet that the initial roll-out of electronic passports by the Identity and Passport Service has been judged a success by the Public Accounts Committee. Specifically, it has been lauded by MPs as an “excellent example of successful project management and procurement” and the Office of Government Commerce has been urged to spread the lessons learned from the project across government.

The OGC, of course, originated and owns the respected Prince2 project management methodology, as well as that for Managing Successful Programmes. It’s good to see them using their own methodologies but it is sad that others in the public sector don’t. So, the OGC might like to start with the Department of Health, where moves to introduce a lamentably poor online recruitment system for junior doctors were recently abandoned. In commenting on this failure, Health Minister Ben Bradshaw made what seems to me an extraordinary statement, saying, “If new or national systems [for doctor recruitment] are to be used in the future, they must be rigorously tested and agreed with doctors, the NHS and others involved.” This truly seems spellbindingly obvious and so rudimentary a requirement of any project manager that I am stunned it ranks a mention.

To be balanced, therefore, I should say it is terrific that there are clearly many pools of excellence in the public sector when it comes to IT project management; equally, there are some areas in which the level of professionalism is so low as to be positively alarming. Let us hope that the OGC can have more success than it has had in the past in spreading the knowledge of effective project and programme management, so that junior medics and the taxpayer are spared future fiascos quite as amateur as the doctors’ recruitment system.

BS25999 and ISO27001

Tuesday, October 16th, 2007

Once upon a time, there was only BS7799 for information security - now there are three parts to it, two of which have become internationalised (ISO27001) and are part of a series which has something like 20 numbers reserved for future use - and we also have the PCI DSS to provide a more prescriptive approach to protecting commercially important cardholder data. You would have thought that, with all these standards, business would have become more secure.

Perhaps - but clearly, continuity needs have not been adequately recognized. The first part of BS25999 (already published) was just a code of practice - but the arrival of part 2, the management system specification, will make it possible for organizations to get a BS25999 certificate - to go alongside their ISO27001 and ISO20000 certificates, no doubt.

Or will the proliferation of certificates simply lead to confusion in the minds of stakeholders as well as managers and customers?

ID Fraud Tsar – Job or Non-Job?

Monday, October 15th, 2007

On the face of it, I find the call by British MPs for the appointment of an Identity Fraud Tsar a very good thing. Under the proposals of the All Party Group on Identity Fraud this new role would provide a point of coordination between the Government, police and private sector. Given the pervasiveness of this type of crime it is good to see our legislators being – comparatively – on the ball. I am also glad to see them highlighting, as I have done previously, the great potential risk that people put themselves in by divulging all sorts of personal details on social networking sites like Facebook and MySpace (surely a candy store for any online fraudster).

This report follows the recent recommendations by the House of Lords Science & Technology Select Committee, which called for various overdue measures to tackle the broader issue of e-crime. As I noted previously, this was a well-considered work that has made many positive contributions. Again, therefore, plaudits to our parliamentarians for recognising the importance of these issues.

However, the job of ID Fraud Tsar, or any other measure to tackle e-crime, is of little value if it is poorly resourced. The Home Office says it has “done much” to combat identity fraud, including tougher criminal penalties, better co-ordination in prosecuting fraudsters, more powers to share data about frauds and public awareness campaigns. However, this story from ComputerWeekly today suggests the good work of the Lords and Commons is falling on deaf ears at HM Treasury, which holds the all-important purse strings. In its latest Comprehensive Spending Review the government has promised to throw £11 million – not much, frankly – at three fraud-fighting bodies, but has made no apparent provision to do anything about e-crime.

Let us hope, therefore, that amid the many millions generously directed into health and other public services, some may be found for this vital area. If not, any newly appointed Tsar will end up a figurehead unable to do very much at all.

Top tips for getting 27001 certificated

Friday, October 5th, 2007

Part of our business is advising companies that wish to become ISO27001 certificated and we are delighted that two clients recently passed their independent audits with flying colours. Gemserv is an independent consultancy in the energy sector while Easynet is a network management and hosting company owned by BSkyB. In each case we worked with them to scope and set the critical path for their compliance project, provide the necessary training for their in-house project team and then act as on-call coach throughout their risk assessment, risk treatment and pre-audit phases.

From working with various firms we have identified several factors that determine how quickly they will succeed in achieving ISO27001 compliance. To any organisation about to embark on this process we make the following strong recommendations:

1. Get senior management buy-in from the outset - if you don’t, you won’t get the money, time and resources you need and will find it harder to get other colleagues to play their part.
2. Establish a project board, including a senior sponsor and a well qualified project manager, and a motivated project team to run the process day-to-day.
3. Choose and use a good project management methodology - the compliance process reaches right through the organisation and has many interlocking parts; if you don’t keep a tight grip it can quickly slip out of your control.
4. Communicate and train at every level - not only does your project team need to be given the skills and knowledge for their task, but all your other colleagues need to understand what is being delivered and why. If not, your work may quickly unravel.
5. Lastly, recognize that there is no end point to the project - becoming certificated is just the start; you have to make the information security management system an ongoing part of your business and broadcast this message consistently from the start.

Attack of the Chinese zombies

Tuesday, October 2nd, 2007

The following is possibly the most arresting opening paragraph I have yet read in a security article:

‘The wave of cyberprobes or cyberattacks against Pentagon networks and government computer systems in France, Germany, New Zealand and the United Kingdom this summer appears to emanate from China, but no one in authority in the Defense Department or any of the other countries that have been victimized seems willing to finger the Chinese government or military as the culprit.’

While this sounds like a Tom Clancy thriller it is a serious account of a new front in the online battle, something that both governments and businesses need to be aware of. Military and industrial espionage are alive and well, and it is entirely plausible that businesses and even sovereign states will use the Internet both to gather intelligence and weaken their opposition.

This is a realization that would be worth spreading in the workplace. It can be hard to get all your colleagues to do their bit in safeguarding information assets. If more of them realized the nature of the foe they might feel more motivated to help out - we’re not just facing a threat from bored teenagers, but also from deadly serious criminals and even state agencies. If that sounds a little far-fetched, this article is worth a read, and BS25999 as a core component of an information security strategy makes real sense!