Archive for February, 2008

Business Continuity Planning and BS25999

Thursday, February 28th, 2008

I came across an interesting post on Ireland’s Security Watch blog making the topical connection between bird flu scares and business continuity planning. It rightly points out that a disaster can strike from unlikely sources when you least expect it.

BCP is a very topical subject generally, given the recent introduction of the BS25999 standard. This finally provides a way for organisations to PROVE that they have a robust plan in place to ensure that their business can withstand adverse events. With our increasingly global and interdependent supply chains, more and more organisations are coming under pressure to reassure their major customers and business partners that they are a safe bet.

To help organisations get to grips with the new Standard and the competitive advantage that being certificated represents, we have just published several new books:

* We have brought out a second edition of Disaster Recovery & Business Continuity, a quick guide for small organisations and busy executives. This is based on last year’s successful book but updated to reflect the particular requirements of the new BS25999 Standard.
* For people needing a quick introductory overview of business continuity management we have launched a new BS25999 Pocket Guide. This sets out all the key facts and is a great tool for organisations that are implementing, or set to implement, a business continuity plan and management system. If you need to share practical knowledge between many project team members this is also a very cost effective way of doing it.
* Lastly, to support the take-up of the new Standard we have launched Business Continuity and BS25999: A Combined Glossary. No previous glossary has adequately addressed the full range of terms likely to be useful to a business continuity practitioner. In this book, we have drawn not only from BS25999 but also a wide range of related standards and frameworks, including ITIL and ISO27001, to create a standardised set of terms that should enable professionals to conduct global conversations based on a shared understanding.

Civil lawsuits start over lax data security approach

Tuesday, February 19th, 2008

The Realtime IT Compliance blog carried a significant post the other day - the first signs of US civil lawsuits against companies losing customer data.

In this case, it is a $54 million claim against Best Buy for losing a customer’s laptop, but watch this space for similar lawsuits for other forms of data loss and leakage - this is just the beginning.

Organisations taking a lax approach to data security are about to find out just how costly this can be for them. Such cases attract plenty of headlines, so sloppy businesses will have to start making much greater provisions for brand and reputational damage. We like to think that mature executive teams can be self-policing when it comes to looking after their customers, but too often it takes a potentially ruinous fine to focus their minds on the issue.

The alternative is to protect your customers and your own interests by adopting a best practice Information Security Management System. ISO27001 is the answer but remains an alien concept to many directors - perhaps a few courtroom pay days are just what we need.

House of Lords re-opens inquiry

Tuesday, February 12th, 2008

I read in ComputerWeekly that the House of Lords Science & Technology Committee is to re-open its inquiry into e-crime and the security of personal data, apparently due to the Government’s “vacuous, idle and irrelevant” response to its initial recommendations.

I am dismayed that, after what was a well-considered report, so little has been done by this Government. It is at least a little heartening that their Lordships are not mincing their words about their disapproval. Perhaps this time we may see a little more action as a result? I wonder. Time will tell, but one would think that the spate of data loss disasters, most notably the HMRC lost discs fiasco, would give the Government ample incentive to finally stop sitting on its hands.

As I wrote at the time of the Committee’s first report, ISO27001 needs to lie at the heart of the Government’s response to this challenge. It is high time that our political leaders put their money where their mouths are and made the Standard compulsory across all departments.

Granger goes, but who takes over?

Saturday, February 9th, 2008

I have written before about the uncertain leadership and consequent weak governance at the top of the NHS IT reform programme. Yesterday, we heard that director general Richard Granger has indeed finally left his role. But as to who takes over, we learn the following:

“There will be no direct replacement for Granger, but the DoH [Department of Health] will begin the process of filling two new positions over the next two weeks.”

What an extraordinary state of affairs, particularly given that Granger’s departure had been so well telegraphed. It beggars belief that in what is supposedly a cornerstone of the government’s reform programme, the issue of leadership comes as such an apparent afterthought.

Another wake-up call for the boardroom

Saturday, February 9th, 2008

For those boardrooms still slow to grasp the strategic importance of IT governance and information security, the BBC offers a nice simple graph to bring home the scale of the challenge. It comments:

“Reports vary but some estimates suggest there were five times as many variants of malicious programs in circulation in 2007 compared to 2006.”

Some are talking of 2008 as the year of ISO27001, something we have been loudly advocating for the past several years. With threats growing as they are, let us hope that many more companies finally hear the message.

Only 12 percent of companies have adequate IT governance

Friday, February 8th, 2008

We have seen a lot of media interest this week in the poll we recently did on the issue of IT governance, which underlined how few boards currently have their arms around this important responsibility. Some of the articles to appear so far include ComputerWeekly, CIO and IT Week. The media obviously understands the importance of this issue - now we just need board directors to catch on too.

Our key finding was that only 12 percent of businesses take IT governance seriously enough to exercise oversight via a properly constituted board committee. How on earth can this be, when even the most technophobic director will concede that IT is the engine powering most businesses today? If you have an audit committee to manage your financial governance, how can you fail to have an IT governance committee too?

Just as with an audit committee, an IT committee needs a mix of independent and executive directors, and must provide the focus for the board’s deliberations on technology. Especially when so few directors are technologically qualified, this is something that every mid- to large-size organisation should have. It is high time that investors and regulators start applying pressure for these measures to be adopted, because firms clearly aren’t doing it themselves.

For those who are ready to step up to the plate, our popular book ‘IT Governance: Guidelines for Directors’ is perhaps a good starting point.