Archive for October, 2008

Project governance still important

Wednesday, October 22nd, 2008

Almost £300m worth of public-sector IT projects have been binned in the UK, sparking accusations that the government is embarking on the schemes without proper thought.

I guess that what our government needs is access to a good project and programme management framework, something that recognises all the common reasons for IT project failure, and which enables organisations to avoid having to re-invent approaches that have already been tried and tested.

I’d like to recommend that they start with a project management methodology called PRINCE2 and then follow through by investigating a programme management methodology called MSP – Managing Successful Programmes. These programmes were both pulled together by a UK government department, and the IP is still owned by the OGC – who, I’m sure, would be delighted to learn that someone else in the government actually uses these programmes.

Prosecuting directors for information security failures

Wednesday, October 22nd, 2008

I’ve been of the view, for some time, that effective corporate information security will only come to pass when company directors are prosecuted, fined and jailed for failures to implement and maintain effective information security management systems.

Here are two stories that rather illustrate the point:

And it’s all actually quite straightforward – implement ISO27001, obey the Data Protection Act, and have happy customers, staff and regulators!

Fining Executives is, sadly, necessary

Monday, October 13th, 2008

I think it’s a great pity – but clearly unavoidable – that the FSA has arrived at the view that it will have to fine individual board-level executives of retail banks if it is to get them to take adequate measures to protect customers’ information. I think this is excellent news – particularly the clear statement that ‘FSA wants to avoid executives palming off overall security responsibilities onto the IT department. Chief executives, compliance officers and board-level IT directors could all be held responsible.’

One would have thought that banks might have spotted that protecting customer information might be a fundamental part of customer care in this identity-theft age but, then again, I guess we might have expected banks to have spotted that it might not make sense to lend someone of limited income 130% of the already-inflated value of a house. 

A number of UK banks have been – or are about to be – taken into public ownership. The UK government doesn’t exactly have a great track record (eg HMRC, MOD, etc) when it comes to protecting personal data, either. So we have to hope that the FSA will have the courage to fine the government-appointed directors of nationalised banks where they fail to ensure their organisation takes adequate steps to protect personal data – or the protection of personal data in the UK will just become even more difficult.

Data protection and financial chaos

Wednesday, October 8th, 2008

When financial markets appear to be in free fall, many organisations might think that data protection is the least of their worries. Who cares, they might wonder, about protecting personal data if tomorrow we might not exist any more? (And, from what we’ve seen over the last few weeks, the ‘might not exist tomorrow’ possibility should be a very real planning scenario for all but the world’s best-capitalised banks).

Well, in the UK, the Information Commissioner is unlikely to cease caring – already identified as “setting the political and administrative agendas for the protection of personal data in this century in the UK” and for “firmly disciplining politicians, civil servants, the media and business folk into line”, he’s unlikely to allow data protection to take a back seat at exactly the moment that spammers are expected to take advantage of bank buyouts to launch new phishing scams.

However, we’re talking here about banks who were unable to identify or adequately manage some rather more obvious risks to their business (like, if you lend someone 130% of the value of his collateral, and if his current cashflow is insufficient to pay the interest let alone repay the principal, how do you expect to survive?) than those around personal data. So, if you’re a bank customer, it might not be wise to hope that, in the midst of all this turmoil, your personal data will be adequately protected. The facts speak for themselves: US organisations are on track to report at least 680 data breaches by the end of 2008, affecting more than 30 million records.

It is clearly the case that, with personal data, one can only rely on oneself to protect it!

In the UK, it’s National Identity Fraud Prevention Week!

Tuesday, October 7th, 2008

Apparently, we’re today kicking off the UK National Identity Fraud Prevention Week – and research for RSA reveals widespread disbelief (as in, 90% of Britons) that their personal data are safe with banks and retailers, and half the people think that not enough is done to protect these personal details.

That’s better than I thought! Let me explain: in today’s insecure world, everyone has to be concerned about his or her own personal data – this is a critical personal asset that needs safeguarding. And, for far too long, people have simply not been adequately concerned about this issue. Clearly, this is changing – let’s hope that, as more people learn about the poor care exercised by data controllers in the UK, they get better at insisting that adequate steps are taken - and voting with their feet where they are dissatisfied with the standard of care. 

From an organisational point of view, of course, it’s not hard to respond to the findings of this research – take adequate steps, today, to comply with the Data Protection Act in the UK, or whatever data protection legislation applies in your business jurisdiction. If you accept payment cards, PCI DSS compliance should be a given. And, for every organisation, ISO27001 is the best practice standard for securing information – and this week would be a good week to get started on an ISO27001 project!

New UK Computer Crime Unit

Friday, October 3rd, 2008

Well, that’s a relief – the UK government has caught up with the fact that there are criminals on the Internet. The government has said that it will spend £7 million to establish the Police Central E-crime Unit (PceU) in London, that it will be run by London’s Metropolitan Police and will be more than half-funded by the Met.

I’m not going to waste time talking about the fantastic stupidity of creating and then, after three years, disbanding the High-Tech Crime Unit (creating SOCA, the Serious and Organised Crime Agency, whose priorities were drugs, people smuggling and similar more ‘traditional’ crimes) just as serious criminals migrated to the Internet. I am, though, going to make the obvious point that, even if the PceU does get going fairly early in 2009, it will still be something like two years before it will start being effective – it just takes a long time to get a new organisation (particularly a publicly-funded one) working, to get objectives and modi operandi and personnel and media and all those things properly sorted. And, in that time, cybercrime will become more sophisticated and the challenge of controlling it even more complex.

Let me put it another way: establishment of the PceU will be no panacea, anytime soon, for cyberthreats. Sensible organisations are just going to have to keep on doing their own risk management around this issue.

Will a data breach harm your brand image?

Wednesday, October 1st, 2008

Virgin is a strong brand, so a welter of stories describing Virgin Media’s breach of the Data Protection Act, when it lost an unencrypted disc containing the details of some 3,000 customers, would not have been part of the PR strategy. As a result of a simple management failure – not requiring the encryption of all portable media that contain personal data – it now finds its name and brand logo alongside statements that Virgin Media has been guilty, ‘scolded’, ‘reprimanded’, ‘slammed’ and ‘rapped’ for inadequately protecting its customers’ data. Not a pretty outcome!

There is a simple way to avoid this sort of damage - encrypt all portable media! We wrote about this in our Data Breaches Report 2008 and, after the HMRC fiasco, one would have thought that all organisations would, at least, have carried out the encryption part of our recommendations.

Merchants of FUD

Wednesday, October 1st, 2008

I’ve always thought organisations that sell their ‘software solutions’ entirely on the basis of Fear, Uncertainty and Doubt should on principle be shunned by all right-thinking CIOs and IT managers. Of course, there is a certain amount of FUD that software solutions have to combat, but sales should primarily be made to deliver quantifiable returns on investment (and I recognise that is not always an easy calculation).

It’s therefore a pleasure to see that Microsoft and Washington State’s Attorney General have filed lawsuits against scam artists who frighten consumers into buying useless software, and I hope these scam organisations are stopped.

The scary message, though, is this: ‘A recent report from North Carolina State University showed that most internet users are unable to tell the difference between genuine and fake pop-up messages. “This study demonstrates how easy it is to fool people on the web,” said co-author Dr Michael S Wogalter, professor of psychology. Despite being told some of the messages were fake, people hit the OK button 63% of the time.’ 

In other words, FUD will sadly be an effective sales tactic for so long as people allow themselves to be duped. Awareness and training become an ever more essential aspect of preparing people – consumers and employees – for what they will find on the Web.