Archive for February, 2009

Basel II – Really, What Was The Point?

Friday, February 27th, 2009

I find that I wrote this, a couple of years ago, in IT Governance – Guidelines for Directors: “Basel 2 seeks to achieve its goal of strengthening the international financial system through three pillars. Pillar 1 aims to align a bank’s minimum capital requirements more closely to its actual risk of economic loss, aiming to establish an explicit capital charge for a ‘bank’s exposures to the risk of losses caused by failures in systems, processes, or staff or that are caused by external events’.[1] Those banks whose approaches to measuring, managing and controlling their operational risk exposures are appropriate to the risk area will have lower capital requirements. While Pillar 2 allows for supervisory review of banks’ risk management processes, Pillar 3 explicitly sets out to enhance transparency in banks’ public reporting in order to ‘leverage the ability of market discipline to motivate prudent management’.”


So, what on earth was the point of Basel II?

It rather looks to me as though:

  • Pillar 1 was a bust, or we wouldn’t have had Northern Rock, RBS, HBOS, Citi, etc;
  • Pillar 2 – well, the supervisory reviews of banks’ risk management processes clearly haven’t been that hot, or someone might have spotted that lending someone 125% of the already inflated value of their property, on repayment terms that in some cases exceeded their monthly gross earnings, wasn’t exactly a demonstration of effective risk management – or that the creation of opaque, deliberately over-complex CDOs and other instruments wasn’t an attempt at clarity (to say nothing of the cynical appointment to the regulatory authority’s board of someone responsible for firing one of the few risk managers who actually appears to have been doing their job in drawing attention to the bank’s failure to manage risk effectively) – and, as for
  • Pillar 3 – well, I guess ‘Sir’ Fred Goodwin’s £650k annual pension (after early retirement!) is a good example of market discipline motivating prudent management, isn’t it? And I bet that no-one would even consider removing the knighthoods that this collection of pretend bankers were awarded, will they?

So, maybe BASEL II was really just an excuse for a lot of central bankers to get together for dinner on a regular basis?

[1] BIS Press Release, 26 June 2004

Take Data Protection Seriously, Please

Thursday, February 26th, 2009

I did a presentation earlier this week at NITES, in Ireland. My topic was data protection and governance. I took the opportunity to make a number of linked points:

  1. We already have data protection legislation in the EU and US;
  2. These regulations don’t have any real teeth;
  3. Most company boards – particularly in the financial sector – and public sector managements simply don’t care about data security – there are no rewards for doing a good job and no meaningful penalties for failure;
  4. The Health and Safety Executive in the UK has a budget and staffing levels about 20 times higher than does the Information Commissioner, as well as powers to inspect and fine, so it’s hardly surprising that health and safety regulation shows progress and data protection doesn’t (remember, too, that our ICO’s tiny budget, the majority of which is provided by company registration fees, has to cover DPA compliance as well as FOI and Environmental Regulation compliance!);
  5. We care more about people using mobile phones while driving than we do about companies losing thousands/millions of sensitive personal records – we jail people for sending text messages while driving but do nothing about company directors whose reckless disregard of data protection regulations endangers the financial future of vast numbers of ordinary consumers;
  6. It’s time for data security to be given proper emphasis – by which I mean custodial sentences for CEOs and senior civil servants whose organisations recklessly disregard the DPA – with ‘reckless disregard’ having characteristics like unencrypted laptops or USB sticks and failure to conform to BS10012 (when it is finalised and launched);
  7. We also need a pan-European data breach directive, that requires companies who fail to protect personal data to meet in full the costs of restitution for those affected as well as paying substantial financial penalties (and, possibly, jail time for directors – see my earlier point).
  8. It’s time for us, the consumers whose personal data is so regularly abused, to start demanding – through all the channels open to us – that our elected representatives start taking this subject seriously and enact legislation that will actually have teeth, and commit the level of financial support that will enable those teeth to bite.

You are welcome to download a copy of my NITES presentation: nites-feb-09.