Archive for March, 2010

Data Protection Act – Staff Awareness

Wednesday, March 31st, 2010

I wish I were surprised that most staff of most companies are not aware of the new penalties available to the ICO in respect of reckless breaches of the DPA. Of course, there may be an argument that most staff in most companies don’t need to be aware, because their organisations are already in complete compliance with the DPA. I would be surprised, though.

Anyway, we just launched a set of staff awareness posters, specifically to help with raising staff awareness around specific Data Protection Act issues. We hope they help improve awareness of critical responsibilities around protecting personal data and preventing identity theft.

Managing Risk in the Cloud

Monday, March 8th, 2010

Cloud computing has tremendous potential for organisations of all sizes; it also brings with it a specific set of risks, ranging from access management and business continuity through to data protection compliance. Cloud computing risk was very much on the agenda at this year’s RSA conference; we’ve also recently published a book which focuses very specifically on managing risk in the cloud. Titled ‘Above the Cloud: Managing Risk in the World of Cloud Computing’, it seems to be hitting the spot in terms of providing specific guidance to security and IT professionals about this particular area of risk. It is also available from our US site.

Password Security Dilemma

Thursday, March 4th, 2010

Commonly accepted best practice on password security is that passwords should be complex, changed frequently and never written down. Password complexity (8 alphanumeric characters, case sensitivity plus special characters) increases the difficulty of cracking the password; regular password change decreases the likelihood of a password that has been inadvertently revealed being improperly used. The easiest way into a computer or network is, of course, via the password that has been written down and is stored somewhere convenient – on a post-it note under the keyboard, behind the screen or in an unlocked drawer.

And, of course, the more complex the password and the more frequently it has to be changed, the more likely users are to forget it – and to write it down. And we’re not just talking about business users here: our experience is that many seasoned IT and information security professionals resort to writing passwords down – not least because we increasingly combine regularity of change with an increasing volume of passwords, each of which has different rules.

And it’s the different rules that make it difficult for one to use one strong password in all the applications and websites to which one has access.

So, there’s the information security manager’s dilemma when dealing with user system access: enforce frequent password changes, enforce complexity, block reversions from new to old passwords, block password sequencing and all those sensible things, and you increase the likelihood of passwords being written down, thereby potentially making unauthorised system access even easier.

The solution, for me, is to insist on password complexity – but to enforce change only irregularly - certainly no more than once a quarter – and, perhaps, no more frequently than once per year.
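The policy controls the post lists (complexity, blocking reversion to an old password, blocking sequencing, and a change interval of no more than once a quarter) can be expressed as a small checker. The following is an added example, not code from the original post; the threshold values, the digit-stripping "stem" heuristic for sequencing and the history depth are assumptions, and the plain SHA-256 used for the history store is for illustration only.

```python
import re
import hashlib
from datetime import date, timedelta

# Assumed policy parameters: 8+ characters, change no more than quarterly,
# and a user may not revert to any of their last five passwords.
MIN_LENGTH = 8
MAX_AGE_DAYS = 90
HISTORY_DEPTH = 5


def meets_complexity(pw: str) -> bool:
    """Lower, upper, digit and a special character, at least MIN_LENGTH long."""
    return (len(pw) >= MIN_LENGTH
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def _h(s: str) -> str:
    # Demonstration only: a real history store should use a slow, salted password hash.
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def _stem(pw: str) -> str:
    # Normalised form that catches "Winter2009!" -> "Winter2010!" style sequencing.
    return re.sub(r"\d", "", pw).lower()


def record(pw: str) -> tuple:
    """Entry stored in the history list: (hash of password, hash of its stem)."""
    return (_h(pw), _h(_stem(pw)))


def check_new_password(new_pw: str, history: list) -> list:
    """history holds record() tuples, newest first. Returns the violations found."""
    recent = history[:HISTORY_DEPTH]
    problems = []
    if not meets_complexity(new_pw):
        problems.append("complexity")
    if _h(new_pw) in {full for full, _ in recent}:
        problems.append("reversion")
    elif _h(_stem(new_pw)) in {stem for _, stem in recent}:
        problems.append("sequencing")
    return problems


def change_due(last_changed: date, today: date) -> bool:
    """True once the password is older than the policy's maximum age."""
    return today - last_changed >= timedelta(days=MAX_AGE_DAYS)
```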

Privacy Dividend or £500k fine – which do you prefer?

Wednesday, March 3rd, 2010

The Data Protection Act (‘DPA’) in the UK is a cornerstone of IT and information-related legislation. It applies to all organisations that collect or hold information about living individuals. Most organisations would claim that they comply with the DPA. The reality is that many don’t – over 800 organisations have reported data breaches in just the last two years – and as reporting data breaches is not a legal requirement, it is likely that there have been many more breaches similar to those described here, but which have been ‘swept under the carpet.’

The Information Commissioner (ICO) will, from 6 April 2010, have the power to levy fines of up to £500k for serious breaches of the DPA. Which organisations will suffer the first fines?

For all organisations, the choice is clear and straightforward: continue with shoddy data protection practices and face potentially significant financial penalties, plus the widespread press coverage that will attend such a fine, or take steps to improve those practices. There is, in fact, a good business case to make for doing exactly that. The ICO has just published The Privacy Dividend, which describes how to make the business case for the necessary investment and even includes – for free – all the documentation that an organisation might use as part of that business case.

Penalty or dividend?

It shouldn’t be a hard choice, should it?

What a good idea…

Monday, March 1st, 2010

Warren Buffett encourages boards to develop meaningful penalties for executives who fail to fully and personally own risk control in their business.

He is, of course, right. In the UK, the Combined Code expects directors and the board to own risk and provides, in the Turnbull Guidance, comprehensive guidance on what is expected.

My impression is that, in the US, the CEO gets stratospheric compensation – and, the bigger and more complex the business, the more s/he gets paid. It seems wrong that the shareholder should stump up the funds for an acquisition, should see their investment savaged if the deal goes sour, have no real control over the acquisition strategy, get to pay the CEO more and more, but for there to be no real penalty for the CEO when s/he screws up – and being forced out with a big compensation package is no penalty.