Archive for August, 2010

Record Fine for Zurich Insurance UK – £2.27 million for losing 46,000 records

Tuesday, August 24th, 2010

Zurich Insurance UK not only lost 46,000 customer records, it took one year to discover the loss. The fact that the loss took place during what should have been a routine outsourcing operation just makes the matter worse. At £2.27m (reduced from £3.25m by agreeing to early settlement), the Zurich Insurance UK data loss works out to have cost the company nearly £50 per record – and that’s without the management time spent on dealing with the FSA investigation and the undoubted negative publicity which the report will generate.

The basics of data protection are still obvious: first, you have to be aware of the fact that you are in possession of personal data, and you have to be aware of how and where it is being processed. Then you have to take some basic steps: apply encryption, apply access control policies, apply secure transmission and receipt procedures (surely, after the HMRC CD-Rom fiasco most organisations would have got to grips with this idea?) and don’t allow personal data to be downloaded to USBs or other portable devices.

I covered exactly these basics at the most recent Data Privacy & Laws conference (video due out shortly, apparently) and the general response was: wouldn’t it be nice if we could get top management to understand that this is what we need to do? Well, perhaps £2.27m will help financial companies focus better on this key responsibility of theirs (although the long history of fines on financial sector companies for failing to protect personal data argues otherwise).

‘Bank fined $9.7m over poor IT governance’

Friday, August 6th, 2010

The UK’s Financial Services Authority (FSA) this week fined Royal Bank of Scotland Group £5.6m for ‘failing to have adequate [IT] systems and controls in place to prevent breaches of UK financial sanctions’. The Australian IT News quite rightly identifies this as a massive failure in IT governance – which, of course, it is.

IT governance is defined as “a framework for the leadership, organizational structures and business processes, standards and compliance to these standards, which ensure that the organization’s IT supports and enables the achievement of its strategies and objectives.” (IT Governance: a Pocket Guide)

“RBSG’s automated screening failed to screen the majority of trade finance SWIFT messages generated in the international trade transactions that it carried out,” said the FSA; it could have gone on to say something like: ‘RBSG’s Board of Directors evidently does not have in place any formal process for ensuring that its IT infrastructure supports and enables its compliance with UK laws and regulations or the achievement of its strategies and objectives,’ but it didn’t. That, nevertheless, appears to be the case.

It always seems to me a pity that organisations have to be pushed, by substantial fines, to do things that have significant business benefits – but there we are!

King 3, IT Governance, Risk and Green IT

Thursday, August 5th, 2010

King III has now been in force for about 4 months in South Africa. Judge Mervyn King made the point, at a recent ITWeb conference, that “one of the most critical interdependences is IT, because it’s technology that is going to save the planet”. We call this Green IT, and believe that energy-efficient IT management must become a core part of IT strategy in the future.

Risk management becomes ever more important, as more and more IT is outsourced – but there is more to IT risk management than simply disaster recovery or supply chain management. Increasingly, IT risk, information risk, project risk and business continuity risk must be considered as part of a coherent approach that identifies and seeks to mitigate all forms of unacceptable strategic and operational risk to the organisation; that, of course, is what IT governance is really about.

Green Tech

Tuesday, August 3rd, 2010

While Forrester’s recent report says that Green IT initiatives persist, in spite of budget cutbacks and other challenges facing IT teams today, the reality is more likely to be that savvy IT leaders recognise that Green IT initiatives can make a substantial contribution to reducing the direct cost of running the IT infrastructure.

Gary Hird, for instance, has led the John Lewis Partnership’s Green IT strategy for some time and he talks about how JLP went about this in Green IT in Practice, now in its second edition. It’s a fascinating and practical description of how one large retail organisation set about driving down its IT costs, reducing its carbon footprint and meeting customer requirements.

Other writers have also addressed these issues: George Spafford focused on the Governance of Green IT, which has a particular focus on managing energy consumption. The recent emergence of EN16001 should give a boost to those looking for a structured approach to energy management.

There is lots of information, advice – and case studies – available for organisations that want to tackle Green IT.

eBook Readers – More on Kindle

Monday, August 2nd, 2010

There are a few more things I dislike about the Kindle – the naff little ‘keyboard’, for one, which doesn’t make for easy typing; the failure to number book pages for another – why does Amazon think it’s useful to use a page referencing system that is totally different from that which has been used for books since before Gutenberg?

And the Kindle’s automatic screen rotation is really annoying – if you lie on your side (reading on a beach, for instance) the screen can’t make up its mind which way to orientate itself and so keeps changing from landscape to portrait!

And try reading a book that has genealogies and other reference material, where you want to flip back and forth between different pages and sections (for instance, reading Wolf Hall, where supporting information is quite useful) – it’s just too hard!