Archive for the ‘Business and the Economy’ Category

‘Bank fined $9.7m over poor IT governance’

Friday, August 6th, 2010

The UK’s Financial Services Authority (FSA) this week fined Royal Bank of Scotland Group £5.6m for ‘failing to have adequate [IT] systems and controls in place to prevent breaches of UK financial sanctions’. The Australian IT News quite rightly identifies this as a massive failure in IT governance - which, of course, it is.

IT governance is defined as “a framework for the leadership, organizational structures and business processes, standards and compliance to these standards, which ensure that the organization’s IT supports and enables the achievement of its strategies and objectives.” (IT Governance: a Pocket Guide)

“RBSG’s automated screening failed to screen the majority of trade finance SWIFT messages generated in the international trade transactions that it carried out,” said the FSA; it could have gone on to say something like: ‘RBSG’s Board of Directors evidently does not have in place any formal process for ensuring that its IT infrastructure supports and enables its compliance with UK laws and regulations or the achievement of its strategies and objectives,’ but it didn’t. That, nevertheless, appears to be the case.

It always seems to me a pity that organisations have to be pushed, by substantial fines, to do things that have significant business benefits - but there we are!
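The FSA’s finding was that the bank’s automated screening simply never saw most of the messages it was meant to check. The control a practitioner wants in that situation is not a better matcher but a reconciliation: every message sent must be accounted for in the screening log, and the gap must be reported to someone who owns it. The block below is an added example written for this post; it is not RBSG’s, the FSA’s or any vendor’s system. The message references, counterparties, log formats and the sanctions list are all constructed for illustration, and the two log strings stand in for the message gateway’s and the screening engine’s output.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sanctions list for the example; hypothetical names only.
SANCTIONS_LIST = {"ACME TRADING LLC", "GLOBAL FREIGHT PARTNERS"}

# Constructed "messages sent" log: reference | message type | counterparty.
SENT_LOG = """\
TF1001|MT700|Acme Trading, L.L.C.
TF1002|MT700|Northern Textiles Ltd
TF1003|MT710|Global Freight Partners
TF1004|MT700|Harbour Foods plc
"""

# Constructed screening-engine log: reference | result. Two of the four
# messages above never reached the screening engine at all.
SCREENED_LOG = """\
TF1002|CLEAR
TF1004|CLEAR
"""


@dataclass
class Finding:
    """A message that went out without passing through screening."""
    ref: str
    counterparty: str
    sanctions_hit: bool


def normalise(name: str) -> str:
    """Upper-case, drop dots/apostrophes, turn other punctuation into spaces,
    collapse whitespace, so 'Acme Trading, L.L.C.' == 'ACME TRADING LLC'."""
    name = re.sub(r"[.']", "", name.upper())
    name = re.sub(r"[^\w\s]", " ", name)
    return " ".join(name.split())


def matches_sanctions(name: str, sanctions: set[str] = SANCTIONS_LIST) -> bool:
    """Exact match after normalisation; a real engine would add fuzzy matching."""
    return normalise(name) in {normalise(s) for s in sanctions}


def parse_sent(log: str) -> dict[str, str]:
    """Map message reference -> counterparty from the gateway log."""
    sent: dict[str, str] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        ref, _msg_type, counterparty = line.split("|", 2)
        sent[ref] = counterparty
    return sent


def parse_screened(log: str) -> set[str]:
    """Set of message references the screening engine actually processed."""
    return {line.split("|", 1)[0] for line in log.splitlines() if line.strip()}


def reconcile(sent_log: str, screened_log: str,
              sanctions: set[str] = SANCTIONS_LIST) -> tuple[float, list[Finding]]:
    """Return (screening coverage as a fraction, list of unscreened messages).

    Coverage below 1.0 is itself the control failure, regardless of whether
    any unscreened message happens to hit the list."""
    sent = parse_sent(sent_log)
    screened = parse_screened(screened_log)
    unscreened = [
        Finding(ref, cp, matches_sanctions(cp, sanctions))
        for ref, cp in sent.items()
        if ref not in screened
    ]
    coverage = (len(sent) - len(unscreened)) / len(sent) if sent else 1.0
    return coverage, unscreened


def coverage_breached(coverage: float, required: float = 1.0) -> bool:
    """True when the control has not met its required coverage."""
    return coverage < required


if __name__ == "__main__":
    cov, findings = reconcile(SENT_LOG, SCREENED_LOG)
    print(f"screening coverage: {cov:.0%}  breached: {coverage_breached(cov)}")
    for f in findings:
        print(f"UNSCREENED {f.ref} {f.counterparty!r} sanctions_hit={f.sanctions_hit}")
```

Run as-is, the reconciliation reports 50% coverage and two unscreened messages, both of which would have matched the constructed list. The point of reporting the coverage figure separately from the hits is that a board-level governance process can be given a single number to own (was every message screened?) rather than the detail of individual matches.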

King 3, IT Governance, Risk and Green IT

Thursday, August 5th, 2010

King III has now been in force for about 4 months in South Africa. Judge Mervyn King made the point, at a recent ITWeb conference, that “one of the most critical interdependences is IT, because it’s technology that is going to save the planet”. We call this Green IT, and believe that energy-efficient IT management must become a core part of IT strategy in the future.

Risk management becomes ever more important, as more and more IT is outsourced - but there is more to IT risk management than simply disaster recovery or supply chain management. Increasingly, IT risk, information risk, project risk and business continuity risk must be considered as part of a coherent approach that identifies and seeks to mitigate all forms of unacceptable strategic and operational risk to the organisation; that, of course, is what IT governance is really about.

Green Tech

Tuesday, August 3rd, 2010

While Forrester’s recent report says that Green IT initiatives persist, in spite of budget cutbacks and other challenges facing IT teams today, the reality is more likely to be that savvy IT leaders recognise that Green IT initiatives can make a substantial contribution to reducing the direct cost of running the IT infrastructure.

Gary Hird, for instance, has led the John Lewis Partnership’s Green IT strategy for some time, and he describes how JLP went about this in Green IT in Practice, now in its second edition. It’s a fascinating and practical description of how one large retail organisation set about driving down its IT costs, reducing its carbon footprint and meeting customer requirements.

Other writers have also addressed these issues: George Spafford focused on the Governance of Green IT, which has a particular focus on managing energy consumption. The recent emergence of EN16001 should give a boost to those looking for a structured approach to energy management.

There is lots of information, advice - and case studies - available for organisations that want to tackle Green IT.

eBook Readers - the Kindle

Wednesday, July 28th, 2010

I’ve recently added both a Kindle and an iPad to my collection of eBook readers. I’ve been using the Sony eBook reader since 2009 and thought it would be useful to compare the leading products as this area of hardware hots up. All eBook readers can carry more eBooks than you are likely to want to read in a month, and all eBook readers substantially reduce the effort required to carry today’s massive tomes around.

The Kindle, from Amazon, has two major strengths and a couple of significant weaknesses. The most impressive aspect is the Whispernet technology - the worldwide roaming 3G application which lets you search Amazon.com directly from the Kindle and, with one click, select, purchase and download books directly to the eBook reader. This is a brilliant innovation. The fact that browsing speeds are, relatively speaking, quite slow (3G doesn’t match most broadband connections for speed) and that searching for books isn’t as simple as doing it through a web browser are minor drawbacks in comparison to the overall facility of direct purchase and download.

The other big advantage is its size - you get a large screen, which means that you get more text on the screen in front of you than with the Sony Pocket. More text means fewer page turns, which means fewer clicks on the neatly placed ‘next page’ button. Size, though, is the first big drawback of the Kindle - unlike a book, the Kindle is not something that you can drop into a pocket, or a beach bag - it’s a chunky item, very slightly smaller than A4 in size and quite heavy. Of course, it’s a bit neater than today’s 500+ page book, but that doesn’t make it easy to cart about.

The second big limitation is that you are, effectively, limited to reading books available from Amazon. While it appears to be technically possible to transfer other eBooks and pdfs to the Kindle, it’s not a simple process and is one which still eludes me. The eBook selection on Amazon.com isn’t that great, to be frank - and far more useful selections of popular eBooks are available from retailers like Waterstones - but, of course, you can’t download a Waterstones eBook to your Kindle reader.

The Kindle is, in effect, a tool for buying and reading eBooks that are sold by Amazon.com. It is designed so that you can’t use it to buy eBooks from Amazon’s competitors. If Amazon were giving it away for free, as a device to encourage you to purchase eBooks from Amazon, there would be a justification for getting one - but it is a relatively expensive and very limited product. On this basis, the Kindle simply doesn’t compete with alternatives like the Sony eBook Reader - which is not only lightweight and pocket-sized, but with which you can purchase eBooks from any retailer or publisher, download and read them, and with which you can also read pdfs and other electronic documents from almost any source. As a practical, workaday tool, I would take the Sony eBook reader over the Kindle any day!

I’ve just taken delivery of an iPad, so will be talking about that in due course.

DPA in an age of austerity

Sunday, July 11th, 2010

As the UK enters its new age of austerity, with public sector organisations facing draconian budget cuts, one must fear that citizens’ personal data will be increasingly at risk. The UK public sector (led by the NHS) has never been that amazingly good at protecting personal and sensitive information, as newspaper articles and the Information Commissioner’s website regularly attest.

The ICO has just taken enforcement action against three councils that failed to protect personal information, including information about children. The councils’ failings were all pretty standard: unencrypted USB sticks, unencrypted laptops, inadequate staff training and inadequate supervision. These are all relatively simple - if costly - to remedy; the basics, essential DPA policies and procedures, should all of course be in place already.

What still seems to be missing, though, is a real commitment, on the part of public authorities, to taking the business of data protection seriously - I guess that we’ll actually need to see a series of £500k fines being levied before we see the majority of organisations raising their game on the field of protecting their citizens.

SharePoint Governance

Saturday, July 10th, 2010

A new AIIM study on SharePoint take-up has recently been published. This report builds on their survey of a year ago. Barb Mosher, writing about the AIIM report on CMS, draws this conclusion from the two surveys:

“SharePoint 2007 will be in use for a while to come, and SharePoint 2010 will likely see even more uptake by organizations for a number of reasons. The problems related to SharePoint, whether it’s 2007 or 2010, are not going to change. Not because of the platform itself, but because the strategy, planning and governance that are required to implement it are still not being taken seriously.

What will we see in surveys run next year? The way it looks now, nothing that different than this year or the year before.”

And that tends to be the story where project-level governance is concerned: those organisations that plan ahead, that put in place methods for dealing with the wide range of SharePoint issues - from ghost sites through to backup failures - will usually end up with robust, effective and useful SharePoint services. Effective SharePoint governance really can be the difference between success and failure - both short and long term - with a SharePoint deployment. For this reason, Microsoft publish guidance on SharePoint Governance, and our own SharePoint Governance Toolkit helps with MOSS implementations.

Selling Information Security to the Board

Tuesday, June 22nd, 2010

I’ve always believed that board support is essential for information security management projects to succeed across a business. I’ve also always recognised that not all security professionals naturally have the sales skills that are necessary to successfully pitch information security initiatives to boards of directors, many of whom, themselves, combine sales skills with quite short attention spans. I originally wrote The Case for ISO27001 to provide, in one place, the wide range of arguments that could be made in favour of an organisation adopting ISO27001 as the standard for its information security management system.

I’ve just written another book, Selling Information Security to the Board, as a primer for those interested in developing their sales skills. The book originated in a presentation, Infosecurity As A Mindset: Selling IT To The Board, that I did at Infosec 2010 on exactly the same subject, and is (I hope) the first in a small collection of books and other products that are designed to expand the range of support available to IT professionals who, as part of their role, have to get management buy-in to an IT or information security project.

King III

Monday, May 31st, 2010

THE KING CODE OF GOVERNANCE PRINCIPLES (known as KING 3 or KING III) is still (in my opinion) the most advanced and useful of the world’s corporate governance codes. I’m a particular admirer of the fact that the King Committee included coverage of IT Governance in the Code, identified frameworks such as CObIT and the international standard ISO/IEC 38500 as providing useful starting points, and set out seven specific IT governance principles for company directors to follow.

I obviously agree with the King Committee that there is no ‘one size suits all’ approach to IT governance, and that every organisation has to develop its own approach to the subject, extracting those elements that will be useful to it from the existing frameworks and standards. That, after all, is one of the driving thoughts behind the Calder-Moir framework - that, and the belief that one should be able to intelligently draw simultaneously on more than one framework. I’ve been particularly encouraged by the number of South African companies that have turned to our IT Governance Framework Toolkit to help them implement IT governance in their organisations.

Governance of Social Media

Wednesday, April 28th, 2010

The ITG Social Media Governance toolkit helps organisations create an effective governance structure around their social media activities. Social media is, for many organisations, a critical part of how they speak to customers, partners and stakeholders; for others, social media are a dangerous distraction.

Dealing effectively with social media requires a joined-up approach that is aligned with the objectives and risk appetite of the business - a governance approach. I strongly believe that today’s organisations will serve themselves better by adopting social media within their corporate communications strategy, embracing the culture and distinctive attributes of social media and, through effective social media governance, ensuring that the risks are controlled - not simply avoided.

Privacy Dividend or £500k fine - which do you prefer?

Wednesday, March 3rd, 2010

The Data Protection Act (‘DPA’) in the UK is a cornerstone of IT and information-related legislation. It applies to all organisations that collect or hold information about living individuals. Most organisations would claim that they comply with the DPA. The reality is that many don’t - over 800 organisations have reported data breaches in just the last two years - and, as reporting data breaches is not a legal requirement, it is likely that there have been many more breaches similar to those described here, but which have been ‘swept under the carpet.’

The Information Commissioner (ICO) will, from 6 April 2010, have the power to levy fines of up to £500k for serious breaches of the DPA. Which organisations will suffer the first fines?

For all organisations, the choice is clear and straightforward: continue with shoddy data protection practices and face potentially significant financial penalties, plus the widespread press coverage that will attend such a fine, or take steps to improve those practices. There is, in fact, a good business case to make for doing exactly that. The ICO has just published The Privacy Dividend, which describes how to make the business case for the necessary investment and even includes - for free - all the documentation that an organisation might use as part of that business case.

Penalty or dividend?

It shouldn’t be a hard choice, should it?