Archive for the ‘Business and the Economy’ Category

Face it: IT is about revenue growth

Thursday, November 23rd, 2006

News in Information Age that is simultaneously encouraging and puzzling: according to the Economist Intelligence Unit (presumably, rather than the ‘Economics Intelligence Unit’ the article credits):

“…globalisation and increasing competition in markets worldwide is driving senior managers to demand a closer alignment of IT to business goals. The research indicates that 69% of senior IT and business executives expect the primary role of IT, traditionally cost efficiency, to be elevated to that of enabling revenue growth within three years.”

However, the report talks of a ‘fissure’ between CEOs and board directors, who are supposedly pushing for this transformation in the role of IT, and CIOs and IT managers who are apparently dragging their feet.

This strikes me as odd, given that this shift is inevitable and surely a golden opportunity for the IT function to secure the long sought-after guaranteed place at the top table. The evolution in the role of the CIO is about to go into fast-forward – let’s hope enough people are ready for it.

Who’s fooling who?

Friday, September 1st, 2006

You would think that, after a number of years banking with an institution – putting money in every day, writing cheques, doing transfers, that sort of thing – that the institution would know who you were? Well, you would, wouldn’t you?

Apparently not.

Our foreign business is growing rapidly and we need to open a US$ bank account – while we can deposit US$ cheques to our sterling account, it’s expensive and it costs again when we want to pay suppliers in US$. Anyway, our sterling corporate bank account and one of the director’s personal bank accounts are at the same branch of a national bank. Have been for years. We just want to add a corporate US$ account to our accounts there.

No can do, says the Bank. Although we know you, we don’t know you – not for foreign currency accounts, anyway. So, here are some new forms for you to fill in and please, when you’ve filled them in, we need all the officers and directors of the company to come into the branch, bringing their personal identification, and to identify themselves to the bank officials. We know you’ve got nothing else to do during the business day. It’s the Anti-Money Laundering regulations, you see.

Is that the same AML regulations that have enabled alleged terrorists to fund a series of aborted and actual atrocities?

ISO 27001 and competitive advantage

Thursday, August 31st, 2006

I sat in, a few days ago, on a client interview with a network services provider. They were looking to finalise their choice of a company to support their substantial small network, of about 500 PCs. The provider’s offering was based on a primarily offsite, remote monitoring and response service; clearly, they expected to patch directly into the servers in our client’s data centre.
So I asked them to tell us a bit about how they managed information security. They have very good firewalls and anti-everything software, they told me, and they were very secure. ‘That’s cool,’ says I, ‘but I’m interested in your overall management system. Are you, for instance, certificated against any international standards for information security management?’
There was a short silence.
Then their senior manager present said: ‘Sure, although I don’t remember specifically which. BS15000, or something, I think.’
‘Hmm,’ says I, ‘BS15000 is the now withdrawn British Standard for IT Service Management. It does have an information security aspect to it, but it’s not an information security management standard per se.’
‘Oh, it is,’ says he.
‘Well,’ says I, ‘can I suggest that you check, when you get back to the office, as to what standard you’re certificated against, whether or not your certification is still valid, and what the scope of the standard is?’
We got a telephone call from them today.
‘It is actually BS7799-2. We’re about to re-certificate to the international version of the standard, ISO27001. It is about IT Security, as I said, and the scope of the system is the Head Office IT services.’
‘So your network service centre is outside the scope of your Information Security Management System, is it?’
‘Um, it appears that way, but our security is still very good.’
I explained that our client was in the process of implementing a management system that would meet the requirements of the standard and that ISO27001 certification was therefore a pre-requisite for any suppliers seeking remote access privileges.
He rang off.
So I didn’t need to tell him that our client had decided, immediately after the meeting, that there would be little point in further considering a supplier who so clearly couldn’t respond to such an obvious security concern from a potential client.
Just one example of how ISO 27001 certification – with an appropriate scope – could have helped a client win a substantial new contract – although they would have had to ensure their new business teams knew what was going on!

Gartner says CIOs mean business

Wednesday, January 25th, 2006

I have talked frequently about the fact that CIOs have to change their perspective from worrying about the IT system to worrying about the business. Well, here comes the revolution: Gartner has surveyed 1,400 CIOs and found that this shift is expected to be one of the big developments of 2006. The problem will be that, while CIOs will be under pressure to become far more engaged with customers, finance and overall business efficiency, they don’t necessarily know how to talk business. Their CEOs will have to help them – which might even mean that the CEOs learn more about IT!

Online Christmas shopping worries

Wednesday, November 23rd, 2005

If anyone is asking what all the fuss is about ISO 27001, ISMS and all the rest of it, this article from SC Magazine should make them stop and think. Apparently, 1 in 4 Americans won’t be shopping online this Christmas because of security fears. On the upside, the article reveals that many consumers are taking sensible and active steps to protect themselves online. However, there is clearly a long way to go, and all that caution from millions of shoppers is bound to have a negative impact on prosperity in general. If this is true of the IT-savvy United States, you can bet it is just as true elsewhere around the globe.

Where does ISMS fit into this? ISO 27001 is precisely the kind of confidence building measure that businesses need to put in place to make society more at ease with e-commerce. Getting certified is great for a company at the individual level (reducing business risks, reassuring customers, providing a competitive advantage), but it is also vitally important for society as a whole. We all know that the Internet is a long way from realising its full potential as a creator of wealth and improver of life quality; what more companies have to realise is that ISO 27001 is one of the vital building blocks that will help us reach that goal.

Primark and business continuity

Friday, November 4th, 2005

Shareholders in Primark, a UK budget fashion retailer, would have been concerned when they heard about the fire that, overnight on 2 November, destroyed its offices, distribution centre and a substantial part of the stock, just at the start of the busy pre-Christmas period. Shares in ABF Foods, its parent company, declined about 2% in early trading the next morning.

The shares, however, quickly recovered and then went up. Why?

According to Times Online: “the shares moved back into positive territory following ABF assurances that it was fully insured for stock loss and disruption and that it had moved swiftly to repair its supply chain.”

Clearly, the board of ABF had, at some point, decided about an appropriate level of stock loss insurance and, even more importantly, had made adequate business continuity arrangements that would enable the business to continue trading in spite of a major disaster such as this one.

Is business continuity planning a major board governance responsibility? You bet!

Governance and business recovery

Monday, September 26th, 2005

Anyone contrasting the different levels of preparedness of city and state authorities to deal with hurricanes Katrina and Rita can’t have failed to notice that, for instance, Galveston in Texas was somewhat better prepared to handle the imminent disaster than was New Orleans. Sure, the experience of Katrina in New Orleans galvanised everyone from the White House down, but there’s no way that Galveston’s level of continuity and disaster recovery planning could have been put in place in the interval between Katrina’s strike and Rita’s emergence.

This is a good context within which to ask the question: “Is business recovery planning a key governance responsibility?”

Governance is, in a sense, about the preservation and stewardship of an organization. Boards of directors are supposed to be uninvolved in the day-to-day struggle to turn an honest penny and, therefore, to be in the ideal position to take a strategic view of the risks faced by the organization. And continuity risks – which range from ‘Acts of Nature’ through terrorist attacks to IT system failure – have to fall within the range of issues to be considered. Most continuity risks are characterised by a combination of relative unlikelihood and possibly catastrophic impact.

In my book, that makes business continuity planning (here is a collection of resources) a key board responsibility. The sad truth is that very few boards address it properly and that, consequently, most organizations that experience a continuity-threatening event don’t survive – they might struggle on for a year or so but they ultimately fail. Continuity planning is key to the long term survival of all organizations – both big and small.

Galveston treated it as a critical governance responsibility and made appropriate contingency plans far in advance – so should you.

WorldCom and IT governance

Thursday, September 22nd, 2005

Final settlement of the WorldCom case, which involved eleven outside directors contributing rather more than they received as compensation for their stewardship of the company and guardianship of the interests of their shareholders, was announced today. The directors’ settlement, announced back in March, involved them paying, between them, a total of $20.25 million from their own pockets – and this is in addition to the amounts paid out to the creditors and shareholders under the board’s Directors’ and Officers’ insurance policy.

What does this mean for corporate governance generally, and for IT governance specifically? Well, it clearly establishes the outside directors of a company as a legitimate, attractive target for aggrieved creditors and shareholders when a company goes bankrupt. Given the increasing extent to which organizations are dependent on IT – and the extent to which a significant IT failure can now impact the long term competitiveness and viability of any organization – it’s not going to be long before the expectation of transparency around general corporate governance extends to IT governance.

Sure, SOX has already transformed the early awareness of the need for proper IT governance, that was created by the Turnbull report in the UK, into a far more significant board issue. Let’s hope it doesn’t take a significant IT failure, leading to a corporate collapse, before boards really get to grips with their responsibilities. Reality suggests otherwise, though.

“He’s such a cute kid…”

Friday, June 24th, 2005

No, really, that’s what the Times of London claimed, in an article today, was the reason given by a Delhi Call Centre’s Head of Personnel for taking on someone who allegedly collected and sold account holder identity details. Addresses, passwords, credit card security codes, the works – and he said he could get 2,000 such details a month!

The Head of Personnel apparently had no qualms in taking him on, even though they hadn’t got any of the required three references. The reason that a company has clear rules on things like references, and rigorous CV scrutiny and checks, is that a significant percentage of people lie on their CVs and at interviews. Organizations dealing with confidential information have an obligation to apply basic recruitment discipline – the principles of which pre-date the Internet.

Information security depends on people, process and technology – working together. When one component fails, there’s a hole – and the bad guys exploit holes ruthlessly. As this one Head of HR has found out.

“I wasn’t fussed about the reference because I thought he had vision,” she said. No lie!

Will she keep her own job after so egregious a breach of basic personnel procedures?

Regulation and innovation

Monday, June 13th, 2005

I read a scary article in the UK’s Computing News last week – it reported that the EU Commission is launching a ‘five-year technology strategy to foster economic growth and job creation’ and goes on to say that, in order to make the EU the most competitive knowledge economy in the world, the EU strategy focuses on ‘regulation, R&D, and closing the digital divide.’

Now, the scary thing is that someone, somewhere, not only believes that regulation is a critical leg of a triune strategy to boost competitiveness, but also believes that we’re all going to buy into it. The only thing that regulation does is restrict competitiveness, as the highly regulated and determinedly sclerotic economies of old Europe have been demonstrating for some time. Of course, some people do very well out of regulation – a major part of the BS7799 business is to do with demonstrating compliance with the regulation – so I shouldn’t complain!