Archive for the ‘Business Continuity’ Category

Managing Risk in the Cloud

Monday, March 8th, 2010

Cloud computing has tremendous potential for organisations of all sizes; it also brings with it a distinct set of risks, ranging from access management and business continuity through to data protection compliance. Cloud computing risk was very much on the agenda at this year’s RSA conference; we’ve also recently published a book that focuses squarely on managing risk in the cloud. Titled ‘Above the Cloud: Managing Risk in the World of Cloud Computing’, it seems to be hitting the spot in terms of providing practical guidance to security and IT professionals about this area of risk. It is also available from our US site.

Mobile Security Governance?

Friday, May 15th, 2009

While I’m probably more interested in governance than the average person, I do sometimes worry that contextualising information and compliance challenges as governance issues can delay organisations from taking the obvious, common-sense action.

This intelligent article on mobile security governance, for instance, identifies all the steps that organisations should take in considering the risks to data posed by mobile working. See how far you have to read through it before you find guidance to apply encryption to key mobile devices - all laptops and any USB sticks or PDAs that carry sensitive information. The sensible approach is to first apply encryption, which deals with the largest number of mobile device-related risks while keeping you within regulatory requirements, and then to stop and consider what other risks might need mitigation. One caveat: full-disk encryption protects data on a lost or stolen device only while the device is powered off or locked with a strong passphrase and the key is not stored with it, so the encryption policy needs to be paired with a lock-screen policy and, ideally, a way of checking that every device in the estate is actually encrypted rather than merely required to be.
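The “check that it is actually encrypted” part is where many encryption policies quietly fail. As an added example (not code from the original post or the article it discusses), the following Python script inspects the block-device tree as reported by `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` and reports every mounted filesystem that does not sit on top of a dm-crypt layer, which is how LUKS volumes appear on Linux. The JSON sample embedded below is constructed for illustration, not captured from a real host; the exemption list for bootloader partitions is an assumption you would tailor to your own build.

```python
import json
import subprocess

# Constructed sample of `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` output
# (not captured from a real machine): a laptop whose root filesystem sits on a
# LUKS container, with an unencrypted exFAT USB stick plugged in.
SAMPLE_LSBLK = json.dumps({
    "blockdevices": [
        {"name": "nvme0n1", "type": "disk", "fstype": None, "mountpoint": None,
         "children": [
             {"name": "nvme0n1p1", "type": "part", "fstype": "vfat",
              "mountpoint": "/boot/efi"},
             {"name": "nvme0n1p2", "type": "part", "fstype": "crypto_LUKS",
              "mountpoint": None,
              "children": [
                  # dm-crypt mapping opened from the LUKS partition above
                  {"name": "cryptroot", "type": "crypt", "fstype": "ext4",
                   "mountpoint": "/"}
              ]}
         ]},
        {"name": "sdb", "type": "disk", "fstype": None, "mountpoint": None,
         "children": [
             {"name": "sdb1", "type": "part", "fstype": "exfat",
              "mountpoint": "/media/usb"}
         ]}
    ]
})

# Assumed exemption list: the bootloader partition normally cannot be encrypted.
# Everything else that is mounted is expected to be behind a dm-crypt layer.
EXEMPT_MOUNTS = frozenset({"/boot", "/boot/efi"})


def unencrypted_mounts(lsblk_json: str, exempt=EXEMPT_MOUNTS) -> list[str]:
    """Return mountpoints whose device chain contains no 'crypt' (dm-crypt) node.

    The tree is walked from each physical disk downwards; a node is considered
    encrypted if it, or any ancestor, is a dm-crypt mapping.  Mountpoints in
    `exempt` are ignored.
    """
    findings = []

    def walk(node, encrypted_ancestor):
        encrypted = encrypted_ancestor or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint and not encrypted and mountpoint not in exempt:
            findings.append(mountpoint)
        for child in node.get("children", []):
            walk(child, encrypted)

    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False)
    return sorted(findings)


def live_lsblk_json() -> str:
    """Run lsblk on the current host and return its JSON output."""
    return subprocess.run(
        ["lsblk", "--json", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    # Demonstrate on the constructed sample first, then on the real host.
    print("sample:", unencrypted_mounts(SAMPLE_LSBLK))   # ['/media/usb']
    try:
        print("this host:", unencrypted_mounts(live_lsblk_json()))
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("lsblk not available:", exc)
```

The check is deliberately narrow: it recognises dm-crypt (LUKS) only, so filesystem-level schemes such as fscrypt or eCryptfs would show up as findings and need their own probe, and a device that is encrypted but currently unlocked still exposes its data to anyone holding the running machine. Run it from a configuration-management or endpoint agent and treat any non-empty result as a policy exception to chase, not as a reason to trust the sticker on the laptop lid.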

You don’t want to have to tell thousands or millions of customers or members of staff why someone leaving a laptop at a bus stop has exposed all their personal details to fraud and identity theft. Explaining that you were still considering the range of risks before deciding what action to take is likely to elicit the same sort of response as a UK MP explaining that their inappropriate expense claims were ‘within the rules’.

The Receding Economic Tide

Tuesday, September 30th, 2008

I watched the Congressional clash of ideology and pragmatism play itself out in the US stock markets yesterday and through Asia overnight. While I’m not entirely clear on the point of a vote that avoids spending $700 bn but triggers a $1 trillion stock-market slide, I am clear that the financial disaster will negatively impact the real economy. Even though this month’s Fortune magazine argued that, in the real (US) economy, there was no evidence of a recession, I can’t see how a combination of restricted credit, devalued assets, deleveraged businesses, increased unemployment and reduced output can translate into anything other than a downturn.

While I largely agree with the analysis in this blog post, Impact of the Economic Crisis on Security, I do think that Boards and IT management teams have it within their power to avoid the traditional knee-jerk response to a crisis, which is usually to cut investment, cut training and cut corners. The key strategic fact is that IT is now fundamental to both survival and success - and, in a tougher economic climate, those organisations that more effectively leverage their information and IT investment are likely to be the ones still standing at the end of the shake-out. Of course, I’m only talking here about organisations that have a living, breathing enterprise risk management framework - as we’ve seen, those who substitute hope for objective risk management get to go bust.

Put another way, effective IT governance will, in many instances, be the difference between success and failure.

Business Continuity Planning and BS25999

Thursday, February 28th, 2008

I came across an interesting post on Ireland’s Security Watch blog making the topical connection between bird flu scares and business continuity planning. It rightly points out that a disaster can strike from unlikely sources when you least expect it.

BCP is a very topical subject generally, given the recent introduction of the BS25999 standard. BS25999-2, the certifiable specification, finally provides a way for organisations to PROVE to a third party that they have a robust, tested plan in place to ensure that their business can withstand adverse events. With our increasingly global and interdependent supply chains, more and more organisations are coming under pressure to reassure their major customers and business partners that they are a safe bet. (Readers coming to this later should note that BS25999 has since been superseded by the international standard ISO 22301, which carries the same certifiable business continuity management system model forward.)

To help organisations get to grips with the new Standard and the competitive advantage that being certificated represents, we have just published several new books:

* We have brought out a second edition of Disaster Recovery & Business Continuity, a quick guide for small organisations and busy executives. This is based on last year’s successful book but updated to reflect the particular requirements of the new BS25999 Standard.
* For people needing a quick introductory overview of business continuity management we have launched a new BS25999 Pocket Guide. This sets out all the key facts and is a great tool for organisations that are implementing, or set to implement, a business continuity plan and management system. If you need to share practical knowledge between many project team members this is also a very cost effective way of doing it.
* Lastly, to support the take-up of the new Standard we have launched Business Continuity and BS25999: A Combined Glossary. No previous glossary has adequately addressed the full range of terms likely to be useful to a business continuity practitioner. In this book, we have drawn not only from BS25999 but also a wide range of related standards and frameworks, including ITIL and ISO27001, to create a standardised set of terms that should enable professionals to conduct global conversations based on a shared understanding.

ISO 27001 and human vulnerabilities

Thursday, April 12th, 2007

Ian Kerr’s Computer Weekly article on the human dimension to infosecurity has good and bad points. He correctly highlights how critical it is to address employee behaviour within a security strategy - the smartest technological defences are of little help if your staff leave the front door wide open, whether by accident or by design. However, he significantly misstates the way in which ISO 27001 tackles this in its specification for a best-practice ISMS.

In fact, one of the 11 control sections in ISO 27001’s Annex A - A.8, Human resources security, containing nine controls covering the period before, during and at the end of employment - deals specifically with HR, and many of the others, such as password management and user access controls, also deal explicitly with the human component of threats. I would say that ISO 27001, when properly implemented, provides an extremely strong safeguard against ‘human weakness’ and insider/outsider attacks.

Business Continuity demands more than technology

Thursday, March 22nd, 2007

Wise words on the topic of business continuity on ComputerWeekly’s website this week. The Business Continuity Institute’s Bill Crichton has stressed that continuity cannot simply be delivered by investing in the right piece of recovery kit. What is required is a far more all-embracing approach that involves policies, procedures and training, just as much as technology.

As I have written before, people often procrastinate over DR/BC measures because they don’t know where to start. The idea of a ‘fix-all’ recovery system may seem deceptively alluring. However, what is much more relevant is a good overview of the disaster landscape and a starter set of checklists, all of which is contained in our recently published book ‘Business Continuity and Disaster Recovery’, which is already proving very popular. This in turn equips the reader with the knowledge to decide which technology investments may genuinely help their continuity planning.

Contingency planning is a governance responsibility

Friday, December 16th, 2005

Buncefield, as Grainne Gilmore makes clear in a Times article today, is a wake up call for all those businesses - large and small - that don’t already have fully thought-through and tested business continuity, disaster recovery and contingency plans.

Directors and top management are responsible for the survival of their businesses. Identifying and planning to deal with the full range of potential risks is a fundamental part of that responsibility.

It’s too late to start preparing when disaster strikes - today, when nothing looks as though it’s about to happen, is the best time to start. And our business continuity web page is the best place to make that start.

Primark and business continuity

Friday, November 4th, 2005

Shareholders in Primark, a UK budget fashion retailer, would have been concerned when they heard about the fire that, overnight on 2 November, destroyed its offices, distribution centre and a substantial part of its stock, right at the start of the busy pre-Christmas period. Shares in Associated British Foods (ABF), its parent company, declined about 2% in early trading the next morning.

The shares, however, quickly recovered and then went up. Why?

According to Times Online: “the shares moved back into positive territory following ABF assurances that it was fully insured for stock loss and disruption and that it had moved swiftly to repair its supply chain.”

Clearly, the board of ABF had, at some point, decided on an appropriate level of stock loss and business interruption insurance and, even more importantly, had made adequate business continuity arrangements that would enable the business to continue trading in spite of a major disaster such as this one.

Is business continuity planning a major board governance responsibility? You bet!

Governance and business recovery

Monday, September 26th, 2005

Anyone contrasting the different levels of preparedness of city and state authorities to deal with hurricanes Katrina and Rita can’t have failed to notice that, for instance, Galveston in Texas was somewhat better prepared to handle the imminent disaster than was New Orleans. Sure, the experience of Katrina in New Orleans galvanised everyone from the White House down, but there’s no way that Galveston’s level of continuity and disaster recovery planning could have been put in place in the interval between Katrina’s strike and Rita’s emergence.

This is a good context within which to ask the question: “Is business recovery planning a key governance responsibility?”

Governance is, in a sense, about the preservation and stewardship of an organization. Boards of directors are supposed to be uninvolved in the day-to-day struggle to turn an honest penny and, therefore, to be in the ideal position to take a strategic view of the risks faced by the organization. And continuity risks - which range from ‘Acts of Nature’ through terrorist attacks to IT system failure - have to fall within the range of issues to be considered. Most continuity risks are characterised by a combination of relative unlikelihood and possibly catastrophic impact.

In my book, that makes business continuity planning (here is a collection of resources) a key board responsibility. The sad truth is that very few boards address it properly and that, consequently, most organizations that experience a continuity-threatening event don’t survive - they might struggle on for a year or so but they ultimately fail. Continuity planning is key to the long term survival of all organizations - both big and small.

Galveston treated it as a critical governance responsibility and made appropriate contingency plans far in advance - so should you.