Alan Calder on IT Governance, information security & ISO 27001

The Data Protection Act (’DPA’) in the UK is a cornerstone of IT and information-related legislation. It applies to all organisations that collect or hold information about living individuals. Most organisations would claim that they comply with the DPA. The reality is that many don’t - over 800 organisations have reported data breaches in just the last two years - and as, reporting data breaches is not a legal requirement, it is likely that there have been many more breaches similar to those described here, but which have been ’swept under the carpet.’

The Information Commissioner (ICO) will, from 6 April 2010, have the power to levy fines of up to £500k for serious breaches of the DPA. Which organisations will suffer the first fines?

For all organisations, the choice is clear and straightforward: continue with shoddy data protection practices and face potentially significant financial penalties, plus the wide spread press coverage that will attend such a fine, or take steps to improve those practices. There is, in fact, a good business case to make for doing exactly that. The ICO has just published The Privacy Dividend, which describes how to make the business case for the necessary investment and even includes - for free - all the documentation that an organisation might use as part of that business case.

Penalty or dividend? 

It shouldn’t be a hard choice, should it?

The new Information Commissioner, Christopher Graham, has recognised that current penalties for breaching the UK Data Protection Act are derisory and has called for the introduction of prison sentences for reckless breaches.

Excellent.

But not enough - the ICO is only responding to pathetic sentences given to private investigators and others who actively and deliberately breached the DPA. As I have said on previous occasions, we need to go much further. The only way that we will develop a real culture of compliance is if directors of companies that breach the DPA are personally liable for fines and prison sentences for failing to ensure that their companies took adequate steps to comply with the DPA.

After all, if larger organisations took appropriate steps to protect personal data, it would be that much harder for the unscrupulous smaller operators to breach their security to illegally obtain data, wouldn’t it?

Some UK acquiring banks have a determined campaign in place right now to get all level 2,3 and 4 merchants to PCI DSS compliance by October. Larger merchants should all not be compliant, which means that hackers and fraudsters will logically turn their attention to smaller companies that may still be vulnerable. So, while PCI Compliance for smaller businesses will certainly create a resources challenge for them, it one to which they are simply going to have to rise - or face fines and penalties from the payment brands.

In Nevada, PCI compliance for all merchants who accept a Nevadan citizens payment card has now been made law with effect from 2010 - this is a major step forward in terms of bringing this compliance regime onto a statutory footing, and we shoudl expect to see the process gather pace.

One of the key problems faced by organisations that want to comply with the Data Protection Act is that the DPA doesn’t contain any detailed guidance on compliance - in essence, it is just a set of 8 principles. And the worst principle from a compliance perspective is Principle 7, which requires organisations to make appropriate technical and administrative arrangements to protect personal information. What is appropriate? And how would you prove it? For some years, ISO/IEC 27001 certification has been the most effective way of demonstrating DPA compliance, but the read across between the two standards is not that precise.

BS10012 (Data Protection: Specification for a Personal Information Management System), on the other hand, is a standard that is specifically written to meet DPA compliance needs. It is written as a specification (in other words, audits can be conducted against the standard and there is talk of a certification scheme) and it deals specifically and completely with the requirements of the DPA. It has just been published and every organisation that has personal information to protect should

1. Buy a copy, and compare actual practices with those described in the standard and,
2. Consider improving actual practices so that they conform to those described in the standard.

Here’s a link where you can get your own copy: http://www.itgovernance.co.uk/products/2542

It is certainly true that most of those involved in the creation of IT standards are from large organisations. It is also true - as Steve Burrows says - that it can be challenging for an SME to implement a standard such as the ISMS standard, ISO/IEC 27001, for information security management.

However, all standards are explicitly designed for organisations of all sizes. ISO/IEC 27001, for instance, is clear that its requirements should be implemented in a way that is appropriate for the organisation; certainly the selection of controls will be driven by a risk assessment and, if the management of an SME has a high appetite for risk, it won’t find itself selecting many controls.

The reality is that all organisations are subject to similar types of risks; an impact (like the loss of a server for a week) that could severely disrupt an SME might not even bother a larger, multinational organisation. Organisations need to select and implement controls that will protect them from impacts they wish to avoid - and the management system they put in place will be very similar to that put in place by a much larger organisation to manage much larger impacts.

The issue isn’t really the IT standards; the real issue is the resources that SMEs have available to tackle them. Few SMEs will have the capability to plan and carry out an appropriate implementation of something like an ISMS - which, of course, is why we developed our FastTrack ISO27001 Implementation Service for organisations that have 19 employees or fewer, and why our classic consultancy service (with its 100% guarantee) is helping more and more SMEs implement appropriately scaled information security management systems that enable them to cost-effectively meet customer compliance requirements and to challenge larger competitors in their space.

While I’m probably more interested in governance than the average person, I do sometimes worry that contextualising information and compliance challenges as governance issues can delay organisations from taking the obvious, common-sense action.

This intelligent article on mobile security governance, for instance, identifies all the steps that organisations should take in considering risks to data posed by the mobile network. See how far you have to read through it before you find guidance to apply encryption to key mobile devices - all laptops and any USB sticks or PDAs that carry sensitive information. The sensible approach is to first apply encryption, which deals with the largest number of mobile device-related risks while keeping you within regulatory requirements, and then to stop and consider what other risks might need mitigation.

You don’t want to have to tell 1,000s or millions of customers or members of staff why someone leaving a laptop at the busstop has exposed all their personal details to fraud and identity theft. Explaining that you were considering the range of risks before deciding what action to take is likely to elicit the same sort of response as a UK MP explaining that their inappropriate expense claims were ‘within the rules’.

It’s great that Hector Sants has said that “delivery of supervision has to be done in partnership with responsible firms, shareholders and auditors.” (It’s a pity that Sants is inconsistent, but that’s another matter.)
The thing is, he’s not exactly saying anything new. I summarised the current position last year in my book on Corporate Governance (the square brackets are my current interpolations):

Institutional Shareholders

The Combined Code [UK Combined Code on Corporate Governance – in place for 10 years] also requires institutional shareholders to interact proactively and objectively with the companies in which they are invested. There are three main principles for institutional shareholders to observe: 

1. Institutional shareholders should enter into a dialogue with companies based on the mutual understanding of objectives. (E.1)
2. When evaluating companies’ governance arrangements, particularly those relating to board structure and composition, institutional shareholders should give due weight to all relevant factors drawn to their attention. (E.2)
3. Institutional shareholders have a responsibility to make considered use of their votes. (E.3)

The Combined Code explicitly recommends that institutional investors should not accept a ‘box-ticking’ approach to corporate governance, and that their consideration of disclosures made by the company in relation to the Code should take into account the “size and complexity of the company and the nature of the risks and challenges it faces” (supporting principle to E.2)

The Combined Code recommends (supporting principle to E.1) that City [ie investing] institutions should follow “The Responsibilities of Institutional Shareholders and Agents – Statement of Principles”, which were drawn up by the Institutional Shareholders’ Committee (ISC)^[1], whose associations represent virtually all UK institutional investors.

The principles were the first comprehensive statement of best practice governing the responsibilities of institutional shareholders and investment managers in relation to the companies in which they invest. 

“They aim to secure value for ultimate beneficiaries – pension scheme members and individual savers – through consistent monitoring of the performance of those companies. This is to be backed up by direct engagement where appropriate.  The principles make it clear that if companies persistently fail to respond to concerns, institutional shareholders and investment managers, ISC members will vote against the Board at general meetings.

The principles set out best practice for institutional shareholders and investment managers, under which they will:

· Maintain and publish statements of their policies in respect of active engagement with the companies in which they invest;
· Monitor the performance of and maintain an appropriate dialogue with those companies;
· Intervene where necessary;
· Evaluate the impact of their policies; and
· In the case of investment managers, report back to the clients on whose behalf they invest.”^[2]

What’s the reality? 

The reality is that active shareholder engagement has – in both London and New York - been extremely limited; after all, the management fees they were earning from ignoring the real risks being run by the companies in which they were invested supported an exciting personal life style. The real victims are the ordinary folk who fell for the polished pitch of the fund managers, who sold so effectively the idea that managing cash is so difficult and complex that ordinary people can’t do it. (An ordinary person said, on a panel interview programme here a couple of weeks ago: ‘I can’t run a bank; can I get a £695k pa pension?’). It’s all very well asking the institutional investors to exercise their governance responsibilities responsibly, but they too have their fingers in the till.

So, isn’t it time we taught basic financial risk management to ordinary people? I know this might require breaking the centuries-old link between financiers and politicians, but perhaps that might start a move toward a society in which those who produce the cash don’t have it conned out of them…..sorry, that’s a bit hopeful…

As I see it, those organisations that survived 2008 are only going to get through 2009 if they manage cash really carefully. Cash management is only useful if it takes into account the full range of possible risks faced by the organisation. Simply hanging onto cash, not paying creditors and avoiding all expense and investment, is not the same as managing cash - because, even in a recession, there are business opportunities and growth prospects and those organisations that manage their cash effectively are able to prepare themselves to handle the range of possibilities - both on the upside and the downside.

Effective risk management tends only to happen in well-governed organisations; where risk management has failed (such as in our banks, the Big Three auto manufacturers and so on) it doesn’t take long to spot that their governance framework must also have been ineffective - not least if the organisation has had to beg for a support package from central Government.

I think that governance and risk management are going to be key themes in 2009 for the world’s better organisations; for all the rest, those for whom governance is just about box-ticking, 2009 will bring much more  box-ticking, because regulatory authorities are not going to allow a repetition of 2008’s ‘perfect storm’, which means that compliance requirements are going to increase.

Of course, box-ticked governance will still be the poor relation of more constructive, fully engaged governance and risk management models that boards - under the guidance of an independent Chairman - deploy to manage the risks faced by the organisation in the difficult economic climate we all face this year.

I kind of hope that those organisations that eschew proper governance will go bust quickly, and get out of the way of the rest of us.

The essential difference between the US and the UK models of corporate governance is that, in the UK, there is a clear understanding of how board rooms work combined with a flexible, principles-based approach while, in the US, corporate governance is essentially an expensive compliance activity that gives CEOs a level of autonomy that allows them, sooner or later to wreck their companies - and the economy.

The usual situation, in a US-listed company, is that the CEO is also the Chairman of the Board; in the UK, this is highly unusual and, whenever it happens, there is a furore amongst investors and in the press.

The usual practice, in the UK, is that the board is chaired by an independent director, who is usually non-executive and who is genuinely independent - and it is recognised that, once a Chairman has been in situ for too long, he (or she) ceases to be independent. The CEO - however mighty, however well-rewarded - reports to the Chairman and, when the CEO fails in his role, the Chairman is responsible for ensuring that appropriate action is taken to ‘drop the pilot.’  The UK board is made up of a majority of independent directors and, in larger companies, there will usually be a recognised ’senior director’ whose role it is to ensure that the Chairman doesn’t ‘go native’ and who would be expected to lead the board’s annual review of the Chairman’s performance.

US CEOs talk of themselves serving ‘at the pleasure of the board’; of course, this doesn’t really mean much as it is usually the CEO who chairs the board which, itself, is usually made up of ‘outside’ directors with whom the CEO has personal relationships. CEOs of US American companies are therefore usually in place for far too long and, because there is no genuinely independent control over their compensation packages, are hugely overpaid. (I’m never that impressed by a CEO offering to take a $1 salary for a year - it would be so much more impressive if he also volunteered to return 50% or more of the previous year’s multi-million dollar over-compensation to the company.)

While the UK corporate governance model doesn’t always protect UK shareholders from incompetence or stupidity on the part of their boards, it does at least help UK companies avoid a situation where their CEOs turn up in Parliament with a begging bowl, having flown there on parallel private jet flights. One would have thought that any Chairman worth his or her salt would immediately have sacked a CEO who is so far removed from reality that, when asked the direct question on camera about whether they would immediately dispose of the private jet and return home by commercial airline, he couldn’t even come up with a plausible response.

And, while the world has clearly been living beyond its means for far too long, it’s also clear that the US cult of the CEO ego is right at the heart of the huge, ill-considered, crazy bets that their companies have taken - and as a result of which we all now face a long, hard few years.

The US now needs a corporate governance code that resembles the UK’s Combined Code; in the UK, in the meantime, we need to get on with improving our own performance. We also need institutional shareholders tough and determined enough to insist on board changes when their boards are destroying the investments for which they have a fiduciary responsibility.

I’ve been of the view, for some time, that effective corporate information security will only come to pass when company directors are prosecuted, fined and jailed for failures to implement and maintain effective information security management systems.

Here are two stories that rather illustrate the point:

• Companies not evaluating security policies efficiently (if at all)
• Companies mostly unprepared to prevent data leaks over email

And it’s all actually quite straightforward - implement ISO27001, obey the Data Protection Act, and have happy customers, staff and regulators!