Archive for the ‘Data Breaches’ Category

Record Fine for Zurich Insurance UK - £2.27 million for losing 46,000 records

Tuesday, August 24th, 2010

Zurich Insurance UK not only lost 46,000 customer records, it took one year to discover the loss. The fact that the loss took place during what should have been a routine outsourcing operation just makes the matter worse. At £2.27m (reduced from £3.25m by agreeing to early settlement), the Zurich Insurance UK data loss works out to have cost the company nearly £50 per record - and that’s without the management time spent on dealing with the FSA investigation and the undoubted negative publicity which the report will generate.

The basics of data protection are still obvious: first, you have to be aware that you are in possession of personal data, and of how and where it is being processed. Then you have to take some basic steps: apply encryption, apply access control policies, apply secure transmission and receipt procedures (surely, after the HMRC CD-ROM fiasco, most organisations would have got to grips with this idea?) and don’t allow personal data to be downloaded to USB sticks or other portable devices.

I covered exactly these basics at the most recent Data Privacy & Laws conference (video due out shortly, apparently) and the general response was: wouldn’t it be nice if we could get top management to understand that this is what we need to do? Well, perhaps £2.27m will help financial companies focus better on this key responsibility of theirs (although the long history of fines on financial sector companies for failing to protect personal data argues otherwise).

DPA in an age of austerity

Sunday, July 11th, 2010

As the UK enters its new age of austerity, with public sector organisations facing draconian budget cuts, one must fear that citizens’ personal data will be increasingly at risk. The UK public sector (led by the NHS) has never been that amazingly good at protecting personal and sensitive information, as newspaper articles and the Information Commissioner’s website regularly attest.

The ICO has just taken enforcement action against three councils that failed to protect personal information, including information about children. The councils’ failings were all pretty standard: unencrypted USB sticks, unencrypted laptops, inadequate staff training and inadequate supervision. These are all relatively simple - if costly - to remedy; the basics, essential DPA policies and procedures, should of course all be in place already.

What still seems to be missing, though, is a real commitment, on the part of public authorities, to taking the business of data protection seriously - I guess that we’ll actually need to see a series of £500k fines being levied before we see the majority of organisations raising their game on the field of protecting their citizens.

SharePoint Governance

Saturday, July 10th, 2010

A new AIIM study on SharePoint take-up has recently been published. This report builds on their survey of a year ago. Barb Mosher, writing about the AIIM report on CMS, draws this conclusion from the two surveys:

“SharePoint 2007 will be in use for a while to come, and SharePoint 2010 will likely see even more uptake by organizations for a number of reasons. The problems related to SharePoint, whether it’s 2007 or 2010, are not going to change. Not because of the platform itself, but because the strategy, planning and governance that are required to implement it are still not being taken seriously.

What will we see in surveys run next year? The way it looks now, nothing that different than this year or the year before.”

And that tends to be the story where project level governance is concerned: those organisations that plan ahead, that put in place methods for dealing with the wide range of SharePoint issues - from ghost sites through to backup failures - will usually end up with robust, effective and useful SharePoint services. Effective SharePoint governance really can be the difference between success and failure - both short and long term - with a SharePoint deployment. For this reason, Microsoft publish guidance on SharePoint Governance, and our own SharePoint Governance Toolkit helps with MOSS implementations.

Over 1,000 Data Breaches in the UK

Thursday, June 24th, 2010

The Information Commissioner’s Office (ICO) has received over 1,000 reports of data breaches or losses since it was set up, and has issued a stern reminder that organisations must ensure that data is well protected. The biggest culprit is the NHS. The ICO’s Security Breaches Report shows the breakdown of breaches.

As we’ve said on our website (Data Protection Act Penalties), sooner or later the ICO will start levying fines for egregious breaches of the DPA - it would make sense to get one’s DPA compliance house in order before that happens, wouldn’t it? Simply buying and using the tools in our DPA Compliance Toolkit would prepare most organisations to face the worst!

Governance of Social Media

Wednesday, April 28th, 2010

The ITG Social Media Governance toolkit helps organisations create an effective governance structure around their social media activities. Social media is, for many organisations, a critical part of how they speak to customers, partners and stakeholders; for others, social media are a dangerous distraction.

Dealing effectively with social media requires a joined-up approach that is aligned with the objectives and risk appetite of the business - a governance approach. I strongly believe that today’s organisations will serve themselves better by adopting social media within their corporate communications strategy, embracing the culture and distinctive attributes of social media and, through effective social media governance, ensuring that the risks are controlled - not simply avoided.

Managing Risk in the Cloud

Monday, March 8th, 2010

Cloud computing has tremendous potential for organisations of all sizes; it also brings with it a specific set of risks, ranging from access management and business continuity through to data protection compliance. Cloud computing risk was very much on the agenda at this year’s RSA conference; we’ve also recently published a book which focuses specifically on managing risk in the cloud. Titled ‘Above the Cloud: Managing Risk in the World of Cloud Computing’, it seems to be hitting the spot in terms of providing security and IT professionals with practical guidance on this area of risk. It is also available from our US site.

Privacy Dividend or £500k fine - which do you prefer?

Wednesday, March 3rd, 2010

The Data Protection Act (‘DPA’) in the UK is a cornerstone of IT and information-related legislation. It applies to all organisations that collect or hold information about living individuals. Most organisations would claim that they comply with the DPA. The reality is that many don’t - over 800 organisations have reported data breaches in just the last two years - and, as reporting data breaches is not a legal requirement, it is likely that there have been many more breaches similar to those described here which have been ‘swept under the carpet’.

The Information Commissioner (ICO) will, from 6 April 2010, have the power to levy fines of up to £500k for serious breaches of the DPA. Which organisations will suffer the first fines?

For all organisations, the choice is clear and straightforward: continue with shoddy data protection practices and face potentially significant financial penalties, plus the widespread press coverage that will attend such a fine, or take steps to improve those practices. There is, in fact, a good business case to make for doing exactly that. The ICO has just published The Privacy Dividend, which describes how to make the business case for the necessary investment and even includes - for free - all the documentation that an organisation might use as part of that business case.

Penalty or dividend? 

It shouldn’t be a hard choice, should it?

Prison for DPA breaches

Monday, September 7th, 2009

The new Information Commissioner, Christopher Graham, has recognised that current penalties for breaching the UK Data Protection Act are derisory and has called for the introduction of prison sentences for reckless breaches.

Excellent.

But not enough - the ICO is only responding to pathetic sentences given to private investigators and others who actively and deliberately breached the DPA. As I have said on previous occasions, we need to go much further. The only way that we will develop a real culture of compliance is if directors of companies that breach the DPA are personally liable for fines and prison sentences for failing to ensure that their companies took adequate steps to comply with the DPA.

After all, if larger organisations took appropriate steps to protect personal data, it would be that much harder for the unscrupulous smaller operators to breach their security to illegally obtain data, wouldn’t it?

PCI DSS Gathering Momentum….

Monday, July 13th, 2009

Some UK acquiring banks have a determined campaign in place right now to get all Level 2, 3 and 4 merchants to PCI DSS compliance by October. Larger merchants should all now be compliant, which means that hackers and fraudsters will logically turn their attention to smaller companies that may still be vulnerable. So, while PCI compliance for smaller businesses will certainly create a resources challenge for them, it is one to which they are simply going to have to rise - or face fines and penalties from the payment brands.

In Nevada, PCI compliance for all merchants who accept a Nevada citizen’s payment card has now been made law with effect from 2010 - this is a major step forward in terms of bringing this compliance regime onto a statutory footing, and we should expect to see the process gather pace.

BS10012 - a Standard for Compliance with the DPA

Wednesday, June 3rd, 2009

One of the key problems faced by organisations that want to comply with the Data Protection Act is that the DPA doesn’t contain any detailed guidance on compliance - in essence, it is just a set of 8 principles. And the worst principle from a compliance perspective is Principle 7, which requires organisations to make appropriate technical and administrative arrangements to protect personal information. What is appropriate? And how would you prove it? For some years, ISO/IEC 27001 certification has been the most effective way of demonstrating DPA compliance, but the read-across between the two standards is not that precise.

BS10012 (Data Protection: Specification for a Personal Information Management System), on the other hand, is a standard that is specifically written to meet DPA compliance needs. It is written as a specification (in other words, audits can be conducted against the standard, and there is talk of a certification scheme) and it deals specifically and completely with the requirements of the DPA. It has just been published, and every organisation that has personal information to protect should:

  1. Buy a copy, and compare actual practices with those described in the standard and,
  2. Consider improving actual practices so that they conform to those described in the standard.

Here’s a link where you can get your own copy: http://www.itgovernance.co.uk/products/2542