Archive for the ‘Data Breaches’ Category

Two More DPA Fines – Lessons

Wednesday, February 9th, 2011

The ICO has just issued two more fines for breaches of the DPA. Ealing and Hounslow councils are, between them, paying up £150,000 of money they probably don’t have to spare for the theft of just two laptops from an employee’s home.

There are three key learning points from this most recent set of fines:

1. Laptops must be encrypted – the ICO said: “Of the four monetary penalties that we have served so far, three concern the loss of unencrypted laptops. Where personal information is involved, password protection for portable devices is simply not enough.” Our free Technical Briefing Paper describes clearly what has to be done to encrypt laptops and portable devices.

2. You cannot hand your data protection responsibilities over to a third party – you must have a clear contract in place, with the right of audit, and you must take action to ensure that your third party contractor complies with its responsibilities. The ICO said: “The penalty against Hounslow Council also makes clear that an organisation can’t simply hand over the handling of the personal information it is responsible for to somebody else unless they ensure that the information is properly protected.”

3. Lax data protection practices will lead to fines. The ICO’s statement concluded with this warning: “Both councils have paid the price for lax data protection practices. I hope all organisations that handle personal information will make sure their houses are in order – otherwise they too may have to learn the hard way.”

And the fines are just the monetary tip of the iceberg: before the fine is even issued, there is an investigation to endure, there is highly damaging PR and you still end up having to comply with the DPA anyway. So the sensible thing is to comply in advance of a breach – because, sooner or later, every organisation has a breach.

The process of becoming compliant is straightforward: carry out a gap analysis to identify where your actual practices are deficient against the requirements of the DPA, create an action plan to close the gap, and execute that plan. We created a DPA Compliance Toolkit specifically to put everything required for this process in one place. It costs £100. If both Ealing and Harrow had purchased – and deployed – their own copy of the toolkit, it might have saved them a joint £150,000. Not a bad return on investment!

Local Councillors Must Comply with DPA

Wednesday, January 26th, 2011

According to an article published today, local councillors must register with the ICO if they process personal data in their constituency offices. Apparently 6,000 are already registered and another 13,000 could and should. Of course, registration with the ICO is just the start – once registered, they also have to comply with the DPA. Compliance is relatively straightforward – the problem is that most organisations, particularly smaller ones, leave compliance until after they’ve been breached and then have to deal with all the sad repercussions of negative press coverage and distressed constituents. The penalties for compliance failures are potentially very significant.

Cybersecurity – the risks recognised

Tuesday, October 19th, 2010

The UK’s National Security Strategy (published 18 Oct 2010) identifies that, for the next five years, the four highest priority risks faced by the UK are those arising from

  • international terrorism;
  • cyber attack;
  • international military crises; and
  • major accidents or natural hazards.

The reality, of course, is that international terrorists have an identifiable cyber capability, and any international military crisis is also likely to have an important element of cyber threat. And, as the information on which we depend to respond to almost any major national accident is stored in electronic information systems, you might argue that cyber risk is the most important risk facing the UK today.

Cybersecurity standards

Cybersecurity standards are an important element in building a strong, resilient information and communications infrastructure. ISO27001 is the most significant international best practice standard available to any organisation that wants an intelligently organised and structured framework for tackling its own cyber risks. ISO27001, as a specification for an ISMS, is clear and precise; it also lists 133 key security controls that should be at the heart of any organisation’s approach to securing its information assets.

Many organisations, though, think it makes sense to implement ISO27001 without ever seeking external certification. The increased focus, at a national level, on responding appropriately to cyber risks undermines this approach – increasingly, organisations will want to know that their supply chain is resilient against cyber attack. Supplier audits can consume a lot of time, and an accredited ISO27001 certificate is clear evidence that an organisation has taken proper security steps and has obtained independent verification that these steps are in line with recognised international best practice.

To encrypt or not to encrypt?

Friday, October 1st, 2010

For the Forth Valley NHS Board, the answer is now a resounding ‘Yes’. Of course, it should have been a ‘Yes’ before there was a data breach, and before sensitive patient details were put at risk. However, the Board has now recognised (and has formally committed to ensure) that the only USB sticks available for use by Board staff should be issued by the Board, and that these USB sticks should all be encrypted.

It is, in today’s world of portable media, a basic security step. ISO27001 control A.10.7.1 specifically deals with management of removable media, and any organisation implementing this control must (amongst other things) use encrypted memory sticks – which can be purchased with USB-resident encryption, so that they are simple to deploy and use in the workplace.

ACS: Law: A Case Study on the Value of Information Security Management

Wednesday, September 29th, 2010

One of the most frequent questions I’m asked by CEOs is: “But what’s the real bottom-line benefit of more effective information security, or of an ISO27001-certificated Information Security Management System?”

One real benefit is that effective information security protects the bottom line. The reason you put money in a bank is to protect it. The reason that you secure information is to protect it – and the company that is responsible for the information.

The recent security breach at ACS: Law has been widely reported. A law firm appears to have broken a basic law (the Data Protection Act), is now apparently under investigation by the Information Commissioner and by the Solicitors Regulation Authority and, in addition to the possibility of a fine of up to £500k, it faces unquantifiable current and future damage to its reputation, brand and future business. It’s not always clear that firms subject to this level of challenge will survive the resulting storms.

So, what might effective information security actually have cost ACS: Law? Well, a Web Application Penetration Test might have set them back £3k; implementation of an ISO27001 ISMS in a firm of this size might only have required an investment of about £10k (with another £3k or so for certification). Of course, effective information security also requires top management commitment as well as the deployment of internal time and resource – but, when you’re implementing an ISMS, you’re in control of the process. When you’re responding to a serious breach, you’re not.

Let me put it another way: an investment of about £20k, plus internal effort, might have been sufficient to prevent financial damages that could be somewhere between 10 and 100 times greater than the investment – or more. That’s the point about ‘unquantifiable damages’.

Prevention, in information security, is always better than cure.

Record Fine for Zurich Insurance UK – £2.27 million for losing 46,000 records

Tuesday, August 24th, 2010

Zurich Insurance UK not only lost 46,000 customer records, it took one year to discover the loss. The fact that the loss took place during what should have been a routine outsourcing operation just makes the matter worse. At £2.27m (reduced from £3.25m by agreeing to early settlement), the Zurich Insurance UK data loss works out to have cost the company nearly £50 per record – and that’s without the management time spent on dealing with the FSA investigation and the undoubted negative publicity which the report will generate.

The basics of data protection are still obvious: first, you have to be aware of the fact that you are in possession of personal data, and you have to be aware of how and where it is being processed. Then you have to take some basic steps: apply encryption, apply access control policies, apply secure transmission and receipt procedures (surely, after the HMRC CD-Rom fiasco most organisations would have got to grips with this idea?) and don’t allow personal data to be downloaded to USBs or other portable devices.

I covered exactly these basics at the most recent Data Privacy & Laws conference (video due out shortly, apparently) and the general response was: wouldn’t it be nice if we could get top management to understand that this is what we need to do? Well, perhaps £2.27m will help financial companies focus better on this key responsibility of theirs (although the long history of fines on financial sector companies for failing to protect personal data argues otherwise).

DPA in an age of austerity

Sunday, July 11th, 2010

As the UK enters its new age of austerity, with public sector organisations facing draconian budget cuts, one must fear that citizens’ personal data will be increasingly at risk. The UK public sector (led by the NHS) has never been that amazingly good at protecting personal and sensitive information, as newspaper articles and the Information Commissioner’s website regularly attest.

The ICO has just taken enforcement action against three councils that failed to protect personal information, including information about children. The councils’ failings were all pretty standard: unencrypted USB sticks, unencrypted laptops, inadequate staff training and inadequate supervision. These are all relatively simple – if costly – to remedy; the basics – essential DPA policies and procedures – should, of course, already be in place.

What still seems to be missing, though, is a real commitment, on the part of public authorities, to taking the business of data protection seriously – I guess that we’ll actually need to see a series of £500k fines being levied before we see the majority of organisations raising their game on the field of protecting their citizens.

SharePoint Governance

Saturday, July 10th, 2010

A new AIIM study on SharePoint takeup has recently been published. This report builds on their survey of a year ago. Barb Mosher, writing about the AIIM report on CMS, draws this conclusion from the two surveys:

“SharePoint 2007 will be in use for a while to come, and SharePoint 2010 will likely see even more uptake by organizations for a number of reasons. The problems related to SharePoint, whether it’s 2007 or 2010, are not going to change. Not because of the platform itself, but because the strategy, planning and governance that are required to implement it are still not being taken seriously.

What will we see in surveys run next year? The way it looks now, nothing that different than this year or the year before.”

And that tends to be the story where project level governance is concerned: those organisations that plan ahead, that put in place methods for dealing with the wide range of SharePoint issues – from ghost sites through to backup failures – will usually end up with robust, effective and useful SharePoint services. Effective SharePoint governance really can be the difference between success and failure – both short and long term – with a SharePoint deployment. For this reason, Microsoft publish guidance on SharePoint Governance, and our own SharePoint Governance Toolkit helps with MOSS implementations.

Over 1,000 Data Breaches in the UK

Thursday, June 24th, 2010

The Information Commissioner’s Office (ICO) has received over 1,000 reports of data breaches or losses since it was set up, and has issued a stern reminder that organisations must ensure that data is well protected. The biggest culprit is the NHS. The ICO’s Security Breaches Report shows the breakdown of breaches.

As we’ve said on our website (Data Protection Act Penalties), sooner or later the ICO will start levying fines for egregious breaches of the DPA – it would make sense to get one’s DPA compliance house in order before that happens, wouldn’t it? Simply buying and using the tools in our DPA Compliance Toolkit would prepare most organisations to face the worst!

Governance of Social Media

Wednesday, April 28th, 2010

The ITG Social Media Governance toolkit helps organisations create an effective governance structure around their social media activities. Social media is, for many organisations, a critical part of how they speak to customers, partners and stakeholders; for others, social media are a dangerous distraction.

Dealing effectively with social media requires a joined-up approach that is aligned with the objectives and risk appetite of the business – a governance approach. I strongly believe that today’s organisations will serve themselves better by adopting social media within their corporate communications strategy, embracing the culture and distinctive attributes of social media and, through effective social media governance, ensuring that the risks are controlled – not simply avoided.