Archive for the ‘Data Protection’ Category

ACS: Law: A Case Study on the Value of Information Security Management

Wednesday, September 29th, 2010

One of the most frequent questions I’m asked by CEOs is: “But what’s the real bottom-line benefit of more effective information security, or of an ISO27001-certificated Information Security Management System?”

One real benefit is that effective information security protects the bottom line. The reason you put money in a bank is to protect it. The reason that you secure information is to protect it – and the company that is responsible for the information.

The recent security breach at ACS: Law has been widely reported. A law firm appears to have broken a basic law (the Data Protection Act), is now apparently under investigation by the Information Commissioner and by the Solicitors Regulation Authority and, in addition to the possibility of a fine of up to £500k, it faces unquantifiable current and future damage to its reputation, brand and future business. It’s not always clear that firms subject to this level of challenge will survive the resulting storms.

So, what might effective information security actually have cost ACS: Law? Well, a Web Application Penetration Test might have set them back £3k; implementation of an ISO27001 ISMS in a firm of this size might only have required an investment of about £10k (with another £3k or so for certification). Of course, effective information security also requires top management commitment as well as the deployment of internal time and resource – but, when you’re implementing an ISMS, you’re in control of the process. When you’re responding to a serious breach, you’re not.

Let me put it another way: an investment of about £20k, plus internal effort, might have been sufficient to prevent financial damages that could be somewhere between 10 and 100 times greater than the investment – or more. That’s the point about ‘unquantifiable damages’.

Prevention, in information security, is always better than cure.

Record Fine for Zurich Insurance UK – £2.27 million for losing 46,000 records

Tuesday, August 24th, 2010

Zurich Insurance UK not only lost 46,000 customer records, it took one year to discover the loss. The fact that the loss took place during what should have been a routine outsourcing operation just makes the matter worse. At £2.27m (reduced from £3.25m by agreeing to early settlement), the Zurich Insurance UK data loss works out to have cost the company nearly £50 per record – and that’s without the management time spent on dealing with the FSA investigation and the undoubted negative publicity which the report will generate.

The basics of data protection are still obvious: first, you have to be aware of the fact that you are in possession of personal data, and you have to be aware of how and where it is being processed. Then you have to take some basic steps: apply encryption, apply access control policies, apply secure transmission and receipt procedures (surely, after the HMRC CD-Rom fiasco most organisations would have got to grips with this idea?) and don’t allow personal data to be downloaded to USBs or other portable devices.

I covered exactly these basics at the most recent Data Privacy & Laws conference (video due out shortly, apparently) and the general response was: wouldn’t it be nice if we could get top management to understand that this is what we need to do? Well, perhaps £2.27m will help financial companies focus (although the long history of fines on financial sector companies for failing to protect personal data argues otherwise) better on this key responsibility of theirs.

DPA in an age of austerity

Sunday, July 11th, 2010

As the UK enters its new age of austerity, with public sector organisations finding draconian budget cuts, one must fear that citizens’ personal data will be increasingly at risk. The UK public sector (led by the NHS) has never been that amazingly good at protecting personal and sensitive information, as newspaper articles and the Information Commissioner’s website regularly attest.

The ICO has just taken enforcement action against three councils that failed to protect personal information, including information about children. The councils’ failings were all pretty standard: unencrypted USB sticks, unencrypted laptops, inadequate staff training and inadequate supervision. These are all relatively simple – if costly – to remedy; the basics – essential DPA policies and procedures – should all, of course, be in place already.

What still seems to be missing, though, is a real commitment, on the part of public authorities, to taking the business of data protection seriously – I guess that we’ll actually need to see a series of £500k fines being levied before we see the majority of organisations raising their game on the field of protecting their citizens.

SharePoint Governance

Saturday, July 10th, 2010

A new AIIM study on SharePoint takeup has recently been published. This report builds on their survey of a year ago. Barb Mosher, writing about the AIIM report on CMS, draws this conclusion from the two surveys:

“SharePoint 2007 will be in use for a while to come, and SharePoint 2010 will likely see even more uptake by organizations for a number of reasons. The problems related to SharePoint, whether it’s 2007 or 2010, are not going to change. Not because of the platform itself, but because the strategy, planning and governance that are required to implement it are still not being taken seriously.

What will we see in surveys run next year? The way it looks now, nothing that different than this year or the year before.”

And that tends to be the story where project level governance is concerned: those organisations that plan ahead, that put in place methods for dealing with the wide range of SharePoint issues – from ghost sites through to backup failures – will usually end up with robust, effective and useful SharePoint services. Effective SharePoint governance really can be the difference between success and failure – both short and long term – with a SharePoint deployment. For this reason, Microsoft publish guidance on SharePoint Governance, and our own SharePoint Governance Toolkit helps with MOSS implementations.

Over 1,000 Data Breaches in the UK

Thursday, June 24th, 2010

The Information Commissioner’s Office (ICO) has received over 1,000 reports of data breaches or losses since it was set up, and has issued a stern reminder that organisations must ensure that data is well protected. The biggest culprit is the NHS. The ICO’s Security Breaches Report shows the breakdown of breaches.

As we’ve said on our website (Data Protection Act Penalties), sooner or later the ICO will start levying fines for egregious breaches of the DPA – it would make sense to get one’s DPA compliance house in order before that happens, wouldn’t it? Simply buying and using the tools in our DPA Compliance Toolkit would prepare most organisations to face the worst!

ISO27001 – the Information Security Framework of the future

Wednesday, June 23rd, 2010

I agree entirely with John Verry’s description of today’s drivers for the adoption of ISO27001, which we expect to become more widely adopted over the next 15 years than ISO9001 is today (there are currently about 1 million ISO9001 certifications worldwide).

“Driven to ISO 27001 … Driven by ISO 27001” – presented by John Verry, principal consultant at Pivot Point Security (Hamilton, NJ) to the Unisys Community of Practice Group on June 15, 2010, focuses on three “pain” points driving organizations to the ISO 27001 framework as a simple and logical response. Verry cites the “cloud economy”, a “flatter world” and the growth of increasingly ambiguous and overlapping information security regulations as the main factors – and then explores how and why ISO 27001 is poised to change information security.

We’ve been working on ISO27001 since its inception and our unique, and uniquely comprehensive and integrated range of ISO27001 books, tools and resources is designed to help organisations around the world use this standard in their businesses – drawing on advice, tools, guidance, training or consultancy as required.

Top 5 Social Media Risks for Organisations

Wednesday, June 9th, 2010

ISACA has, apparently, published research that identifies the 5 top social media risks faced by organisations today. I’ve said, previously, that organisations should embrace social media as part of their marketing and communications strategy, and that a governance approach to social media is necessary. The IT Governance social media governance toolkit is, of course, specifically designed to give organisations all the tools that they might need to govern this area effectively – and includes detailed user guidance for all the key areas of social media activity that might be important.

Protect Your Company from Cybercrime

Tuesday, May 25th, 2010

This interesting article explains why old-fashioned crime – robbing a bank, say – has now gone online. It’s quicker, easier, and safer for the criminal. That does mean that organisations have to take care to protect themselves against cyber-criminals – and the steps that can be taken range from the simple (see 10 Rules of Information Security for the Smaller Business) to the sophisticated (implementing a best-practice Information Security Management System based on ISO27001, for instance).

At the very least, anyone with corporate responsibilities should have a reasonable understanding of cybercrime – as well as of cyberterrorism and its close cousin, cyberwar. There is a wide range of issues that today fall under the heading of White Collar Crime, and which need attention. Your business is at risk – finding out about the risks is a good first step to taking appropriate action!

Managing Risk in the Cloud

Monday, March 8th, 2010

Cloud computing has tremendous potential for organisations of all sizes; it also brings with it a specific set of risks, ranging from access management and business continuity through to data protection compliance. Cloud computing risk was very much on the agenda at this year’s RSA conference; we’ve also recently published a book which focuses very specifically on managing risk in the cloud. Titled ‘Above the Cloud: Managing Risk in the World of Cloud Computing’, it seems to be hitting the spot in terms of providing specific guidance to security and IT professionals about this specific area of risk. It is also available from our US site.

Password Security Dilemma

Thursday, March 4th, 2010

Commonly accepted best practice on password security is that passwords should be complex, changed frequently and never written down. Password complexity (8 alphanumeric characters, case sensitivity plus special characters) increases the level of difficulty associated with cracking it; password change regularity decreases the likelihood of the password, having been inadvertently revealed, being improperly used. The easiest way into a computer or network is, of course, via the password that has been written down and is stored somewhere convenient – on a post-it note under the keyboard, behind the screen or in an unlocked drawer…

And, of course, the more complex the password and the more frequently it has to be changed, the more likely users are to forget it – and to write it down. And we’re not just talking about business users here: our experience is that many seasoned IT and information security professionals resort to writing passwords down – not least because we increasingly combine regularity of change with an increasing volume of passwords, each of which has different rules.

And it’s the different rules that make it difficult for one to use one strong password in all the applications and websites to which one has access.

So, there’s the information security manager’s dilemma when dealing with user system access – enforce frequent password changes, enforce complexity, block reversions from new to old passwords, block password sequencing and all those sensible things, and you increase the likelihood of passwords being written down, thereby potentially making unauthorised system access even easier.

The solution, for me, is to insist on password complexity – but to enforce change only irregularly – certainly no more than once a quarter – and, perhaps, no more frequently than once per year.
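As an added illustration of the policy argued for above (example code written for this page, not code from the original post or from any product it mentions), the following Python module enforces the three controls the post names: complexity, blocking reversion to previously used passwords, and a rotation interval that is deliberately long. The `Policy` and `Account` names, the thresholds (8 characters, a history of 5, a 365-day maximum age) and the sample passwords and dates are this example’s own assumptions; the one rule it adds is that a `Policy` refuses to be configured with a rotation interval shorter than a quarter, which is the ceiling the post proposes.

```python
"""Password policy enforcement: complexity, no reuse, infrequent rotation.

Added example, not code from the original post. Thresholds, the Policy and
Account names and the sample passwords/dates are this example's assumptions.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

QUARTER_DAYS = 90  # the post's ceiling: never force a change more than quarterly


@dataclass
class Policy:
    min_length: int = 8
    history_depth: int = 5     # how many previous passwords may not be reused
    max_age_days: int = 365    # the post's preference: change about once a year

    def __post_init__(self) -> None:
        # Refuse configurations that rotate more often than quarterly: the post's
        # point is that frequent forced changes drive users to write passwords down.
        if self.max_age_days < QUARTER_DAYS:
            raise ValueError("rotation interval shorter than a quarter is not allowed")


@dataclass
class Account:
    # Salted PBKDF2 digests of previous passwords, newest last; the history
    # never holds a cleartext password, so it cannot leak one if copied.
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    last_changed: Optional[date] = None


def check_complexity(pw: str, policy: Policy = Policy()) -> List[str]:
    """Return the names of the rules the password fails (empty list = passes)."""
    failures = []
    if len(pw) < policy.min_length:
        failures.append("length")
    if not any(c.islower() for c in pw):
        failures.append("lowercase")
    if not any(c.isupper() for c in pw):
        failures.append("uppercase")
    if not any(c.isdigit() for c in pw):
        failures.append("digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("special")
    return failures


def _digest(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)


def was_used_before(account: Account, pw: str) -> bool:
    # Each history entry has its own salt, so the candidate is re-derived per entry.
    return any(hmac.compare_digest(_digest(pw, salt), stored)
               for salt, stored in account.history)


def set_password(account: Account, pw: str, today: date,
                 policy: Policy = Policy()) -> Optional[str]:
    """Apply the policy. Returns None on success, else the reason for rejection."""
    failed = check_complexity(pw, policy)
    if failed:
        return "complexity: " + ", ".join(failed)
    if was_used_before(account, pw):
        return "reuse"
    salt = os.urandom(16)
    account.history.append((salt, _digest(pw, salt)))
    del account.history[:-policy.history_depth]   # keep only the newest N entries
    account.last_changed = today
    return None


def rotation_due(account: Account, today: date, policy: Policy = Policy()) -> bool:
    """True only when the (long) maximum age has elapsed, or no password is set yet."""
    if account.last_changed is None:
        return True
    return today - account.last_changed >= timedelta(days=policy.max_age_days)


def run_demo() -> dict:
    """Exercise the policy on constructed sample data and return the outcomes."""
    acct = Account()
    start = date(2010, 3, 4)  # constructed date (the post's own date)
    results = {
        "weak": set_password(acct, "password1", start),        # no upper case, no special
        "first": set_password(acct, "Correct-Horse9", start),  # accepted
        "reuse": set_password(acct, "Correct-Horse9", start + timedelta(days=1)),
        "due_after_quarter": rotation_due(acct, start + timedelta(days=91)),
        "due_after_year": rotation_due(acct, start + timedelta(days=366)),
    }
    try:
        Policy(max_age_days=30)          # monthly rotation: rejected by design
        results["monthly_allowed"] = True
    except ValueError:
        results["monthly_allowed"] = False
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Running the module prints the outcome of each step in `run_demo()`: the weak password is rejected for complexity, the reused one for reuse, rotation is not due after a quarter but is after a year, and a monthly rotation policy cannot be constructed. The history stores only salted PBKDF2 digests, so the reuse check costs one key derivation per remembered password; keeping `history_depth` small keeps that cost bounded.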