Archive for the ‘IT Governance’ Category

Managing Risk in the Cloud

Monday, March 8th, 2010

Cloud computing has tremendous potential for organisations of all sizes; it also brings with it a specific set of risks, ranging from access management and business continuity through to data protection compliance. Cloud computing risk was very much on the agenda at this year’s RSA conference; we’ve also recently published a book which focuses very specifically on managing risk in the cloud. Titled ‘Above the Cloud: Managing Risk in the World of Cloud Computing’, it seems to be hitting the spot in terms of providing specific guidance to security and IT professionals about this particular area of risk. It is also available from our US site.

Privacy Dividend or £500k fine - which do you prefer?

Wednesday, March 3rd, 2010

The Data Protection Act (‘DPA’) in the UK is a cornerstone of IT and information-related legislation. It applies to all organisations that collect or hold information about living individuals. Most organisations would claim that they comply with the DPA. The reality is that many don’t - over 800 organisations have reported data breaches in just the last two years - and, as reporting data breaches is not a legal requirement, it is likely that there have been many more breaches similar to those described here, but which have been ‘swept under the carpet’.

The Information Commissioner (ICO) will, from 6 April 2010, have the power to levy fines of up to £500k for serious breaches of the DPA. Which organisations will suffer the first fines?

For all organisations, the choice is clear and straightforward: continue with shoddy data protection practices and face potentially significant financial penalties, plus the widespread press coverage that will attend such a fine, or take steps to improve those practices. There is, in fact, a good business case to make for doing exactly that. The ICO has just published The Privacy Dividend, which describes how to make the business case for the necessary investment and even includes - for free - all the documentation that an organisation might use as part of that business case.

Penalty or dividend? 

It shouldn’t be a hard choice, should it?

PCI DSS Gathering Momentum…

Monday, July 13th, 2009

Some UK acquiring banks have a determined campaign in place right now to get all level 2, 3 and 4 merchants to PCI DSS compliance by October. Larger merchants should all now be compliant, which means that hackers and fraudsters will logically turn their attention to smaller companies that may still be vulnerable. So, while PCI compliance for smaller businesses will certainly create a resources challenge for them, it is one to which they are simply going to have to rise - or face fines and penalties from the payment brands.

In Nevada, PCI compliance for all merchants who accept a Nevadan citizen’s payment card has now been made law with effect from 2010 - this is a major step forward in terms of bringing this compliance regime onto a statutory footing, and we should expect to see the process gather pace.

BS10012 - a Standard for Compliance with the DPA

Wednesday, June 3rd, 2009

One of the key problems faced by organisations that want to comply with the Data Protection Act is that the DPA doesn’t contain any detailed guidance on compliance - in essence, it is just a set of 8 principles. And the hardest principle from a compliance perspective is Principle 7, which requires organisations to make appropriate technical and administrative arrangements to protect personal information. What is appropriate? And how would you prove it? For some years, ISO/IEC 27001 certification has been the most effective way of demonstrating DPA compliance, but the read-across between the two standards is not that precise.

BS10012 (Data Protection: Specification for a Personal Information Management System), on the other hand, is a standard that is specifically written to meet DPA compliance needs. It is written as a specification (in other words, audits can be conducted against the standard, and there is talk of a certification scheme) and it deals specifically and completely with the requirements of the DPA. It has just been published, and every organisation that has personal information to protect should:

  1. Buy a copy, and compare actual practices with those described in the standard, and
  2. Consider improving actual practices so that they conform to those described in the standard.

Here’s a link where you can get your own copy: http://www.itgovernance.co.uk/products/2542

IT Governance - the Way Ahead

Friday, May 22nd, 2009

I made a presentation, earlier this week, at the BSi conference on IT Governance, which was held at the CBI conference centre at Centre Point in London. (I also chaired the conference). My presentation is available for download from our main website.

Mobile Security Governance?

Friday, May 15th, 2009

While I’m probably more interested in governance than the average person, I do sometimes worry that contextualising information and compliance challenges as governance issues can delay organisations from taking the obvious, common-sense action.

This intelligent article on mobile security governance, for instance, identifies all the steps that organisations should take in considering risks to data posed by the mobile network. See how far you have to read through it before you find guidance to apply encryption to key mobile devices - all laptops and any USB sticks or PDAs that carry sensitive information. The sensible approach is to first apply encryption, which deals with the largest number of mobile device-related risks while keeping you within regulatory requirements, and then to stop and consider what other risks might need mitigation.

You don’t want to have to tell thousands or millions of customers or members of staff why someone leaving a laptop at the bus stop has exposed all their personal details to fraud and identity theft. Explaining that you were considering the range of risks before deciding what action to take is likely to elicit the same sort of response as a UK MP explaining that their inappropriate expense claims were ‘within the rules’.

Governance, risk management and compliance in 2009

Friday, January 2nd, 2009

As I see it, those organisations that survived 2008 are only going to get through 2009 if they manage cash really carefully. Cash management is only useful if it takes into account the full range of possible risks faced by the organisation. Simply hanging onto cash, not paying creditors and avoiding all expense and investment, is not the same as managing cash - because, even in a recession, there are business opportunities and growth prospects and those organisations that manage their cash effectively are able to prepare themselves to handle the range of possibilities - both on the upside and the downside.

Effective risk management tends only to happen in well-governed organisations; where risk management has failed (such as in our banks, the Big Three auto manufacturers and so on) it doesn’t take long to spot that their governance framework must also have been ineffective - not least if the organisation has had to beg for a support package from central Government.

I think that governance and risk management are going to be key themes in 2009 for the world’s better organisations; for all the rest, those for whom governance is just about box-ticking, 2009 will bring much more box-ticking, because regulatory authorities are not going to allow a repetition of 2008’s ‘perfect storm’, which means that compliance requirements are going to increase.

Of course, box-ticked governance will still be the poor relation of more constructive, fully engaged governance and risk management models that boards - under the guidance of an independent Chairman - deploy to manage the risks faced by the organisation in the difficult economic climate we all face this year.

I kind of hope that those organisations that eschew proper governance will go bust quickly, and get out of the way of the rest of us.

Green IT in 2009

Friday, January 2nd, 2009

The Top Ten Predictions for Green IT in 2009 are based on Gartner’s view that the combination of economic meltdown and Obama’s commitment to eco-friendly policies will drive a significant increase in Green IT activities and investment in 2009. Our recent Best Practice Report (Green IT: Reality, Benefits and Best Practices) focused on the economic benefits that corporations can derive from embracing Green IT - not just in terms of customer take-up (and, frankly, I suspect that a ‘green label’ won’t attract much of a price premium in recessionary economies - watch organic farmers, for instance, reduce their organic output to match the reduced budgets of their customers) but, far more importantly, in terms of cost reduction. Green IT in 2009 will be interesting to boards of directors because of the opportunity for significant reductions in power and utility costs.

ISO38500 winning recognition

Monday, December 15th, 2008

Some evidence is emerging that ISO/IEC 38500, the best practice standard for IT governance, is catching on. We’ve certainly seen steady demand for copies of the ISO38500 standard itself, as well as for the ISO38500 Pocket Guide and, more importantly, the ISO38500 IT Governance Framework Toolkit.

Regarding Liken’s survey, Rowlands says, “We were impressed by the strength of support for ISO/IEC 38500. Against the unfolding economic panorama, could it be that this is a more suitable measure of corporate IT governance and a catalyst for sound asset management?

“Cost savings and efficient usage seem now to be the primary drivers as organisations place a greater emphasis on controlling software and hardware usage rather than managing inventory and licensing.”

“ISO38500 is a catch-all IT governance standard and it’s much more attainable for a lot of businesses and it will give the directors of those businesses a sense that they are doing things the right way.”

In a nutshell, ISO38500 provides practical, straightforward guidance for directors as to how they should go about ensuring that their IT operations are doing the right things - and doing the right things, cost-effectively, is going to be a critical component of survival for all organisations in the tough economic conditions that we are currently experiencing.

Project governance still important

Wednesday, October 22nd, 2008

Almost £300m worth of public-sector IT projects have been binned in the UK, sparking accusations that the government is embarking on the schemes without proper thought.

I guess that what our government needs is access to a good project and programme management framework, something that recognises all the common reasons for IT project failure, and which enables organisations to avoid having to re-invent approaches that have already been tried and tested.

I’d like to recommend that they start with a project management methodology called PRINCE2 and then follow through by investigating a programme management methodology called MSP - Managing Successful Programmes. These methodologies were both pulled together by a UK government department, and the IP is still owned by the OGC - who, I’m sure, would be delighted to learn that someone else in the government actually uses them.