Archive for the ‘IT Governance’ Category
Tuesday, January 25th, 2011
Research giant Forrester has identified the need for Social Media Governance as the starting point for adopting social technologies in organisations. Social Media Governance is a complex topic – it starts with adopting a social media policy but it does then have to deal with a comprehensive range of headline issues such as:
- Social Media User Guidelines
- Roles & Responsibilities
- Metrics & Monitoring
- Records Management
- Legal Guidance
- Communications Policy
- Branding & (Corporate) Style Guide
- Training
Security is a major area and should be linked with any ISO27001 or other ISMS that the organisation has in place. Key areas for the information security team to address include:
- Acceptable Use Policy
- User Name and Password Management
- Classification
- Anti-malware
- Backup
- Incident Management
- Monitoring
- Privacy
And, finally, there probably need to be specific user guidelines or work instructions that cover, in some detail, at least the following social media activities:
- Blogging
- Facebook
- LinkedIn and LinkedIn Groups
- Instant Messenger – Organizational IM
- Instant Messenger – Third Party IM allowed
- Skype
- Twitter
- YouTube
The social media framework that we use in our own organisation is based on ITGP Social Media Governance Toolkit. These templates have made our life much easier and, of course, our own experience and that of our customers is then fed back into further improvements in the templates.
Posted in Compliance, cybersecurity, Data Protection, ISO 27001, ISO 27002 (ISO 17999), IT Governance, IT Security, social media | No Comments »
Tuesday, October 26th, 2010
There were, according to the most recently published ISO certification survey, nearly 13,000 organisations worldwide certified to ISO27001 by the end of 2009. This is an increase of about 40% over the number certified the year before and reflects what I have said on many occasions – the number of certificates will go up exponentially as more and more organisations work their way through their initial PDCA cycles, often lasting a year or more, prior to their first successful certification audit.
And, as organisations turn to their supply chains and partners, looking for equivalent approaches to information security management, so the pressure for compliance mounts on every organisation that has confidential, valuable or personal information to look after.
Cyber risks, which emerge from the UK’s recently published National Defence Strategy as the most critical risk facing the UK economy over the next five years, are best defended against by deploying ISO27001 – which is why the standard is increasingly known as the ‘Cyber Security Standard’. The fact that ISO27001 is also international best practice for meeting a wide range of information, computer and data security regulations and laws makes its ever more rapid adoption inevitable.
Posted in Business and the Economy, Compliance, cybersecurity, ISO 27001, ISO 27002 (ISO 17999), IT Governance, IT Security | No Comments »
Tuesday, August 24th, 2010
Zurich Insurance UK not only lost 46,000 customer records, it took one year to discover the loss. The fact that the loss took place during what should have been a routine outsourcing operation just makes the matter worse. At £2.27m (reduced from £3.25m by agreeing to early settlement), the Zurich Insurance UK data loss works out to have cost the company nearly £50 per record – and that’s without the management time spent on dealing with the FSA investigation and the undoubted negative publicity which the report will generate.
The basics of data protection are still obvious: first, you have to be aware of the fact that you are in possession of personal data, and you have to be aware of how and where it is being processed. Then you have to take some basic steps: apply encryption, apply access control policies, apply secure transmission and receipt procedures (surely, after the HMRC CD-Rom fiasco most organisations would have got to grips with this idea?) and don’t allow personal data to be downloaded to USBs or other portable devices.
I covered exactly these basics at the most recent Data Privacy & Laws conference (video due out shortly, apparently) and the general response was: wouldn’t it be nice if we could get top management to understand that this is what we need to do? Well, perhaps £2.27m will help financial companies focus (although the long history of fines on financial sector companies for failing to protect personal data argues otherwise) better on this key responsibility of theirs.
Posted in Compliance, Data Breaches, Data Protection, ISO 27001, IT Governance, IT Security | 1 Comment »
Friday, August 6th, 2010
The UK’s Financial Services Authority (FSA) this week fined Royal Bank of Scotland Group £5.6m for ‘failing to have adequate [IT] systems and controls in place to prevent breaches of UK financial sanctions’. The Australian IT News quite rightly identifies this as a massive failure in IT governance – which, of course, it is.
IT governance is defined as “a framework for the leadership, organizational structures and business processes, standards and compliance to these standards, which ensure that the organization’s IT supports and enables the achievement of its strategies and objectives.” (IT Governance: a Pocket Guide)
“RBSG’s automated screening failed to screen the majority of trade finance SWIFT messages generated in the international trade transactions that it carried out,” said the FSA; it could have gone on to say something like: ‘RBSG’s Board of Directors evidently does not have in place any formal process for ensuring that its IT infrastructure supports and enables its compliance with UK laws and regulations or the achievement of its strategies and objectives,’ but it didn’t. That, nevertheless, appears to be the case.
It always seems to me a pity that organisations have to be pushed, by substantial fines, to do things that have significant business benefits – but there we are!
Posted in Business and the Economy, Compliance, ISO 27001, IT Governance, IT Security, White Collar Crime | 1 Comment »
Thursday, August 5th, 2010
King III has now been in force for about 4 months in South Africa. Judge Mervyn King made the point, at a recent ITWeb conference, that “one of the most critical interdependences is IT, because it’s technology that is going to save the planet”. We call this Green IT, and believe that energy-efficient IT management must become a core part of IT strategy in the future.
Risk management becomes ever more important, as more and more IT is outsourced – but there is more to IT risk management than simply disaster recovery or supply chain management. Increasingly, IT risk, information risk, project risk and business continuity risk must be considered as part of a coherent approach that identifies and seeks to mitigate all forms of unacceptable strategic and operational risk to the organisation; that, of course, is what IT governance is really about.
Posted in Business and the Economy, Compliance, Green IT, ISO 27001, IT Governance | No Comments »
Tuesday, August 3rd, 2010
While Forrester’s recent report says that Green IT initiatives persist, in spite of budget cutbacks and other challenges facing IT teams today, the reality is more likely to be that savvy IT leaders recognise that Green IT initiatives can make a substantial contribution to reducing the direct cost of running the IT infrastructure.
Gary Hird, for instance, has led the John Lewis Partnership’s Green IT strategy for some time, and he describes how JLP went about this in Green IT in Practice, now in its second edition. It’s a fascinating and practical description of how one large retail organisation set about driving down its IT costs, reducing its carbon footprint and meeting customer requirements.
Other writers have also addressed these issues: George Spafford focused on the Governance of Green IT, which has a particular focus on managing energy consumption. The recent emergence of EN16001 should give a boost to those looking for a structured approach to energy management.
There is lots of information, advice – and case studies – available for organisations that want to tackle Green IT.
Posted in Business and the Economy, Compliance, Green IT, IT Governance, ITIL | 2 Comments »
Sunday, July 11th, 2010
As the UK enters its new age of austerity, with public sector organisations facing draconian budget cuts, one must fear that citizens’ personal data will be increasingly at risk. The UK public sector (led by the NHS) has never been that amazingly good at protecting personal and sensitive information, as newspaper articles and the Information Commissioner’s website regularly attest.
The ICO has just taken enforcement action against three councils that failed to protect personal information, including information about children. The councils’ failings were all pretty standard: unencrypted USB sticks, unencrypted laptops, inadequate staff training and inadequate supervision. These are all relatively simple – if costly – to remedy; the basics – essential DPA policies and procedures – should all, of course, be in place already.
What still seems to be missing, though, is a real commitment, on the part of public authorities, to taking the business of data protection seriously – I guess that we’ll actually need to see a series of £500k fines being levied before we see the majority of organisations raising their game on the field of protecting their citizens.
Tags: Data Breaches, dpa, ICO
Posted in Business and the Economy, Compliance, Data Breaches, Data Protection, ISO 27001, IT Governance, IT Security | No Comments »
Saturday, July 10th, 2010
A new AIIM study on SharePoint take-up has recently been published. This report builds on their survey of a year ago. Barb Mosher, writing about the AIIM report on CMS, draws this conclusion from the two surveys:
“SharePoint 2007 will be in use for a while to come, and SharePoint 2010 will likely see even more uptake by organizations for a number of reasons. The problems related to SharePoint, whether it’s 2007 or 2010, are not going to change. Not because of the platform itself, but because the strategy, planning and governance that are required to implement it are still not being taken seriously.
What will we see in surveys run next year? The way it looks now, nothing that different than this year or the year before.”
And that tends to be the story where project level governance is concerned: those organisations that plan ahead, that put in place methods for dealing with the wide range of SharePoint issues – from ghost sites through to backup failures – will usually end up with robust, effective and useful SharePoint services. Effective SharePoint governance really can be the difference between success and failure – both short and long term – with a SharePoint deployment. For this reason, Microsoft publish guidance on SharePoint Governance, and our own SharePoint Governance Toolkit helps with MOSS implementations.
Tags: MOSS 2007, MOSS 2010, SharePoint
Posted in Business and the Economy, Business Continuity, Compliance, Data Breaches, Data Protection, ISO 27001, IT Governance, IT Security | No Comments »
Thursday, June 24th, 2010
The Information Commissioner’s Office (ICO) has received over 1,000 reports of data breaches or losses since it was set up, and has issued a stern reminder that organisations must ensure that data is well protected. The biggest culprit is the NHS. The ICO’s Security Breaches Report shows the breakdown of breaches.
As we’ve said on our website (Data Protect Act Penalties), sooner or later the ICO will start levying fines for egregious breaches of the DPA – it would make sense to get one’s DPA compliance house in order before that happens, wouldn’t it? Simply buying and using the tools in our DPA Compliance Toolkit would prepare most organisations to face the worst!
Tags: dpa
Posted in Compliance, Data Breaches, Data Protection, IT Governance, IT Security | No Comments »
Tuesday, June 22nd, 2010
I’ve always believed that board support is essential for information security management projects to succeed across a business. I’ve also always recognised that not all security professionals naturally have the sales skills that are necessary to successfully pitch information security initiatives to boards of directors, many of whom themselves combine sales skills with quite short attention spans. I originally wrote The Case for ISO27001 to provide, in one place, the wide range of arguments that could be made in favour of an organisation adopting ISO27001 as the standard for its information security management system.
I’ve just written another book, Selling Information Security to the Board, as a primer for those interested in developing their sales skills. The book originated in a presentation, Infosecurity As A Mindset: Selling IT To The Board, that I did at Infosec 2010 on exactly the same subject, and is (I hope) the first in a small collection of books and other products that are designed to expand the range of support available to IT professionals who, as part of their role, have to get management buy-in to an IT or information security project.
Posted in Business and the Economy, Compliance, ISMS, ISO 27001, IT Governance, IT Security | No Comments »