Archive for the ‘IT Governance’ Category
Wednesday, June 9th, 2010
ISACA has, apparently, published research that identifies the 5 top social media risks faced by organisations today. I’ve said, previously, that organisations should embrace social media as part of their marketing and communications strategy, and that a governance approach to social media is necessary. The IT Governance social media governance toolkit is, of course, specifically designed to give organisations all the tools that they might need to govern this area effectively – and includes detailed user guidance for all the key areas of social media activity that might be important.
Tags: social media, web 2.0
Posted in Compliance, Data Protection, ISO 27001, IT Governance
Monday, May 31st, 2010
THE KING CODE OF GOVERNANCE PRINCIPLES (known as KING 3 or KING III) is still (in my opinion) the most advanced and useful of the world’s corporate governance codes. I’m a particular admirer of the fact that the King Committee included coverage of IT Governance in the Code, identified frameworks such as CobiT and the international standard ISO/IEC 38500 as providing useful starting points, and set out seven specific IT governance principles for company directors to follow.
I obviously agree with the King Committee that there is no ‘one size suits all’ approach to IT governance, and that every organisation has to develop its own approach to the subject, extracting those elements that will be useful to it from the existing frameworks and standards. That, after all, is one of the driving thoughts behind the Calder-Moir framework - that, and the belief that one should be able to intelligently draw simultaneously on more than one framework. I’ve been particularly encouraged by the number of South African companies that have turned to our IT Governance Framework Toolkit to help them implement IT governance in their organisations.
Tags: Calder-Moir, CobiT, ISO38500, IT Governance
Posted in Business and the Economy, Compliance, IT Governance, IT Security
Tuesday, May 25th, 2010
This interesting article explains why old-fashioned crime – robbing a bank, say – has now gone online. It’s quicker, easier, and safer for the criminal. That does mean that organisations have to take care to protect themselves against cyber-criminals – and the steps that can be taken range from the simple (see 10 Rules of Information Security for the Smaller Business) to the sophisticated (implementing a best-practice Information Security Management System based on ISO27001, for instance).
At the very least, anyone with corporate responsibilities should have a reasonable understanding of cybercrime – as well as of cyberterrorism and its close cousin, cyberwar. There is a wide range of issues that today fall under the heading of White Collar Crime, and which need attention. Your business is at risk – finding out about the risks is a good first step to taking appropriate action!
Tags: cybercrime, cyberterrorism, cyberwar
Posted in Data Protection, ISO 27001, IT Governance, IT Security, White Collar Crime
Wednesday, May 5th, 2010
The idea of applying the governance concept to the deployment and use of SharePoint within organisations does, at one level, seem odd: it seems a very detailed level at which to apply a concept that is fundamentally about how the board governs the use of ICT within the organisation.
Microsoft Office SharePoint Server (MOSS) is an immensely useful collaboration and information sharing tool for organisations, teams and workgroups. However, poorly governed SharePoint deployments can create significant holes in organisational information structures as well as exposing the organisation and its information to a wide range of risks.
Maximising value from your SharePoint deployment requires a joined-up approach that is aligned with the communication objectives and risk controls of the business - a governance approach. Microsoft introduced the idea of SharePoint governance with MOSS 2007 and has applied it to MOSS 2010 as well. The ITGP SharePoint Governance kit starts with the excellent Microsoft work and then goes substantially further, in terms of providing a practical and useful set of templates and tools that can integrate into any information security management system or IT Governance Framework.
Tags: iso27001, MOSS, SharePoint
Posted in Compliance, ISMS, ISO 27001, IT Governance, IT Security
Wednesday, April 28th, 2010
The ITG Social Media Governance toolkit helps organisations create an effective governance structure around their social media activities. Social media is, for many organisations, a critical part of how they speak to customers, partners and stakeholders; for others, social media are a dangerous distraction.
Dealing effectively with social media requires a joined-up approach that is aligned with the objectives and risk appetite of the business - a governance approach. I strongly believe that today’s organisations will serve themselves better by adopting social media within their corporate communications strategy, embracing the culture and distinctive attributes of social media and, through effective social media governance, ensuring that the risks are controlled – not simply avoided.
Tags: social media governance, web 2.0 governance
Posted in Business and the Economy, Compliance, Data Breaches, ISO 27001, IT Governance, IT Security
Monday, March 8th, 2010
Cloud computing has tremendous potential for organisations of all sizes; it also brings with it a specific set of risks, ranging from access management and business continuity through to data protection compliance. Cloud computing risk was very much on the agenda at this year’s RSA conference; we’ve also recently published a book which focuses very specifically on managing risk in the cloud. Titled ‘Above the Cloud: Managing Risk in the World of Cloud Computing’, it seems to be hitting the spot in terms of providing practical guidance to security and IT professionals about this particular area of risk. It is also available from our US site.
Tags: Cloud Computing, Risk in the Cloud
Posted in Business Continuity, Data Breaches, Data Protection, ISMS, ISO 27001, IT Governance, IT Security
Wednesday, March 3rd, 2010
The Data Protection Act (‘DPA’) in the UK is a cornerstone of IT and information-related legislation. It applies to all organisations that collect or hold information about living individuals. Most organisations would claim that they comply with the DPA. The reality is that many don’t – over 800 organisations have reported data breaches in just the last two years – and, as reporting data breaches is not a legal requirement, it is likely that there have been many more breaches similar to those described here, but which have been ‘swept under the carpet.’
The Information Commissioner (ICO) will, from 6 April 2010, have the power to levy fines of up to £500k for serious breaches of the DPA. Which organisations will suffer the first fines?
For all organisations, the choice is clear and straightforward: continue with shoddy data protection practices and face potentially significant financial penalties, plus the widespread press coverage that will attend such a fine, or take steps to improve those practices. There is, in fact, a good business case to make for doing exactly that. The ICO has just published The Privacy Dividend, which describes how to make the business case for the necessary investment and even includes – for free – all the documentation that an organisation might use as part of that business case.
Penalty or dividend?
It shouldn’t be a hard choice, should it?
Tags: Data Breaches, data protection act, dpa, personal data
Posted in Business and the Economy, Compliance, Data Breaches, Data Protection, ISO 27001, ISO 27002 (ISO 17999), IT Governance, IT Security
Monday, July 13th, 2009
Some UK acquiring banks have a determined campaign in place right now to get all level 2, 3 and 4 merchants to PCI DSS compliance by October. Larger merchants should all now be compliant, which means that hackers and fraudsters will logically turn their attention to smaller companies that may still be vulnerable. So, while PCI compliance for smaller businesses will certainly create a resources challenge for them, it is one to which they are simply going to have to rise – or face fines and penalties from the payment brands.
In Nevada, PCI compliance for all merchants who accept a Nevadan citizen’s payment card has now been made law with effect from 2010 – this is a major step forward in terms of bringing this compliance regime onto a statutory footing, and we should expect to see the process gather pace.
Posted in Compliance, Data Breaches, IT Governance, IT Security, PCI DSS
Wednesday, June 3rd, 2009
One of the key problems faced by organisations that want to comply with the Data Protection Act is that the DPA doesn’t contain any detailed guidance on compliance – in essence, it is just a set of 8 principles. And the worst principle from a compliance perspective is Principle 7, which requires organisations to make appropriate technical and administrative arrangements to protect personal information. What is appropriate? And how would you prove it? For some years, ISO/IEC 27001 certification has been the most effective way of demonstrating DPA compliance, but the read-across between the two standards is not that precise.
BS10012 (Data Protection: Specification for a Personal Information Management System), on the other hand, is a standard that is specifically written to meet DPA compliance needs. It is written as a specification (in other words, audits can be conducted against the standard and there is talk of a certification scheme) and it deals specifically and completely with the requirements of the DPA. It has just been published and every organisation that has personal information to protect should:
- Buy a copy, and compare actual practices with those described in the standard, and
- Consider improving actual practices so that they conform to those described in the standard.
Here’s a link where you can get your own copy: http://www.itgovernance.co.uk/products/2542
Tags: bs10012, dpa
Posted in Compliance, Data Breaches, Data Protection, ISO 27001, IT Governance, IT Security
Friday, May 22nd, 2009
I made a presentation, earlier this week, at the BSI conference on IT Governance, which was held at the CBI conference centre at Centre Point in London. (I also chaired the conference.) My presentation is available for download from our main website.
Tags: ISO 38500
Posted in IT Governance