Archive for the ‘Mobile Devices’ Category

What to do about UK data breaches?

Thursday, November 24th, 2011

Another day, another (damning) survey.

A recent report from Big Brother Watch “uncovered more than 1000 incidents across 132 local authorities, including at least 35 councils who have lost information about children and those in care.
Highly confidential information has been treated without the proper care and respect it deserves. At least 244 laptops and portable computers were lost, while a minimum of 98 memory sticks and more than 93 mobile devices went missing.
Yet of the 1035 incidents, local authorities reported that just 55 were reported to the Information Commissioner’s Office. Perhaps more concerning, just 9 incidents resulted in termination of employment.”

This survey is just the latest in a long series of reports and news releases that all point at the same three inadequacies: 

The list goes on – as I identified yesterday, nearly 50% of breaches reported to the ICO relate to lost, unencrypted laptops or USB sticks. And it appears that the number of (so far) unreported losses may exceed those reported.

And the position on encrypting laptops and USB sticks is clear. According to the ICO’s Acting Head of Enforcement, Sally Anne Poole:

“The ICO’s guidance is clear: all personal information – the loss of which is liable to cause individuals damage and distress – must be encrypted. This is one of the most basic security measures and is not expensive to put in place – yet we continue to see incidents being reported to us. This type of breach is inexcusable and is putting people’s personal information at risk unnecessarily.”

There are three things that every organisation must do as a matter of course:

  1. Ensure that all laptops – or at least all laptops that might at some point contain personal information – have boot-level, FIPS 140-2 encryption software installed;
  2. Ensure that all USB sticks that come onto corporate premises, or which are used by staff and contractors, are also encrypted to FIPS 140-2;
  3. Ensure that all staff – managers as well as front line staff – have adequate training and awareness around their responsibilities for protecting personal data.

Any organisation can do these three things. It isn’t hard.

My own company has tried to make it easy for our customers. We’ve provided specific DPA classroom training as well as a comprehensive DPA Compliance Documentation Toolkit for some years.

We’ve now gone a step further, and identified appropriate laptop encryption software, as well as appropriate CESG-approved encrypted USB sticks, and we’re supplying both – in single units or in bulk – directly from our UK website and service centre. We’ve also developed a unique DPA e-Learning Staff Awareness course that can be deployed across the largest organisation and which will ensure (with necessary evidence) that staff have received the core awareness training they need.

Analysis of Information Commissioner Cases

Tuesday, November 22nd, 2011

We carried out an analysis of the data breach cases which led to the UK’s Information Commissioner extracting an undertaking from the organisation concerned. Over the last 18 months (May 2010 – mid-November 2011), this is the breakdown of 85 cases:

Incident type                                                            No. cases      %
Lost / stolen unencrypted laptop                                             16      18.8%
Lost / stolen unencrypted USB (20), CD (1), camcorder (1)                    22      25.9%
Lost / binned / theft / exposure of paper records                            24      28.2%
Data exposed on website / emailed or faxed to unauthorised individuals       16      18.8%
Unsecure / incorrect / exposure of electronic data storage                    7       8.3%

The largest category of data breaches is to do with paper records, not with digital data. Many people don’t seem to realise that the DPA also applies to paper records. More than that, it is harder for organisations to impose technical security controls on paper documents. This gap can only be filled by training. In today’s climate, the most cost-effective way to train people is DPA Staff Awareness eLearning - this ensures that all staff get a consistent message, tests staff understanding of the key concepts, retains records of completion of training and testing, and enables the employer to systematically train everyone at a low individual cost.

Nearly 50% of the cases are due to an absence of encryption – either of a laptop or of a USB stick. Failure to require staff to use encrypted USB sticks (SafeSticks) is, bluntly, reckless.

The breakdown of organisations concerned is also interesting:

Offender                        No. cases      %
Lawyers                              4       4.7%
Schools                             11      12.9%
Councils                            18      21.2%
Social services                      4       4.7%
Hospitals / NHS trusts              29      34.1%
Commercial organisations            10      11.8%
Police                               3       3.5%
Government                           6       7.1%

Public sector                               88.2%
Private sector                              11.8%

I’m convinced that the only reason the private sector does so well in these statistics is the anomaly that the public sector is required to report data breaches, but the private sector is not (yet). This may change a bit with the new PECR requirement on ISPs to report data breaches but, until the appearance of a broader pan-European data breach reporting requirement, I would expect this reporting imbalance to continue.

The private sector is, however, subject to potentially hefty financial penalties – from the ICO and from individual regulatory bodies, such as the FSA. More importantly, breached private sector organisations are subject to those most severe of business penalties – reputation destruction and customer desertion. The sensible private sector organisation will be taking steps, now that ISO27035 has been published, to ensure that its incident management and security breach reporting capabilities are up to scratch.

Encrypt sensitive email – or be fined!

Friday, June 10th, 2011

Surrey County Council’s recent £120k fine from the Information Commissioner was for failing, on three separate occasions, to assess and address the security risks of sending sensitive personal information by email. In each case, highly sensitive information ended up in the wrong hands by mistake – and the fine wasn’t for the mistake, it was for failing to realise that sometimes emails are mis-directed and for not taking appropriate steps to control the risks.

And that’s one of the important points about the Data Protection Act – it expects organisations to assess risks to personal information, and then to take appropriate administrative, technical and organisational steps to control the identified risks. In the case of sending sensitive information by email, it should by now be self-evident that mistakes sometimes happen and that applying encryption to such emails, as a standard, should be as much a default information security control as applying encryption to laptops and mobile media and USB Sticks.

Social Media & IT Governance

Monday, April 11th, 2011

“‘IT departments make the mistake of ignoring social media at one extreme or banning it at the other, when what they really need is a risk based strategy’, says Gartner research director Julie Short.”

She is of course correct. I’ve been arguing, since the appearance of Instant Messenger as a killer social media application, that it’s a mistake for IT departments to simply lock down or prohibit the use of new media and communications channels in the enterprise.

There are three reasons for this.

The first is that stopping people using applications which they already know will make communication quicker, easier, more dynamic and more effective makes IT departments appear Luddite - which is not exactly in line with what one might expect from that part of the business which is in charge of technology-based competitiveness.

The second is that good people will mostly tend to go and work for organisations that use technologies that they know about, rather than being forced to operate with outdated tools. And those organisations that limit themselves to recruiting from amongst the less ambitious will tend, over time, to be destroyed by those who are more future-orientated.

The third, of course, is that we live and work in a fast-moving Internet world; organisations that prohibit or over-control use of social media technologies are cutting themselves out of competition and, eventually, out of business.

I recognise that there are risks – to the confidentiality, integrity and availability of information – in the unbridled use of new social media within an enterprise. A risk-based strategy involves identifying specific risks, adopting appropriate policies, selecting and enforcing relevant controls, and reviewing and monitoring activity. We made all of these tools available in our Social Media Governance Toolkit, on the basis that what most organisations want today is to deploy the controls and get on with exploiting the social media channel, rather than having to re-invent the social media policy wheel.

Social Media Governance

Friday, April 1st, 2011

Gartner says that “IT & business leaders must face the fact that social collaboration is already a reality.” I agree. As a company, we have been working with social media in its varying, evolving forms for a number of years. This blog, for instance, has been in existence for five or six years – it’s never been a blog-a-day blog, but I’ve been writing about issues in and around information security and IT Governance irregularly for a long time. We published a Web 2.0 Best Practice Report in July 2008 and coined the phrase ‘Threat 2.0’ to describe the combination of threats to confidentiality, integrity and availability of data posed by the explosion in social media.

As a company, we’ve been producing the IT Governance blog for a couple of years, have a twitter feed (which we’ve just made the default way of ensuring that everyone inside the company is able to stay on top of our own news and developments), an IT Governance on Facebook page and a large number of topic-related IT Governance LinkedIn groups, all sitting under a single IT Governance profile.

We’ve grappled with social media for many years, from the early excitement of each of the ‘next big things’ through to the period of mainstream adoption, where issues like employee accountability, corporate resilience, privacy, compliance, confidentiality, data integrity and archiving are being taken increasingly seriously by business, IT and compliance leaders in organisations large and small across the world.

Our Social Media Governance Toolkit was developed out of a combination of our own experience, research and identification of existing good practice across the Internet. It continues to be informed by both internal and external feedback from actual use and we continue to make upgrades available to customers who have already purchased their own copy. For instance, we will shortly be sending out a LinkedIn Group Policy template, reflecting our own experience with the need to ensure that LinkedIn Groups continue to be useful forums for exchanging information in a reasonably informal (but unspammed) environment.

We hope, as increasing numbers of organisations deploy our Social Media Governance Toolkit (or similar policies and practices), that we will between us keep the ‘free interchange’ aspect of the Internet working effectively.

Local Councillors Must Comply with DPA

Wednesday, January 26th, 2011

According to an article published today, local councillors must register with the ICO if they process personal data in their constituency offices. Apparently 6,000 are already registered and another 13,000 could and should. Of course, registration with the ICO is just the start – once registered, they also have to comply with the DPA. Compliance is relatively straightforward – the problem is that most organisations, particularly smaller ones, leave compliance until after they’ve been breached and then have to deal with all the sad repercussions of negative press coverage and distressed constituents. The penalties for compliance failures are potentially very significant.

To encrypt or not to encrypt?

Friday, October 1st, 2010

For the Forth Valley NHS Board, the answer is now a resounding ‘Yes’. Of course, it should have been a ‘Yes’ before there was a data breach, and before sensitive patient details were put at risk. However, the Board has now recognised (and has formally committed to ensure) that the only USB sticks available for use by Board staff should be issued by the Board, and that these USB sticks should all be encrypted.

It is, in today’s world of portable media, a basic security step. ISO27001 control A.10.7.1 specifically deals with management of removable media and any organisation implementing this control must (amongst other things) use encrypted memory sticks – which can be purchased with USB-resident encryption, so that they are simple to deploy and use in the workplace.

eBook Readers – the Kindle

Wednesday, July 28th, 2010

I’ve recently added both a Kindle and an iPad to my collection of eBook readers. I’ve been using the Sony eBook reader since 2009 and thought it would be useful to compare the leading products as this area of hardware hots up. All eBook readers can carry more eBooks than you are likely to want to read in a month, and all eBook readers substantially reduce the effort required to carry today’s massive tomes around.

The Kindle, from Amazon, has two major strengths and a couple of significant weaknesses. The most impressive aspect is the Whispernet technology – the worldwide roaming 3G application which lets you search Amazon.com directly from the Kindle, and with one click to select, purchase and download books directly to the eBook reader. This is a brilliant innovation. The fact that browsing speeds are, relatively speaking, quite slow (3G doesn’t match most broadband connections for speed) and that searching for books isn’t as simple as doing it through a web browser are minor drawbacks in comparison to the overall facility of direct purchase and download.

The other big advantage is its size – you get a large screen, which means that you get more text on the screen in front of you than with the Sony Pocket. More text means fewer page turns, which means fewer clicks on the neatly placed ‘next page’ button. Size, though, is the first big drawback of the Kindle - unlike a book, the Kindle is not something that you can drop into a pocket, or a beach bag – it’s a chunky item, very slightly smaller than A4 in size and quite heavy. Of course, it’s a bit neater than today’s 500+ page book, but that doesn’t make it easy to cart about.

The second big limitation is that you are, effectively, limited to reading books available from Amazon. While it appears to be technically possible to transfer other eBooks and pdfs to the Kindle, it’s not a simple process and is one which still eludes me. The eBook selection on Amazon.com isn’t that great, to be frank – and far more useful selections of popular eBooks are available from retailers like Waterstones – but, of course, you can’t download a Waterstone’s eBook to your Kindle reader.

The Kindle is, in effect, a tool for buying and reading eBooks that are sold by Amazon.com. It is designed so that you can’t use it to buy eBooks from Amazon’s competitors. If Amazon was giving it away for free, as a device to encourage you to purchase eBooks from Amazon, there would be a justification for getting one – but it is a relatively expensive and very limited product. On this basis, the Kindle simply doesn’t compete with alternatives like the Sony eBook Reader - which is not only lightweight and pocket-sized, but with which you can purchase eBooks from any retailer or publisher, download and read them, and with which you can also read pdfs and other electronic documents from almost any source. As a practical, workaday tool, I would take the Sony eBook reader over the Kindle any day!

I’ve just taken delivery of an iPad, so will be talking about that in due course.

Mobile Security Governance?

Friday, May 15th, 2009

While I’m probably more interested in governance than the average person, I do sometimes worry that contextualising information and compliance challenges as governance issues can delay organisations from taking the obvious, common-sense action.

This intelligent article on mobile security governance, for instance, identifies all the steps that organisations should take in considering risks to data posed by the mobile network. See how far you have to read through it before you find guidance to apply encryption to key mobile devices - all laptops and any USB sticks or PDAs that carry sensitive information. The sensible approach is to first apply encryption, which deals with the largest number of mobile device-related risks while keeping you within regulatory requirements, and then to stop and consider what other risks might need mitigation.

You don’t want to have to tell 1,000s or millions of customers or members of staff why someone leaving a laptop at the bus stop has exposed all their personal details to fraud and identity theft. Explaining that you were considering the range of risks before deciding what action to take is likely to elicit the same sort of response as a UK MP explaining that their inappropriate expense claims were ‘within the rules’.

Will a data breach harm your brand image?

Wednesday, October 1st, 2008

Virgin is a strong brand, so a welter of stories describing Virgin Media’s breach of the Data Protection Act, when it lost an unencrypted disc containing the details of some 3,000 customers, would not have been part of the PR strategy. As a result of a simple management failure – not requiring the encryption of all portable media that contain personal data – it now finds its name and brand logo alongside statements that Virgin Media has been guilty, ‘scolded’, ‘reprimanded’, ‘slammed’ and ‘rapped’ for inadequately protecting its customers’ data. Not a pretty outcome!

There is a simple way to avoid this sort of damage - encrypt all portable media! We wrote about this in our Data Breaches Report 2008 and, after the HMRC fiasco, one would have thought that all organisations would, at least, have carried out the encryption part of our recommendations.