<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments for Alan Calder on IT Governance, information security &amp; ISO 27001</title>
	<atom:link href="http://www.alancalderitgovernanceblog.com/comments/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.alancalderitgovernanceblog.com</link>
	<description>Alan Calder, author of "IT Governance: a Manager's Guide to Information Security and ISO27001/ISO27002", talks about current governance and information security issues.</description>
	<pubDate>Thu, 11 Mar 2010 06:11:07 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.2</generator>
		<item>
		<title>Comment on Prison for DPA breaches by Mike Stephenson</title>
		<link>http://www.alancalderitgovernanceblog.com/2009/09/prison-for-dpa-breaches/#comment-4298</link>
		<dc:creator>Mike Stephenson</dc:creator>
		<pubDate>Wed, 06 Jan 2010 13:27:29 +0000</pubDate>
		<guid isPermaLink="false">http://www.alancalderitgovernanceblog.com/?p=632#comment-4298</guid>
		<description>I think both the previous comments have a point and I have expanded my view on this issue on my own blog at http://stemi08.wordpress.com/</description>
		<content:encoded><![CDATA[<p>I think both the previous comments have a point and I have expanded my view on this issue on my own blog at <a href="http://stemi08.wordpress.com/" rel="nofollow">http://stemi08.wordpress.com/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on The US Corporate Governance Model is Broken by Colin</title>
		<link>http://www.alancalderitgovernanceblog.com/2008/12/the-us-corporate-governance-model-is-broken/#comment-4177</link>
		<dc:creator>Colin</dc:creator>
		<pubDate>Sat, 26 Dec 2009 05:31:04 +0000</pubDate>
		<guid isPermaLink="false">http://www.alancalderitgovernanceblog.com/?p=599#comment-4177</guid>
		<description>Alan - Do you have any empirical evidence to show that UK companies are better managed than US companies? If so, do you have any empirical evidence to show that the reforms you suggest - separating the Chair from the CEO position and adopting the UK model - would actually meaningfully change governance at US companies? I've seen some interesting articles from Harvard Business which might suggest otherwise. 

http://hbr.org/product/building-the-best-boards-hbr-article-collection/an/6948-PDF-ENG</description>
		<content:encoded><![CDATA[<p>Alan - Do you have any empirical evidence to show that UK companies are better managed than US companies? If so, do you have any empirical evidence to show that the reforms you suggest - separating the Chair from the CEO position and adopting the UK model - would actually meaningfully change governance at US companies? I&#8217;ve seen some interesting articles from Harvard Business which might suggest otherwise. </p>
<p><a href="http://hbr.org/product/building-the-best-boards-hbr-article-collection/an/6948-PDF-ENG" rel="nofollow">http://hbr.org/product/building-the-best-boards-hbr-article-collection/an/6948-PDF-ENG</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Prison for DPA breaches by An Information Manager</title>
		<link>http://www.alancalderitgovernanceblog.com/2009/09/prison-for-dpa-breaches/#comment-4098</link>
		<dc:creator>An Information Manager</dc:creator>
		<pubDate>Thu, 17 Dec 2009 13:55:36 +0000</pubDate>
		<guid isPermaLink="false">http://www.alancalderitgovernanceblog.com/?p=632#comment-4098</guid>
		<description>I could not disagree more.

Information is created and disseminated by individuals, not their managers or directors. If the misuse of personal information is to be stopped we need to address the lack of knowledge and concern at the lowest levels in organisations. I have often experienced this.

What you are suggesting here is tantamount to the finance functions ignoring financial training and allowing staff to do what they wish with their companies' financial assets; and then blaming / jailing their FD for the fraud that ensues.

Sanctions against directors will help with only the grossest corporate breaches of the DPA. For real and lasting change, basic end-user training and consequences for individual breaches are what is really needed.</description>
		<content:encoded><![CDATA[<p>I could not disagree more.</p>
<p>Information is created and disseminated by individuals, not their managers or directors. If the misuse of personal information is to be stopped we need to address the lack of knowledge and concern at the lowest levels in organisations. I have often experienced this.</p>
<p>What you are suggesting here is tantamount to the finance functions ignoring financial training and allowing staff to do what they wish with their companies&#8217; financial assets; and then blaming / jailing their FD for the fraud that ensues.</p>
<p>Sanctions against directors will help with only the grossest corporate breaches of the DPA. For real and lasting change, basic end-user training and consequences for individual breaches are what is really needed.</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on IT Standards for the Rest of Us by Overwhelming IT Frameworks &#171; Managing IT Risk</title>
		<link>http://www.alancalderitgovernanceblog.com/2009/06/it-standards-for-the-rest-of-us/#comment-3917</link>
		<dc:creator>Overwhelming IT Frameworks &#171; Managing IT Risk</dc:creator>
		<pubDate>Mon, 26 Oct 2009 21:20:32 +0000</pubDate>
		<guid isPermaLink="false">http://www.alancalderitgovernanceblog.com/?p=622#comment-3917</guid>
		<description>[...] controls need to be scaled to the actual risk and value which they deliver in your organization.  Alan Calder also points this out in one of his posts and reinforces the idea with the concept that some risks [...]</description>
		<content:encoded><![CDATA[<p>[...] controls need to be scaled to the actual risk and value which they deliver in your organization.  Alan Calder also points this out in one of his posts and reinforces the idea with the concept that some risks [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on PCI DSS Gathering Momentum&#8230;. by Graham Perry</title>
		<link>http://www.alancalderitgovernanceblog.com/2009/07/pci-dss-gathering-momentum/#comment-3826</link>
		<dc:creator>Graham Perry</dc:creator>
		<pubDate>Sun, 04 Oct 2009 17:56:16 +0000</pubDate>
		<guid isPermaLink="false">http://www.alancalderitgovernanceblog.com/?p=626#comment-3826</guid>
		<description>Is it not still the case that many UK retailers are still not PCI compliant despite the several deadlines?

As far as I am aware no fines have been imposed in the UK, so I assume that retailers are only doing the minimum, particularly given the current state of the economy.</description>
		<content:encoded><![CDATA[<p>Is it not still the case that many UK retailers are still not PCI compliant despite the several deadlines?</p>
<p>As far as I am aware no fines have been imposed in the UK, so I assume that retailers are only doing the minimum, particularly given the current state of the economy.</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Prison for DPA breaches by Patrick Innes</title>
		<link>http://www.alancalderitgovernanceblog.com/2009/09/prison-for-dpa-breaches/#comment-3785</link>
		<dc:creator>Patrick Innes</dc:creator>
		<pubDate>Tue, 29 Sep 2009 08:29:21 +0000</pubDate>
		<guid isPermaLink="false">http://www.alancalderitgovernanceblog.com/?p=632#comment-3785</guid>
		<description>Thank you, Alan, for stressing and pressing that the imposition of stricter sanctions against very senior manangement, especially of major corporations (for they, after all, are the ultimate data controllers), for reckless management of personal data.  

When I was part of the UK Data Protection Forum, during the early days of the UK's 1984 DP Act, I felt, and stated vociferously, that trading in personal data should be a criminal offence. If that was not to be the case, I campaigned for an opt-in data collection process because that would mean only a 2% collection rate, rather than the 98% that does happen. The minuscule 'opt-out' box and its associated barely-readable (especially for those with poor eyesight) text do not lead to fair collection in my view.

I certainly hope your influence can have the results we would like to see.  It would be wonderful if the sphincters of the leaders of British industry were tightened by the threat of stricter application of our DP legislation.</description>
		<content:encoded><![CDATA[<p>Thank you, Alan, for stressing and pressing that the imposition of stricter sanctions against very senior manangement, especially of major corporations (for they, after all, are the ultimate data controllers), for reckless management of personal data.  </p>
<p>When I was part of the UK Data Protection Forum, during the early days of the UK&#8217;s 1984 DP Act, I felt, and stated vociferously, that trading in personal data should be a criminal offence. If that was not to be the case, I campaigned for an opt-in data collection process because that would mean only a 2% collection rate, rather than the 98% that does happen. The minuscule &#8216;opt-out&#8217; box and its associated barely-readable (especially for those with poor eyesight) text do not lead to fair collection in my view.</p>
<p>I certainly hope your influence can have the results we would like to see.  It would be wonderful if the sphincters of the leaders of British industry were tightened by the threat of stricter application of our DP legislation.</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on The US Corporate Governance Model is Broken by David Whelbourn</title>
		<link>http://www.alancalderitgovernanceblog.com/2008/12/the-us-corporate-governance-model-is-broken/#comment-3032</link>
		<dc:creator>David Whelbourn</dc:creator>
		<pubDate>Thu, 12 Feb 2009 15:41:45 +0000</pubDate>
		<guid isPermaLink="false">http://www.alancalderitgovernanceblog.com/?p=599#comment-3032</guid>
		<description>Hmmm At least the US parliament has a discussion on bailing out companies. It seems to me that the UK government just decides to bail out the banks without any discussion on the matter. Our governance certainly struggled around the banking system so it is far from perfect.</description>
		<content:encoded><![CDATA[<p>Hmmm At least the US parliament has a discussion on bailing out companies. It seems to me that the UK government just decides to bail out the banks without any discussion on the matter. Our governance certainly struggled around the banking system so it is far from perfect.</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Governance, risk management and compliance in 2009 by Hugh</title>
		<link>http://www.alancalderitgovernanceblog.com/2009/01/governance-risk-management-and-compliance-in-2009/#comment-2961</link>
		<dc:creator>Hugh</dc:creator>
		<pubDate>Sun, 01 Feb 2009 06:20:36 +0000</pubDate>
		<guid isPermaLink="false">http://www.alancalderitgovernanceblog.com/?p=607#comment-2961</guid>
		<description>To become a successful business in today's market, optimized information security controls may be the panacea for unmet security needs. To survive, it's pretty clear that organizations have to be a bit more vigilant in 2009 as far as security risk management is concerned.</description>
		<content:encoded><![CDATA[<p>To become a successful business in today&#8217;s market, optimized information security controls may be the panacea for unmet security needs. To survive, it&#8217;s pretty clear that organizations have to be a bit more vigilant in 2009 as far as security risk management is concerned.</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on The US Corporate Governance Model is Broken by Phillip Sparks</title>
		<link>http://www.alancalderitgovernanceblog.com/2008/12/the-us-corporate-governance-model-is-broken/#comment-323</link>
		<dc:creator>Phillip Sparks</dc:creator>
		<pubDate>Wed, 07 Jan 2009 17:11:14 +0000</pubDate>
		<guid isPermaLink="false">http://www.alancalderitgovernanceblog.com/?p=599#comment-323</guid>
		<description>Well spoken, Alan. I have been interested in the differences between the US and UK in the governance and risk management requirements for companies listed on different stock exchanges in the US, UK and Middle East, and this posting has triggered my desire to investigate it in more depth. Thanks, Phillip</description>
		<content:encoded><![CDATA[<p>Well spoken, Alan. I have been interested in the differences between the US and UK in the governance and risk management requirements for companies listed on different stock exchanges in the US, UK and Middle East, and this posting has triggered my desire to investigate it in more depth. Thanks, Phillip</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Governance, risk management and compliance in 2009 by Sue Massey</title>
		<link>http://www.alancalderitgovernanceblog.com/2009/01/governance-risk-management-and-compliance-in-2009/#comment-310</link>
		<dc:creator>Sue Massey</dc:creator>
		<pubDate>Fri, 02 Jan 2009 14:30:49 +0000</pubDate>
		<guid isPermaLink="false">http://www.alancalderitgovernanceblog.com/?p=607#comment-310</guid>
		<description>Nice writing style. I look forward to reading more in the future.</description>
		<content:encoded><![CDATA[<p>Nice writing style. I look forward to reading more in the future.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
