Posts Tagged ‘data security’

Take Data Protection Seriously, Please

Thursday, February 26th, 2009

I did a presentation earlier this week at NITES, in Ireland.  My topic was data protection and governance. I took the opportunity to make a number of linked points:

  1. We already have data protection legislation in the EU and US;
  2. These regulations don’t have any real teeth;
  3. Most company boards – particularly in the financial sector – and public sector managements simply don’t care about data security – there are no rewards for doing a good job and no meaningful penalties for failure;
  4. The Health and Safety Executive in the UK has a budget and staffing levels about 20 times higher than does the Information Commissioner, as well as powers to inspect and fine, so it’s hardly surprising that health and safety regulation shows progress and data protection doesn’t (remember, too, that our ICO’s tiny budget, the majority of which is provided by company registration fees, has to cover DPA compliance as well as FOI and Environmental Regulation compliance!);
  5. We care more about people using mobile phones while driving than we do about companies losing thousands/millions of sensitive personal records – we jail people for sending text messages while driving but do nothing about company directors whose reckless disregard of data protection regulations endangers the financial future of vast numbers of ordinary consumers;
  6. It’s time for data security to be given proper emphasis – by which I mean custodial sentences for CEOs and senior civil servants whose organisations recklessly disregard the DPA – with ‘reckless disregard’ having characteristics like unencrypted laptops or USB sticks and failure to conform to BS10012 (when it is finalised and launched);
  7. We also need a pan-European data breach directive, that requires companies who fail to protect personal data to meet in full the costs of restitution for those affected as well as paying substantial financial penalties (and, possibly, jail time for directors – see my earlier point).
  8. It’s time for us, the consumers whose personal data is so regularly abused, to start demanding – through all the channels open to us – that our elected representatives start taking this subject seriously and enact legislation that will actually have teeth, and commit the level of financial support that will enable those teeth to bite.

You are welcome to download a copy of my NITES presentation: nites-feb-09.

How do customers know which suppliers are compliant with the PCI DSS? And shouldn’t they be told?

Thursday, August 7th, 2008

Lots of organisations think they don’t need to worry about theft of credit card data. I don’t know why. Payment card data theft is now big business – the level of professionalism available in this industry includes the development of bespoke software supported by an extremely efficient helpdesk and you don’t usually get this level of specialization until the industry is starting to mature.

Apart from the interesting fact that darkside helpdesks appear to be more efficient than many over on this side, you have to wonder why every organisation that accepts payment card data isn’t already at least PCI DSS compliant? Why hasn’t the PCI Security Council already come up with some form of ‘PCI DSS Compliant’ badge and certification scheme so that paying customers can concentrate all their business on the websites and businesses of those organisations that have actually bothered to do what it takes to protect their card holder data?

MOD Laptop ‘anomalies’ = systemic failure

Tuesday, July 29th, 2008

Search Security published this, on 29 July 2008:

Last week, the MoD was forced, in an answer to a parliamentary question, to admit that during the last four years, 658 of its laptops were stolen, and another 89 lost. Only 32 of the devices have been recovered. In addition, 121 USB memory sticks have been taken or misplaced since 2004, with 26 of the losses happening this year, including three that contained information classified as “secret” and 19 that were “restricted”.

What makes the news even more depressing is that earlier estimates of losses had put the scale of the problem much lower (at 347 laptops stolen between 2004 and 2007). Defence Secretary Des Browne explained that there had been “anomalies” in the earlier reporting process.

Of course, any organisation that can undercount the number of lost laptops over a three-year period by about 50% doesn’t actually have a functioning system for accounting for its laptops. A functioning system, in an organisation like the MOD, might have components like:

* Loss of any laptop treated as an information security incident;
* Centralised collation of reports of lost laptops;
* Regular physical checks on the continued existence and status of all laptops;
* Automated monthly online updates of all laptops that ensure that laptops are not running illegitimate software, that all anti-malware software is up to date, and so on – and, of course, that the laptop is still active and authenticating correctly;
* Any failures in any of these checks should be reconciled with the physical check and the incident reports.
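One way to implement the reconciliation step the list ends with, as an added example that is not from the original post: the asset tags, dates and the 45-day check-in tolerance are constructed, and the four record sets stand in for the central register, the monthly online check-ins, the physical audit and the incident log.

```python
from datetime import date, timedelta

# Constructed sample data: asset tags, dates and tolerance are invented.
INVENTORY = {"LT-0001", "LT-0002", "LT-0003", "LT-0004", "LT-0005", "LT-0006"}
LAST_CHECKIN = {                   # most recent successful online check-in
    "LT-0001": date(2008, 7, 15),
    "LT-0002": date(2008, 7, 20),
    "LT-0003": date(2008, 2, 3),   # silent for months, never reported
    "LT-0005": date(2008, 7, 22),  # still authenticating despite a loss report
}
PHYSICAL_AUDIT = {"LT-0001", "LT-0002", "LT-0006"}   # sighted by the auditor
INCIDENTS = {"LT-0004", "LT-0005"}                   # reported lost or stolen
AUDIT_DATE = date(2008, 7, 29)
MAX_SILENCE = timedelta(days=45)   # one missed monthly check-in is tolerated

def classify(tag, last_checkin, audit, incidents, today, max_silence):
    """Reconcile the sources for one asset and return a single status."""
    seen = last_checkin.get(tag)
    recent = seen is not None and today - seen <= max_silence
    sighted = tag in audit
    reported = tag in incidents
    if reported and (recent or sighted):
        # A 'lost' device that still authenticates or is physically present:
        # either a stale incident record or a device in the wrong hands.
        return "inconsistent"
    if reported:
        return "reported_lost"
    if sighted or recent:
        return "accounted"
    # Never reported, not sighted, not checking in: the undercounted case.
    return "unaccounted"

def reconcile(inventory, last_checkin, audit, incidents, today,
              max_silence=MAX_SILENCE):
    """Classify every asset in the register and tally the statuses."""
    status = {tag: classify(tag, last_checkin, audit, incidents, today, max_silence)
              for tag in sorted(inventory)}
    totals = {}
    for s in status.values():
        totals[s] = totals.get(s, 0) + 1
    return status, totals

if __name__ == "__main__":
    status, totals = reconcile(INVENTORY, LAST_CHECKIN, PHYSICAL_AUDIT,
                               INCIDENTS, AUDIT_DATE)
    for tag, s in status.items():
        print(f"{tag}: {s}")
    # The incident log alone says two losses; reconciliation shows one confirmed
    # loss, one unaccounted device and one report that needs investigating.
    print("incident-reported:", len(INCIDENTS), "| by status:", totals)
```

Every "unaccounted" or "inconsistent" result is an incident to raise, not a number to quietly correct later; that is the difference between a count and the ‘anomalies’ the post describes.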

If the MOD had any of these systems in place, it would at least know how many laptops it had lost. As it doesn’t know this (those ‘anomalies’), one’s conclusion must be that it simply hasn’t put in place systems that are adequate to this task. And if it hasn’t bothered even to make sure that it knows where its laptops actually are, how can it really be sure that all of those lost laptops are encrypted and that none of them have been used in a way that would breach data protection law or the security of the realm?

And what makes anyone certain that the more recent figure is any more correct than the earlier underestimate? How does the MOD know that actual laptop losses aren’t running into the thousands?

Civil lawsuits start over lax data security approach

Tuesday, February 19th, 2008

The Realtime IT Compliance blog carried a significant post the other day – the first signs of US civil lawsuits against companies losing customer data.

In this case, it is a $54 million claim against Best Buy for losing a customer’s laptop, but watch this space for similar lawsuits for other forms of data loss and leakage – this is just the beginning.

Organisations taking a lax approach to data security are about to find out just how costly this can be for them. Such cases attract plenty of headlines, so sloppy businesses will have to start making much greater provisions for brand and reputational damage. We like to think that mature executive teams can be self-policing when it comes to looking after their customers, but too often it takes a potentially ruinous fine to focus their minds on the issue.

The alternative is to protect your customers and your own interests by adopting a best practice Information Security Management System. ISO27001 is the answer but remains an alien concept to many directors – perhaps a few courtroom pay days are just what we need.

Another wake-up call for the boardroom

Saturday, February 9th, 2008

For those boardrooms still slow to grasp the strategic importance of IT governance and information security, the BBC offers a nice simple graph to bring home the scale of the challenge. It comments:

“Reports vary but some estimates suggest there were five times as many variants of malicious programs in circulation in 2007 compared to 2006.”

Some are talking of 2008 as the year of ISO27001, something we have been loudly advocating for the past several years. With threats growing as they are, let us hope that many more companies finally hear the message.

The ICO needs to act

Tuesday, January 22nd, 2008

The private sector needs to take data privacy more seriously if it is to stop the Information Commissioner’s Office getting the power to audit their information security systems without warning. According to ComputerWeekly, this is the warning from James Alexander, technology security partner at management consulting firm Deloitte.

His comments followed Deloitte’s finding that only 54% of technology, media and telecommunications (TMT) firms will tell customers if their data privacy is breached.

Well, I take the contrary view here. What we NEED is for the ICO to take some action, because the voluntary approach doesn’t work – just look at how organizations in both the private and public sectors are dragging their feet over PCI DSS compliance! The privacy of individual data requires more stick.

As ample proof, one need only look to the latest cases of lost MoD laptops and Carphone Warehouse’s recent misdeeds.

I rest my case!

Information classification schemes

Tuesday, January 22nd, 2008

Also from ComputerWeekly, Chief Information Officers need to take a leading role in setting up formal information classification schemes to stop them over-engineering them to comply with security regulations, according to a report from the Information Security Forum.

Well, yes – classifying information correctly is a cornerstone of effective information security management. A simple scheme that assumes that the bulk of information should be available to all employees, with only specific types of information restricted on a need-to-know basis, is the most practical approach available. It’s all discussed at length in my book, International IT Governance.

Not really fair, is it?

Thursday, November 22nd, 2007

The UK government claimed that the person who burnt the HMRC child benefit database to a disc and mailed it to the National Audit Office (NAO) was a relatively junior civil servant who had breached rules and would be subject to disciplinary action.

If this is true, it’s hardly fair, is it?

After all, this person was just trying to be helpful – a previous set of discs had already gone missing and the NAO really wanted the data (actually, they only wanted some of the data, but HMRC thought it was easier just to send the lot) – and, apparently, ‘senior management’ authorised the despatch. There’s no evidence that HMRC provided the level of training that would ensure that everyone inside the organization understood their individual responsibilities in respect of personal data; conversely, there does appear to be evidence that HMRC is systemically failing to comply with the Data Protection Act (see details of an even more recent data breach) AND, in spite of delaying the publication of this news by over a month, still couldn’t even get their story straight.

It’s only right that the Chairman of HMRC should have resigned. That’s not enough – systemic failures of this sort go right to the top of the organization, to the politician accountable to Parliament for its performance. However, it’s not clear that the current Chancellor of the Exchequer should go (although, if he can’t get to grips with this fiasco, he’ll have to go anyway) – after all, it was his predecessor that presided over the creation of the shambles that is now the HMRC.

And the Prime Minister, who was responsible for the creation of the ‘modern’ HMRC, has promised to spend a lot of money with PricewaterhouseCoopers for proposals to ensure this sort of thing doesn’t happen again.

Well, it doesn’t take a multi-million pound contract to get the answer to this question! The three things that must be done are:

1. Require all UK public sector organizations to achieve ISO/IEC27001 – an independent, third party certificate that they have in place all the procedures – including staff training – necessary to secure such vital information;
2. Bring in a Data Breach Law requiring immediate notification of the breach, enabling criminal charges to be brought against organizations and, individually, top management, and providing for real compensation as a class for those affected by the breach;
3. Forget about the UK national ID card – it must be obvious to anyone by now that the risks associated with a database of this sort are just too great for HM Government to counter.

There – that saves the public purse a small fortune!

White collar crime and information security

Friday, June 1st, 2007

The increasing incidence and serious nature of internal threats to the security of corporate information is well demonstrated by the recent need for Cable & Wireless to injunct a former executive to hand a 100,00-strong customer database back to her former employer. While the former executive denies the allegation, the BBC has established that the database is being used illegally by Pakistan call centres.

An effective information security management system (i.e. an ISMS in line with ISO27001) would have identified this risk and guarded against it. Identifying, investigating and responding to this sort of white collar corporate crime will increasingly be part of the ISMS operation, which is why we have just added a selection of useful books on White Collar Crime and Computer Forensics to our website.

We expect more stories of this sort.

Staff training lags behind

Friday, May 25th, 2007

According to a new study of 500 IT and HR professionals, 45 percent of businesses fail to train staff in handling sensitive corporate data, and 46 percent have no plans to introduce such training. With Marks & Spencer providing the latest proof of how easily personal records can fall into the wrong hands, I can only hope that this survey is unrepresentative. At IT Governance, we stress at all times the vital importance of internal communications and training as vital weapons in safeguarding information assets. To think security can be achieved without this is self-deluding.