Alan Calder on IT Governance, information security & ISO 27001

Apparently, we’re today kicking off the UK National Identity Fraud Prevention Week – and research for RSA reveals wide-spread disbelief (as in, 90% of Britons) that their personal data are safe with banks and retailers, and half the people think that not enough is done to protect these personal details.

That’s better than I thought! Let me explain: in today’s insecure world, everyone has to be concerned about his or her own personal data – this is a critical personal asset that needs safeguarding. And, for far too long, people have simply not been adequately concerned about this issue. Clearly, this is changing – let’s hope that, as more people learn about the poor care exercised by data controllers in the UK, they get better at insisting that adequate steps are taken - and voting with their feet where they are dissatisfied with the standard of care. 

From an organisational point of view, of course, it’s not hard to respond to the findings of this research – take adequate steps, today, to comply with the Data Protection Act in the UK, or whatever data protection legislation applies in your business jurisdiction. If you accept payment cards, PCI DSS compliance should be a given. And, for every organisation, ISO27001 is the best practice standard for securing information – and this week would be a good week to get started on an ISO27001 project!

The UK Government’s Information Commissioner has now joined the call for people to be wary of identity fraudsters when using social networking sites. In a press release issued today (’4.5 million young Brits’ futures could be compromised by their electronic footprint’), the Office of the Commissioner calls for young people to follow its six top tips for being safer online.

Of course, this applies to adults as well as children. Identify theft – the fastest growing area of e-crime – and social networking sites are a honey pot of relevant and useful information to support identity theft. Companies have a responsibility to ensure that their IT resources are used safely and legally; I’m fascinated that some managements might encourage their staff to get involved in social networking sites, with all their attendant risks. (For example, Reuters’ CEO Tom Glocer records his enthusiasm for social networking on his own blog.) They’ve obviously not heard of ISO27001 – they could do with some exposure to proper information security management!

The Security View blog is running a poll on how companies are treating access to social networking sites – it will be interesting to see what the feedback is.