Posts Tagged ‘ISMS’
Tuesday, February 19th, 2008
The Realtime IT Compliance blog carried a significant post the other day – the first signs of US civil lawsuits against companies losing customer data.
In this case, it is a $54 million claim against Best Buy for losing a customer’s laptop, but watch this space for similar lawsuits for other forms of data loss and leakage – this is just the beginning.
Organisations taking a lax approach to data security are about to find out just how costly this can be. Such cases attract plenty of headlines, so sloppy businesses will have to start making much greater provision for brand and reputational damage. We like to think that mature executive teams can be self-policing when it comes to looking after their customers, but too often it takes a potentially ruinous fine or damages award to focus their minds on the issue.
The alternative is to protect your customers and your own interests by adopting a best practice Information Security Management System. ISO27001 is the answer but remains an alien concept to many directors – perhaps a few courtroom pay days are just what we need.
Tags: Compliance, data security, ISMS, ISO 27001, IT Governance
Posted in Compliance, Data Protection, ISO 27001, IT Governance, IT Security | No Comments »
Monday, June 4th, 2007
Businesses and organisations operating within the United States face particular challenges when it comes to regulatory demands. This is keenly felt in the area of information security, where it is necessary to satisfy a complex web of regulations. A single ISO 27001 ISMS goes a long way toward meeting many of these demands, and the US has seen rapidly building interest in the new standard. To meet the need for information on this topic we have just launched www.27001.com, a new website that is specifically tailored to the United States and provides a one-stop shop for all the key ISO27001/ISO17799 standards, books and tools currently available.
Through www.27001.com organisations can find out how an ISO27001 ISMS works with ISO17799 to help them meet their business needs for cost-effective information security, while at the same time meeting their information-related regulatory compliance objectives and preparing them for new and emerging regulations. US regulatory requirements currently addressed by the site include HIPAA, GLBA, SB 1386 and other State breach laws, PIPEDA, FISMA and EU Safe Harbor regulations.
We have aimed to make the site the Neiman Marcus of IT governance and security. It showcases the very best products and services currently available, including works by the most respected industry thinkers as well as uniquely focused products developed by us. Whether you need C-Suite guides to the regulatory landscape, or highly practical guides for project managers, it is all available in a single place.
Tags: FISMA, GLBA, HIPAA, ISMS, ISO 17799, ISO 27001, ISO 27001 Books, ISO 27001 Standards, ISO 27001 Tools, PIPEDA, SB 1386
Posted in Compliance, ISO 17799, ISO 27001, IT Security | No Comments »
Friday, June 1st, 2007
The increasing incidence and serious nature of internal threats to the security of corporate information is well demonstrated by the recent need for Cable & Wireless to obtain an injunction requiring a former executive to hand a 100,000-strong customer database back to her former employer. While the former executive denies the allegation, the BBC has established that the database is being used illegally by Pakistani call centres.
An effective information security management system (i.e. an ISMS in line with ISO27001) should have identified this risk and put controls in place against it. Identifying, investigating and responding to this sort of white collar corporate crime will increasingly be part of ISMS operation, which is why we have just added a selection of useful books on White Collar Crime and Computer Forensics to our website.
We expect more stories of this sort.
Tags: Cable & Wireless, Computer Forensics, Data Breaches, data security, ISMS, White Collar Crime
Posted in Data Breaches, ISMS, IT Security, White Collar Crime | No Comments »
Monday, March 26th, 2007
In his ComputerWeekly blog David Lacey gives welcome airtime to the need for ISO security certification to be the cornerstone of an enterprise security programme. With organisations like Camelot, Misys, Nokia, The Co-operative Bank, COLT, Serious Fraud Office and Halifax Bank of Scotland already certified in the UK, we are surely going to see a wave of others following suit.
David notes that “closing the loop”, as he puts it, is presently quite a manual and time-intensive process, and muses on what the future might bring for managing the compliance process. I am pleased to say that at the forthcoming Infosecurity Europe show we will announce at least part of the answer, in the shape of the world’s first automated ISO 27001 compliance management system, which we have developed jointly with Gael, the UK’s leader in compliance management technologies.
Many other, complementary systems will doubtless follow, which will be excellent news for all of us concerned about information security management. Not only will these further simplify the task of building a best practice ISMS, but, crucially, they should make it far easier to uphold compliance after certification.
Tags: compliance management, ISMS, ISO 27001
Posted in ISO 27001 | No Comments »
Thursday, March 22nd, 2007
One of the great virtues of an information security management system is that it helps steer you around the pitfalls of your own preconceptions. By having a rigorous process that reaches across the organisation and involves people at every level it becomes easier to spot vulnerabilities that you never knew were there. For example, Doug Schweitzer on ComputerWorld highlights that the modern office copier contains a hard drive that retains copies of the images it handles – how many people realise that? How many businesses have measures in place, such as wiping or physically destroying the drive before the machine leaves their control, to ensure that vital data doesn’t just walk off the premises when a copier is upgraded or returned at the end of a lease? When technology evolves so quickly a best practice ISMS is an absolute must.
Tags: BS 7799, Doug Schweitzer, ISMS, ISO 17799
Posted in ISO 17799, IT Security | No Comments »
Tuesday, March 20th, 2007
ZDNet reports that new research from IDC is predicting a sixfold increase in the amount of digital information created over the next four years, which could have serious implications for compliance and IT departments.
The report, entitled ‘The Expanding Digital Universe’, says that much of the data created through new tools and applications will be subject to compliance rules such as Sarbanes-Oxley, Basel II and other legislation. IDC warns that companies will have to improve their IT infrastructure to make sure that their compliance strategies can cope with this rising tide of data.
What is just as important, I would argue, is to have in place the compliance processes that can satisfy this web of regulatory demands. An ISMS built according to ISO 27001 provides just the tool to achieve this, which explains why certification is being pursued by more and more companies.
Tags: basel II, Compliance, ISMS, ISO 27001, IT infrastructure, sarbanes-oxley
Posted in Compliance, ISO 27001 | No Comments »
Tuesday, December 19th, 2006
As this post by Michael Farnham at Computerworld highlights, many more companies are likely to be attacked in 2007 and too few are implementing robust procedures to counter this. As he says:
“It comes down to whether or not companies view the problem as enough of a risk to spend the capital. And many companies are still making the wrong decision.”
This is the beauty and purpose of information security toolkits, like our ISO 27001 Toolkit. Companies don’t have to spend a fortune on outside consultants or on every new security product that hits the market. If they implement their own ISMS in-house they can keep the cost of the process under control and only purchase the products that are right for them and for which they have a clearly demonstrable need.
Tags: ISMS, ISO 27001 Toolkit
Posted in ISMS, ISO 27001 | No Comments »
Wednesday, September 27th, 2006
Confirmation from PricewaterhouseCoopers that small and medium-sized firms are underinvesting in IT security and suffering for it. PwC calls the difference in preparedness between large and smaller companies ‘a tale of two cities’, which seems pretty apt. As they say, too many SMBs are unaware of ISO 27001 and other measures that would provide vital help.
It’s all very well Alun Michael MP observing that low awareness is a problem, but what will the Government do to help change this? Not a lot, I fear, with it firefighting issues like NHS budgets, prison scandals, ministerial affairs and ‘cash for coronets’ – critical issues like ISMS just won’t receive the backing they need.
Instead, it will be up to the business community to resolve the issue itself, hence our work to produce books like A Business Guide to Information Security and our ISO 27001 Toolkit, both of which were created with SMBs very much in mind.
Tags: information security, ISMS, ISO 27001, ISO 27001 Toolkit
Posted in ISMS, ISO 27001, IT Security | No Comments »
Saturday, September 9th, 2006
The FSA Handbook sets out clear requirements for the management of information security within its regulated sectors. The requirements are best met by implementing and maintaining an ISMS that meets the ISO27001 standard – ISO27001 certification is clear evidence that the firm has had regard to ISO 17799, as required by SYSC 3A.7.8. The relevant paragraphs read:
SYSC 3A.7.7
Information security
Failures in processing information (whether physical, electronic or known by employees but not recorded) or of the security of the systems that maintain it can lead to significant operational losses. A firm should establish and maintain appropriate systems and controls to manage its information security risks. In doing so a firm should have regard to:
(1) confidentiality: information should be accessible only to persons or systems with appropriate authority, which may require firewalls within a system, as well as entry restrictions;
(2) integrity: safeguarding the accuracy and completeness of information and its processing;
(3) availability and authentication: ensuring that appropriately authorised persons or systems have access to the information when required and that their identity is verified;
(4) non-repudiation and accountability: ensuring that the person or system that processed the information cannot deny their actions.
SYSC 3A.7.8
A firm should ensure the adequacy of the systems and controls used to protect the processing and security of its information, and should have regard to established security standards such as ISO17799 (Information Security Management).
Tags: information security, ISMS, ISO 17799, ISO 27001
Posted in ISMS, ISO 17799, ISO 27001, IT Security | No Comments »
Sunday, June 18th, 2006
Yoo Cheng Hwee told a HCMC conference on information security that more than 80% of companies trying to implement an ISO 27001 ISMS had failed because they thought of the exercise as a one-off investment, rather than just the start of a life-long commitment to systematically and continuously improving information security.
He’s absolutely spot-on.
He went on to say that strong management support and tailored operational processes were essential to success. There are a few others as well (as I describe in Nine Steps to Success), but strong management support is undoubtedly the most important.
Tags: ISMS, ISO 27001
Posted in ISMS, ISO 27001 | No Comments »