Posts Tagged ‘ISO 27001’

Business Continuity Planning and BS25999

Thursday, February 28th, 2008

I came across an interesting post on Ireland’s Security Watch blog making the topical connection between bird flu scares and business continuity planning. It rightly points out that a disaster can strike from unlikely sources when you least expect it.

BCP is a very topical subject generally, given the recent introduction of the BS25999 standard. This finally provides a way for organisations to PROVE that they have a robust plan in place to ensure that their business can withstand adverse events. With our increasingly global and interdependent supply chains, more and more organisations are coming under pressure to reassure their major customers and business partners that they are a safe bet.

To help organisations get to grips with the new Standard and the competitive advantage that being certificated represents, we have just published several new books:

* We have brought out a second edition of Disaster Recovery & Business Continuity, a quick guide for small organisations and busy executives. This is based on last year’s successful book but updated to reflect the particular requirements of the new BS25999 Standard.
* For people needing a quick introductory overview of business continuity management we have launched a new BS25999 Pocket Guide. This sets out all the key facts and is a great tool for organisations that are implementing, or set to implement, a business continuity plan and management system. If you need to share practical knowledge between many project team members this is also a very cost effective way of doing it.
* Lastly, to support the take-up of the new Standard we have launched Business Continuity and BS25999: A Combined Glossary. No previous glossary has adequately addressed the full range of terms likely to be useful to a business continuity practitioner. In this book, we have drawn not only from BS25999 but also a wide range of related standards and frameworks, including ITIL and ISO27001, to create a standardised set of terms that should enable professionals to conduct global conversations based on a shared understanding.

Civil lawsuits start over lax data security approach

Tuesday, February 19th, 2008

The Realtime IT Compliance blog carried a significant post the other day - the first signs of US civil lawsuits against companies losing customer data.

In this case, it is a $54 million claim against Best Buy for losing a customer’s laptop, but watch this space for similar lawsuits for other forms of data loss and leakage - this is just the beginning.

Organisations taking a lax approach to data security are about to find out just how costly this can be for them. Such cases attract plenty of headlines, so sloppy businesses will have to start making much greater provisions for brand and reputational damage. We like to think that mature executive teams can be self-policing when it comes to looking after their customers, but too often it takes a potentially ruinous fine to focus their minds on the issue.

The alternative is to protect your customers and your own interests by adopting a best practice Information Security Management System. ISO27001 is the answer but remains an alien concept to many directors - perhaps a few courtroom pay days are just what we need.

House of Lords re-opens inquiry

Tuesday, February 12th, 2008

I read in ComputerWeekly that the House of Lords Science & Technology Committee is to re-open its inquiry into e-crime and the security of personal data, apparently due to the Government’s “vacuous, idle and irrelevant” response to its initial recommendations.

I am dismayed that, after what was a well considered report, so little has been done by this Government. It is at least a little heartening that their Lordships are not mincing their words about their disapproval. Perhaps this time we may see a little more action as a result - I wonder. Time will tell, but one would think that the spate of data loss disasters, most notably the HMRC lost discs fiasco, would give the Government ample incentive to finally stop sitting on its hands.

As I wrote at the time of the Committee’s first report, ISO27001 needs to lie at the heart of the Government’s response to this challenge. It is high time that our political leaders put their money where their mouths are and made the Standard compulsory across all departments.

Another wake-up call for the boardroom

Saturday, February 9th, 2008

For those boardrooms still slow to grasp the strategic importance of IT governance and information security, the BBC offers a nice simple graph to bring home the scale of the challenge. It comments:

“Reports vary but some estimates suggest there were five times as many variants of malicious programs in circulation in 2007 compared to 2006.”

Some are talking of 2008 as the year of ISO27001, something we have been loudly advocating for the past several years. With threats growing as they are, let us hope that many more companies finally hear the message.

Information classification schemes

Tuesday, January 22nd, 2008

Also from ComputerWeekly: Chief Information Officers need to take a leading role in setting up formal information classification schemes, so that the schemes are not over-engineered in the pursuit of compliance with security regulations, according to a report from the Information Security Forum.

Well, yes – classifying information correctly is a cornerstone of effective information security management. A simple scheme, one that assumes the bulk of information should be available to all employees and restricts only specific types of information on a need-to-know basis, is the most practical approach available. It’s all discussed at length in my book, International IT Governance.

ISO27001 - 900,000 certificates?

Wednesday, December 5th, 2007

The most recent survey from the International Organization for Standardization (ISO) reveals that there are now 898,000 ISO9001 certifications worldwide, a 16% increase on the previous year.

It also reveals that there are now 5,800 ISO/IEC 27001 certifications worldwide - only two years after the international standard was published.

In the information age, information security (think cybercrime, data protection, identity theft, cyberwar for starters) is probably more important than quality assurance - how long will it take until there are more ISO27001 certifications worldwide than for ISO9001? In answering this question, consider that ISO27001 is now a basic requirement for public sector contracts in Japan, is going that way in the UK, and provides an internationally recognized umbrella standard for meeting worldwide information-related compliance requirements as well as providing a practical, risk-based approach to managing information security in today’s world.

Social networking - top tips on safety

Friday, November 23rd, 2007

The UK Government’s Information Commissioner has now joined the call for people to be wary of identity fraudsters when using social networking sites. In a press release issued today (‘4.5 million young Brits’ futures could be compromised by their electronic footprint’), the Office of the Commissioner calls for young people to follow its six top tips for being safer online.

Of course, this applies to adults as well as children. Identity theft is the fastest growing area of e-crime, and social networking sites are a honeypot of relevant and useful information to support it. Companies have a responsibility to ensure that their IT resources are used safely and legally; I’m fascinated that some managements might encourage their staff to get involved in social networking sites, with all their attendant risks. (For example, Reuters’ CEO Tom Glocer records his enthusiasm for social networking on his own blog.) They’ve obviously not heard of ISO27001 – they could do with some exposure to proper information security management!

The Security View blog is running a poll on how companies are treating access to social networking sites - it will be interesting to see what the feedback is.

Not really fair, is it?

Thursday, November 22nd, 2007

The UK government claimed that the person who burnt the HMRC child benefit database to a disc and mailed it to the National Audit Office (NAO) was a relatively junior civil servant who had breached rules and would be subject to disciplinary action.

If this is true, it’s hardly fair, is it?

After all, this person was just trying to be helpful - a previous set of discs had already gone missing and the NAO really wanted the data (actually, they only wanted some of the data, but HMRC thought it was easier just to send the lot) - and, apparently, ‘senior management’ authorised the despatch. There’s no evidence that HMRC provided the level of training that would ensure that everyone inside the organization understood their individual responsibilities in respect of personal data; conversely, there does appear to be evidence that HMRC is systemically failing to comply with the Data Protection Act (see details of an even more recent data breach) AND, in spite of delaying the publication of this news by over a month, still couldn’t even get their story straight.

It’s only right that the Chairman of HMRC should have resigned. That’s not enough - systemic failures of this sort go right to the top of the organization, to the politician accountable to Parliament for its performance. However, it’s not clear that the current Chancellor of the Exchequer should go (although, if he can’t get to grips with this fiasco, he’ll have to go anyway) - after all, it was his predecessor that presided over the creation of the shambles that is now the HMRC.

And the Prime Minister, who was responsible for the creation of the ‘modern’ HMRC, has promised to spend a lot of money with PricewaterhouseCoopers for proposals to ensure this sort of thing doesn’t happen again.

Well, it doesn’t take a multi-million pound contract to get the answer to this question! The three things that must be done are:

1. Require all UK public sector organizations to achieve ISO/IEC 27001 - an independent, third party certificate that they have in place all the procedures - including staff training - necessary to secure such vital information;
2. Bring in a Data Breach Law requiring immediate notification of the breach, enabling criminal charges to be brought against organizations and, individually, top management, and providing for real compensation as a class for those affected by the breach;
3. Forget about the UK national ID card - it must be obvious to anyone by now that the risks associated with a database of this sort are just too great for HM Government to counter.

There - that saves the public purse a small fortune!

HMRC breaches DPA

Wednesday, November 21st, 2007

While one swallow might not make a summer, multiple breaches of one particular law (Information Commissioner: “we are already investigating two other breaches”) do rather suggest that the organization concerned has little interest in compliance with it.

Her Majesty’s Revenue and Customs (‘HMRC’) has, on a number of occasions, broken the law. Those involved in the breach, and their political masters who allowed it to happen, should be dismissed and prosecuted.

The law HMRC has broken is the Data Protection Act 1998 (‘DPA’). This is what DPA says: “Personal data shall not be processed unless…appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” (7th Principle).

The DPA provides explicit guidance on how to interpret this principle: “Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to—
(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b) the nature of the data to be protected.”

The data on the child benefit database (names, national insurance numbers, dates of birth, mothers’ maiden names, bank account details, etc, of some 25 million people) is clearly personal data, and is clearly highly sensitive. The law therefore requires the Data Controller (in this case, HMRC) to take appropriate measures to ensure the security of the data. Even the most rudimentary of information security risk assessments would identify the danger of someone attempting to extract some or all of this data. Appropriate counter-measures should therefore, and rather obviously, include removal of any technical capability to ‘burn the database to a disc’. The supervisory failure that allowed a junior member of staff to export this data to a disc and then mail it, unencrypted, outside the organization is merely symptomatic of a deeper failure to make any effort whatsoever to comply with the DPA.
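The paragraph above makes three concrete points: a rudimentary risk assessment would have flagged bulk extraction of this data, the counter-measures should have removed the ability to burn the whole database to disc and post it unencrypted, and the NAO only needed part of the data in the first place. The following is an added illustration, not code from this blog or from HMRC: a small export guard in Python that encodes those points as checks (no sensitive fields to removable media, no sensitive fields unencrypted, no bulk export without named authorisation) and minimises the released fields to what the recipient actually asked for. The field names, the 1,000-record threshold, the requester and approver names and the sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed field names and threshold for this illustration, not HMRC's real
# schema or policy. Fields whose loss would cause serious harm (DPA 7th
# principle: measures proportionate to the harm and the nature of the data).
SENSITIVE_FIELDS = frozenset({
    "national_insurance_number",
    "date_of_birth",
    "mothers_maiden_name",
    "bank_account",
})
BULK_THRESHOLD = 1_000  # exports above this many records need a named approver


@dataclass(frozen=True)
class ExportRequest:
    requester: str
    fields_requested: frozenset
    record_count: int
    destination: str              # "removable_media" or "secure_transfer"
    encrypted: bool
    authorised_by: Optional[str] = None


def assess(req: ExportRequest) -> tuple:
    """Return (allowed, reasons). Every failing check is listed so the
    requester can see what must change; an empty list means allowed."""
    reasons = []
    sensitive = req.fields_requested & SENSITIVE_FIELDS
    if sensitive and req.destination == "removable_media":
        reasons.append("sensitive fields may not be written to removable media")
    if sensitive and not req.encrypted:
        reasons.append("sensitive fields must be encrypted before leaving the controller")
    if req.record_count > BULK_THRESHOLD and not req.authorised_by:
        reasons.append("bulk export requires named authorisation")
    return (not reasons, reasons)


def minimise(records: list, fields_requested: frozenset) -> list:
    """Data minimisation: release only the fields the recipient asked for,
    so that an over-broad 'send the lot' export cannot happen by default."""
    return [{k: v for k, v in rec.items() if k in fields_requested} for rec in records]


# Constructed sample records with fictional values, not real data.
SAMPLE_RECORDS = [
    {"child_benefit_number": "CB-0001", "surname": "Example",
     "national_insurance_number": "QQ123456C", "bank_account": "00-00-00 12345678"},
    {"child_benefit_number": "CB-0002", "surname": "Sample",
     "national_insurance_number": "QQ654321A", "bank_account": "00-00-00 87654321"},
]

# The export as the post describes it: every field, the whole database,
# burnt to disc unencrypted, with no named authorisation on record.
WHOLE_DATABASE_TO_DISC = ExportRequest(
    requester="junior_officer",
    fields_requested=frozenset(SAMPLE_RECORDS[0].keys()),
    record_count=25_000_000,
    destination="removable_media",
    encrypted=False,
)

# What the recipient actually needed: a subset of fields, sent over an
# encrypted channel, with a named approver for the bulk export.
MINIMISED_SECURE_TRANSFER = ExportRequest(
    requester="junior_officer",
    fields_requested=frozenset({"child_benefit_number", "surname"}),
    record_count=25_000_000,
    destination="secure_transfer",
    encrypted=True,
    authorised_by="data_controller_lead",
)


def run_demo() -> dict:
    """Evaluate both requests and return the decisions plus the minimised data."""
    allowed_bad, reasons_bad = assess(WHOLE_DATABASE_TO_DISC)
    allowed_good, reasons_good = assess(MINIMISED_SECURE_TRANSFER)
    released = minimise(SAMPLE_RECORDS, MINIMISED_SECURE_TRANSFER.fields_requested)
    return {
        "whole_database_to_disc": (allowed_bad, reasons_bad),
        "minimised_secure_transfer": (allowed_good, reasons_good),
        "released_records": released,
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, "->", result)
```

The guard deliberately reports every failing check rather than stopping at the first, so a request that fixes only one problem (say, encrypting the disc but still using removable media) is still refused with the remaining reason shown. In a real deployment the same decision logic would sit in front of the database's export path, and the reasons would be written to an audit log alongside the requester and approver.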

It seems to me that the time has come, not only for executives and ministers to be dismissed and prosecuted, but for two other steps:
1. All public sector organizations that deal with personal data should be required to achieve certification to the international information security standard ISO/IEC 27001 - and should be given no more than two years to complete certification;
2. The UK now needs a data breach law that brings significant financial penalties and criminal charges against those - from the top of the organization down - who fail to take security measures appropriate to the nature of the personal data being protected.

BS25999 and ISO27001

Tuesday, October 16th, 2007

Once upon a time, there was only BS7799 for information security - now there are three parts to it, two of which have become internationalised (as ISO27001 and ISO27002) and are part of a series which has something like 20 numbers reserved for future use - and we also have the PCI DSS to provide a more prescriptive approach to protecting commercially important card holder data. You would have thought that, with all these standards, business would have become more secure.

Perhaps, but clearly continuity needs have not been adequately recognised. The first part of BS25999 (already published) was just a code of practice, but the arrival of part 2, the management system specification, will make it possible for organizations to get a BS25999 certificate - to go alongside their ISO27001 and ISO20000 certificates, no doubt.

Or will the proliferation of certificates simply lead to confusion in the minds of stakeholders as well as managers and customers?