Posts Tagged ‘pci’

In the UK, it’s National Identity Fraud Prevention Week!

Tuesday, October 7th, 2008

Apparently, today kicks off the UK National Identity Fraud Prevention Week – and research for RSA reveals widespread disbelief (as in, 90% of Britons) that their personal data are safe with banks and retailers, and half the people think that not enough is done to protect these personal details.

That’s better than I thought! Let me explain: in today’s insecure world, everyone has to be concerned about his or her own personal data – this is a critical personal asset that needs safeguarding. And, for far too long, people have simply not been adequately concerned about this issue. Clearly, this is changing – let’s hope that, as more people learn about the poor care exercised by data controllers in the UK, they get better at insisting that adequate steps are taken – and voting with their feet where they are dissatisfied with the standard of care.

From an organisational point of view, of course, it’s not hard to respond to the findings of this research – take adequate steps, today, to comply with the Data Protection Act in the UK, or whatever data protection legislation applies in your business jurisdiction. If you accept payment cards, PCI DSS compliance should be a given. And, for every organisation, ISO27001 is the best practice standard for securing information – and this week would be a good week to get started on an ISO27001 project!

New UK Computer Crime Unit

Friday, October 3rd, 2008

Well, that’s a relief – the UK government has caught up with the fact that there are criminals on the Internet. The government has said that it will spend £7 million to establish the Police Central E-crime Unit (PceU) in London; the unit will be run by London’s Metropolitan Police and will be more than half-funded by the Met.

I’m not going to waste time talking about the fantastic stupidity of creating and then, after three years, disbanding the High-Tech Crime Unit (creating SOCA, the Serious and Organised Crime Agency, whose priorities were drugs, people smuggling and similar more ‘traditional’ crimes) just as serious criminals migrated to the Internet. I am, though, going to make the obvious point that, even if the PceU does get going fairly early in 2009, it will still be something like two years before it will start being effective – it just takes a long time to get a new organisation (particularly a publicly-funded one) working, to get objectives and modi operandi and personnel and media and all those things properly sorted. And, in that time, cybercrime will become more sophisticated and the challenge of controlling it even more complex.

Let me put it another way: establishment of the PceU will be no panacea, anytime soon, for cyberthreats. Sensible organisations are just going to have to keep on doing their own risk management around this issue.