Posts Tagged ‘personal data’

Privacy Dividend or £500k fine - which do you prefer?

Wednesday, March 3rd, 2010

The Data Protection Act (‘DPA’) in the UK is a cornerstone of IT and information-related legislation. It applies to all organisations that collect or hold information about living individuals. Most organisations would claim that they comply with the DPA. The reality is that many don’t - over 800 organisations have reported data breaches in just the last two years - and, as reporting data breaches is not a legal requirement, it is likely that there have been many more breaches similar to those described here, but which have been ‘swept under the carpet’.

The Information Commissioner’s Office (ICO) will, from 6 April 2010, have the power to levy fines of up to £500k for serious breaches of the DPA. Which organisations will suffer the first fines?

For all organisations, the choice is clear and straightforward: continue with shoddy data protection practices and face potentially significant financial penalties, plus the widespread press coverage that will attend such a fine, or take steps to improve those practices. There is, in fact, a good business case to make for doing exactly that. The ICO has just published The Privacy Dividend, which describes how to make the business case for the necessary investment and even includes - for free - all the documentation that an organisation might use as part of that business case.

Penalty or dividend?

It shouldn’t be a hard choice, should it?

The ICO needs to act

Tuesday, January 22nd, 2008

The private sector needs to take data privacy more seriously if it is to stop the Information Commissioner’s Office getting the power to audit their information security systems without warning. According to ComputerWeekly, this is the warning from James Alexander, technology security partner at management consulting firm Deloitte.

His comments followed Deloitte’s finding that only 54% of technology, media and telecommunications (TMT) firms will tell customers if their data privacy is breached.

Well, I take the contrary view here. What we NEED is for the ICO to take some action, because the voluntary approach doesn’t work – just look at how organizations in both the private and public sectors are dragging their feet over PCI DSS compliance! The privacy of individual data requires more stick.

As ample proof, one need only look to the latest cases of lost MoD laptops and Carphone Warehouse’s recent misdeeds.

I rest my case!

ID Fraud Tsar – Job or Non-Job?

Monday, October 15th, 2007

On the face of it, I find the call by British MPs for the appointment of an Identity Fraud Tsar a very good thing. Under the proposals of the All Party Group on Identity Fraud this new role would provide a point of coordination between the Government, police and private sector. Given the pervasiveness of this type of crime it is good to see our legislators being – comparatively – on the ball. I am also glad to see them highlighting, as I have done previously, the great potential risk that people put themselves in by divulging all sorts of personal details on social networking sites like Facebook and MySpace (surely a candy store for any online fraudster).

This report follows the recent recommendations by the House of Lords Science & Technology Select Committee, which called for various overdue measures to tackle the broader issue of e-crime. As I noted previously, this was a well considered work that has made many positive contributions. Again, therefore, plaudits to our parliamentarians for recognising the importance of these issues.

However, the job of ID Fraud Tsar or any other measure to tackle e-crime is of little value if it is poorly resourced. The Home Office says it has “done much” to combat identity fraud, including tougher criminal penalties, better co-ordination in prosecuting fraudsters, more powers to share data about frauds and public awareness campaigns. However, this story from ComputerWeekly today suggests the good work of the Lords and Commons is falling on deaf ears at HM Treasury, which holds the all-important purse strings. In its latest Comprehensive Spending Review the government has promised to throw £11 million – not much, frankly – at three fraud-fighting bodies, but has made no apparent provision to do anything about e-crime.

Let us hope, therefore, that amid the many millions generously directed into health and other public services, some may be found for this vital area. If not, any newly appointed Tsar will end up a figurehead unable to do very much at all.

House of Lords E-Crime Report

Thursday, August 23rd, 2007

The recent report from the House of Lords Science and Technology select committee into ‘Personal internet security’ highlights the fact that businesses are not doing enough to protect their customers from the dangers of e-crime and on-line fraud. Clearly this is not exactly a ground-breaking conclusion; however, it is certainly an important one.

The report emphasises my long held views that organisations need to take action to protect valuable data. ISO 27001, the information security standard, is the benchmark for first-rate information security and certification is the best method of protection an organisation can have. Organisations should get certified to ISO 27001 as soon as possible in order to protect their customers as well as themselves.

Surely it is time that the National High Tech Crime Unit (NHTCU) was re-established in order to tackle e-crime effectively and hopefully deter those responsible. Since it was disbanded and absorbed into the new Serious Organised Crime Agency (SOCA) there has generally been nowhere that e-crime can be reported to, and local police forces are often ill equipped to deal with e-crime, especially where the perpetrator is based in some other jurisdiction. For example: e-crime can be committed by people based in Russia, who have stolen the credit card details of people in the US and are now using them to purchase from a site owned by a UK company but hosted on a Canadian server. This simple example illustrates just how vitally important a co-ordinated national police approach is to dealing with e-crime. PCI DSS will not be enough, on its own. The complexities of e-crime need a dedicated unit, so bring back the NHTCU!

Meanwhile, whilst organisations are making the necessary changes to protect sensitive information, individuals should also take action to protect themselves and the ‘Internet Highway Code’ is the benchmark here. It sets out ten straightforward, no-nonsense, plain English rules for staying safe online and arms anyone using a computer with the knowledge of how to avoid all the problems that make the newspaper headlines.

Spear phishing thrives

Friday, July 13th, 2007

It’s amazing how social trends can often make people do the most stupid things. Sales of paper shredders have gone through the roof of late because the public has woken up to the identity theft risks of making personal data available to strangers. So far so good – an entirely intelligent response. So what often makes the very same people put all of their personal data online instead, through social networking sites like Facebook?! As this article rightly points out, this is an open invitation to phishing scams that can become far more targeted and convincing to the individual. I have no doubt that news stories of the first Facebook scam victims will be just around the corner.

If you are going to use sites like this the important thing is to be very circumspect about what you reveal about yourself. You should share the bare minimum at all times. Of course, the really smart move is not to get involved in the first place (which sounds like a killjoy’s view right up until someone empties your bank account for you).

Investors don’t get the message

Monday, July 24th, 2006

This research from Harvard and Carnegie Mellon universities shows that large companies have no clear stock price-related incentive to prevent privacy breaches. Despite clear evidence of vulnerabilities that could seriously harm their interests, investors fail to give major quoted companies more than a mild slap on the wrist if their IT security is shown to be so lacking that there is a major breach of one or more privacy laws. After an initial dip, share prices quickly return to normal.

CIOs shouldn’t take this as a green light to reduce the cost of investment in protecting consumer privacy. The fact is that few institutional investors yet really understand the potentially very high direct and indirect costs of these breaches and so can’t yet make informed investment decisions.

As they become more knowledgeable (particularly with regulators becoming more determined around privacy), so the share price impact of a serious breach will become more dramatic and more prolonged. That, plus the possibility of SEC investigations and class-action suits, should be enough to keep CIOs and boards focused on their responsibilities around protecting personal information.

InfoSeCon 2006

Sunday, May 14th, 2006

I’ve just returned from a terrific three days in Dubrovnik, Croatia, where I attended (and spoke at) InfoSeCon 2006. Ably staged, hosted and managed by ZIK, this was an event that made networking very easy.

From the rapid transition through the arrivals hall at Dubrovnik airport, the equally quick transfer to the Hotel Croatia (spectacularly set right on the edge of the Adriatic), to the smooth organization of the conference itself, everything was memorable. Dubrovnik itself was fascinating; Stanko and Biljana Cerin laid on a trip across Dubrovnik bay in a replica of a medieval Dubrovnik galleon (which is also where we had dinner that evening) and the car-less fortified city was a wonderful place to visit. Walking an entire circuit of the city walls certainly built an appetite!

World-class speakers dealt with subjects that ranged from the technical (Snort rules) to the general (regulatory compliance) and, while it’s clear that information security threats are continuing to evolve, the underlying discussion at the conference seemed to be about who should drive IT and information security - the business management or the IT management?

As you know, I think that the business should drive the IT strategy, and the security of its IT systems - that, after all, is what IT governance is about. It’s clearly a debate that will run and run - InfoSeCon 2007 will probably be a good event at which to contribute to the evolution of this industry - one on which the security of personal and corporate data really does depend.

“He’s such a cute kid…”

Friday, June 24th, 2005

No, really, that’s what the Times of London claimed, in an article today, was the reason given by a Delhi Call Centre’s Head of Personnel for taking on someone who allegedly collected and sold account holder identity details. Addresses, passwords, credit card security codes, the works - and he said he could get 2,000 such details a month!

The Head of Personnel apparently had no qualms in taking him on, even though they hadn’t got any of the required three references. The reason that a company has clear rules on things like references, and rigorous CV scrutiny and checks, is that a significant percentage of people lie on their CVs and at interviews. Organizations dealing with confidential information have an obligation to apply basic recruitment discipline - the principles of which pre-date the Internet.

Information security depends on people, process and technology - working together. When one component fails, there’s a hole - and the bad guys exploit holes ruthlessly. As this one Head of HR has found out.

“I wasn’t fussed about the reference because I thought he had vision,” she said. No lie!

Will she keep her own job after so egregious a breach of basic personnel procedures?

Citigroup exposes 3.9 million customers

Tuesday, June 7th, 2005

Citigroup announced earlier this week that personal details of 3.9 million consumer lending customers were lost by UPS while en route to a credit bureau.

How do you lose a set of tapes? I mean, UPS are supposed to be good at handling parcels - particularly ones that contain valuable information. Aren’t they?

And if you were CEO of Citigroup, and you knew that it was not unknown for storage partners to lose this sort of data (Time Warner, for instance, had lost 600,000 records just the month before), might you not have built the possibility into your risk assessment? (They do, I’m sure, do risk assessments at Citigroup.) And if you had, then might you not have spotted and provided for this risk as part of the “enhanced security procedures you require of your couriers”?

Or should we be thinking that the unenhanced security procedures were closer to, well, not much, really?

I’m sure we won’t be told.

Remedying data theft

Monday, April 25th, 2005

Recent months have seen a series of widely publicized personal data thefts from companies that ought to have known better - and, in parallel, a series of US legislative proposals for bills that would have the characteristics of both California’s SB1386 and the Sarbanes Oxley Act. Of course, those organizations who lost data - and those who, but for the grace of [insert], go there - don’t think that more legislation of this sort is called for.

The choice, though, is quite easy: improve security voluntarily, so that people feel their privacy is properly protected, or be forced to do so - the outcome is not in doubt; only the pain and expense of getting there has still to be determined.

My expectation is that, just as with financial corporate governance, organizations will have to be forced to take proper steps to really protect personal data. A pity, because the total cost of that route is invariably greater than if it is tackled voluntarily.