Posts Tagged ‘White Collar Crime’

Basel II - Really, What Was The Point?

Friday, February 27th, 2009

I find that I wrote this, a couple of years ago, in IT Governance - Guidelines for Directors:

“Basel 2 seeks to achieve its goal of strengthening the international financial system through three pillars. Pillar 1 aims to align a bank’s minimum capital requirements more closely to its actual risk of economic loss, aiming to establish an explicit capital charge for a ‘bank’s exposures to the risk of losses caused by failures in systems, processes, or staff or that are caused by external events.’[1] Those banks whose approaches to measuring, managing and controlling their operational risk exposures are appropriate to the risk area will have lower capital requirements. While Pillar 2 allows for supervisory review of banks’ risk management processes, Pillar 3 explicitly sets out to enhance transparency in banks’ public reporting in order to ‘leverage the ability of market discipline to motivate prudent management’.”

So, what on earth was the point of Basel II?

It rather looks to me as though:

  • Pillar 1 was a bust, or we wouldn’t have had Northern Rock, RBS, HBOS, Citi, etc;
  • Pillar 2 – well, the supervisory reviews of banks’ risk management processes clearly haven’t been that hot, or someone might have spotted that lending someone 125% of the value of the already inflated value of their property on repayment terms that in some cases exceeded their monthly gross earnings wasn’t exactly a demonstration of effective risk management – or that the creation of opaque, deliberately over-complex CDOs and other instruments wasn’t an attempt at clarity (to say nothing of the cynical appointment to the regulatory authority’s board of someone responsible for firing one of the few risk managers who actually appears to have been doing their job in drawing attention to the bank’s failure to manage risk effectively) – and, as for
  • Pillar 3 – well, I guess ‘Sir’ Fred Goodwin’s £650k annual pension (after early retirement!) is a good example of market discipline motivating prudent management, isn’t it? And I bet that no-one would even consider removing the knighthoods that this collection of pretend bankers were awarded, would they?

So, maybe Basel II was really just an excuse for a lot of central bankers to get together for dinner on a regular basis?



[1] BIS Press Release, 26 June 2004

New UK Computer Crime Unit

Friday, October 3rd, 2008

Well, that’s a relief - the UK government has caught up with the fact that there are criminals on the Internet. The government has said that it will spend £7 million to establish the Police Central E-crime Unit (PCeU) in London, that it will be run by London’s Metropolitan Police and will be more than half-funded by the Met.

I’m not going to waste time talking about the fantastic stupidity of creating and then, after three years, disbanding the High-Tech Crime Unit (creating SOCA, the Serious and Organised Crime Agency, whose priorities were drugs, people smuggling and similar more ‘traditional’ crimes) just as serious criminals migrated to the Internet. I am, though, going to make the obvious point that, even if the PCeU does get going fairly early in 2009, it will still be something like two years before it will start being effective - it just takes a long time to get a new organisation (particularly a publicly-funded one) working, to get objectives and modi operandi and personnel and media and all those things properly sorted. And, in that time, cybercrime will become more sophisticated and the challenge of controlling it even more complex.

Let me put it another way: establishment of the PCeU will be no panacea, anytime soon, for cyberthreats. Sensible organisations are just going to have to keep on doing their own risk management around this issue.

White collar crime and information security

Friday, June 1st, 2007

The increasing incidence and serious nature of internal threats to the security of corporate information is well demonstrated by the recent need for Cable & Wireless to injunct a former executive to hand a 100,00-strong customer database back to her former employer. While the former executive denies the allegation, the BBC has established that the database is being used illegally by Pakistan call centres.

An effective information security management system (i.e. an ISMS in line with ISO27001) would have identified this risk and guarded against it. Identifying, investigating and responding to this sort of white collar corporate crime will increasingly be part of the ISMS operation, which is why we have just added a selection of useful books on White Collar Crime and Computer Forensics to our website.

We expect more stories of this sort.