Author Archive

Ralph O'Brien


Ralph works for IT Governance as an Information Risk Consultant and has been a DPA practitioner since 1998. He has a legal background, was a police data protection officer/auditor, wrote the ACPO data protection audit manual, set up a local authority DPA compliance regime, and has extensive DPA training and consultancy experience in both the public and private sectors.




Privacy Lessons to be learned over Phone Hacking

August 17th, 2011 by Ralph O'Brien

On Sunday 10th July the News of the World published its last edition. Old news. The paper had been printing for 168 years and was established as the UK's top-selling paper. The closure came about through reputational loss: revelations that personal information had allegedly been obtained using an illegal method known as "voicemail hacking", dialling remotely into someone's voicemail and listening to their recorded messages. People seemed willing to let this slide when the targets were politicians and celebrities, but when it held up the search for a missing young girl (the police thought she was still alive because her voicemails were being checked), the public and the media rallied against the paper in droves.

So what are we to learn from this? The paper had already been investigated for this type of activity back in 2005, when information on Prince William's health was published, resulting in the jailing of a journalist and a private investigator. The wider paper, and the Rupert Murdoch media empire, of course claimed that these two were acting alone. The number of people who have since come forward confirms, however, that this type of activity was institutional.

So what is privacy?

Privacy has no broad legal definition and is hard to define. It is a balance between the individual's right to keep information about themselves to themselves and the wider needs of a lawful society: businesses must be able to operate, government must be able to function, and so on. Privacy also looks different to different people: some believe that all our activities should be open to the state, others that we should be protected from prying eyes. It is therefore a difficult area to legislate for.

Personally, I believe that we cannot have privacy in today's age: we have a huge internet footprint, companies hoard huge amounts of data on us and we are on CCTV everywhere we go, so privacy is next to impossible unless you wish to live a hermit's life of solitude in the wilderness. My thoughts are more about the individual being informed of when and where their data is taken and used, and given control (where possible) over its usage and further disclosure.

This "balancing act" is a difficult one. Newspapers can claim that it is their duty to expose corruption in business and politics, exposing wrongdoing in the public interest and holding to account those we raise to high office or fame. To do this they must gather information on these individuals; however, they are neither the police nor the government, but occupy a middle ground in between, holding these groups to account in the "public interest". A strange and difficult line to walk.

The law

The law begins with Article 8 of the European Convention on Human Rights (ECHR), which was incorporated into UK law by the Human Rights Act 1998 and provides:

"Everyone has the right to respect for his private and family life, his home and his correspondence"

And further:

"There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law … in the interests of national security … for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others"

I find "private and family" the interesting words here, as there is a clear sense that you have a greater right to privacy at home and in your family life than you would if you adopt a "business or public" life. For example, your employer has a right to publish your work contact details but not your home ones, and if you profit from being a celebrity, say by publishing an autobiography, you have less expectation of a private life than those who choose not to be in the public eye.

Two further European directives, on personal data processing and on privacy in electronic communications, were adopted in the 1990s so that personal data could move freely between EU member states under common rules. They were incorporated into UK law by the Data Protection Act 1998 [DPA] (as since amended!) and the Privacy and Electronic Communications (EC Directive) Regulations 2003. EU countries therefore operate to common data protection principles, but the details vary by jurisdiction. These, along with the Freedom of Information Act 2000 and the Regulation of Investigatory Powers Act 2000, now form the heart of what some deem "privacy law".

Information Governance.

The heart of the issue for most organisations is good information governance. Too many people look at the DPA as a problem, a compliance issue to overcome, rather than as an effective information management model. The requirements of the DPA are simply about telling people how and why you will use their information (ethical, trust-building steps), making sure it is accurate and up to date (good housekeeping, which reduces complaints), not keeping it for longer than you need (economical), keeping it with "appropriate" security (risk-based and good for your reputation), and considering the laws you may encounter if you transfer data outside the EU countries that adopt this approach (again, good practice to tell people how and where their data moves).

Nothing in the Act really says "no"; instead it says "yes, as long as you think about it and put in appropriate safeguards". The main problem with the Act is that it cannot say for sure, for every situation, what these safeguards are; instead it places the burden back on the organisation to determine them. The law here is applied case by case, with no hard and fast rules. Organisations must "know themselves" and respond appropriately to their legal, regulatory, business and contractual requirements and obligations.

Sometimes organisations have simply not paid attention to the information they hold, how they obtain it and where it goes. Mapping these "information lifecycles" and putting in appropriate controls and checks can be a key area of initial work. Such organisations should be warned, however, that the ostrich approach does not fare well when they find themselves next in the firing line after a data breach or unethical practice. "We didn't know" is a much worse position than having identified the bad practices and started work on the areas that need improvement.

Most solutions here are human rather than technological in nature, because the organisational weaknesses in question are exploited by "blaggers": social engineers who aggregate small pieces of information from customer-facing departments to build up an increasingly complete picture of an individual. Training, education and awareness are the best tools for actively defending your organisation here.

At the heart of good information governance lies a management assurance regime, in which management actively assess what is required, deliver it into the business, and then receive regular reports and updates, measuring and monitoring to see what can be improved and then delivering that improvement; without evolution, we perish. A consistent approach to risk management, common procedures and practices, appropriate organisational structures and good identification and reporting of information issues can all contribute to a personal data management system that delivers business benefit and is tailored to (and embedded in) the culture of the organisation.

Data Protection is a bad thing, so let’s hide behind it (?!)

July 8th, 2011 by Ralph O'Brien

Ever called up a call centre and been told “can’t give you that information, the Data Protection Act won’t let me”?

What rot.

Organisations do have a tendency to hide behind the Data Protection Act, which leads to the perception that the Act is a bad thing: that it stops people from doing what they want to do, when they want to do it. In my time with the Police, I would often find out that police officers had obtained information in um… how shall we say… interesting ways. I would ask "Why didn't you come and talk to us about proper disclosure?", and they would respond "I thought you would say no"…

And there is the problem. The DPA is often seen as something that gets in the way, that stops data from flowing. Nothing could be further from the truth. The Act was created in the UK in response to a European directive intended to establish common data rules across the EU, so that wherever you are in the EU your data is treated equally and can flow across borders. The DPA doesn't really say "no". What it says is "yes, as long as you have given some thought to doing it safely". The problem is that organisations see these safeguards as barriers, rather than as ways to take products and services to market in a confident and ethical way. I have always viewed the Act as a business enabler.

Let's take a look at some of the principles, for example:

Principle 2 – this requires you to specify to the data subject the purposes for which you process their personal data. And why not? It is a great chance to demonstrate your ethical conduct: to inform your customers of what you do and how you do it, and to ensure there are no catches or surprises for them, thus engendering customer trust.

Principle 3 – personal data shall be adequate, relevant and not excessive. And why should it be anything else? Collect enough to make accurate decisions weighing up all the facts, but no more. Irrelevant and excessive data will "clog up" your business processes, cost money to store and create an overhead.

Principle 4 – accurate and up to date. Do you really want to hold out-of-date, inaccurate information? Make the wrong decisions? Send things to the wrong place? Charge the wrong amounts?

Principle 5 – retain for no longer than necessary. Not exactly rocket science either. Keep things for as long as you need them, then get rid of them. Storage costs and good housekeeping will ensure a lower cost base in terms of storage space and data management.

Principle 7 – appropriate technical and organisational security. Note the word appropriate. The Data Protection Act does not mandate a security level; it just asks you to implement what you judge appropriate to your risks and apply it consistently. No restrictions here, no "DPA says no". It is the organisation that decides on the response and applies its own policy on what is "appropriate". You should remind the call centre operative above, who tells you the DPA is preventing you from accessing your own record, that it is their company policy (their response to the DPA rather than the Act itself) that is actually the issue.

I could go through each and every principle, but it seems to me that the Data Protection Act is a force for business enablement: it focuses on good practice in information management, creates data flows built around good customer service, and demands a level of complexity commensurate only with the size and nature of the organisation, which lets organisations go to market with confidence, good data management, customer trust and a cost-effective approach to good information governance.

So don’t shun the DPA as an overhead.  Embrace it as a force to take your products and services to market in a safe, secure, ethical and cost effective manner.  Why would you want to do anything else?

Cyber security and privacy “snacking on cookies”

May 31st, 2011 by Ralph O'Brien

Most companies are in a state of confusion about the new EU rules on the use of cookies. Indeed, the UK government has had to issue three clarifications over the last week, assuring businesses that they will have time to comply.

The UK's privacy watchdog, the ICO, has stated that it could give companies up to a year to comply. However, nothing has been set in stone. In talking to my clients, I find very few are aware of the change, and even fewer have plans to act.

Essentially a "cookie" is a small piece of data that a website stores on the computer (or other device) of anyone accessing it, and which the browser sends back on later visits. Storing a cookie locally allows the business to recognise the device and track the user's behaviour. This enables it to target marketing in some cases, and to keep information about individuals' behaviour for messages such as "you recently viewed site/product X… so might like site/product Y…".

Of course, at present few website users are even aware of the cookies stored on their machine, and those who switch them off in their browser settings often find this renders them unable to use online retail websites. Even fewer users are aware that this information on their habits is, in a lot of cases, sold or passed to advertising and marketing companies.

The use of cookies by companies operating in the EU without the user's permission will now be illegal, other than cookies strictly necessary to provide a service the user has asked for. Internet companies of the likes of Facebook and Google are particularly concerned about targeted advertising revenues, but this affects most online retailers (such as Amazon) and even suppliers such as online employee benefits providers and other similar web portals.

Ways to comply could include:

  • Pop-ups – displaying a message asking the user's permission before the cookie is set
  • Tracking icons – displaying a recognised icon indicating that the site uses this type of technology
  • Browser settings – letting the user control which sites may and may not set cookies
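Whichever of these mechanisms a site chooses, the choice only means something if it is enforced at the point where the cookie is actually set. The following is an added example, not code from the original post or from IT Governance, of consent-gated cookie setting on the server side in Node.js. The cookie names, the three categories and the format of the assumed `cookie_consent` record (which a pop-up would write once the visitor has chosen) are illustrative assumptions, not anything the ICO or the regulations prescribe; the design point is that an absent or malformed consent record is treated as "no consent".

```javascript
// Added example: consent-gated cookie setting on the server side (Node.js).
// Cookie names, the three categories and the "cookie_consent" record format
// are assumptions for this illustration, not anything a regulator prescribes.

// Which category each cookie belongs to. Cookies the service cannot work
// without ("necessary") need no consent; every other category does.
const COOKIE_POLICY = {
  sessionid: 'necessary',   // login session (constructed example)
  csrftoken: 'necessary',   // anti-CSRF token
  _analytics: 'analytics',  // site-analytics visitor identifier
  _adtrack: 'marketing',    // targeted-advertising identifier
};

// decodeURIComponent throws on malformed input; treat that as "no value".
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return ''; }
}

// Parse a Cookie request header ("a=1; b=2") into an object.
// Splits on the first "=" only, so a value may itself contain "=".
function parseCookieHeader(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = safeDecode(part.slice(idx + 1).trim());
  }
  return out;
}

// The consent record lives in a "cookie_consent" cookie whose value is a
// URL-encoded JSON object such as {"analytics":true,"marketing":false},
// written by the consent pop-up. Anything missing, unparseable or not an
// explicit true is treated as "no consent": the policy fails closed.
function readConsent(cookies) {
  const consent = { analytics: false, marketing: false };
  const raw = cookies.cookie_consent;
  if (!raw) return consent;
  try {
    const parsed = JSON.parse(raw);
    consent.analytics = parsed.analytics === true;
    consent.marketing = parsed.marketing === true;
  } catch (e) {
    // malformed record: keep the fail-closed defaults
  }
  return consent;
}

// True if a cookie of this name may be set for a visitor with this consent.
function cookieAllowed(name, consent) {
  const category = COOKIE_POLICY[name];
  if (category === undefined) return false;  // unknown cookies are never set
  if (category === 'necessary') return true;
  return consent[category] === true;
}

// Build a Set-Cookie header value. Secure and SameSite are always applied;
// HttpOnly is applied unless the cookie must be readable by page scripts.
function buildSetCookie(name, value, { maxAge = 3600, httpOnly = true, sameSite = 'Lax' } = {}) {
  const attrs = [
    `${name}=${encodeURIComponent(value)}`,
    `Max-Age=${maxAge}`,
    'Path=/',
    'Secure',
    `SameSite=${sameSite}`,
  ];
  if (httpOnly) attrs.push('HttpOnly');
  return attrs.join('; ');
}

// Given the request's Cookie header and the cookies the application would
// like to set, return only the Set-Cookie values that consent permits.
function setCookiesForResponse(requestCookieHeader, wanted) {
  const consent = readConsent(parseCookieHeader(requestCookieHeader));
  return wanted
    .filter(({ name }) => cookieAllowed(name, consent))
    .map(({ name, value, options }) => buildSetCookie(name, value, options));
}

// Constructed usage: a visitor who has consented to analytics but not marketing.
const WANTED_COOKIES = [
  { name: 'sessionid', value: 'abc123' },
  { name: '_analytics', value: 'visitor-42', options: { maxAge: 86400 * 30 } },
  { name: '_adtrack', value: 'seg-7', options: { maxAge: 86400 * 365 } },
];
const CONSENT_HEADER = 'cookie_consent=' +
  encodeURIComponent(JSON.stringify({ analytics: true, marketing: false }));

console.log(setCookiesForResponse(CONSENT_HEADER, WANTED_COOKIES));
```

Run with `node` and the output lists the session cookie and the analytics cookie but not the advertising one; with no `cookie_consent` cookie at all, only the session cookie is emitted. The Secure, HttpOnly and SameSite attributes have nothing to do with consent, but they are the minimum a practitioner would put on any cookie that identifies a person.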

The rules apply to any company that does business through a website in the EU. Penalties vary across the EU, but in the UK the ICO can impose a penalty of up to £500,000. That does not, of course, factor in reputational damage, erosion of customer confidence, adverse media attention and the time spent addressing any issues that arise.

Why play the waiting game and be caught out?

Some say the ICO's guidance raises more questions than it answers and are awaiting further clarification. Some are waiting for the law to come into force and a "test case" to be heard. Personally, I wouldn't want that test case to be my organisation. Others are being more proactive and simply sticking to good ethical practice: informing individuals as early as possible of what you will do with their data, and treating them with respect and decency. Ask yourself the age-old question: if this were my data, what would I want to know?

It is worth briefly noting the difference between notification and consent. Most data protection laws require processing to be "fair", meaning that people are told what will happen to their data; but for processing to be "lawful", consent is only one of several grounds on which an organisation can rely. Because consent can be withdrawn it is also the weakest of those grounds, so organisations often rely instead on the individual signing up to their practices as a term of service. If the individual doesn't like it, they go to another company, which will have exactly the same set-up. As a result, the individual never gets fair treatment or real consideration of their data. In the realm of cookies, moving from "notification" or "implied consent" to an "explicit consent" model is a remarkable step change in the law.

Online privacy is now a huge issue. Recent events, such as the loss of customer data from Sony's PlayStation Network, opened the door to further targeted attacks across Sony's network of global websites, and the Sony share price was damaged severely as a result. People across the world are increasingly asking themselves the most important question of all: who do I trust with my information?

Surely giving them a choice in how their data is to be used goes a long way to establishing that trust, and ultimately to winning customer loyalty to your brand. This legislation is no threat; it is an opportunity.

Download our free White Paper Cyber Security: a Critical Business Risk, which sets out a Five-Step Cyber Security Strategy that every organisation should adopt.

Integrating Management Systems & Standards

May 17th, 2011 by Ralph O'Brien

Standards are often misunderstood and misapplied. Too many times I have seen organisations try to address standards as a project which results in a lot of documentation, bound in a folder, only viewed by the auditor and kept away from the business. The key lies in the definition of each one of these management system standards (MSS), which begins:

That part of the overall organisational management system …

This indicates that standards are not meant to be delivered as a project in a folder, but embedded in the culture of the business and aligned with its processes and objectives. To be honest, in the best implementations I have seen, the standard seamlessly integrates with and updates established business processes. This leads me to think that the best standards are invisible: they have become so embedded in the business process that the staff don't know they are there.

ISO 9001 is the granddaddy of management systems (MS), and a lot of other standards have inherited their terminology and structure from it. It includes eight quality management principles which all management system implementers could benefit from understanding.

The eight quality management principles are:

  1. Customer focus
  2. Leadership
  3. Involvement of people
  4. Process approach
  5. Systematic approach to management
  6. Continual Improvement
  7. Factual approach to decision making
  8. Mutually beneficial supplier relationships.

By adopting these principles, and understanding that an MSS is by its nature part of the wider business, all standards can be integrated as parts of a single, wider, integrated corporate management system.

Common elements that can be integrated across the standards include:

  • management review
  • internal audit
  • document control
  • record control
  • corrective action
  • preventive actions.

These apply to all management system standards (MSS) such as ISO 9001, ISO 14001, OHSAS 18001, ISO/IEC 20000-1, ISO/IEC 27001, BS 25999-2, etc.

However, each standard has a specific focus, such as:

  • ISO 9001 deals with process conformity to ensure the quality of products and services
  • ISO/IEC 27001 deals with protecting the confidentiality, integrity and availability of information assets
  • BS 25999-2 deals with business interruption and disaster by safeguarding critical business activities.

So each standard has the common MS elements but applies the Plan-Do-Check-Act (PDCA) model with a different focus, producing individual requirements specific to its topic. Looking at the standards, it is easy to break each down into the PDCA cycle focused on its topic, plus the common requirements that can be integrated into a wider MS. Though each has its own certification scheme and certificate, they can be implemented and audited as part of a wider corporate MS, leading to cost savings.

ISO is further encouraging this integration by requiring a future "harmonisation" of all MSS as they are reviewed and superseded, aligning their terminology, clause numbering and structure, and ensuring that all MSS contain identical core text. The future format is due to be based on a 10-clause structure as follows:

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context of the organisation
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement.

Standards are designed to work together as part of a wider governance picture for the organisation. Organisations with ISO9001 will already have elements in place that will make the others easier to achieve.

Using a documentation toolkit from the ITGP Toolkit suite will also help to ensure harmonisation across multiple management systems. They are designed to help small and medium organisations adapt and adopt best management practice in technology governance, risk management and compliance and have been designed to integrate with each other, saving time and money.



Complete ITGP Toolkit Suite – Buy an individual toolkit, or buy the suite, and save £1000!

For the first time ever, all ITGP toolkits are available to purchase as a complete suite! You can buy an individual toolkit for the management system and/or standard you are focused on today, or you can purchase the complete suite and save £1000!

We are at the forefront of bringing to market tools, software and publications that are at the cutting edge of new standards, legislation and government recommendations. Our toolkits have been designed to integrate with each other, saving time and money and preventing duplication.

Buy today and save £1K!

This complete ITGP Suite contains CD-Rom versions of all the following toolkits:

  1. No 3 ISO27001 Comprehensive ISMS Toolkit (CD-Rom/Download)
  2. ISO38500 IT Governance Framework Toolkit (CD-Rom)
  3. Social Media Governance Toolkit (CD-Rom)
  4. SharePoint Governance Toolkit (CD-Rom)
  5. BS25999 BCMS Implementation Toolkit (CD-Rom)
  6. PCI DSS v2.0 Documentation Compliance Toolkit (CD-Rom)
  7. Complete Data Protection Toolkit and Awareness Posters (CD-Rom)
  8. ISO9001 QMS Quality Management System Documentation Toolkit (CD-Rom)
  9. ISO14001 EMS Environmental Management System Documentation Toolkit (CD-Rom)
  10. EN16001 Energy Management System Documentation Toolkit (CD-Rom)
  11. OHSAS 18001 Occupational Health and Safety Toolkit (Download)

Not all toolkits will be relevant for your organisation right now but the chances are, in time, they will be! If you only need one toolkit today and another in three months’ time, that’s fine. Buy whichever toolkit you need now, and then, when you are ready, you can buy the next toolkit and integrate it easily into your existing framework – they are designed to integrate in this way.

Price-conscious organisations will see the benefit of purchasing the entire suite and will save £1000.

Take advantage of this exclusive offer and save £1000 today!

Good things happen when planned for – the bad things will happen anyway…

March 30th, 2011 by Ralph O'Brien

A blog about "safety" and what it means to be "safe". The depressing fact is that there is no such thing. The bad news is that nothing is ever 100% secure; not if you want to actually be able to use the information, anyway!

That does not mean, however, that we should throw our hands up in the air and give up; quite the opposite. "Safety", like security, is a relative term, and it always comes down to an organisation's risk appetite. A good security architecture is always risk driven, with a response proportionate to both the value of the assets and the risk posed by the threats arrayed against them. But I'll save risk assessment for a later blog…

For the moment, let's consider the qualities of the asset we are trying to protect. I'll take you back to my much-maligned "Joe Bloggs" view of information security, in which he states "it's about keeping people out of computers, innit?". My last blog dispelled the myth that computers are our area of focus; now let's deal with the other half: "it's about keeping people out".

Now, as we've said, keeping everybody out is not possible. It's also a very negative view of security, which will lead the organisation concerned to think you are just there to stop it doing business. I've lost count of the times that security is seen as a business barrier, not the business enabler it should be.

Clearly one of the aims of security is to make sure that only the right people get in. We call this CONFIDENTIALITY. It is probably most people's first concern, and quite correctly too. However, it's only one of the trio that make up our security "CIA".

Some organisations have no confidentiality concerns at all: say, a public sector organisation concerned only with ensuring public information is on the web 24x7x365. Ask any IT department when their stakeholders start to complain, and rarely will they say it's when information is given out; instead it's when the information cannot be reached or used at all. The system is down, the network is out or slow, access is restricted. In this modern age we are used to "always on" and "instant access". What mostly concerns people is really the AVAILABILITY of the information assets.

Finally, how would you feel if your bank dropped a couple of zeros from your bank balance? How annoying is it when your name is spelt incorrectly by your utility company? What are the consequences if you've been mislabelled a debtor, or a criminal, or your penicillin allergy has been left off your medical file? Information has to be accurate, up to date and relevant to be useful. Acting on damaged, corrupt or simply wrongly input data can have serious and far-reaching consequences. We call this third quality of information its INTEGRITY.

It’s the CIA that protects us from DDD.

  • Disruption vs. Availability
  • Damage vs. Integrity
  • Disclosure vs. Confidentiality

Getting the balance right…

Organisations will have a different Confidentiality, Integrity and Availability (CIA) balance. For some, confidentiality will be the most important; for others it may not be relevant at all, as long as the information is available and accurate. Consider the threat of a fire to our building assets: the main damage is that the asset becomes unavailable or its integrity is damaged. Once the building is burnt to the ground, let's face it, the confidentiality of the information inside is pretty much assured.

So we are left with the question of finding the right balance for your organisation, looking at CIA and the trade-offs of security vs. usability, risk vs. reward and cost vs. benefit. Yes, nothing is 100% secure, but we should do our best to find the approach that gives us the "most bang for our buck": a system that fits your organisation and enables it rather than disabling it, that adds value and lets you focus your priorities on the key qualities of the key assets.

Safe may be a relative term, but information security is specific, in that it aims to protect the correct qualities of the correct assets in a balanced way, allowing you to conduct business in confidence.

What is information security?

March 30th, 2011 by Ralph O'Brien

“Beauty is in the eye of the beholder…”

Well, it's not as easy a question to answer as you may think. It will mean different things to different people. If I ask Joe Bloggs on the street, he will probably say something along the lines of "it's about keeping people out of computers – innit?". Ugh. I'm constantly confused with some sort of glorified IT technician: if I'm asked my job title at a party (yes, I do go to some!) and I mention information security, I'm normally asked to help fix their printer/laptop/PC. Again, ugh.

I normally then have to explain that I "help organisations keep their information safe", whether that be physically, through people, through IT, legally, on paper or otherwise. And that's an interesting place to start. "Safe" for one organisation is not the same as "safe" for another. Security is a subjective thing.

Compare an organisation running a top secret nuclear bunker with three men making furniture in a shed. Clearly they have different needs when it comes to keeping their information safe. The "three men in a shed" will likely have the following as appropriate measures:

  • Padlock on the door
  • Fire extinguisher
  • Somewhere else to work if it all goes wrong
  • Insurance

Even the last two bullets here are questionable! We'd hope a top secret military installation would have a few more measures than this: motion detection, CCTV, high fences, guards, dogs, guns, multiple layers of protection, an underground location, etc. (and still no mention of a computer!)

So even here we can see that security is a variable thing. It is entirely dependent on the risks and threats arrayed against the particular organisation, the nature of the organisation, and the particular nature of the information itself: its value, format, type, importance, consequence of loss, etc. Naturally, your response will vary depending on the risks faced…

…Or that's what you would think. In my experience a common bad practice in security management is treating all information equally, normally a consequence of ownership of information being left to the IT division rather than the "business". Naturally IT departments will focus on networks and systems as a whole and not on the data itself, so all data receives the same level of protection without taking its value into account. Typically this means that high-sensitivity data does not receive enough security, while low-sensitivity information receives too much (wasting money and resources).

We must also consider the information environment itself. Information does not exist on its own, floating in the ether. It may be stored on a computer, on a piece of paper, on CCTV tape or removable media, inside people's minds, in transit over networks, spoken over the phone, or held within buildings and software. In information security we often have to protect the whole environment in order to protect the information properly. A good way of looking at "information asset classes" is as follows:

  • The information and data itself
  • Processes and working practices
  • Software, hardware, systems and medium of storage/transport
  • Physical facilities and locations
  • Systems and services that allow facilities to operate (electricity/water/gas/lifts/telephony etc)
  • People (not only the user, but cleaners, third parties, internet users etc etc)
  • Intangibles (brand, legal position, compliance, reputation, share price, media image)*

*An interesting note here: senior management are generally most concerned with the final point on the list, which is often the consequence of an information security breach. These are the assets you are really protecting!

Therefore the "IT-centric" approach will not take into account the physical office environment, human factors, paper-based records, legal requirements, working practices, remote working, etc. This leaves a huge gap in the security regime, which has to be holistic to be in any way effective.

“The chain is only as strong as its weakest link…”

One of the greatest problems in information security is that of perceived ownership. IT will think the business owns the information; the business will think IT does. Rather than pointing fingers at each other we all need to step up and play our part. Only a joined-up response, with all stakeholders pursuing the common goal of protecting information appropriately to its value, will protect information holistically.

BS25999 vs ISO 22301

March 15th, 2011 by Ralph O'Brien

Most are aware that BS 25999-2 (the requirements for a business continuity management system) will become an international standard in the future. The aim is to have this published by the end of 2011, but, as ever, there will be a long transitional period set by the certification bodies, probably at least two years after publication.

It will be "ISO 22301, Societal security – Preparedness and continuity management systems – Requirements", and is currently a DIS (Draft International Standard).

As with the draft ISO/IEC 27001:2013 (information security management), nothing is final yet, but it uses the 10-clause format that is to be the new common format for management system standards, as below:

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. General requirements
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement

I reiterate: ISO 22301 is not final and is subject to change. However, as with the ISO 27001 draft, requirements for procedures such as record control have disappeared (records are now considered a type of document); similarly, preventive action has been aligned with risk treatment, so the requirement for a preventive action procedure has gone too. Most of the BC requirements stay similar but are more fully and specifically defined.

Most of the familiar “Plan Do Check Act” content currently seems to fall within clause 8 of the new format, which I’m personally not sure is how the format was intended to be used, but I’m sure these kinks will be ironed out as it gets closer to publication.

Please also note that BS 25999-1 (the code of practice) has already been superseded by ISO/PAS 22399:2007 (Societal security – Guideline for incident preparedness and operational continuity management), which ISO has published.

We expect the move from BS 25999 to ISO 22301 to be similar to that experienced by organisations moving from BS 7799 to ISO 27001, as BS 25999 is the document on which ISO 22301 is founded. There is therefore no need for organisations to hold back BS 25999 certification plans to wait for ISO 22301. To adopt best practice in business continuity management, BS 25999 is still the recommended solution, and will serve as the best route towards compliance with ISO 22301 when it finally comes into force.

The best management system is an invisible one.

March 15th, 2011 by Ralph O'Brien

I often say this to clients, but it is advice that often goes unheeded.  These days integrated management systems are becoming more commonplace.  A lot of organisations are moving away from ISO 9001 (quality management) alone and are instead adopting an increasingly diverse set of management system frameworks: ISO 27001 (information security), BS 25999-2 (business continuity), ISO 14001 (environment) and so on.

All well and good.  The problem comes when trying to “sell” these to staff.  Frequently, these management systems are perceived as heavy amounts of documentation without any real business benefit to the end user, the staff and management.  They are seen as an overhead, especially when the key driver comes not from an internal desire to improve but from an external tender requirement placed on the organisation.  The task is given to an individual, who then spends hours writing the documents and collating them into a mighty tome that sits on the shelf, unused and unloved, until the certification auditor arrives.  This approach may well be more of a cost to the business than a benefit.

All management systems have a similar chassis: a series of seven common documented procedures covering internal audit, management review, corrective action, preventive action, document control, record control and exception management (be the exceptions security incidents or non-conforming products).  In fact, the news from ISO is that subsequent revisions to these standards will harmonise these management system requirements further, so the common areas will even have the same clause number from standard to standard.

So what does this mean for a business?  It means that you don’t need a weighty tome for each standard.  It means that management systems can be integrated, with a single business-wide set of documents that governs the whole of the business and does not have to refer to the management system standards at all.  Why have an ISO 27001 document control procedure, a 14001 document control procedure and a 9001 document control procedure, when instead you can have a single business-wide document that tells you how the business as a whole manages documents?  The fact that this business-wide procedure meets the relevant standards should be a happy coincidence, not the driving goal.  It is worth remembering that it is the certification body assessor’s job to evidence that you are meeting the standards, not yours; littering your documents with references to standards and their clause numbering does not help you.

This approach means that the management system begins to fade from the average user’s view.  They don’t care what ISO 9001 or ISO 27001 says, but if you tell them that their documents have to meet this procedure because it is what your business expects (not some external standard), they will probably get on board.  The management system stops being an external requirement and becomes just “what we do as a business”, embedded within the culture.

The other two major factors here are management commitment and local ownership.  If either is lacking, the management system may fail.  Frequently management nominates an individual to write the MS documentation, and this individual is then engaged in writing meaty tomes that no one else will use or read.  It is worth remembering that these are management systems and most will have a business-wide scope.  Instead of nominating an individual, management should realise how important it is that the system is embedded business-wide and adopted by the whole of the business as a cultural change, and should take ownership themselves of it as a methodology to run the business, not as a single project which has been forced on them.  Embracing the change will reap the benefits; begrudgingly throwing a single resource at it will only produce cost.

Finally, the best way to engage the business is to encourage local ownership.  This means abandoning the huge manual and splitting the documents into a framework of smaller documents, owned locally and much more easily updated by those who need to update them, rather than controlled centrally in some goliath book that rests on the shelf.

All MS standards have a requirement for training, awareness and competency, which is the remit of the HR department.  So why, then, is the quality or information security manager writing these in isolation as part of his huge manual?  Who is best placed to write a business procedure: someone remote from the process, or the people who actually do it?  To embed management systems in the culture of the business, individuals within the business must own their own process documentation, and the organisation will be better off for it.  HR write the HR documents, IT write the IT documents, Operations write the operational documents.  The standard has an internal audit mechanism to check that these are completed, and a document control procedure to make sure they all look consistent.  Electronic document storage tools such as SharePoint and cloud-based storage solutions can help in their overall management.

And if the staff ask why they must document what they do?  Not because the ISO standard tells you to, but because it is good business practice.  Because the organisation itself requires it.  It is embedded in the organisation’s culture because the organisation wants to have a mature level of corporate governance.

Management systems with proper levels of management commitment, embedded in the culture of the business, locally owned and split into a framework of business focussed activities can reap huge reward.  Those owned by a single individual, collated into a huge folder no one looks at, uses or reads, pulled off the shelf for update shortly before the assessor arrives, will only ever be a cost.

The best management systems are invisible.  They are “just what we do as a business”.

Top Security Tips: documentation – Updated

April 15th, 2010 by Ralph O'Brien

During my experience as an assessor, auditor, practitioner and consultant, I find that documentation is a real pain for organisations.  Too often I see organisations that have ended up with documentation that is inappropriate for the way they work: large, bulky manuals full of technical information; documents that are inconsistent and in different formats and layouts; documents written for an external assessor rather than for a practical business process.  The result is clear.  People don’t bother to read or use them, and so the resulting business practices become non-compliant and out of control.  Security risks, therefore, increase dramatically.

Getting documents “write” shouldn’t be difficult.  I’ve compiled a list of top tips below that, if followed, should ensure that documentation stays relevant, up to date and usable and, more importantly, is read and followed by an organisation’s stakeholders.

The most important document you will write is the document control, or “how to document” document.  This will set out the formats and practices that the rest are built on, and makes sure that all the other documents are consistent within the organisation.

Educate staff on the difference between policy (senior management aspiration), procedure (documenting how to undertake a process), guidance (non-mandatory help or explanation) and records (evidence that procedures have been carried out).  Too many organisations use the word “policy” to mean all of the above and end up with documentation with very confused purposes and language.

Try to keep documents short and succinct.  As a guide, try and keep policies to a single page, procedures to around three.  Consider whether a picture or diagram will be more effective than words.

Allocate roles and responsibilities early to ensure everyone knows where they stand.  If you allocate someone a role or responsibility, be clear what that entails and requires of the individual.

Give staff ownership of documents that pertain to their part of the business.  Make them responsible for document update and maintenance.  Not only will it ensure that documents are produced, but that they are relevant, accurate and practical to their right audience.  Audit to ensure documents have been reviewed and updated.

Try and avoid large and unwieldy compliance manuals, instead build security controls in to the smaller business process documents that are relevant to the staff who will use them. 

When pursuing standards, though you must ensure the requirements are covered, ensure that documents are still written in language that is appropriate to the staff and culture of the business.  For example, if a standard says you must have a “corrective action” procedure, it may be better to call it something like “How do we fix problems?” instead of the title from the standard.

When applying protective marking (or information classification) to documents, make sure that everyone is educated in the marking system and what it means you can and cannot do with a document.  Consider extending the marking system to other tangible information assets, such as manual files, emails and media, and using it as the basis of physical access control (i.e. this is a “public” zone and through that door is the “confidential” zone).

Consider how you will evidence that staff have read and understood documents.  However, getting staff to sign loads of documents can sometimes be a waste of resource.  Consider standing orders that require staff to visit a folder or intranet page at a certain time, or an email with links to relevant documents.

Don’t mix words like “will”, “shall” and “should” in the same document.  Some words are aspirational (“will” is a good word for policy), some are mandatory (“shall” or “must” is good for procedures) and some are non-mandatory (“should” or “may” is good for guidance).  Mixing these words like this within a single document means that you are not providing clear direction to your staff on what they are required to do.  Being consistent in your words means that the style of documents and instructions to staff remain consistent.
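Two of the tips above can be mechanised: the rule that a policy, procedure or guidance document keeps to its own register of “will”, “shall/must” or “should/may”, and the rule that business documents should not be littered with references to the standards they happen to satisfy. The following is an added example, not code from the original post or from IT Governance, of a small lint that applies those rules (plus the rough page-length guide) to plain-text documents. The sample documents, the three document types and the 400-words-per-page figure are assumptions made for the example.

```python
"""Lint policy, procedure and guidance documents for consistent language.

Checks (1) that each document type uses only its own register of modal
verbs, (2) that the document does not cite management-system standards or
their clause numbers, and (3) a rough length guide.  The sample documents
below are constructed for this example.
"""
import re
from collections import Counter

# Modal verbs grouped by register.
REGISTERS = {
    "aspirational": {"will"},
    "mandatory": {"shall", "must"},
    "non-mandatory": {"should", "may"},
}

# Register each document type is expected to use exclusively.
EXPECTED = {
    "policy": "aspirational",
    "procedure": "mandatory",
    "guidance": "non-mandatory",
}

# Length guide: policy one page, procedure about three.
# 400 words per page is an assumed figure for this example.
WORDS_PER_PAGE = 400
MAX_PAGES = {"policy": 1, "procedure": 3}

# Modal verbs; the lookahead excludes dates such as "May 2011".
MODAL_RE = re.compile(r"\b(will|shall|must|should|may)\b(?!\s+\d)", re.IGNORECASE)
# Standard designations (ISO 27001, ISO/IEC 27001, BS 25999) and clause refs.
STANDARD_RE = re.compile(
    r"\b(?:ISO(?:/IEC)?|BS|EN)\s*\d{4,5}\b|\b[Cc]lause\s+(?:[A-Z]\.)?\d+(?:\.\d+)*"
)


def register_of(word):
    """Map a modal verb to its register name."""
    for name, words in REGISTERS.items():
        if word in words:
            return name
    raise ValueError(f"not a modal verb: {word}")


def modal_counts(text):
    """Count the modal verbs used in the text, keyed by lower-case word."""
    return Counter(m.group(1).lower() for m in MODAL_RE.finditer(text))


def lint(doc_type, text):
    """Return a list of findings for a document of the declared type."""
    findings = []
    expected = EXPECTED[doc_type]

    # Rule 1: only the expected register of modal verbs.
    stray = {w: n for w, n in modal_counts(text).items() if register_of(w) != expected}
    if stray:
        detail = ", ".join(f"{w} x{n}" for w, n in sorted(stray.items()))
        findings.append(f"{doc_type} should use {expected} language only; found {detail}")

    # Rule 2: no references to external standards or their clauses.
    refs = sorted({m.group(0) for m in STANDARD_RE.finditer(text)})
    if refs:
        findings.append(f"references to standards belong with the assessor, not here: {', '.join(refs)}")

    # Rule 3: rough length guide.
    words = len(text.split())
    limit = MAX_PAGES.get(doc_type)
    if limit and words > limit * WORDS_PER_PAGE:
        findings.append(f"{words} words exceeds the {limit}-page guide for a {doc_type}")

    return findings


# Constructed sample documents: the policy mixes registers, the procedure
# cites a standard, the guidance is clean (its "May 2011" is a date).
SAMPLE_DOCS = {
    "policy": (
        "Acme will protect the information it holds in proportion to its value. "
        "Staff will be trained on their responsibilities. "
        "All documents must carry a protective marking."
    ),
    "procedure": (
        "The service desk shall log every reported incident. "
        "The incident manager must classify it within one hour. "
        "This meets ISO 27001 clause A.16."
    ),
    "guidance": (
        "You may store working drafts on the shared drive. "
        "Drafts should be marked DRAFT until approved in May 2011."
    ),
}


def lint_all(docs=SAMPLE_DOCS):
    """Lint every document in the mapping; returns {name: [findings]}."""
    return {name: lint(name, text) for name, text in docs.items()}


if __name__ == "__main__":
    for name, findings in lint_all().items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it over a folder of exported documents by passing your own mapping of declared type to text into lint_all(); the value of the check is that it runs before the assessor arrives, on the documents staff actually use, rather than on the manual kept for the audit.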

Make sure document formats and templates are held centrally and used by staff to create documents.  This ensures the logo and brand is protected, and staff have examples to work from.  Make sure that documents can be approved and published centrally to ensure that all documents contain the relevant information and can be found when required (technology solutions for storing these documents in web portals are becoming more popular by the day).

Finally – whenever I train staff and information security professionals, the documentation part of the course is always initially met with a groan.  However, once people see the many benefits of a good documentation regime, they leave the session enthused and confident, knowing the benefits that good communication can bring to any organisation and the improvement it can bring to its security stance.

Post by Ralph O’Brien.

Beware of Bogus Agencies Acting as the ICO

March 15th, 2010 by Ralph O'Brien

Under the Data Protection Act 1998, anyone who processes personal data has a legal obligation to “notify” the Information Commissioner’s Office (ICO) that they are doing so, unless an exemption applies.  In fact it is a criminal offence not to notify, or to fail to keep the ICO up to date with any changes to the way an organisation processes personal data.

This notification can be done online or by phone directly with the ICO, and costs 35 GBP per year (500 GBP for larger businesses).  However, back in 2000, when working for the Police, I first became aware of “bogus agencies” who use this law to threaten businesses and extort money from them.  It seems the scam is still in operation today.

These businesses often charge up to 200 GBP to notify on an organisation’s behalf.  There is nothing illegal in charging an admin fee for taking this burden from other organisations.  What is wrong is the way they go about getting their clients, often posing as the Information Commissioner and writing threatening letters stating that organisations will be fined or people jailed if they do not pay up immediately to the bogus agency concerned.  Often their name or logo is designed to make an organisation think the bogus agency is an official body, and of course they do not state that the organisation can notify itself far more cheaply.