Archive for the ‘Consultants View’ Category

Beware of Bogus Agencies Acting as the ICO

March 15th, 2010 by

Under the Data Protection Act 1998, anyone who processes personal data has a legal obligation to “notify” the Information Commissioner’s Office (ICO) that they are doing so. In fact, it is a criminal offence not to notify, or to fail to keep the ICO up to date with any changes to the way an organisation processes personal data.

This notification can be done online or by phone directly with the ICO, and costs 35 GBP per year (500 GBP for larger businesses). However, it was in 2000, while working for the Police, that I first became aware of “bogus agencies” that use this law to threaten businesses and extort money from them. It seems the scam is still in operation today.

These businesses often charge up to 200 GBP to notify on an organisation’s behalf. There is nothing illegal in charging an admin fee for taking this burden from other organisations. What is wrong is the way they go about getting their clients, often posing as the Information Commissioner and writing threatening letters stating that organisations will be fined or people jailed if they do not pay up immediately to the bogus agency concerned. Often their name or logo is designed to make an organisation think that the bogus agency is an official body, and of course they do not state that the organisation can do it itself far more cheaply.

ISO27001: Getting The Staff On Board

February 17th, 2010 by

Ever watched a presentation that’s left you with the feeling that it was an hour of your life you’ll never get back? Ever sat in a room full of people that are just two PowerPoint slides away from screaming “None of this matters!” before defenestrating themselves? Have you ever had to present to a room full of people like that? People who have so little interest in you, or your subject, that they’ve had to resort to stabbing their own leg with a biro just to stay awake?

I might be going out on a limb here, but I’m pretty sure that most people reading this will have been subjected to “Death by PowerPoint” at some time in their lives, and that most of us have previously resorted to any excuse short of actually faking our own death not to be subjected to it again. The simple fact is that it’s hard to keep your attention focussed on anything you’ve already decided you don’t care about. It doesn’t matter how often someone extols the virtues of something to you; if you can’t see how it matters to you, you’re unlikely to care.

Business vs. The Weather: The Availability Problem

December 22nd, 2009 by

Recently my neck of the woods has been taking a bit of a beating from the weather gods. First it was the rain, which flooded part of the town I live in and all but destroyed a couple of towns nearby. This week it’s been snow, which has reduced the main roads in and out of my home town to a complete standstill at some times, and an outright deathtrap at others.

Happily, having a member of staff, or even several members of staff, trapped by the weather has little or no impact on ITG’s continuing operation. Why? Because we operate an Information Security Management System to the ISO27001 standard. We are prepared.

ISO27001 and the SME: do not be afraid

December 16th, 2009 by

In my inaugural post last week I talked about those companies out there who certificate their own work, in particular to ISO27001. I’m not going to go over the same argument again here, but I do feel it would be remiss of me not to address the more pressing, underlying cause that feeds such organisations in the first place: information security can be expensive to do properly.

In particular, ISO27001 can be an expensive standard to tackle for small businesses. That doesn’t mean that there’s any less of a demand for it, however: the “information age” has provided start-ups and SMEs with the tools required to punch well above their weight, and they often find themselves in the supply chains of much larger bodies who demand a certain standard in doing business, including how you manage your information security.

What to do in that situation? Well, there are a number of options available:

Information Security: No cowboys please

December 7th, 2009 by

There are some things that make me grind my teeth with despair. People who seem to think that everyone in the train carriage will appreciate the music on their phone, for example, or the grammar checking function on my word processor that’s convinced it knows better than I do. Oh, and companies that trade on the reputation of international standards, without actually complying with them. I admit, that last one’s probably a bit more specific to me than the other two.

In my particular field (information security) the international standard is ISO/IEC 27001:2005. There are lots of good reasons to comply with this standard, which are well documented elsewhere on the IT Governance website and in this great little pack of books on the subject. For the purposes of this post let’s just say that if you need to keep your company information present, correct and secure, ISO27001 is the standard you want. Organisations do want it, too, in their thousands, and they look for help in implementing it.

The case for EN 16001

December 1st, 2009 by

Strategic approach to energy management: EN 16001

In today’s highly volatile and competitive marketplace, energy costs have assumed a greater significance. With rising fuel costs, open markets in gas and electricity and new government climate change policies, no organisation can afford to be complacent in managing its energy efficiently.

Evidence shows that adopting structured management techniques for energy management can result in significant savings.

There has never been a better time for any organisation, large or small, to move forward and adopt a strategic, formal approach to managing its energy system.
