Archive for the ‘Data Protection’ Category

“It’s data protection gone mad”

May 1st, 2013

Data protection seems to have a bit of an image problem. What began with such good intentions is fast becoming a scapegoat for silly decisions, overzealous practitioners and an awful lot of paperwork.

Slightly bonkers stories, such as the letter featured in The Guardian last month from a lady whose purse had been shredded ‘for data protection purposes’, have led to data protection being viewed in the same irrational light as human rights and health and safety.

All three concepts are perfectly sensible and lovely, but are too often misunderstood. Scared of the consequences of getting these things wrong, organisations tend to over-compensate, leading to measures such as banning triangular flapjacks and refusing to sell knitting needles.

Admittedly it keeps a small army of Daily Express journalists in work but it’s not good for those of us who’d rather keep our data, health and human rights safe.

The truth is that data protection does need to be a serious concern for all organisations. Everyone needs to comply with the 8 key principles of the act or face fines of up to £500,000.

However, it is possible to comply without inconveniencing your customers, without hundreds of convoluted processes and without making yourselves look stupid.

The IT Governance DPA Foundation Course is a one-day introduction to the act. Led by an expert, the foundation will dispel the myths and make sure you get data protection right.


IT Governance and DNV BA experts speak about ISO27001 at the CBI

March 8th, 2013

First in a series of joint ‘ISO27001 Workshop’ events held with Certification Bodies opens to a packed house.

It was 09:30 am on the 26th February. Venue: the CBI Conference Centre at Centre Point in London. In the room were gathered 50 senior managers from UK industry.

As I stood to welcome the delegates attending our ‘Information Security Workshop – Practical Guidance for Senior Managers’, held jointly with DNV Business Assurance, I realised that ISO27001 has become mainstream. “If anyone on your Board says that ISO27001 information security is of no interest to your customers, suppliers and stakeholders…,” I said, surprised at my own boldness so early in the day, “…then, remember this moment. Look around you: the room is full to capacity. There is interest – both in here… and out there!”

And it was true. Days before the event, we had to put a red flash on our site advising those who wanted to book that this Event was full and we were no longer accepting bookings – please enquire about future ISO27001 events for senior managers (in the advanced planning stages) and register your interest in attending. We often fill our popular ISO27001 training courses – particularly Foundation and Lead Implementer, but achieving the same for this practical Workshop and shop window for our consultancy services was not anticipated to be a ‘C-suite magnet’.

And yet, the leaders of FT500 names were there at the beginning – and the end!

So why now? Why is ISO27001 proving to be such a draw for organisations with a national and international profile – for there were major names in our audience – and smaller enterprises, whose senior managers were enthusiastically registering from the time that we posted our page with the details? Perhaps because this ISO management system is the one that all entities need to trade safely and securely?

Paul Breslin of DNV and Alan Calder of IT Governance made the key point in their talks that Standards help organisations to be more successful and more profitable.

Ralph O’Brien of IT Governance then talked the delegates through a short case study involving Tribal, a leading provider of systems and solutions to the education, training and learning markets. This was followed by a case study on achieving ISO 27001 certification in the Financial Services sector, delivered by the DNV BA team.

Workshop Round-table discussions on certification and consultancy took place in the afternoon (see Twitter pic) moderated by DNV BA and IT Governance respectively. The majority of participants chose to join in both Workshop sessions, which were then followed by one-to-one expert advice ‘surgeries’ conducted by IT Governance consultants and DNV representatives, during which delegates could ask questions.

During the day, it became clear from delegate comments that if you can show the marketplace that you’re using the ISO27001 standard properly, you can attract better customers, participate in wider supply chains and reassure stakeholders about how well run your organisation is. To get that recognition, and to make sure that the standard is being used correctly, accredited certification is generally seen as a major plus. That means calling in a third-party certification body (CB) to check how the standard is being applied. If it’s being used effectively, the CB issues a certificate. The organisation can then publicise itself as ‘certified’ to the standard and enjoy all the benefits that brings – which was felt to be a compelling reason to adopt ISO27001. Improving cyber security to reduce risk and minimise losses was also important, but as one delegate said: “We want to win business through Trust.”

The second in a series of dedicated Information Security workshops is due to take place in Swindon on Thursday 18th April, at an event held jointly by IT Governance and another UKAS-accredited certification body, Certification International (CI).

The venue this time will be the Sir Daniel Gooch Theatre and Balcony at STEAM – The Museum of the Great Western Railway. A payment of £35+VAT per delegate is needed to secure your place at the event. You are advised to make your bookings as early as possible as we anticipate heavy demand for tickets in the South West.

Register online or call: 0845 070 1750. This is a rare opportunity to participate in a day of highly-informative talks, practical workshops and one-to-one advice sessions to learn how your organisation will benefit from ISO27001 information security and the steps that you need to take to implement/maintain your ISMS – don’t miss out!

For more information on how to plan your cyber security defences based on ISO27001 and keeping your business safe, download our free ‘green paper’ here >>


What the New EU Cybersecurity strategy means for you

February 12th, 2013

The strategy for “An Open, Safe and Secure Cyberspace”, proposed by the European Commission (EC) in conjunction with the Representative of the Union for Foreign Affairs and Security Policy and announced on 7th February 2013, sets out how the European Union (EU) plans to prevent and respond to cyber disruptions and attacks. The strategy details five key cybersecurity priorities:

  • Achieving cyber resilience
  • Drastically reducing cybercrime
  • Developing cyber defence policy and capabilities related to the Common Security and Defence Policy (CSDP)
  • Developing the industrial and technological resources for cyber-security
  • Establishing a coherent international cyberspace policy for the European Union and promoting core EU values

Far from being a lofty aspiration, the strategy is backed by a proposed EC directive on network and information security (NIS) which will require actions from Member States and industry alike. The directive is a key part of the EU’s cybersecurity strategy, which aims to guarantee a secure and trustworthy environment throughout the EU. Among other measures, the proposed directive requires key infrastructure sectors and information processors to adopt risk management practices and to report major security incidents affecting their core services. Business sectors specifically named include:

  • financial services
  • transport services
  • energy services
  • health services
  • app stores
  • e-commerce platforms
  • Internet payment
  • cloud computing
  • search engines
  • social networks

According to a Deloitte TMT Global Security Study, a survey of executives at the world’s largest technology, media and telecommunications (TMT) companies, 70% of those surveyed identified a lack of security awareness among employees as a vulnerability: “innovations in technology and the people using these technologies also rank as one of the biggest threats, with 70 percent listing their employees’ lack of security awareness as an “average” or “high” vulnerability.”

ISO27001 is the International Cybersecurity Standard that should be employed by all organisations. At IT Governance we produce a range of ISO27001 toolkits which provide all the tools you need to create your own ISO27001-compliant Information Security Management System (ISMS).

This week we are promoting the benefits that buying a toolkit can bring you and your business. Toolkits give you the knowledge and information you need to cost-effectively achieve your goals, setting you apart from your competitors.

We offer free trials of all our best-selling toolkits. These toolkits contain all the documents, templates and tools to help organisations quickly and cost-effectively implement a management system or IT standard.


Take a free ISO 27001 toolkit demo today

Toolkit Demos >>

  • ISO22301 Business Continuity Management System Documentation Toolkit
  • ISO27001 Cyber Security ISMS Documentation Toolkit
  • ITSM, ITIL & ISO20000 Implementation Toolkit
  • ISO9001 Quality Management System Documentation Toolkit
  • Business Transformation Toolkit

View all of our Free toolkit demos

10 great reasons to get the NEW guide on data security

April 30th, 2012

Now in its 5th edition, IT Governance: An International Guide to Data Security and ISO27001/ISO27002 is a great buy for anyone interested in data security. Here’s why:

  1. Includes NEW material on key international markets, including the EU, the UK, North America and Asia Pacific
  2. Fully updated to take account of current cyber security and advanced persistent threats
  3. Written by world-renowned information and data security experts, Alan Calder and Steve Watkins
  4. It is the de facto guide to implementing an Information Security Management System (ISMS)
  5. Reflects the latest regulatory and technological developments
  6. Details how to design, implement and deliver an ISMS that complies with ISO 27001 – the world’s only cyber security standard
  7. Provides clear, unique data security guidance for both technical and non-technical managers
  8. It is the UK Open University’s post-graduate information security textbook
  9. All aspects of data protection / information security are covered, including viruses, hackers, online fraud, privacy regulations, computer misuse, investigatory powers etc.
  10. Web-enabled to keep you up-to-date with key changes to the content of the book.

Buy today >>

IT Governance: An International Guide to Data Security and ISO27001/ISO27002
by Alan Calder and Steve Watkins

Price: €59.99

‘I purchased this book at the very beginning of our ISO27001 project, spent many evenings reading it in bed, and using information from the book we have now successfully implemented ISO27001 – testament to this is that our organisation achieved registration this April.’
Alan Flay, Information Security Manager, Seetec Ltd.

Buy your copy today >>

Please note: This is the updated version of IT Governance: A Manager’s Guide to Data Security

Will Google pass EU’s data protection laws?

March 1st, 2012

With Google planning to change its privacy policies as from today, will they slot into place with the EU’s data protection directive?

EU regulators have urged Google to ‘pause’ the changes so that they can analyse them first and see whether they will affect the EU’s data protection directive.

The French regulator, ‘The Article 29 Working Party’ said it was “deeply concerned about the combination of data across services and will continue their investigations with Google’s representatives”.

The European Commissioner is set to change its directive within the next few years, but as the directive stands today, will Google pass the EU’s data laws?

Google says that it is simply “improving user experience” and making its policies simpler and easier to understand.

Will Google have to make exceptions for the European Data Protection Directive? If not, how will Google settle the disagreement?

Source: BBC

ISO27001: Know your requirements

February 14th, 2012

Whilst the legislative process continues, Europe is set to issue tough new data protection rules for all Internet-based companies that operate in Europe.

If passed, the new rules will:

  • Require companies to notify regulators when data has been stolen or mishandled (possibly within 24 hours)
  • Allow fines of up to 1% of a company’s global revenues if a data breach occurs
  • Give individuals the ‘right to be forgotten’, as well as the ‘right to data portability’
    (Source: Reuters & Bloomberg)

As a company that handles sensitive data, you will be required to make sure you have a system in place to keep your customers’ data in a safe and secure environment. Kick-start your compliance by implementing an Information Security Management System (ISMS) and download yourself a copy of the ISO 27001 ISMS Requirements.

Know your requirements with ISO 27001 >>

ISO27001 (ISO 27001 – BS7799-2) ISMS Requirements

Price: €104.00

ISO 27001 is the only international information security management standard for an ISMS. ISO27001 helps businesses create a best-in-class ISMS which can be independently audited and certified. Creating an ISO27001-compliant ISMS will assist your organisation in meeting its information security-related regulatory compliance requirements.

Know your requirements with ISO 27001 >>

More to explore:

  • An Introduction to Information Security and ISO27001
  • Nine Steps to Success: an ISO 27001 Implementation Overview
  • All Three ISMS Standards

Europe’s new approach to data protection

January 24th, 2012

“Only if consumers trust that their data is protected will they entrust companies with it … We need individuals to be in control of their information”

Viviane Reding, DLD conference, Munich

Europe is set to issue tough new data protection rules tomorrow in order to protect users. The aim is also to simplify the EU’s approach to online data protection, making it easier for businesses to comply with the rules.

However, this legislative process is likely to take a couple of years as it will need to be approved by national governments and some might resist. So we’re really looking at 2014 or 2015 before Internet companies will be required to comply and before we will see any real change.

According to a draft of the new powers that Reuters gained access to, the new rules will require companies to notify regulators when data has been stolen/mishandled and that fines will be able to run up to 1% of their global revenues. Individuals will be given the ‘right to be forgotten’ and the ‘right to data portability’, meaning they can easily transfer their data between companies and services.

Source: Reuters

In a different article, written by Bloomberg, they disclose that the new EU data-privacy rules will require companies to disclose data breaches within 24 hours of their occurrence. “Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, and they must do so without undue delay,” Reding concurs.

Source: Bloomberg

As noted above, we won’t see the full details of the new rules until tomorrow, but it’s good to have an idea of what we’re to expect.

How will these new rules affect you and your business?
