January 25th, 2012 by Melanie Watson
“Organisations that don’t allow staff access to social networking websites risk alienating the next generation of workers”
Support World Magazine
Research from Hyphen indicates that almost half of those under 25 would not join a company with strict social media policies. The report highlights the fact that young workers starting out on the career ladder have high expectations regarding technology and social media; 60% of them recognise that social networking sites such as LinkedIn improve their effectiveness.
Some managers believe that staff waste their time on social media sites such as Facebook and Twitter, and view it as a dangerous distraction. However, the Hyphen report contradicts this popular belief, concluding that over half of those polled who have access to social media at work spend less than 10 minutes per day on it for personal use, and a third spend no time on it at all during work hours.
Those service desk managers who don’t allow their team to use social media could be missing a trick. Nowadays, customers often relay feedback on the company or service desk using social media. If you have a presence on social media then you are more likely to measure customer satisfaction. In SDI’s recent ‘UK Service Desk Benchmarking Report’, Daniel Wood, the report’s author, found that 17% of respondents did not measure customer satisfaction. This is alarming, given that many service desks measure their success by feedback and perceptions from their customers. Using social media as a tool to gain customer feedback is a great way of getting responsive answers.
Use social media in your service desk team to your advantage with the Social Media Governance toolkit. The Social Media Toolkit helps organisations create an effective governance structure around their social media activities. Social media is, for many organisations, a critical part of how they speak to customers, partners and stakeholders; for others, social media is a dangerous distraction.
Dealing effectively with social media requires a joined-up approach that is aligned with the objectives and risk appetite of the business - a governance approach.
Source: Hyphen report, via Support World Magazine
Tags: it service management, ITSM, Social Media
Posted in ITIL & ITSM | No Comments »
January 24th, 2012 by James Warren
Following on from last week’s discussion ‘Which, Why and How is an ISO 27001 ISMS toolkit right for you’, I thought we should take a closer look at the ISO 27001 implementation team and how our special January offer is the logical step that your organisation should take to implement ISO 27001.
Organisations that are serious about implementing ISO 27001 and successfully achieving certification develop the in-house capability and skills through training.
They also take a risk-based approach to developing the Information Security Management System (ISMS), using our tried and tested ISO 27001 ISMS toolkits.
Buy any variation of the ISO 27001 ISMS toolkit before 31st January and get 15% off any ITG Training Course.
Our range of training courses offers a structured learning path from Foundation to Advanced level in ISO27001 and ISO27002, together with related topics that include PCI DSS, the Data Protection Act and Digital Forensics.
Training the ISO 27001 implementation team:
- In any ISO 27001 project you will have a Lead Implementer who is capable of leading their organisation to successful certification. The ISO27001 Certified ISMS Lead Implementer Masterclass is the perfect course for this role.
- You will need a team of Internal Auditors to effectively audit compliance with the ISO 27001 standard and against the controls contained in ISO 27002. You should book multiple people onto our essential ISO27001 Certified ISMS Internal Auditor training course.
- An understanding of the best practice guidance outlined in ISO27002 is essential to ensure compliance with ISO27001 in any organisation. Information Security Foundation based on ISO/IEC 27002 serves as a practical guideline for all members of staff as they initiate, implement and maintain an information security programme.
Save 15% on any of these courses when you buy an ISO 27001 ISMS toolkit before the end of January!
Tags: Information Security, ISMS, ISO 27001, ISO27001, ISO27001 Training
Posted in Information Security, Offers | No Comments »
January 24th, 2012 by Melanie Watson
“Only if consumers trust that their data is protected will they entrust companies with it … We need individuals to be in control of their information”
Viviane Reding, DLD conference, Munich
Europe is set to issue tough new data protection rules tomorrow in order to protect users. Their aim is to also simplify the EU’s approach to online data protection, making it easier for businesses to comply with the rules.
However, this legislative process is likely to take a couple of years, as it will need to be approved by national governments and some might resist. So we’re really looking at 2014 or 2015 before Internet companies will be required to comply and before we will see any real change.
According to a draft of the new powers that Reuters gained access to, the new rules will require companies to notify regulators when data has been stolen or mishandled, and fines will be able to run up to 1% of their global revenues. Individuals will be given the ‘right to be forgotten’ and the ‘right to data portability’, meaning they can easily transfer their data between companies and services.
Source: Reuters
In a different article, written by Bloomberg, they disclose that the new EU data-privacy rules will require companies to disclose data breaches within 24 hours of their occurrence. “Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, and they must do so without undue delay,” Reding concurs.
Source: Bloomberg
As noted above, we won’t see the full details of the new rules until tomorrow, but it’s good to have an idea of what we’re to expect.
How will these new rules affect you and your business?
Tags: european data protection
Posted in Data Protection | No Comments »
January 23rd, 2012 by Melanie Watson
According to SDI’s latest ‘UK Service Desk Benchmarking Report’, 84% of respondents plan to maintain or increase their current headcount over the next year. At a time when the UK economy is taking a downturn, these findings induce a feeling of relief and optimism.
The report goes on to suggest that service desk managers are committed to ensuring their service desks are adequately staffed and that the service desk is able to obtain – and justify – budget to increase headcount, which is a significant finding.
Source: Support World Magazine
Make your service desk run as efficiently and cost-effectively as possible with the ITSM, ITIL® & ISO/IEC 20000 Implementation Toolkit. This toolkit bridges a gap in the market by making IT service management easier to implement and improve, cutting down your costs and reducing overheads.
Special offer: Buy this toolkit before the end of January and receive a voucher for 15% off any ITG training course!
Tags: it service management, ITIL, ITIL 2011 updates, ITILv3, ITSM
Posted in ITIL & ITSM | No Comments »
January 23rd, 2012 by Melanie Watson
Global research consultancy company, Illuminas, receives ISO 27001 certification after over a year’s worth of dedicated work.
John Ricketts (Director of IT and Information Security) and John Ricketts (Global COO) comment, “We are delighted to achieve ISO 27001 at a time when data protection and data privacy are increasingly important in both the research industry and society generally. ISO 27001 ensures there are clear benefits for clients and respondents, with personal information as well as client confidential material encrypted 100% of the time whilst on Illuminas systems. The standard is a systematic approach to managing the security of sensitive information covering people, processes, IT systems and policy. We believe all research companies should follow the guidelines of the standard given they are often entrusted with personal information.”
Source: Illuminas Press Release, PRWeb
Achieving ISO 27001 instils confidence in your customers about how you handle their data. ISO 27001 is the international standard for Information Security Management Systems (ISMS) and covers topics such as:
- Extensive risk management evaluation
- Business resilience planning
- Ensuring data security standards set by client companies are met
If you’re thinking about implementing ISO 27001 requirements, then take advantage of our Value Added ISO 27001 ISMS Toolkit Offer. This comprehensive toolkit will cost-effectively accelerate your ISO 27001 project and help you to become certification-ready in no time!
Tags: Information Security, ISO 27001, ISO27001, ISO27001 Training
Posted in Information Security | No Comments »
January 23rd, 2012 by Melanie Watson
Praxis Care charity lost a memory stick in August 2011, containing confidential data of 160 different people. The data that was held on the unencrypted stick contained personal information such as their mental health and care records.
Since losing the memory stick and coming under the wrath of the ICO for suffering the data breach, Praxis Care is now committed to improving its data protection standards.
Christopher Graham, the information commissioner, said: “Carrying people’s personal information around on an unencrypted memory stick is clearly unacceptable.”
To avoid a situation like the above, companies need to use a secure USB stick with hardware encryption.
SafeXs is a secure USB stick with AES 256-bit hardware encryption and is FIPS 197-certified. Over 1 million of these sticks are now in use by the NHS, helping to keep patient data and other confidential data secure.
Simply plug in a SafeXs and within minutes you can be up and running. All you need to do is set a password, and any data placed on the SafeXs is encrypted.
Tags: Data Breaches, Data Security, DPA, ico
Posted in Data Breaches | No Comments »
January 19th, 2012 by Melanie Watson
Leading Indian pharmaceutical research and development company, Semler Research Center (SRC), has been awarded ISO 27001 certification in recognition of its deployment of information security best practices.
ISO 27001 is the best practice specification that helps businesses across the world develop a best-in-class Information Security Management System (ISMS). An ISMS is a systematic approach to managing confidential data so that it remains secure, covering the security of people, processes and IT systems.
Dr Krathish Bopanna, President and Executive Director of SRC, said: “It is an important milestone for us and reiterates our efforts in the direction of data security, confidentiality and client data protection. We recognize and understand that the security of our sponsor’s data is of vital importance and this independent accreditation should help our customers and their confidence that we have adequate measures and internal procedures in place to protect their data and eliminate any potential security risks… This certification shows our commitment to sponsors’ information security, business continuity and physical security”.
In April 2011, the Indian Government announced a new data privacy law that applies to any company that collects information within the country.
The proposed regulations under the ITA (Information Technology Act) state that those who have implemented ISO 27001 “shall be deemed to have complied with reasonable security practices” which are “duly approved by the Central Government.”
Therefore, complying with ISO 27001 will mean that you are complying with the regulations stated in the ITA.
If you’re looking to kick start your ISO 27001 implementation project, then Introducing ISO27001 contains four complementary texts from Alan Calder or Steve Watkins, who are widely acknowledged as experts in the practical implementation of this international best-practice standard.
Tags: information security india, ISO 27001, ISO27001
Posted in ISO 27001 | No Comments »
January 19th, 2012 by James Warren
Before we get on to the ‘which’, let’s explore ‘why’ and ‘how’ the ISO 27001 ISMS toolkit range has helped hundreds of organisations across the world to achieve ISO 27001 certification readiness.
‘WHY’ choose an ISO 27001 ISMS toolkit?
The hardest part of achieving ISO 27001 certification is the documentation of the Information Security Management System (ISMS). The documentation that is necessary to create a conforming system can, particularly in more complex businesses, be up to a thousand pages.
A toolkit can accelerate your ISO 27001 project immensely. The key benefits of a toolkit are:
- A toolkit is cheaper than one day’s consultancy
- Provides clear guidance on the role of risk assessment
- Template documents are easy to edit and customise
- Template documents save you time on research
- Template documents save you time on procedure writing
- Makes you your own expert
- An after sales support service
- 12 months of automatic updates
Then there’s the ‘HOW to do it’ issue.
The resource, time and management implications of making all this happen are immense. But that’s where toolkits come in. Our toolkits are precisely tailored to the requirements of ISO 27001 and contain pre-written documents, which can be tailored to your organisation. Our unique document support service offers after sales support to answer your queries, and each toolkit includes 12 months of free updates.
Importantly, you do not want hundreds and hundreds of policies; after all, ISO 27001 only requires 7 policies. By purchasing a toolkit, you receive a set of policies and procedures that really enable you to implement ISO 27001.
And finally, ‘WHICH’ toolkit is right for you?
The No 3 Comprehensive ISMS Toolkit contains everything you need to implement a successful ISO 27001 project. It also includes the risk assessment tool, vsRisk. It contains the documentation toolkit, the 3 information security standards, the 2 most authoritative books available and a LiveOnline consultancy session to help you along the way.
All other versions of the best-selling ISO 27001 ISMS toolkit take into consideration that you may already have the standards, or a risk assessment tool, or any other of the six key components. There is a version to suit your requirements.
See the matrix of components of each of the toolkits:
Buy any variation of the ISO 27001 ISMS toolkit before 31st January and get a 25% discount code for any ITG Training Course!
Tags: Implementation Toolkit, Information Security, ISO 27001, ISO27001, ISO27001 Training, ITGP
Posted in Information Security, Offers | No Comments »
January 17th, 2012 by Melanie Watson
It seems like every week we hear a new story in which a company has been hacked, has broken the Data Protection Act and/or has been fined. Although in these hacking stories the data of innocent people is often compromised, it seems like the blame is often put upon the companies, when in fact it should be the hackers who take the blame.
After a data breach occurs, how much investigation goes into finding the hacker who committed the crime? Little? Or none? It is easier to blame the company where the attack occurred, issue a fine, and pronounce them incompetent at looking after your data. But is this really the case? Lee Howell, Managing Director at the World Economic Forum, stated that “it’s impossible to be completely secure online”. So if this is true, then why should the victims (companies) be blamed? Yes, I agree that companies who manage sensitive data should take the necessary precautions to do everything they can to protect that data, but where does the justice lie for them if they did not commit the real crime?
Take it like this; if you were to lock your house up at night (doors, windows etc.) before you went to bed, and you were burgled during the night, should it then be you who faces prosecution for not protecting your house properly, or should the person who broke into your house be prosecuted?
Lee Howell talks about social norms in terms of cyber crime, concluding that “we do not yet fully understand how social norms are shaped in the virtual world. Why is it that many people who would be ashamed to admit stealing a DVD from a shop will happily discuss illegally downloading a movie?” This can be referenced to the point above about the current justice system for hackers and hacked companies.
It is important to note that one of the main reasons cyber criminals don’t get caught is the anonymity of it all. Hackers are often more technologically advanced than the people tracking them down, which can mean that many investigations come to a halt before they’ve even begun. Hacking software is easy to find on the web, meaning that anyone can try their hand at it, which has been a major cause of the proliferation of hacking. Another main reason why hackers fail to get caught is the difficulty of cross-border policing. If you notice a computer attack that came from country X, tracking down that cyber criminal would be near-impossible due to the different laws and regulations of the two countries. Adam Segal from The Diplomat says, “It’s hard to deter if you can’t punish, and you can’t punish without knowing who is behind an attack.” With so much difficulty in tracking down hackers, they often get away with the crime, but does their anonymity give them the right to this?
More attention should be put on the hackers themselves (tracking them down and prosecuting them), rather than the companies who suffer data breaches because of them. A unified approach and shift in focus will lead to a more realistic deterrent for cyber criminals, hoping to break the cyber gang culture that is appearing across the web.
Food for thought anyway.
Tags: CyberCrime, Cybersecurity, CyberTerror, CyberWar, Data Protection Act, Data Security, Information Security
Posted in Information Security | No Comments »
January 16th, 2012 by Melanie Watson
A recent report by Cisco shows frightening statistics that threaten to damage IT security as we know it.
The report found:
- 70% of young employees frequently ignore IT policies
- Two-thirds of young employees believe their companies’ policies need to be changed
- 61% said corporate IT security isn’t their responsibility, and that it should be that of their employer or the maker of their devices
This ‘casual’ attitude towards IT security may be a contributing factor to the fact that one in four people asked have been a victim of identity theft before the age of 30.
“The desire for on-demand access to information is so ingrained in the incoming generation of employees that many young professionals take extreme measures to access the Internet, even if it compromises their company or their own security,” the report said.
And when asked why 70% of young employees ignore IT policies, the reasons given were:
- They didn’t think they were doing anything wrong
- They needed to do it to get their job done
- They didn’t have time to think about policies while they were working
- The policies weren’t enforced in the first place
- Adhering to the policies was not convenient
This attitude towards IT security needs to change amongst young people; otherwise their employers could be in serious trouble. Leaving networks vulnerable to attack could allow your systems to be infiltrated by hackers, with the risk of losing sensitive data and suffering a data breach.
To ensure that all your employees are up to scratch on what to do, and what not to do, on the Internet, take an Information Security Staff Awareness e-Learning Course.
This Information Security course recognises that information security awareness starts at home and then aims to help employees understand the organization’s information and compliance risks, thereby reducing the organization’s liability due to security failures. The course not only familiarises the learners with the basics of information security, including security threats via emails, the Internet and at the workplace, but also introduces the learners to the policies on incident reporting and responses. Having completed the 40-minute course, students can take a 20-question multiple-choice test.
This Information Security Staff Awareness course, which includes an online certificated test, is squarely based on the detailed guidance of ISO27002 and covers the following areas:
- What has Information Security got to do with you?
- Where does your organisation fit in?
- Definitions: what is Information Security?
- Could this happen to you? (Scenarios and follow up questions).
- Information Security at home – potential weaknesses (Passwords, Phishing, Web 2.0, USB sticks, Sat Nav)
- Information Security at work
- Secure perimeters
- Tailgating
- Clear desk and screen
- Passwords
- Portable media
- Information classification
- Intellectual property
- Security incidents
- Business continuity
- Important documentation, with links to key policies and procedures
Tags: Information Security, ISMS, ISO27001 Training, Training
Posted in Information Security | No Comments »