Posts Tagged ‘Data Security’

August ISO27001 Training Offers from IT Governance

August 17th, 2010 by James Warren

Throughout August we’re offering some fantastic deals on our September 2010 training courses and I would hate for you to miss out. You can see all the offers available on our blog. Below are some offers that I thought may be of particular interest to you:

Offer 1: ISO27001 Foundation Course

Foundations of Information Security Management According to ISO27001 Training

This 1-day course will be held in Manchester on 7 September and gives an excellent overview of the ISO27001 standard, including how ISO27001 is helping companies around the world compete more effectively, how ISO27001 helps organisations meet their legal, regulatory and contractual compliance objectives, and how ISO27001 helps increase user productivity and reduce IT problems.

Delegates who book the course during August will receive a bundle of e-books (worth over £100), absolutely free, which will complement their training and help them towards successful ISO27001 certification.


Key DPA statistics from the ICO annual report

August 5th, 2010 by James Warren

I have just been reading the Information Commissioner’s Annual Report 2009/10, and thought I’d summarise a few of the key statistics that really matter.

  • 91% of people are aware of their right to see information held about them. How would your organisation deal with a subject access request? Do you have a process in place to ensure you meet the requirements of the Sixth Principle of the DPA?
  • 94% of people are concerned about the protection of their personal information. How does your organisation demonstrate to its customers that it takes the security of their personal information seriously?
  • 1,055 organisations have signed the Personal Information Promise. Out of almost 46,000 registered data controllers, this is a drop in the ocean.
  • 30% more requests for advice and complaints than in the previous year. This trend looks set to continue as awareness of rights, and fear of identity theft, continue to rise.
  • 40% (32,714) more data protection cases closed than in the previous year. This shows that the ICO has become more efficient and better equipped to respond to complaints, and is taking its new powers seriously.
  • 28% of complaints (the most common category) related to subject access. As people’s awareness of their rights under the DPA increases, businesses are failing to keep up, and are failing to meet their subject access obligations.

The report goes on to highlight that the ICO issued 15 enforcement notices during the year (and names the organisation they were issued to); 16 on-site compliance audits were conducted; 57 undertakings were obtained during the year and 7 bodies (a mix of individuals and organisations) were successfully prosecuted for failing to notify as a data controller with the ICO.


NHS Slated By The ICO For Frequent DPA Blunders

June 17th, 2010 by James Warren

In a press release this week, the Information Commissioner’s Office (ICO) slates the NHS for not taking the security of personal information seriously. It claims that a quarter (250) of all data breaches reported to the ICO are from the NHS. According to the Data Breach Table (also published by the ICO), the number of reported data breaches from the NHS actually exceeds a quarter, and is stated to be 305.

The issue here isn’t the discrepancy in the figures; the issue is that NHS organisations are obliged to notify the ICO of every data breach, whereas other organisations, particularly in the private sector, are not. Given this, branding the NHS as the worst offender for data breaches may not be entirely accurate.

Putting these issues aside, there can be no disputing the fact that there are far too many data breaches coming from the NHS and the action taken by the ICO is justified.

Mick Gorrill, Head of Enforcement at the ICO, said:
“Everyone makes mistakes, but regrettably there are far too many within the NHS. Health bodies must implement the appropriate procedures when storing and transferring patients’ sensitive personal information. We have taken a number of steps to explain the importance of personal data to NHS bodies and help them comply with the law. We will continue to do so.”

Beyond signing a formal undertaking and promising to do a better job, a serious data breach can be a lot more harmful to an organisation, no matter what sector you are in. There are financial penalties of up to £500,000 for a start, and then there is the brand damage, which could cripple your income streams at the source as customers lose trust and move to your competitors.

Don’t be the next ICO breach, escape £500,000 fines!

June 10th, 2010 by James Warren

New powers, designed to deter data breaches, came into force on 6 April 2010. The Information Commissioner’s Office (ICO) can now order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act. The power to impose a monetary penalty is designed to deal with the most serious personal data breaches and is part of the ICO’s overall regulatory toolkit which includes the power to serve an enforcement notice and the power to prosecute those involved in the unlawful trade in confidential personal data.

The number of data breaches reported to the ICO has now exceeded 1000, and while this may sound like a lot, the reality is that these breaches are a drop in the ocean when combined with the non-disclosed breaches that occur every day due to insufficient information security controls and human error.


So you know that you have to comply with the Data Protection Act, and you know that the penalties for non-compliance are far tougher than any seen before.

Adopt a Best-in-Class Information Security Management System

April 20th, 2010 by James Warren

With 201 CMR 17.00, the Massachusetts Data Protection Law, recently passed and the Nevada PCI compliance deadline long gone, it is only a matter of time before other states follow suit and adopt stringent information security and data protection laws.

ISO 27001 is the best practice specification that helps businesses and organizations throughout the world to develop a best-in-class Information Security Management System (ISMS) that will stand up to the next round of state and/or federal regulations.

We have developed a range of ISO27001 ISMS Toolkits which enable organizations to quickly and effectively implement an ISMS in line with ISO27001. These toolkits are now in use in hundreds of organizations of all sizes all around the world, saving months of work and helping to avoid costly trial-and-error dead-ends.

Top Security Tips: documentation – Updated

April 15th, 2010 by Ralph O'Brien

During my experience as an assessor, auditor, practitioner and consultant, I find that documentation is a real pain for organisations. Too often I see organisations that have ended up with documentation that is inappropriate for the way they work: large, bulky manuals full of technical information; documents that are inconsistent and in different formats and layouts; documents written for an external assessor rather than for a practical business process. The result is clear. People don’t bother to read or use them, and this means the resulting business practices become non-compliant and out of control. Security risks will therefore increase dramatically.

Getting documents “write” shouldn’t be difficult. I’ve compiled a list of top tips below that, if followed, should ensure that documentation stays relevant, up to date, usable and, more importantly, read and followed by an organisation’s stakeholders.

The most important document you will write is the document control, or “how to document” document.  This will set out the formats and practices that the rest are built on, and makes sure that all the other documents are consistent within the organisation.

Educate staff on the difference between policy (senior management aspiration), procedure (documenting how to undertake a process), guidance (non-mandatory help or explanation) and records (evidence that procedures have been carried out). Too many organisations use the word “policy” to mean all of the above and end up with documentation with very confused purposes and language.

Try to keep documents short and succinct.  As a guide, try and keep policies to a single page, procedures to around three.  Consider whether a picture or diagram will be more effective than words.

Allocate roles and responsibilities early to ensure everyone knows where they stand.  If you allocate someone a role or responsibility, be clear what that entails and requires of the individual.

Give staff ownership of documents that pertain to their part of the business. Make them responsible for document update and maintenance. Not only will this ensure that documents are produced, but also that they are relevant, accurate and practical for the right audience. Audit to ensure documents have been reviewed and updated.

Try to avoid large and unwieldy compliance manuals; instead, build security controls into the smaller business process documents that are relevant to the staff who will use them.

When pursuing standards, though you must ensure the requirements are covered, ensure that documents are still written in language that is appropriate to the staff and culture of the business.  For example, if a standard says you must have a “corrective action” procedure, it may be better to call it something like “How do we fix problems?” instead of the title from the standard.

When applying protective marking (or information classification) to documents, make sure that everyone is educated in the marking system and what it means you can and cannot do with a document. Consider extending the marking system to other tangible information assets, such as manual files, emails and media, and using it as the basis of access control (i.e. this is a “public” zone and through that door is the “confidential” zone).

Consider how you will evidence that staff have read and understood documents.  However, getting staff to sign loads of documents can sometimes be a waste of resource.  Consider standing orders that require staff to visit a folder or intranet page at a certain time, or an email with links to relevant documents.

Don’t mix words like “will”, “shall” and “should” in the same document. Some words are aspirational (“will” is a good word for policy), some are mandatory (“shall” or “must” is good for procedures) and some are non-mandatory (“should” or “may” is good for guidance). Mixing these words within a single document means that you are not providing clear direction to your staff on what they are required to do. Being consistent in your words means that the style of documents and instructions to staff remains consistent.

Make sure document formats and templates are held centrally and used by staff to create documents.  This ensures the logo and brand is protected, and staff have examples to work from.  Make sure that documents can be approved and published centrally to ensure that all documents contain the relevant information and can be found when required (technology solutions for storing these documents in web portals are becoming more popular by the day).

Finally, whenever I train staff and information security professionals, the documentation part of the course is always initially met with a groan. However, once people see the many benefits of good documentation regimes, they leave the session enthused and confident, knowing the many benefits that good communication can bring to any organisation, and the improvement it can bring to its security stance.

Post by Ralph O’Brien.

Data Breaches: April 2010

April 15th, 2010 by James Warren

Below is a list of known data breaches during April 2010. This list is not exhaustive and will be updated at least weekly, so check back regularly:

  • Employee accidentally emails students names, addresses and Social Security numbers
    • Date: 2010-04-28
    • Records Lost: 260
    • Source: Inside Accidental
    • Location: Butte Mt, US
    • Organization: Montana Tech of The University of Montana

New Data Protection Powers of the ICO

April 8th, 2010 by James Warren

The ICO’s new powers to issue monetary penalties came into force on 6 April 2010, allowing the Information Commissioner’s office to serve notices requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act.

The data protection powers of the Information Commissioner’s Office are to:

  • Conduct assessments to check organisations are complying with the Act;
  • Serve information notices requiring organisations to provide the Information Commissioner’s Office with specified information within a certain time period;
  • Serve enforcement notices and ‘stop now’ orders where there has been a breach of the Act, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law;
  • Prosecute those who commit criminal offences under the Act;
  • Conduct audits to assess whether organisations’ processing of personal data follows good practice; and
  • Report to Parliament on data protection issues of concern.

How to comply with the Massachusetts Data Protection Law

March 30th, 2010 by James Warren

Many organizations across the state of Massachusetts, and organizations outside Massachusetts that collect, own or license personal information about a resident of Massachusetts, are struggling to meet the requirements of the new Data Protection Law (201 CMR 17.00), which came into force on March 1st this year.

If you fall into this category, or need to build a case for management buy-in, consider:
Massachusetts General Law, Chapter 93A, section 4 specifically authorizes the Attorney General to seek injunctive relief against the organization involved in the unauthorized act or practice. In addition, section 4 allows a court to impose a $5,000 civil penalty for each violation, and if ‘violation’ is interpreted to mean the unauthorized access to a single individual’s personal information, the potential damages could be enormous.

Did you know? ISO/IEC 27001:2005 directly covers 95% of the 201 CMR 17.00 requirements without modification, and with a few specific requirements added to support the prescriptive requirement to encrypt personal information, the 201 CMR 17.00 & ISO 27001 Toolkit provides a truly comprehensive solution!

Beware of Bogus Agencies Acting as the ICO

March 15th, 2010 by Ralph O'Brien

Under the Data Protection Act 1998, anyone who processes personal data has a legal obligation to “notify” the Information Commissioner’s Office (ICO) that they are doing so. In fact, it is a criminal offence not to notify, or to fail to keep the ICO up to date with any changes to the way an organisation processes personal data.

This notification can be done online or by phone directly with the ICO, and costs 35 GBP per year (500 for larger businesses). However, it was in 2000, when working for the Police, that I first became aware of “bogus agencies” who threaten businesses to extort money from them using this law. It seems the scam is still in operation today.

These businesses often charge up to 200 GBP to notify on an organisation’s behalf. There is nothing illegal in charging an admin fee for taking this burden from other organisations. What is wrong is the way they go about getting their clients, often posing as the Information Commissioner and writing threatening letters stating that organisations will be fined or people jailed if they do not pay up immediately to the bogus agency concerned. Often their name or logo is designed to make an organisation think the bogus agency is an official body, and of course they do not state that the organisation can do it itself far cheaper.