Posts Tagged ‘DPA’

Key DPA statistics from the ICO annual report

August 5th, 2010 by James Warren

I have just been reading the Information Commissioner’s Annual Report 2009/10, and thought I’d summarise a few of the key statistics that really matter.

  • 91% of people are aware of their right to see information held about them. How would your organisation deal with a subject access request? Do you have a process in place to ensure you meet the requirements of the Sixth Principle of the DPA?
  • 94% of people are concerned about the protection of their personal information. How does your organisation demonstrate to its customers that it takes the security of their personal information seriously?
  • 1,055 organisations have signed the Personal Information Promise. Out of almost 46,000 registered data controllers, this is a drop in the ocean.
  • 30% more requests for advice and complaints than the previous year. This trend looks set to continue as awareness of rights, and fear of identity theft, continue to rise.
  • 40% (32,714) more data protection cases closed than the previous year. This shows that the ICO has become more efficient and better equipped to respond to complaints, and is taking its new powers seriously.
  • 28% of complaints (the most common category) related to subject access. As people’s awareness of their rights under the DPA increases, businesses are failing to keep up and are failing to meet their subject access obligations.

The report goes on to highlight that the ICO issued 15 enforcement notices during the year (and names the organisations they were issued to); 16 on-site compliance audits were conducted; 57 undertakings were obtained during the year; and 7 bodies (a mix of individuals and organisations) were successfully prosecuted for failing to notify the ICO as a data controller.


Exclusive DPA Compliance Package For Do-It-Yourself Conformance

July 15th, 2010 by James Warren

So you know that you have to comply with the Data Protection Act, and you know that if you are found to be in breach of the DPA the ICO can now levy tough penalties, far tougher than any seen before.

The first thing you need to do is identify your current level of conformance. The DPA Compliance Assessment Tool will help you do this: it provides recommendations and offers guidance to help you close any gaps that are identified.

Once you have identified exactly what you need to do in order to become fully compliant with the DPA, you will find the DPA Compliance Documentation Toolkit invaluable. It includes all the fully customisable documentation templates that are essential for any UK data controller (and any UK organisation that is responsible for personal information) seeking compliance with the UK Data Protection Act 1998.

Information Security Training Courses for July 2010

July 5th, 2010 by James Warren

We have two training courses later in July which you should take a look at:
Data Protection Act (DPA) 1-Day Course
23 July in London.

>> Does your organisation comply with the DPA?

>> Do you want to avoid fines and censure for data breaches?

>> How do you manage personal data legally and effectively?

Data loss in both public and private sectors is all over the media, and the governance of personal information now keeps company directors awake at night. This has been raised so far up the public agenda that the Information Commissioner (the UK’s regulatory body for the DPA) has now been granted extra powers and sanctions – including the power to levy fines of up to £500k.

This interactive and enjoyable one-day course gives both new and experienced staff and management – those involved with or responsible for personal data – an overview of what the Data Protection Act means to their business and to their own rights as individuals.

Find out more and Book Today!
ISO27001 ISMS Implementation (Lead Implementer) MasterClass
20-22 July in London

This three-day London based ISMS Implementation Masterclass provides comprehensive and practical coverage of all aspects of implementing ISO27001 for real.

If you’re in information security management, writing information security policies or implementing ISO27001 (BS7799) – either as Lead Implementer or as part of the planning/implementation team, this Masterclass covers all the key steps in preparing for and achieving certification first time.

Delegates will receive their own free copy of the worldwide de facto ISO27001 implementation handbook, IT Governance: a Manager’s Guide to Data Security and ISO27001/ISO27002. This book, now in its 4th edition and for some years the Open University’s postgraduate information security textbook, provides the core material for this Masterclass.

This Masterclass will fill up quickly!

Find out more and Book Today >>

NHS Slated By The ICO For Frequent DPA Blunders

June 17th, 2010 by James Warren

In a press release this week, the Information Commissioner’s Office (ICO) slates the NHS for not taking the security of personal information seriously. It claims that a quarter (250) of all data breaches reported to the ICO come from the NHS. According to the Data Breach Table (also published by the ICO), the number of reported data breaches from the NHS actually exceeds a quarter, and is stated as 305.

The issue here isn’t a discrepancy in the figures. The issue is that NHS organisations are obliged to notify the ICO of every data breach, whereas other organisations, particularly in the private sector, are not. Given this situation, branding the NHS as the worst offender for data breaches may not be entirely accurate.

Putting these issues aside, there can be no disputing the fact that there are far too many data breaches coming from the NHS and the action taken by the ICO is justified.

Mick Gorrill, Head of Enforcement at the ICO, said:
“Everyone makes mistakes, but regrettably there are far too many within the NHS. Health bodies must implement the appropriate procedures when storing and transferring patients’ sensitive personal information. We have taken a number of steps to explain the importance of personal data to NHS bodies and help them comply with the law. We will continue to do so.”

Beyond having to sign a formal undertaking and promise to do a better job, a serious data breach can be a lot more harmful to an organisation, no matter what sector you are in. There are financial penalties of up to £500,000 for a start, and then there is the brand damage, which could cripple your income streams at the source as customers lose trust and move to your competitors.

Don’t be the next ICO breach: escape £500,000 fines!

June 10th, 2010 by James Warren

New powers, designed to deter data breaches, came into force on 6 April 2010. The Information Commissioner’s Office (ICO) can now order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act. The power to impose a monetary penalty is designed to deal with the most serious personal data breaches and is part of the ICO’s overall regulatory toolkit which includes the power to serve an enforcement notice and the power to prosecute those involved in the unlawful trade in confidential personal data.

The number of data breaches reported to the ICO has now exceeded 1,000. While this may sound like a lot, the reality is that these breaches are a drop in the ocean compared with the undisclosed breaches that occur every day due to insufficient information security controls and human error.

So you know that you have to comply with the Data Protection Act, and you know that the penalties for non-compliance are far tougher than any seen before.

DPA problems not confined to the public sector

May 6th, 2010 by James Warren

In a speech at the Infosec security conference last week, the deputy Information Commissioner, David Smith, said that the NHS reported the highest number of serious data breaches of any UK organisation since the end of 2007.

The NHS – the UK’s largest employer, with 1.7m staff – reported 287 breaches in the period, accounting for more than 30% of the total number of reported breaches. Most of the breaches (113) were the result of stolen data or hardware, followed by 82 cases of lost data or hardware.

Skewed Results

Mr Smith said the problems were not confined to the public sector and that results could be skewed because the public sector has a culture of reporting all breaches whereas not all private sector firms did.

Currently the reporting procedure for data breaches in the UK is voluntary although the ICO is “moving towards” a compulsory system. In April the ICO introduced fines of up to £500,000 for serious data breaches.


Top Security Tips: documentation – Updated

April 15th, 2010 by Ralph O'Brien

During my experience as an assessor, auditor, practitioner and consultant, I find that documentation is a real pain for organisations. Too often I see organisations that have ended up with documentation that is inappropriate for the way they work: large, bulky manuals full of technical information; documents that are inconsistent and in different formats and layouts; documents written for an external assessor rather than for a practical business process. The result is clear. People don’t bother to read or use them. This means the resulting business practices become non-compliant and out of control, and security risks will therefore increase dramatically.

Getting documents “write” shouldn’t be difficult. I’ve compiled a list of top tips below that, if followed, should ensure that documentation stays relevant, up to date and usable and, more importantly, is read and followed by an organisation’s stakeholders.

The most important document you will write is the document control, or “how to document”, document. This sets out the formats and practices that the rest are built on, and makes sure that all the other documents are consistent within the organisation.

Educate staff on the difference between policy (senior management aspiration), procedure (documenting how to undertake a process), guidance (non-mandatory help or explanation) and records (evidence that procedures have been carried out). Too many organisations use the word “policy” to mean all of the above and end up with documentation with very confused purposes and language.

Try to keep documents short and succinct. As a guide, try to keep policies to a single page and procedures to around three. Consider whether a picture or diagram will be more effective than words.

Allocate roles and responsibilities early to ensure everyone knows where they stand. If you allocate someone a role or responsibility, be clear what that entails and requires of the individual.

Give staff ownership of documents that pertain to their part of the business. Make them responsible for document update and maintenance. Not only will this ensure that documents are produced, but also that they are relevant, accurate and practical for their intended audience. Audit to ensure documents have been reviewed and updated.

Try to avoid large and unwieldy compliance manuals; instead, build security controls into the smaller business process documents that are relevant to the staff who will use them.

When pursuing standards, though you must ensure the requirements are covered, ensure that documents are still written in language that is appropriate to the staff and culture of the business. For example, if a standard says you must have a “corrective action” procedure, it may be better to call it something like “How do we fix problems?” instead of the title from the standard.

When applying protective marking (or information classification) to documents, make sure that everyone is educated in the marking system and what it means you can and cannot do with a document. Consider extending the marking system to other tangible information assets, such as manual files, emails and media, and using it as the basis of access control (i.e. this is a “public” zone and through that door is the “confidential” zone).

Consider how you will evidence that staff have read and understood documents. However, getting staff to sign loads of documents can sometimes be a waste of resource. Consider standing orders that require staff to visit a folder or intranet page at a certain time, or an email with links to relevant documents.

Don’t mix words like “will”, “shall” and “should” in the same document. Some words are aspirational (“will” is a good word for policy), some are mandatory (“shall” or “must” is good for procedures) and some are non-mandatory (“should” or “may” is good for guidance). Mixing these words within a single document means that you are not providing clear direction to your staff on what they are required to do. Being consistent in your words means that the style of documents and instructions to staff remains consistent.

Make sure document formats and templates are held centrally and used by staff to create documents. This ensures the logo and brand are protected, and staff have examples to work from. Make sure that documents can be approved and published centrally to ensure that all documents contain the relevant information and can be found when required (technology solutions for storing these documents in web portals are becoming more popular by the day).

Finally – whenever I train staff and information security professionals, the documentation part of the course is always initially met with a groan. However, once people see the many benefits of good documentation regimes, they leave the session enthused and confident, knowing the many benefits that good communication can bring to any organisation, and the improvement it can bring to its security stance.

Post by Ralph O’Brien.

Data Breaches: April 2010

April 15th, 2010 by James Warren

Below is a list of known data breaches during April 2010. This list is not exhaustive and will be updated at least weekly, so check back regularly:

  • Employee accidentally emails students names, addresses and Social Security numbers
    • Date: 2010-04-28
    • Records Lost: 260
    • Source: Inside Accidental
    • Location: Butte, MT, US
    • Organization: Montana Tech of The University of Montana

New Data Protection Powers of the ICO

April 8th, 2010 by James Warren

The ICO’s new powers to issue monetary penalties came into force on 6 April 2010, allowing the Information Commissioner’s office to serve notices requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act.

The data protection powers of the Information Commissioner’s Office are to:

  • Conduct assessments to check organisations are complying with the Act;
  • Serve information notices requiring organisations to provide the Information Commissioner’s Office with specified information within a certain time period;
  • Serve enforcement notices and ‘stop now’ orders where there has been a breach of the Act, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law;
  • Prosecute those who commit criminal offences under the Act;
  • Conduct audits to assess whether organisations’ processing of personal data follows good practice; and
  • Report to Parliament on data protection issues of concern.

New – Data Protection Act (DPA) 1 Day Course

March 5th, 2010 by James Warren

  • Does your organisation comply with the DPA?
  • Do you want to avoid fines and censure for data breaches?
  • How do you manage personal data legally and effectively?

This interactive and enjoyable one-day course gives both new and experienced staff and management – those involved with or responsible for personal data – an overview of what the Data Protection Act means to their business and to their own rights as individuals.