However, most ICT professionals will be heaving sighs of relief that a security disaster hasn't happened on their patch – yet. The appearance of Home Office data on a laptop bought from eBay will, though, send a shiver down the spine.
In the HMRC case, when two CDs holding the details of 25 million UK families went missing in the internal post, it seems the weak point was one or more employees failing to apply corporate security policy. If they had been fully trained in that policy and made aware of its importance, there would have been no excuse.
Equally, if they hadn’t been, it would be no surprise. Time and again my colleagues and I see cases where policies and procedures reflect best practice but no one has told the infantry about them. Theory and practice remain some way apart.
Take a project we recently carried out for a local authority that had decided some time ago to work towards ISO 27001 certification. Policies and procedures had been written and implemented, and they now wanted us to audit their current information security controls and produce a gap analysis against ISO 27001 certification.
The results of our audit were an eye-opener. ISO 27001 certification involves demonstrating appropriate implementation of 133 controls, and had this been an actual certification inspection the council would have failed on more than half.
The main problem was that staff at all levels were simply not applying the Council’s information-security policies and procedures to their work. In fact, they were blissfully unaware of their responsibility as individuals for information security and maintaining the confidentiality of council data.
Socitm benchmarking figures suggest the problem may be widespread. The following statistics, based on the 88 public sector organisations benchmarked in 2006, speak volumes:
- 92 percent have a formal security policy in place (ergo 8 percent do not)
- 86 percent have a security policy agreed by the management team
- 76 percent have a security policy based on BS7799/ISO27001 (one wonders what the other 24 percent base theirs on, but perhaps it’s best not to ask…)
- 68 percent have a formal security policy in place that is based on BS7799 / ISO27001 and agreed by the management team (and the other 32 percent?)
- 85 percent have a code of conduct for all employees, listing roles and responsibilities. However, as we’ve seen, the existence of such a code and employees actually putting it into practice are two very different things.
- 40 percent provide all new employees with training in security as part of induction, and a further 17 percent provide between 2.5 percent and 99 percent of all new employees with training in security as part of induction. However, 43 percent do not provide training in security as part of induction (and probably not thereafter, I suspect).
All these statistics relate to policies and procedures. However, as we have seen, the real issue is behaviour. If you’re going to change behaviour across the organisation and permanently, then the classic knee-jerk management reaction – just send everyone on a training course – simply doesn’t work.
Ensuring information security is part of every employee and contractor’s awareness and working practices requires initial training, refresher courses, regular compliance checks and auditing, and constant reinforcement of the key messages.
Incidentally, in many organisations a significant proportion of staff are temps of one sort or another (some prefer to be called ‘consultants’…). Temps often hang around for years, but rarely get sent on training courses. Yet they may be handling as much sensitive data as full-time employees.
Returning to the main point, what are the key challenges for an organisation that needs and wants to treat its data securely? Socitm’s Performance Management Group has come up with the following top 10 tips:
1. Ensure you understand which legislation affects your business area. The list grows all the time, and while much of it is targeted at the public sector, private sector shareholders and customers now expect best practice too.
2. Ensure a named individual in the business owns the risk, not ICT. People tend to assume that security is the ICT department’s baby, just because most data these days passes through a computer at some point in its life. The ICT department may own the service delivery aspects of technology and data handling, but the risk ownership is clearly with the business.
3. Ensure there is an effective incident reporting mechanism in place. Awareness raising about incident reporting is proven to improve processes and improve the culture of security in an organisation.
4. Regularly monitor, measure and audit your processes and procedures. It may be a short-cut to instant unpopularity, but this is a commonsense requirement and failure in this will lead to failure overall.
5. Implement a Corporate Information Governance Group (CIGG). Without top level leadership, Information Governance will fail. One key aspect of the CIGG is to oversee all procurement to ensure security is "baked in" from the outset.
6. Ensure all staff are trained, updated and aware of their responsibilities. Security and awareness should be part of the staff induction process – and that includes temps. Team briefings and staff appraisals can also be used to get the message across.
7. Undertake regular risk reviews of all processes and procedures, on at least an annual basis. You should consider joining a WARP (Warning, Advice and Reporting Point).
8. Ensure all key information assets are classified and are resilient. Classification should include Confidentiality, Integrity, Availability, Liability and Aggregation (this last may need explanation: losing a single record might be impact level 2, losing the entire file could be impact level 4).
9. Have robust, risk-driven processes in place for "ad hoc" situations. Procedures that assume trouble comes neatly packaged will fail when something new comes along. Here too, aggregation is an issue: HMRC probably had a procedure for what to do if a client’s data went missing – but maybe didn’t know how to handle everybody’s data going missing…
10. Have documented, policy-driven processes and procedures in place. This is the responsibility of the Corporate Governance Group – every organisation should have one.
If, having read this far, you’re feeling a bit worried, good. The next security disaster could lead to your 15 minutes of fame. Security is not just a matter for the ICT department, but if you don’t raise its profile in your organisation, who else will? Put it another way: until everyone else understands that it’s their issue too, you’ll get the blame if something does go wrong. A high-level gap analysis or even just an awareness-raising session for senior management could be all you need to get the ball rolling out of your court.