BUSINESS STANDARDS
is the quarterly magazine of BSI Group, highlighting the vital role that standards play in today's business environment. Regular features include interviews with leading business figures, as well as news on the latest developments in management systems and standards.


Giving good governance

02 Jun 2009
Topics: Information mgt, Information security, ISO/IEC 27001, Data protection, BS 10012

Governance issues remain high on the agenda for public and private sector organizations

Headline writers have had a field day with the growing number of security breaches in both the public and private sectors involving personal information. John Lamb asks: what's being done to protect our data?

Despite the legal obligation to protect information under the Data Protection Act, the financial risk of damaging an organization's reputation by losing confidential data and increased spending on security systems, the number of cases continues to climb with a high cost to the UK economy.

Records of bank accounts, addresses and other personal information are being used by fraudsters to impersonate individuals and steal money, goods and services, creating a crime wave of identity fraud. The latest estimate of the cost of identity fraud to the UK economy, published by the Home Office Identity Fraud Steering Committee, is £1.7bn a year.

Organizations are in a bind: the increasing ease with which they can collect and combine information allows them to run their business more efficiently and offer better services, but these objectives can conflict with the need to keep personal information secure and to control its use.

Information commissioner Richard Thomas, the man responsible for enforcing the Data Protection Act in the UK, summed up the dilemma in his 2007/08 annual report: "Information can have great value as an organizational asset, but can be a toxic liability if not handled properly."

Many of the cases of lost or stolen personal information involve a seemingly casual attitude to the value of personal information and the consequences of it falling into the wrong hands. In some of the most serious incidents, employees lost discs and memory sticks they were carrying or had laptops stolen that were loaded with sizable confidential files.

More organizations may be spending more money on IT security, but more data is being lost, stolen or compromised, according to Gartner Research vice-president Debra Logan in a speech given at the Gartner Compliance & Risk Management Conference in the US in 2008.

The source of most of these data breaches? Bad business processes and policies, according to Logan. It is not just a question of IT security: better information governance regarding corporate information is essential.

All access

One of the reasons that the loss of personal information has become such an issue recently is that data is much easier to copy and pass around. In the days when personal files remained in office filing cabinets, they not only had a physical presence but were "owned" by an individual. No one would think of putting these records in an envelope and posting them to someone.

However, as the number of people who may handle sensitive information has expanded inside organizations, there is uncertainty about who is responsible for looking after it and concern for what happens to that personal data has diminished.

What happened at Nationwide Building Society last year is typical of the consequences of overlooking information governance. An enthusiastic systems engineer took a laptop home to work on improvements to the structure of the building society's customer files.

A thief broke into his house and made off with the machine, which contained the details of millions of customers.

The Financial Services Authority (FSA) fined the company a record £980,000, even though there was no evidence that the data had been exploited by anyone.

"It is a case of making sure your processes are correct," says Julian Thrussell, product manager at BSI UK.

"The problem is never a single point failure, but a failure of a process. Making sure a process works doesn't have to be debilitating; it is just logical.

"For example, the recipe for Coca Cola is something that doesn't go out of your building, but names and addresses may leave it, so there are opportunities to lose that data or change key parts of it," Thrussell says. "Managing data is not just about keeping it secure but also keeping it accurate."

The right tools

Breda Corish, BSI's head of market development for the ICT sector, highlights that proper attention to information governance can go a long way to reducing the likelihood of incidents such as the Nationwide debacle occurring.

Information security is not just a question of passwords and encryption to lock up data. It also involves having appropriate controls and processes in place to ensure that access to personal information is restricted to those having access rights. Guidance on the subject is available in BS ISO/IEC 27002 Information security management. In addition, BS ISO/IEC 27001 was designed as a standard to enable an organization to clearly demonstrate by means of internal or independent audit that it has the necessary controls in place to protect data.

Successful governance, however, goes beyond securing data. It's about controlling and monitoring data as it flows through a system. For example, a new British Standard, BS 10012 Specification for the management of personal information, is being developed to aid compliance with the UK's Data Protection Act by helping organizations to determine who should have access to what personal data, how damaging the loss of particular data might be and how long it should be kept.

BSI has a long track record in this area, including the publication of detailed guidance material for data protection (originally developed in collaboration with the Information Commissioner's Office (ICO), the UK's independent public body set up to promote access to official information and to protect personal information in line with the Data Protection Act). BSI also provides complementary training for data protection practitioners. This guidance material is being updated in line with BS 10012 and will be made available online so that organizations can do their own assessments. Initially the standard will be self-certifying, but if the market demands it, BSI may introduce an independent certification scheme.

Corish is in no doubt of the standard's benefits to UK businesses: "BS 10012 will result in better customer service, enable organizations to know their customers better and build customer loyalty by showing them you are treating their personal information with due care.

"Companies in highly regulated or highly sensitive industries benefit from technical solutions but technology alone is not the answer," Corish explains. "There are wider issues around policies, processes and people. You can't get over the fact that people are at the heart of this. You have got to have the right capabilities and the right policies. Roll these together and you can be in better shape to meet customer needs."

The new standard is welcomed by the ICO: "Recent reports suggest that data loss is not restricted to the public sector," a spokesperson told Business Standards. "Businesses play an important role in making data protection a priority in organizations.

"The ICO recently called for chief executives to ensure their organizations have the right policies and procedures in place, that 'privacy by design' features are incorporated in the technology their organizations use and that the staff is properly trained to counter the risks of data loss.

"The introduction of the BS 10012 standard highlights how data protection has risen up the business agenda and provides a useful template for organizations looking to improve the governance arrangements for data protection in their organization."

Getting the right message out

Gordon Wanless, head of information governance at the NHS Business Services Authority and chair of BSI's panel that has drafted BS 10012, believes the new standard will take the sting out of media interest.

"Given the current issues in the press one assumes it will give members of the public more confidence," he maintains.

Although Wanless says it is going too far to say that concerns over personal information have affected the running of the NHS, having the new standard will demonstrate that an organization can handle personal information responsibly: "Complying with the standard shows demonstrably that we are taking it seriously."

The Business Services Authority processes prescriptions, NHS pensions and payments to NHS dentists. The organization also plays a key role in combating prescription fraud and running NHS logistics. Wanless not only sets the policies and procedures that govern the often highly confidential information that the Authority handles; all new systems must also pass his approval.

"The Data Protection Act is crafted in legal terms: it needs interpretation," he says. "We are saying in the standard it should be as easy for a one man band to comply with the Act as a large multinational."

Data protection legislation has international ramifications. Organizations that outsource data processing to third parties must satisfy themselves that managers at these companies are complying with UK laws. Guernsey, for example, may have a population of only 60,000, but the financial services industry there plays host to the records of millions of people.

"The approach by governments around the world varies enormously," says Peter Harris, data protection commissioner of Guernsey. "If people subcontract, they have to ensure the appropriate safeguards are written into their contracts. They are responsible for what happens to that personal information."

Harris is involved in developing an international standard for identity management and privacy technologies which will define a privacy framework to help to shape the way in which information security techniques are applied in the future.

The security breaches of recent years may be shocking, but the good news for regulators is that organizations are beginning to take information governance seriously. More boards of directors are asking themselves what they need to do to keep personal information secure. Standards such as BS 10012 will provide them with some of the answers.

CASE STUDY: A matter of record

Faxes, memos and other paper-based correspondence have been familiar as evidence within the US and European legal systems for some time.

In recent years, however, digital material has also started to take its place in legal cases, from emails to electronic files. Without proper security procedures, such material can be intercepted and altered en route or deleted at source. Such files can be sent out of most corporations with ease, with copies produced at the click of a mouse. And they can end up in court.

With this in mind, BSI published BS 10008 Evidential weight and legal admissibility of electronic information, a specification for the legal admissibility of electronic information - including scanned documents - to ensure that, as far as possible, they are accepted as evidence by the courts. BS 10008 addresses issues relating to the authenticity and integrity of electronic information that could potentially be used as evidence. Supporting guidance material is available in the form of BSI's publication, Code of Practice for the Implementation of BS 10008.

BSI has also published ISO 15489 Information and documentation - Records Management and an accompanying guidance publication. These cover management of records in all formats or media, created or received by any public or private organization in the conduct of its activities, or any individual with a duty to create and maintain records.

In both cases, it's a question of good information governance. They include everything from the storage and transfer of information to issues surrounding the authenticity and integrity of that information. Both help ensure that organizations are doing everything possible to secure and maintain information throughout the lifetime of that piece of data.

For more information on BS 10012, visit: www.bsigroup.com/bs10012

CONFERENCE:
Information and Data Protection Conference and Workshop (featuring BS 10012)
30 June-1 July 2009
London www.bsigroup.com/informationgovernance


Business Standards © 2009. Editorial produced by Caspian Publishing in association with the British Standards Institution. Editorial opinions expressed are not necessarily those of BSI Group or Caspian Publishing. Neither Caspian Publishing nor BSI Group accept responsibility for advertising or editorial content, nor for that appearing on linked third-party websites. Reproduction in whole or in part is forbidden without written permission from BSI Group or Caspian Publishing.

