Implementing a respected policy among your staff

News that the Home Office has been found in breach of the Data Protection Act after losing the details of people serving custodial sentences and previously convicted of criminal offences came at a time when government is aspiring to become a role model for data governance. In the wake of infamous data breaches and subsequent enquiries, it is right that government aspire to achieve role model status in this arena, particularly if it is to advance a Digital Britain agenda. If this is to be achieved, it must be recognised as a very human challenge.
    
The Home Office and its relevant suppliers have been mandated to ensure all portable and mobile devices used to store and transmit personal information are encrypted. The challenge here is hardly in the assessment and procurement of encryption technologies. It is in ensuring that all involved understand what has to be done.

Taking responsibility
The Home Office will have to go beyond telling people about the encryption policy, and writing it into contracts. It will have to address the common misconception that password protection provides encryption.
    
Overall, the individuals handling the data must be motivated to become responsible for their own benefit. When this starts to happen, a collective risk-aware culture can provide a reasonable chance of the simple mandate being upheld.
    
Perhaps the first thing to take stock of is how much the need for securing data influences what we do. Information technology and business departments alike are recognising the need to take security requirements into account when enabling new business processes, such as remote and/or more collaborative working.
    
Application developers need to work with the understanding that the programmes they develop will handle valuable data, and that this will dictate how those programmes are designed, tested and released. For their part, employees are waking up to the fact that a lost memory stick could cost them their job.

A shift in behaviour
A series of recommendations made by Kieran Poynter following his review of the much publicised loss of discs by HMRC clearly illustrates that the security issues are systemic. He also rightly pointed out that organisations would have to live with existing systems for some time, despite having a strategy for improvement.
    
Training for staff and a review of the procedures they must follow will be the critical “lever” of control, he concluded. The report states: “Change will require an investment and a sustainable shift in behaviour. In the short term HMRC needs staff to operate in a disciplined and responsive way to the additional controls being put in place. In the longer term, it needs to rely on staff who can intelligently apply their understanding of information security to the changing needs of the organisation...”
    
As they embrace this realisation that security is people-driven, organisations must recognise and begin to define the distributed responsibilities and defined department interfaces that will spread security instincts where they are required.
    
(ISC)2 research, including a series of focus group workshops and broader research in the (ISC)2 Global Workforce Study conducted 2004-08, illustrates that accountability for information security is being distributed across IT, legal, HR, business lines, risk management, compliance, as well as the rising dedicated information security department.
    
The security team itself is evolving to be responsible for strategic definition and management, while implementation and enforcement is covered at the department level. The 2008 focus group workshops led by (ISC)2 in conjunction with the Information Security Forum highlighted the need for leaders with broad but not necessarily “specialist” security knowledge, and identified the desire to develop risk management and communication skills within this department. Governance, policy, strategy and awareness have become core responsibilities.

Armed with security skills
This leaves a lot to be accomplished elsewhere. Demand for training underlines a growing desire to arm application developers, administrators and those in operational roles with security skills.
    
Despite the rise of the Chief Information Security Officer (CISO) and his department, the CIO must work hard to ensure the IT team can appreciate the whys and wherefores of the systems that cover access control, administration, cryptography, communications, vulnerability management, and the like. Further, IT must enable itself to advise as well as support the security and risk management functions that are evolving to be less technical. Nearly 50 per cent of the more than 7,000 people polled in our most recent global workforce study suggested their roles would be mostly managerial in two to three years. More than a third said this was already the case.
    
The business units, where requirements are less well understood, are where a good role model is likely to have the greatest impact. Increasingly common practices, such as defining generic responsibilities within employment contracts and delivering awareness programmes via the intranet, cannot be adequate on their own. Business units will, for example, have to develop an understanding of what data they use, what data they actually need access to and how that data needs to be protected.
    
Security policy must reflect those objectives and be supported by workable business processes within individual business functions so that employees respect rather than flout it. One size does not necessarily fit all.

A good investment
An examination of the root causes of most high-profile data breaches reveals that technology had little hope of preventing them. If government is to become a role model for Digital Britain, it is going to have to make significant investment in security, something that was hardly mentioned in the initial document released at the end of January this year.
    
This means not merely embracing, but starting with, the very human side of the challenge: from advancing professionalism and competencies where they are required, to ensuring employees understand how risks apply to their role and can anticipate them as they get on with their daily tasks. Electronic data protection must become as instinctive as locking the desk drawer at night.

About John Colley
John Colley is managing director, EMEA for (ISC)2, a non-profit professional consortium that represents over 64,000 members worldwide, 10,000 of whom reside in the EMEA region. John has over 15 years' experience in information security. He has formerly held posts as head of Risk Services at Barclays, group head of Information Security at the Royal Bank of Scotland Group, director of Information Security at Atomic Tangerine and head of Information Security at ICL. He can be contacted at jcolley@isc2.org.