Labour MP Tom Watson suffers embarrassment after social media blip

January 27th, 2012 by

Labour MP Tom Watson suffered an embarrassing episode on Twitter yesterday afternoon, when his intern logged in as him and posted an offensive comment.

The intern quickly apologised, but the damage was already done. Tom came back from his meeting to find an explosion of retweets of his intern’s ‘offensive’ tweet. Tom apologised on her behalf, saying “I sincerely apologise for the recent tweet. A lesson learned for a young intern. She’s also very sorry. I will deal with the matter offline.”

This quickly led to ‘Tom Watson’ and ‘#SavetheIntern’ trending nationwide in the UK. This just goes to show that a few words written by the wrong person can go a LONG way.

No real harm was done, but ask yourself this question: Has this damaged Tom’s reputation?

It may not have damaged his reputation, but it has certainly dented it. He may have gained a few extra followers after the incident, but his credibility has taken a knock. For a while, people will recognise him not as an MP but as the one whose account posted an embarrassing tweet.

Many individuals and companies use Twitter to promote themselves or their brand. It’s an easy way to talk to people/customers, to gain followers and increase your persona and credibility. However, social media in the wrong hands can have a disastrous effect (as seen above). Words can be taken out of context and all credibility can be lost within a few minutes. On Twitter especially, news travels like wildfire with people finding out stories in real time, meaning that you have no power at all to take back what you last said or reverse the context.

There should be policies in place within your organisation that create an effective governance structure around your social media activities. The Social Media Governance Toolkit contains a comprehensive suite of documents and templates that will help you develop, implement, monitor and improve social media activities across your organisation. Uniquely, this social media governance toolkit also links to the best practice information security controls contained in ISO/IEC 27001 so you can be sure that all best practices by your employees will be followed.

Find out more about the Social Media Governance Toolkit >>

Conquer the CISSP examination for the ‘must have’ infosec qualification.

January 27th, 2012 by

Are you planning to study and prepare to take the examination for the CISSP (Certified Information Systems Security Professional) certification? While recognised as the ‘must have’ qualification for a senior career in information security, CISSP is also known as one of the most difficult of all the infosec exams to pass first time.

So what is the secret to passing CISSP? A comprehensive knowledge of the CISSP Common Body of Knowledge (CBK) and thorough preparation and practice for the examination are crucial to your success.


The CISSP Accelerated Training Programme is designed to provide intensive and complete preparation so that delegates pass the (ISC)2 CISSP examination at the very first attempt. Delivered in London over five days, this unique 3-Phase intensive study programme includes the following:

  • Pre-course CISSP Knowledge Assessment
  • Classroom Presentation delivered by an experienced CISSP qualified trainer
  • Evening Q&A and discussion sessions
  • Final Exam Preparation with example exam questions
  • (ISC)2 CISSP CBK Official Study Guide Textbook
  • Optional Accommodation package


** Now including the (ISC)2 CISSP 2012 CBK Domain Updates **

A key feature of our programme is the Pre-course CISSP Knowledge Assessment, which determines the strengths and weaknesses of each delegate’s current knowledge. The results of this assessment are used by our trainer to prepare an individual Pre-Course Study Plan and to adapt the delivery of the subsequent classroom training to meet the needs of the individual and the group.

As preparation is the essential ingredient to passing the CISSP examination, we strongly recommend that all delegates review and purchase our dedicated publications and resources available from our CISSP Campus.


Conquer the CISSP examination first time with our unique 3-Phase Study Programme

Book the IT Governance CISSP Accelerated Training Programme Now.


0845 070 1750

Our friendly training team are ready and waiting to assist you with your booking.

O2 suffers data leak – but do they care?

January 26th, 2012 by

Mobile giant O2 has suffered a couple of embarrassing gaffes this week. Firstly, it was revealed that O2 had inadvertently been passing its customers’ phone numbers on to any site they visited when using O2’s 3G network on a smartphone. With almost half of O2’s customers using smartphones, the data leakage could have affected up to 15 million people.

O2 blamed a ‘technical’ glitch, has since stated that the problem has been resolved and has apologised to its customers. However, a leading consultant at Sophos, Graham Cluley, commented that such issues had “been known about for almost two years at least”.

The Guardian reported yesterday that O2 also ‘regularly hands over subscribers’ phone numbers to sites that offer age-restricted material and premium-rate billing, whether the users realise it or not.’

What?! I hear you cry. The Information Commissioner’s Office is considering investigating the incident; however, it seems unlikely that any action will be taken, as a mobile phone number on its own is not, in the eyes of the ICO, considered ‘personally identifying information’.

Even so, with your number being passed on to potentially anyone under the sun, you could become the target of phishing attacks, reverse-charge texts and unsolicited marketing.

These incidents further highlight what companies do with our data when we’re surfing the internet, and how little we actually know as consumers. And what can you do as a consumer? Where is the avenue for redress? We’ll all be politely told that the issue was a ‘technical problem’ and has now been resolved. But when did we sign up for this in the first place? If, when you bought your latest phone, you had been asked questions like “Would you like us to share your information with every single website you visit?” or “Would you like us to pass your details on to sex chat services?”, would you have ticked yes?

Often terms and conditions are deliberately confusing, long-winded and impenetrable for consumers, giving the service provider you’re signing with the legal ambiguity to do with your information as they wish. But in the instances referenced in this article, this wasn’t the case. One was an error and the other – passing customer details on to premium-rate and age-restricted sites – well, no one seems to know. O2 has thus far refused to comment. Are they allowed to do this?

One thing is for sure: such incidents cause huge brand damage and loss of custom. Retaining customer loyalty and brand image is of huge importance to all businesses and organisations. I dare say that if an SME suffered an incident like this it would have a far more difficult time of it. Protection of customer data is important. The Data Protection Act says so.

But I often wonder, when the brand is so big and has so much money, as in the case of PlayStation last year and now O2, whether they are beyond reproach.

You can read more about data protection and the Data Protection Act here >>>

How strict are you with your service desk team on the topic of social media?

January 25th, 2012 by

“Organisations that don’t allow staff access to social networking websites risk alienating the next generation of workers”
Support World Magazine

Research from Hyphen indicates that almost half of those under 25 would not join a company with strict social media policies. The report highlights the fact that young workers starting out on the career ladder have high expectations regarding technology and social media; 60% of them recognise that social networking sites such as LinkedIn improve their effectiveness.

Some managers believe that staff waste their time on social media sites such as Facebook and Twitter, and view them as a dangerous distraction. However, the Hyphen report contradicts this popular belief, concluding that over half of those polled who have access to social media at work said that they spend less than 10 minutes per day on it for personal use, and a third said they spend no time at all on it during work hours.

Those service desk managers who don’t allow their team to use social media could be missing a trick. Nowadays, customers often give feedback on the company or service desk using social media. If you have a presence on social media, you are more likely to be measuring customer satisfaction. In SDI’s recent ‘UK Service Desk Benchmarking Report’, Daniel Wood (the author) found that 17% of respondents did not measure customer satisfaction. This is alarming, given that many service desks measure their success based on feedback and perceptions from their customers. Using social media as a tool to gain customer feedback is a great way of getting responsive answers.

Use social media in your service desk team to your advantage with the Social Media Governance toolkit. The Social Media Toolkit helps organisations create an effective governance structure around their social media activities. Social media is, for many organisations, a critical part of how they speak to customers, partners and stakeholders; for others, social media is a dangerous distraction.

Dealing effectively with social media requires a joined-up approach that is aligned with the objectives and risk appetite of the business - a governance approach.

See the advantages social media can bring with this toolkit >>

Source: Hyphen report, via Support World Magazine

A closer look at the ISO 27001 implementation team

January 24th, 2012 by

Following on from last week’s discussion ‘Which, Why and How is an ISO 27001 ISMS toolkit right for you‘, I thought we should take a closer look at the ISO 27001 implementation team and how our special January offer is the logical step that your organisation should take to implement ISO 27001.

Organisations that are serious about implementing ISO 27001 and successfully achieving certification develop the in-house capability and skills through training.

They also take a risk-based approach to developing the Information Security Management System (ISMS), using our tried and tested ISO 27001 ISMS toolkits.

Buy any variation of the ISO 27001 ISMS toolkit before 31st January and get 15% off any ITG Training Course.

No 3 ISO27001 Comprehensive ISMS Toolkit

Price: £1,795
Buy before 31st January and get a 15% discount code for any ITG Training Course!

Our range of training courses offers a structured learning path from Foundation to Advanced level in ISO27001 and ISO27002, together with related topics that include PCI DSS, the Data Protection Act and Digital Forensics.

Training the ISO 27001 implementation team:

  • In any ISO 27001 project you will have a Lead Implementer who is capable of leading the organisation to successful certification. The ISO27001 Certified ISMS Lead Implementer Masterclass is the perfect course for this role.
  • You will need a team of Internal Auditors to effectively audit compliance with the ISO 27001 standard and against the controls contained in ISO 27002. You should book multiple people onto our essential ISO27001 Certified ISMS Internal Auditor training course.
  • An understanding of the best-practice guidance outlined in ISO27002 is essential to ensure compliance with ISO27001 in any organisation. Information Security Foundation based on ISO/IEC 27002 serves as a practical guideline for all members of staff as they initiate, implement and maintain an information security programme.

Save 15% on any of these courses when you buy an ISO 27001 ISMS toolkit before the end of January!

See the matrix of components of each of the toolkits:

Note, this offer cannot be used in conjunction with any other offer.

Europe’s new approach to data protection

January 24th, 2012 by

“Only if consumers trust that their data is protected will they entrust companies with it … We need individuals to be in control of their information”

Viviane Reding, DLD conference, Munich

Europe is set to issue tough new data protection rules tomorrow in order to protect users. The aim is also to simplify the EU’s approach to online data protection, making it easier for businesses to comply with the rules.

However, the legislative process is likely to take a couple of years, as the rules will need to be approved by national governments and some might resist. So we’re really looking at 2014 or 2015 before Internet companies will be required to comply and before we see any real change.

According to a draft of the new powers that Reuters gained access to, the new rules will require companies to notify regulators when data has been stolen or mishandled, and fines will be able to run up to 1% of global revenues. Individuals will be given the ‘right to be forgotten’ and the ‘right to data portability’, meaning they can easily transfer their data between companies and services.

Source: Reuters

In a different article, Bloomberg reports that the new EU data-privacy rules will require companies to disclose data breaches within 24 hours of their occurrence. “Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, and they must do so without undue delay,” Reding concurs.

Source: Bloomberg

As noted above, we won’t see the full details of the new rules until tomorrow, but it’s good to have an idea of what we’re to expect.

How will these new rules affect you and your business?

New stats reveal greater optimism in the IT service management industry

January 23rd, 2012 by

84% of respondents to SDI’s latest ‘UK Service Desk Benchmarking Report’ plan to maintain or increase their current headcount over the next year. At a time when the UK economy is taking a downturn, these findings induce a feeling of relief and optimism.

The report goes on to suggest that service desk managers are committed to ensuring their service desks are adequately staffed, and that the service desk is able to obtain – and justify – budget to increase headcount, which is a significant finding.

Source: Support World Magazine

Make your service desk run as efficiently and cost-effectively as possible with the ITSM, ITIL® & ISO/IEC 20000 Implementation Toolkit. This toolkit bridges a gap in the market by making IT service management easier to implement and improve, cutting down your costs and reducing overheads.

ITSM, ITIL® & ISO/IEC 20000 Implementation Toolkit (Download)

Price: £495.00

Special offer: Buy this toolkit before the end of January and receive a voucher for 15% off any ITG training course!

We recommend using your voucher for the ISO/IEC 20000 Practitioner Certificate Course, in London. It prepares the IT practitioner or ISO20000 project manager to implement ISO/IEC 20000 in their organisation, covering the interpretation and application of the ISO/IEC 20000 Standard. This course leads to the APMG-accredited ISO 20000 Practitioner Certificate; the exam is administered on the final day of the course. Find out more >>

Buy this toolkit today and receive 15% off any ITG training course >>

Global Research Company in London receives ISO 27001 Certification

January 23rd, 2012 by

Global research consultancy Illuminas has received ISO 27001 certification after more than a year of dedicated work.

John Ricketts (Director of IT and Information Security) and John Ricketts (Global COO) comment, “We are delighted to achieve ISO 27001 at a time when data protection and data privacy are increasingly important in both the research industry and society generally. ISO 27001 ensures there are clear benefits for clients and respondents, with personal information as well as client confidential material encrypted 100% of the time whilst on Illuminas systems. The standard is a systematic approach to managing the security of sensitive information covering people, processes, IT systems and policy. We believe all research companies should follow the guidelines of the standard given they are often entrusted with personal information.”

Source: Illuminas Press Release, PRWeb

Achieving ISO 27001 instils confidence in your customers about how you handle their data. ISO 27001 is the international standard for Information Security Management Systems (ISMS) and covers topics such as:

  • Extensive risk management evaluation
  • Business resilience planning
  • Ensuring data security standards set by client companies are met

If you’re thinking about implementing the ISO 27001 requirements, then take advantage of our Value Added ISO 27001 ISMS Toolkit Offer. This comprehensive toolkit will cost-effectively accelerate your ISO 27001 project and help you to become certification-ready in no time!

Find out the steps of the standard approach to implementing an ISMS that is recommended by all international certification bodies >>

Charity loses memory stick containing unencrypted patient data

January 23rd, 2012 by

The charity Praxis Care lost a memory stick in August 2011 containing confidential data on 160 people. The data held on the unencrypted stick included personal information such as their mental health and care records.

Since losing the memory stick and coming under the wrath of the ICO for the data breach, Praxis Care has committed to improving its data protection standards.

Christopher Graham, the information commissioner, said: “Carrying people’s personal information around on an unencrypted memory stick is clearly unacceptable.”

To avoid a situation like the one above, companies need to use a secure USB stick with hardware encryption.

SafeXs is a secure USB stick with AES 256 bit hardware encryption and is FIPS 197-certified. Over 1 million of these sticks are now in use by the NHS, helping to keep patient data and other confidential data secure.

Simply plug in a SafeXs and within minutes you can be up and running. All you need to do is set a password, and any data placed on the SafeXs is encrypted.

Read more about the popular encrypted USB stick >>

Indian Research Center Receives ISO 27001 Certification

January 19th, 2012 by

Leading Indian pharmaceutical research and development company, Semler Research Center (SRC), has been awarded ISO 27001 certification in recognition of its deployment of information security best practices.

ISO 27001 is the best-practice specification that helps businesses across the world develop a best-in-class Information Security Management System (ISMS). An ISMS is a systematic approach to managing confidential data so that it remains secure. It covers the management and security of people, processes and IT systems.

Dr Krathish Bopanna, President and Executive Director of SRC, said “It is an important milestone for us and reiterates our efforts in the direction of data security, confidentiality and client data protection. We recognize and understand that the security of our sponsor’s data is of vital importance and this independent accreditation should help our customers and their confidence that we have adequate measures and internal procedures in place to protect their data and eliminate any potential security risks… This certification shows our commitment to sponsors’ information security, business continuity and physical security”.

In April 2011, the Indian Government announced new data privacy rules which apply to any company that collects information within the country.

The proposed regulations under the ITA (Information Technology Act) state that those who have implemented ISO 27001 “shall be deemed to have complied with reasonable security practices” which are “duly approved by the Central Government.”

Therefore, complying with ISO 27001 will mean that you are complying with the regulations stated in the ITA.

Find out more about ISO 27001 here >>

If you’re looking to kick-start your ISO 27001 implementation project, then Introducing ISO27001 contains four complementary texts from Alan Calder or Steve Watkins, who are widely acknowledged as experts in the practical implementation of this international best-practice standard.

Make your first move towards best practice information security with this selection of books >>