As an ISM, you can see by now that you have to consider yourself to be some kind of plate spinner – with a number of different sub-projects going on at any one time. This may have been done to serve the needs of management, rather than for anything effectively designed by you. So the end result could be that nobody knows what’s going on!
However, there is always a concern that your large project is somewhat of an elephant that cannot be eaten whole. Therefore, breaking it down into a number of sub-projects is a tactic designed to focus each team on specific tasks, rather than trying to spread them too thinly. We were encouraged to break it down into the following:
As the ISM, you may have no day-to-day authority over the time allocation of resources provided to you on project tasks, and this can be very destabilising in terms of project progress. Of course, the reality, in these straitened financial times, is that it’s the same people on each of the project teams. Therefore, setting up sub-projects actually increases their workload, as they now have to do even more reporting and upward management, as well as attending even more meetings, and this is very wasteful of time, energy and resources.
Sadly, people never seem to pay attention to the blindingly obvious. So your task has to be to keep highlighting to management that for as long as resources are not afforded appropriate time, the overall project will slip further and further backwards, and they will ultimately pay the price for a lack of compliance with a required external mandate or a lack of connectivity to a particular infrastructure. This would impact a significant number of users, way beyond the immediate management team considerations.
Every now and then, you need to take a step back and remind yourself, and everyone else, what it is that you are trying to achieve. Your programme of change is ultimately seeking to influence the review of information flow and business process re-engineering, to ensure that those processes that are being undertaken are appropriate, adequate, safe and secure, given the nature of the information assets at risk during all transactions. This is fundamentally about ensuring your organisation is in compliance with relevant legislation. For example, particularly in the UK, your information processing, in all its forms, must not breach the Data Protection Act, which derives from a European Data Protection Directive. Therefore, similar principles apply to all organisations processing information across Europe.
Most endeavours in this area have always been about more than just technology, in spite of their uptake usually being served by the implementation of new tools. It is part and parcel of the information governance agenda, which embraces any legislation, regulation and standard that relates to information as an asset and that requires risk assessment, impact analysis and proper management. (We will return to describing the breadth of information governance itself in the next chapter.) This, therefore, needs to be owned at a senior level in the organisation and supported with appropriate resources. Otherwise, ICT continues to be perceived as the natural lead, which results in projects being afforded a technical focus, rather than an operational one, and users are left feeling that things are being ‘done’ to them.
It is certainly true that technological solutions can be used to make the policing and implementation of information security easier, but there are implications for how we do business to ensure the protection of data and information. Continuing to deliver on your programme of activity requires changes to policies, too. For example:
As mentioned previously, many of the issues addressed by information governance-related programmes of change concern personnel and procedures, but there are obviously technical matters, too. A lot of these have already been covered in previous chapters, but others are identified below:
In reality, anything that is described in this book is nothing more than encouragement to achieve the minimum expected security standards for an organisation.
There is a fundamental and intrinsic link between security and data protection and, indeed, privacy. You cannot have the latter two without the former, and the seventh data protection principle in the UK Act places security squarely as a fundamental requirement to be embedded into the fabric of your organisation, where you are in a position of protecting personal data in whatever form it may take.
UK Data Protection Act 1998, seventh principle
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
As the ISM, it may be that you are asked to assist with fulfilling subject access requests (SARs), when individuals ask to see all the information that your organisation holds on them. This can require trawling through data logs, e-mail archives, system records, etc., as well as paper/manual records, and can be time-consuming and challenging in terms of piecing together the breadth of information captured and ensuring that the response is provided within the requirements of the legislation.
Data protection is a huge legislative learning curve, but it behoves the ISM to learn the Act and understand it from both a legal and technical point of view, as it is not going away. More changes are planned in terms of data-breach notification, and the underlying premise on which the various data protection authorities assume your organisation is handling personal data is that a) you know that you have it, b) you know where it is at all times and c) you have taken ‘appropriate technical and organisational measures’ to protect that data. The latter, in the 21st century, implies encrypting data at rest, data in motion and data in transit, at minimum. Again, this is a massive area in itself, and there are many great books that can be found on the subject.
We will address the need to undertake privacy impact assessments (PIAs) in the next chapter. Suffice to say that if you are in this mode of thinking, then you should be able to see the links with business impact assessments or analysis too. The ISM has a key role to play in identifying the likely root causes of threats being realised, establishing their likelihood and being the creator and author of the definition of a great many of the mitigating or compensatory controls that could be implemented to ensure the appropriate protection of personal data and/or information assets, as expected by the regulators, your stakeholders and the public at large.
This is another easy fix – a low-hanging fruit task – and yet it is so often not addressed. We talked about this back in Chapter 1. It is an ongoing task and you really need to make it a mission to ensure that:
It’s these kinds of little things that really show whether an organisation is taking security seriously, both internally to itself and to outsiders (when audited or otherwise).
The list of items needing to be included on your inventory gets longer and longer, or at least it does if you reflect on the potential risks associated with the use of some machines. Consider the purchase of new dictaphones – the technology has come on so far that these now have an inbuilt storage element similar to a USB drive, and if that drive is not encrypted, you need to review the potential requirement for addressing this risk. What if the dictaphone was dropped in the street? Anyone could pick it up and press play to hear what had been recorded and, depending on the result of the discovery, take it straight to the local media – or worse still, the national press. In all likelihood, this would become an immediate data breach and an incident response would need to swing into action. Mighty oaks from little acorns grow …
This month’s information security theme could pick up on the fact that the media focus is usually, at least for the first two weeks of February, related to Valentine’s Day, so there’s a ‘love’ element. You could run a campaign entitled ‘Love your laptop’, where users are encouraged to ensure that they have connected to the network, updated the patches and anti-virus status, run a back-up, cleaned out the cookies and Internet history, etc.
The brevity of this chapter reflects that February always feels like a short month for everyone, depending on how it ‘falls’ across the calendar weeks. It is a time to make the most of the speed of the month and tackle some of the basics, as have been expressed, whilst continuing to keep plates spinning at a management level.