IT security policies are vital in reducing corporate liability risk under a raft of new and coming information...
security laws and regulations.
The first line of defence against any official inquiry is for organisations to have documentary evidence that their IT security policies meet legal and regulatory requirements, says Stewart Room, partner at law firm Field Fisher Waterhouse.
Enforcement authorities are more likely to tackle companies on data protection policies than procedures, Room says, and companies that can prove they have the correct policies in place are in a much stronger legal position.
The authorities' assumption is that if the correct policies are in place, the appropriate technological controls and procedures will follow. However, this is not how it works in practice.
In case after case, data breaches have occurred because organisations have failed to implement or enforce existing information security policies, deputy information commissioner David Smith told the inaugural Human Factors in Information Security (HFIS) conference in London.
Several inquiries that followed a series of high-profile data breaches by government departments in 2007 and 2008 revealed basic system failings, including a lack of proper governance to ensure IT security policies were universally understood and followed, says Nick Haycock, government information security community manager.
In the case of HMRC's loss of personal details of 25 million people, the Poynter inquiry found that although there were data security policies and procedures in place, they were overly complex.
Since then, HMRC has rolled out a rigorous programme aimed at improving information security across the organisation.
An important element of this programme is helping employees to comply with security policies and processes by making them clear and simple, says Jeff Brooker, head of security and business continuity at HMRC.
But security ultimately rests on an organisation's ability to ensure that all its employees are aware of the information security polices and are able to comply.
This was a key element of Nationwide's security revamp after the Financial Services Authority slapped a £980,000 fine on the building society in 2007 for the theft of a laptop containing confidential customer data.
The building society polled its 19,000 employees to find out what difficulties they had in complying with IT policies to identify procedural weaknesses and make compliance easier, says Sarah Garrett, senior manager, policy and communications, in Nationwide's information security department.
"Nationwide always had good data security, but the focus was on reducing technological threats and there was limited engagement with users," she says.
Since 2007 that has changed, she adds. Nationwide has achieved ISO 27001 certification and the culture has changed so that information is now as important as cash and every employee feels comfortable in asking the security department for help and advice.
Nationwide, HMRC and other government departments have demonstrated that by paying better attention to the human factors in security, organisations can protect their data better.