Today’s guest blog post takes on a special meaning for ISACA and its constituents. It was written by Paul Williams, a former ISACA international president who passed away suddenly last week. True to his character, he was passionate about sharing his vast knowledge and wide-ranging expertise with his colleagues and friends around the world. He truly believed in ISACA’s work and offered his support wherever and whenever he could make a difference. Paul’s contributions to business and the fields of IT audit, security and governance were significant and will benefit us all for years to come.
In September 2010, a UK firm hit the headlines following the loss of potentially sensitive personal data from its systems. An external distributed denial of service (DDoS) attack apparently led to the data being compromised. The data referred to more than 5,000 alleged illegal file sharers and included names, addresses, Internet addresses and titles of movies that allegedly had been shared by the individuals concerned. The breach was regarded as so serious that the UK Information Commissioner has become involved amidst talk of heavy fines and other penalties against the firm involved.
Whatever the reasons for this breach of security, questions will need to be answered. Allegedly, the data were sent to the firm by a number of Internet service providers (ISPs) in unencrypted form via an e-mail attachment. Thus, there were a number of possibly weak links in the chain, any of which could have led to the data being compromised.
The question of security governance once again arises. Did the firm in question, as well as the ISPs providing the data, at a senior business management level, recognise the sensitivity of the information that they were holding, and did they ensure that appropriate steps were taken to minimise the risk of it being compromised? Good governance includes a proper understanding of risk and the need for business management to obtain evidence and continuing assurance that key risks are being mitigated.
With the continuing emergence of security incidents such as this, it is a particularly opportune time for ISACA to have released its Business Model for Information Security (BMIS). The aim of this model is to provide a holistic and business-oriented approach to managing information security and a common language for business and security management to work better together to safeguard the enterprise and its information assets.
The model addresses the three traditional elements considered in information security (people, process and technology) and adds a critical fourth element (organisation). The model also recognises the often complex and dynamic interconnections amongst and across these four elements.
By applying the BMIS model intelligently, it is probable that other enterprises could, in the future, reduce their information security risk and potential embarrassment and financial penalties.