Source: http://blog.gartner.com/blog/security.php?x=0&itemid=2974 (cached copy)
When Too Much Security Means No Security at All
2007-12-24 12:30:19, posted by Paul Proctor, Research VP in IT Leaders - Security and Risk Management
 
We all know about the law of unintended consequences - the principle that the actions we take can have results that are unpredictable, and sometimes even the exact opposite of what we're hoping to achieve. Media reports out of the United Kingdom this week seem to offer a spectacular example of this principle at work in the world of enterprise security. The details are still emerging, but what's come out so far should be a wake-up call for security and risk professionals everywhere.

Last month, HM Revenue & Customs (HMRC), the U.K.'s tax and excise agency, acknowledged that it had suffered one of the worst data breaches in history (see "Data Loss Could Have Huge Impact on U.K. Banking Industry"). The agency had somehow managed to lose the entire national child benefits database, which contains highly confidential information on a staggering 25 million individuals - literally every household with dependent children in the U.K. The database was stored on two computer disks that were apparently lost while being transported and that still haven't been recovered. The U.K.'s citizens, who are very sensitive about privacy issues, were predictably outraged, parliamentary and regulatory inquiries were launched, and HMRC's chairman was forced to resign. But the agency blamed a single comparatively low-level staffer for causing the breach by downloading the benefits database onto disk. Now it looks like the story was a lot more complicated than that - and HMRC still hasn't learned its lessons from this debacle.

Reports in the U.K. media in the past few days suggest that the downloading was actually ordered by senior officials as part of official HMRC policy. As if that weren't bad enough, HMRC still seems to be working hard - even after the data breach - to make sure that most of its personnel don't even know what the agency's official policy is, much less follow it. It turns out that HMRC has a detailed policy manual governing the handling of confidential information. But in the days after the data breach, HMRC apparently decided that the manual itself was so sensitive that it had to be kept confidential. According to the media reports, only senior staff are allowed physical access to the manual, while lower-level personnel receive only a Web-based briefing that discusses general principles of security and confidentiality.

How are people supposed to follow a policy when they don't know what it is? I'll leave that question to the bright lights at HMRC. Even if they aren't ready to learn the lessons of this data breach, I hope you are. And one of the most important is that well-crafted, well-communicated security policies and policy documents are the bedrock of effective enterprise security. That's why Gartner security analyst Les Stevens recently published a three-part series of Toolkit documents focusing on creating, implementing and communicating an enterprise security framework. You can use these documents to build enterprisewide consensus on security issues, develop appropriate security policies and processes, and - crucially - communicate them to the necessary stakeholders within your enterprise. Take a look. I think you'll be glad you did.

Toolkit Best Practices: Creating a Security Policy Process (Security Policy Guidelines, Part 1)

Toolkit Best Practices: Creating a Security Policy Process (Security Policy Guidelines, Part 2)

Toolkit Best Practices: Creating a Security Policy Process (Security Policy Guidelines, Part 3)