A number of privacy special interest groups, government officials, and members of the general public have raised concerns that our personally identifiable information (PII) is at risk. Such concerns are understandable, given the nature of information today. As electronic storage gets cheaper, organizations and individuals store more information for longer periods of time. As information gets digitized it becomes more accessible and seems to flow freely across the Internet. Smartphones and tablets broadcast our every move across the globe as we carry volumes of sensitive information with us.
While the perceived risks may be rising, the concerns about private data becoming public are not new. Information security professionals have been handling sensitive information for decades and have developed standards to help organizations manage the risks involved and prevent security breaches. And if a breach does occur, these standards help an organization to contain the damage, investigate what went wrong and improve risk management procedures going forward. These concepts apply to all organizations, from national governments and large corporations to smaller businesses.
The Information Security Management System (ISMS), first published in 2005 as part of the International Organization for Standardization (ISO) 27001 standard, includes processes for governance, compliance, risk management, internal audit, quality management and continuous process improvement. Adopting it has improved the information security practices and mitigated risks for thousands of organizations that have registered their compliance with ISO, from small businesses to large government agencies. The ISMS has become a standard for cloud computing best practices, and the U.S. National Institute of Standards and Technology includes the ISMS in its publication on recommended security controls.
In my experience, there are three major benefits to implementing the ISMS and the best practices it represents:
- Money saved to invest in other areas. Companies that adopt the standard don’t need to spend money and time – think of hundreds of thousands of dollars – to reinvent what has already been developed as a baseline. Organizations can start work immediately and get systems in place. And many of the management practices in ISMS can be connected with other compliance programs related to enterprise risk management.
- Ongoing organizational improvements. By design, the ISMS process engages an organization’s leadership in assessing risks and identifying ways to manage and mitigate them. The ISMS establishes processes for ongoing audits of business practices, and it prompts regular reassessments of security risks to determine if changing conditions in business, technology or society require new protections. Adopting these best practices on information security also strengthens a company’s compliance efforts, including government rules that relate to data security, such as HIPAA and data breach notification laws, and industry-run standards such as payment card industry (PCI) security standards.
- The flexibility to emphasize data privacy and personally identifiable information in security plans. The ISMS was created to address threats and vulnerabilities to sensitive information. The standard is under constant review and receives regular updates to help ensure that it stays relevant to changing conditions. Information security experts recognize the ISMS as the perfect standard upon which to build protections for personally identifiable information.
Why the Security Standard is a Business Enabler
To apply ISMS to personally identifiable data means adopting a set of risk management principles that should be familiar to information security professionals. For example: engaging executive leadership in risk management decisions.
The ISMS calls for creating an executive management oversight board to review and adopt a risk management methodology. Working with the company’s information security manager, this process prompts the organization’s leaders to articulate their appetite for risk, what risks are acceptable and which pass the company’s threshold. The resulting risk management policy for the organization—including a list of documented controls—will lead to procedures for assessing threats, vulnerabilities and controls for mitigating them. Management must agree that these controls will be put in place.
Another example: accountability and quality control. The ISMS establishes a governance board that oversees compliance for the organization. But the board does not act alone or keep its own score. An essential element of the ISMS calls for reviews by both internal and external auditors to update executives on the status of the organization’s risk assessment and the effectiveness of security controls put in place. In this process, new threats and new ways of dealing with them become part of a process that includes documentation, changes to business processes and an organization’s commitment to mitigate the risk of a data breach.
A standard like the ISMS is not designed to be easy. It takes resources, management buy-in and ongoing commitment. But the benefits are real. Enterprises that I have worked with to adopt the ISMS have improved their organizations’ management, their legal department, and their staff.
By understanding the risks associated with handling customer data, they are empowered to make more informed decisions about data management and privacy controls. The ongoing improvement of information security policies leads to more precise staff and budget allocations based on risk management principles. Incidents that result from weak controls—or a critical audit—allow them to make changes and mitigate the highest-priority risk areas.
Adopting the ISMS means establishing a documented system that demonstrates standards of practice and due diligence—potential evidence of the organization’s efforts to protect data privacy should there be legal claims against it.
There is also a staff benefit. I have seen job satisfaction rise in organizations that adopt the ISMS. They have higher levels of competency because their employees need to have the knowledge to follow security procedures. This structure enables them to develop new staff members and retain knowledge when staff changes occur. It fosters a culture of quality improvement and caring. Apply it to your personally identifiable data and see.
Mark E.S. Bernard is director, governance, risk and compliance at TechSecure Holdings Inc. in Sooke, British Columbia. He has 22 years of experience working with private sector and government clients and has architected information security and privacy programs based on ISO 27001 and other standards.