Information Security Group (ISG), Royal Holloway's Blog

How can you lose something you have given away?

By Information Security Group (ISG), Royal Holloway in Industry

Posted in data security, Security on May 7, 2008 at 12:06 pm


The news has been plagued over the last year with stories of the UK Government and major corporations losing CDs with private information on them. But a few days ago I noticed in a story on the BBC website that the Italian Government has found a novel way to prevent the unauthorised loss of confidential information – they’re giving it away for free. How can you lose confidentiality over data that was not confidential in the first place?

It seems as if one of the last actions of Italian prime-minister Romano Prodi’s outgoing government was to sign off on a plan to release the names, addresses, birthdates and incomes of all Italian citizens via the Italian tax authority’s website, all in the name of freedom of information.

And, as you may expect, I find there to be an information security lesson in all of this…

You see, while some of my fellow information security specialists and most of the UK’s journalists have been clamouring for the heads of the hapless employees that lost our personal details on CDs in the mail, I have been more circumspect. I would question whether these Guy-Fawkes-figures quite deserve the vilification that they have received.

The security management standard (ISO/IEC 27001) teaches us that a secure information security management structure (ISMS) isn’t necessarily one in which security incidents don’t take place, but one which attempts to prevent major incidents through training, education and well-understood policies, while accepting that incidents will happen and attempting to learn from them.

Let’s take the case of the lost CDs – the sender may be guilty of a lack of common sense, but they should only accept blame for the security incident if they have acted against the training that they have been given by the organisation. The question of whether they have broken the security policy is a completely moot point. The employee is only to blame if they knew the policy and then chose to act against it. And I would bet dollars-to-doughnuts that this isn’t the case.

So, is it the fault of the ISMS for not educating the employee? Perhaps. But security policies will never cover all eventualities, and security incidents are going to happen. In a situation like this, it’s somewhat futile to attempt to cast blame. ISO/IEC 27001 would rather have us attempt to identify where the mistake was made and correct it (with new policies or, as is more likely, through renewed training and education). Rather like the sports team that suffers an ignoble defeat at the hands of a team three leagues below them, a good information security manager will leave blame to the newspapers and concentrate on improving his game to the point where the ISMS won’t be caught off guard again.

But I hesitate even to say that the organisation’s ISMS was at fault in the case of the lost CD. No ISMS exists in a vacuum, and all departments need access to the outside world. Perhaps the mail carrier to whom the data CD was given was regarded as a trusted sub-contractor who guaranteed a level of security as part of the contract with the organisation and provided sufficient evidence that they could cope with the job? Suddenly, the organisation need take no blame at all, and it’s the mail carrier’s ISMS that needs to be examined.

Lastly, and to bring the whole post back to its original point, no ISMS can prevent a mistake that is made wilfully. If the senior management team cannot be persuaded that some action, for example publishing the name, address, birthdate and income of every employee in the organisation, is a bad idea, then even the most brilliant security manager cannot do much beyond prepare for the inevitable storm of trouble that is heading his way. I have a certain measure of sympathy for the information security team within the Italian tax authority today – it’s not going to be a good day for them.

In conclusion, security incidents are going to happen in any organisation: a good ISMS prevents what it can and reacts to what it cannot prevent. It seeks not to blame, but to repair, and hopefully the silver lining to all of these lost CD incidents will be better ISMSs all around. What I want to know is why all the data was put on a CD in the first place: haven’t these people heard of solid state memory?

Dr. Alex Dent
