The 2008/09 annual report of the Independent Safeguarding Authority (ISA) revealed a lapse in email security: staff sent confidential information to the wrong email recipient. The ISA was set up in the UK to prevent unsuitable people from working with children and vulnerable adults. An investigation concluded that human error was at fault. The ISA has plans in place to address IT disasters, but is still working on business continuity plans that cover incidents like this one.
The Statement of Internal Control in the report states “The ISA places a high level of importance on ensuring that staff are aware of appropriate Information Governance legislation. All staff at induction are provided with training in relation to Data Protection, Freedom of Information and Information Security. The training has proven to raise awareness and embed security and information governance into the organisational culture.”
The ISA recognizes its corporate risks and has taken steps to instill information security into its culture, but more work is needed. Organizations need to look at people, process and technology when addressing information security and internal controls. You can throw technology at a problem, but without adequate business processes, it may be a waste of money. The ISA had technology in place and was addressing people issues with its training program. The missing piece was a process for responding in the event of a data breach, one that answers questions such as:
1. If an incident occurs, how does the organization respond?
2. What are the legal and financial obligations of the organization?
3. What laws and regulations cover the situation?
4. How do you notify the affected parties?
Being proactive in risk assessment is the best approach to addressing information security issues. Having the right safeguards in place is important, but it is equally important that everyone understands what to do when a problem occurs. Mitigating risk is the name of the game.
Photo credit Jesse Wagstaff
– Written by Ron Arden