Quantar Blog

Do you need to certify for ISO27000 to prove your compliance efforts to regulators?


There are an increasing number of standards for IT security. Do you need them for GDPR proof of compliance?

Does your company certify for various areas of operation? Perhaps one or more of: Business Continuity (ISO 22301); Information Security Management (ISO/IEC 27000); Risk Management (ISO 31000); Environmental Management (ISO 14000); or the most popular, Quality Management (ISO 9000)?

ISO has attempted to keep pace with technological changes, with updates to ISO27000 and 22301 to embody regulatory changes such as the GDPR. Impact assessments and risk assessments are now more clearly matched with data privacy standards. So do you really need to certify your organization to mitigate the risk of non-compliance by proving your organization has maintained the highest IT security standards?

The Challenge

Cases such as those of British Airways and the Marriott hotel group in the UK raise the question of how to prove that your data protection is secure and compliant in order to avoid prosecution for negligence. In the two major UK cases the Regulator (ICO) imposed the financial penalty due to customer data being “compromised by poor security arrangements at the company”. By contrast, in the Marriott case, it was not a failure of existing operations that was the cause of the fine, but that the company had “failed to undertake sufficient due diligence” when it purchased a company which had suffered the cyber-attack (Starwood Hotel Group).

In both instances, the size of the fines was such that the ICO clearly believed the failures were criminally negligent. So how do you demonstrate that your company is not, and what evidence will the Regulator accept as proof in rebuttal?

With the GDPR having been in operation since 2018 and the US COPRA only coming into force in January 2020, it is still early for the number of cases brought by a Regulator to be indicative of what constitutes proof of intent to comply and an absence of negligent conduct.

The Solution

Whilst being certified for ISO standards such as 27000 can provide auditable proof of compliance to an accepted security standard, it does not of itself prove that your company’s management of data is compliant. How can this be so? Taking ISO 9000 as a prime example, although the standard sets out what needs to be done in order to qualify for ISO certificate issuance, the level of the management system put in place for certifying against the standard may not be fit for purpose. When compared to another entity with a far more granular approach to their management method, it may be a qualifying system, but not the best.

The same applies to most certification standards and bodies. Proof of certification against one does not provide unassailable proof that there has not been negligence in managing data to the required data protection law standard. It can be indicative of the method, management style and process that can assist a Regulator in determining fault.

The greater the prima facie evidence your company can provide to a Regulator in cases of breach, the greater the likelihood that the Regulator will accept that there was no intent to breach the relevant data protection standard.

Quantar can assist in the provision of auditable proof through the implementation of our CyCalc software solution. This uses client-specific data, external data and actual threat data to extrapolate and quantify business process financial exposures. It also provides “what-if” capability in order to model scenarios and changes made to systems and processes.

Using CyCalc gives clearly demonstrable intent to comply, through being able to identify those risks and their values. The historic data plots your security maturity over time, further strengthening arguments against negligence. In this increasingly regulated environment, such data has become of even greater importance.