Managing risk and delivering savings
Trish Thomas, information governance specialist at Orbit Group, tells us how Orbit bounced back from a data protection breach to deliver savings and improve staff training.
As at other organisations, business practices around information security, data protection and privacy were patchy across Orbit at the time of our breach in 2008. When the breach happened, senior management reacted quickly, identifying that more needed to be done to raise the importance of information security across Orbit, so that we could protect our customers and staff. That internal reaction was formalised by signing an agreement (on 30 November 2008) with the Information Commissioner’s Office to improve the security of personal and sensitive information.
So what did we do? Well, quite a lot! We developed tools for staff to learn about the importance of data protection. These incorporated classroom-style training covering the basics, as well as introducing a more robust reporting system. We had quizzes for staff, an interactive board game and our ‘8 Golden Rule’ keyring cards that staff could take away with them. We also introduced some best practice policies and procedures, such as the clear desk policy and our office move guidance. Online training became mandatory for all new starters, together with all existing staff undergoing regular ‘refresher’ training.
We did all that quickly after the breach, but over time we became more sophisticated around how we dealt with information security. In 2012 I started at Orbit, bringing over 20 years’ experience of all things information governance. My team and I deliver services (to both external and internal customers) across a range of topics: information security; information and records management; information sharing and Freedom of Information; data protection and privacy; information quality and assurance – such a robust offering means we can be sure people have the knowledge and skills to take information governance seriously.
In mid-2012 we also introduced a robust information security and risk management approach which is designed to be flexible and able to change quickly, responding to threats and the introduction of new technology.
Four years after our data breach and after all the work we’d put in, we were delighted to gain the ISO27001:2005 Information Security Management standard, then followed by our PCI-DSS accreditation in 2013.
But we’re still improving…
We are currently working on a new electronic document and records management system, which will be the bedrock of managing Orbit’s information, keeping everything in one place. We’ve also integrated information security into our project management framework to make sure information governance is at the forefront of people’s minds when they start a project, and stays there throughout! And we’ve incorporated questions about information governance and security into our procurement process so that we can assess the governance of our supply chain. This means that the information governance team can develop an accurate Information Security Risk Assessment (ISRA) report, including options and recommendations to the business to reduce their residual information security risk.
But information security isn’t just about my team embedding practices; it’s also about giving ownership back to the business in exactly the same way that management are accountable for their financial and HR related risks. By getting managers to take responsibility for information security in their area, we will embed it at all levels of the organisation, provide accountability and ownership of risks, therefore minimising threats and vulnerability of information. My team can then give ongoing support and advice as the specialists, which allows us to deal with wider organisational issues, as well as providing services externally.
Now six years on from the breach, our information security approach is recognised externally and internally as highly effective. We can be adaptive and proactive, and we’ve seen tangible results in terms of reducing information security incidents and avoiding reoccurrences. Plus, our approach is contributing to Orbit’s ‘Making it Count’ value for money agenda – by incorporating business process improvements into our information security risk assessments we’ve seen tangible cost savings year on year. At Orbit, our experience made us realise just how important information governance is – I’d encourage others to make sure that breach never happens!