Archive for September, 2006

SMBs lag on security

Wednesday, September 27th, 2006

Confirmation from PriceWaterhouseCoopers that small and medium-sized firms are underinvesting in IT security and suffering for it. PWC calls the difference in preparedness between large and smaller companies ‘a tale of two cities’, which seems pretty apt. As they say, too many SMBs are unaware of ISO 27001 and other measures that would provide vital help.

It’s all very well Alun Michael MP observing that low awareness is a problem, but what will the Government do to help change this? Not a lot, I fear, with it firefighting issues like NHS budgets, prison scandals, ministerial affairs and ‘cash for coronets’ - critical issues like ISMS just won’t receive the backing they need.

Instead, it will be up to the business community to resolve the issue itself, hence our work to produce books like A Business Guide to Information Security and our ISO 27001 Toolkit, both of which were created with SMBs very much in mind.

Why management doesn’t get IT security

Sunday, September 17th, 2006

Bruce Schneier highlights the latest report to find that many (most?) senior execs still fail to grasp that IT security really is their problem:

“Most C-level executives view security as an operational issue — kind of like facilities management — and not as a strategic review. As such, they don’t have direct responsibility for security.”

The report of The Conference Board identifies several familiar priority tasks for infosec professionals seeking C-suite attention:

* Stronger alliances with colleagues, particularly risk professionals
* Metrics that demonstrate that security really does save the business money
* Regular meetings with senior execs to keep their eye on the ball

What isn’t stated in this posting is a fourth imperative, which is to help educate the board through relevant reading material. ‘The Case for ISO 27001’ and ‘A Business Guide to Information Security’ are two books written specifically for non-technical directors, in which I have stripped out the technical jargon and explained in management terminology why these things matter and what to do about them. Buy your board directors an early Christmas present and get your company’s New Year off on the right footing.

An ISO 27001 ISMS will enable regulated firms to meet FSA Handbook requirements

Saturday, September 9th, 2006

The FSA Handbook sets out clear requirements for the management of information security within its regulated sectors. The requirements are best met by implementing and maintaining an ISMS that meets the ISO 27001 standard - ISO 27001 certification is clear evidence that the firm has taken full account of ISO 17799, as laid down in SYSC 3A.7.8.

SYSC 3A.7.7
Information security
Failures in processing information (whether physical, electronic or known by employees but not recorded) or of the security of the systems that maintain it can lead to significant operational losses. A firm should establish and maintain appropriate systems and controls to manage its information security risks. In doing so a firm should have regard to:
(1) confidentiality: information should be accessible only to persons or systems with appropriate authority, which may require firewalls within a system, as well as entry restrictions;
(2) integrity: safeguarding the accuracy and completeness of information and its processing;
(3) availability and authentication: ensuring that appropriately authorised persons or systems have access to the information when required and that their identity is verified;
(4) non-repudiation and accountability: ensuring that the person or system that processed the information cannot deny their actions.
SYSC 3A.7.8
A firm should ensure the adequacy of the systems and controls used to protect the processing and security of its information, and should have regard to established security standards such as ISO17799 (Information Security Management).

FSA mandates IT governance

Saturday, September 9th, 2006

The FSA Full Handbook quite clearly sets out the requirement for its 29,000 regulated firms to implement an IT governance framework. I quote:

SYSC 3A.7.5
IT systems
IT systems include the computer systems and infrastructure required for the automation of processes, such as application and operating system software; network infrastructure; and desktop, server, and mainframe hardware. Automation may reduce a firm’s exposure to some ‘people risks’ (including by reducing human errors or controlling access rights to enable segregation of duties), but will increase its dependency on the reliability of its IT systems.
SYSC 3A.7.6
A firm should establish and maintain appropriate systems and controls for the management of its IT system risks, having regard to:
(1) its organisation and reporting structure for technology operations (including the adequacy of senior management oversight);
(2) the extent to which technology requirements are addressed in its business strategy;
(3) the appropriateness of its systems acquisition, development and maintenance activities (including the allocation of responsibilities between IT development and operational areas, processes for embedding security requirements into systems); and
(4) the appropriateness of its activities supporting the operation of IT systems (including the allocation of responsibilities between business and technology areas).

Wireless laxity leads to new legislation

Saturday, September 2nd, 2006

I’ve written before about the fact that wireless kit usually ships with a default security setup of ‘no security’ - because that’s what makes it easy for consumers to get started right away on using the kit. ‘No security’ is obviously not a good default setting in today’s identity- and bandwidth-hijacking world.

California, as is so often the case, is taking the lead in dealing with this issue. Assuming that Governor Schwarzenegger signs it into law, manufacturers will have to place appropriate warning labels on all wireless equipment. Of course, that won’t mean that users will improve their wireless security - but it will at least ensure that they’re made aware of the issue.

California’s Database Security Breach law has been widely copied by state legislatures across North America - I guess we’ll now see a rash of wireless-related legislation as well.

Who’s fooling who?

Friday, September 1st, 2006

You would think that, after a number of years banking with an institution - putting money in every day, writing cheques, doing transfers, that sort of thing - the institution would know who you were. Well, you would, wouldn’t you?

Apparently not.

Our foreign business is growing rapidly and we need to open a US$ bank account - while we can deposit US$ cheques to our sterling account, it’s expensive and it costs again when we want to pay suppliers in US$. Anyway, our sterling corporate bank account and one of the director’s personal bank accounts are at the same branch of a national bank. Have been for years. We just want to add a corporate US$ account to our accounts there.

No can do, says the Bank. Although we know you, we don’t know you - not for foreign currency accounts, anyway. So, here are some new forms for you to fill in and please, when you’ve filled them in, we need all the officers and directors of the company to come into the branch, bringing their personal identification, and to identify themselves to the bank officials. We know you’ve got nothing else to do during the business day. It’s the Anti-Money Laundering regulations, you see.

Is that the same AML regulations that have enabled alleged terrorists to fund a series of aborted and actual atrocities?