Archive for April, 2007

Should you worry about data breaches?

Thursday, April 19th, 2007

Read Compliance Week for 17 April 2007 – Battling the Wide World of Data Breaches – and be astonished that those who are responsible for such grievous breaches of basic data security aren’t just taken out and …..

If you want a regular dose of horror, get the RSS feed from the Attrition.org website. It seems clear to me that there are large numbers of organizations out there who truly, genuinely, don’t give a hoot about the security of their employee and customer personally identifiable information.

I mean, if the repercussions facing TJX – 18 class-action lawsuits (so far), 30 states conducting attorney-general investigations, a US$5 million pre-tax charge in Q4 of 2006, and the statement that “beyond this charge, we do not have information to reasonably estimate losses we may incur arising from the computer intrusion” – don’t frighten CEOs and board directors, then nothing will get their attention. And TJX does deserve it, having allowed hackers to access credit card data from some 45.7 million customers. After all, TJX is not the first example of gross incompetence on this scale, and it’s not as though the US doesn’t already have a battery of privacy and breach-notification legislation on the books.

It’s also not as though best practice standards (e.g. ISO 27001) don’t already exist; nor is it anything other than obvious that laptops simply should not be loaded with personal data, not ever.

I think the only thing remaining is for everyone – customers, suppliers, partners – to simply cease dealing with organizations like TJX. Subscribe to Attrition.org and boycott those organizations that won’t get their act together.

Rise of the Chief Security Officer

Monday, April 16th, 2007

More proof that the much vaunted convergence of information security and physical security is being made flesh: ‘Research from the Economist Intelligence Unit shows the number of CSOs taking ultimate responsibility for the security of a business has almost doubled year-on-year.’

As this article says, CSOs – and in my view CIOs too – need to understand the business and be able to relate security to its needs. The concept of the CSO is in principle a good one, but it calls for a very broad range of abilities and experiences, and I am a little concerned as to where that talent is being nurtured.

While there may have been a doubling in the number of CSOs, I worry that the difference between a good and an indifferent office holder may be down to luck for many employers. We need to see more work done in the area of defining the CSO’s role and consequently what training and career experience is appropriate for achieving this office. Only then can we begin to have some confidence that the CSO title will deliver the reassurance it suggests.

How a six year-old beat the House of Commons computer system

Monday, April 16th, 2007

A BBC TV programme, Inside Out, recently caused some red faces in the UK House of Commons by revealing that a six year-old girl was easily able to break into the parliamentary computer system by installing a keylogger on the PC of an MP.

Having managed to sneak the device in under the noses of one of the UK’s most vigilant security teams, the girl was able to swiftly attach the device while the MP agreed to leave her PC unattended for 60 seconds as part of the test.

This has brilliantly highlighted the increasing threat posed by keyloggers, which in the programme’s words are proving the “weapon of choice” for many fraudsters and criminals.

The real vulnerability that organisations face here is human, not technological. The keylogger is installed by someone physically attaching it to the PC, which can only be accomplished through the negligence, naivety or active help of someone within the organisation. A best practice information security management system adhering to ISO 27001 is the best possible defence against such vulnerabilities, as it addresses the staff training and awareness issues surrounding infosecurity in addition to technological defences.
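A practical check that follows from the point above, added here as an example and not something from the BBC programme, the blog or any product: on a Linux desktop, /proc/bus/input/devices lists every input device the kernel knows about, so a host inventory can flag any keyboard-class device whose vendor/product pair is not on an approved baseline. The sample text and the vendor/product IDs below are constructed for illustration. The caveat a practitioner needs is that this only catches loggers that enumerate as their own device; a passive inline hardware keylogger sits between the keyboard and the host and is invisible to the operating system, which is exactly why the defence has to be physical control and staff awareness rather than software alone.

```python
"""Flag keyboard-class input devices that are not on an approved baseline.

Added example, not code from the original post. It parses the text format
of /proc/bus/input/devices (Linux). SAMPLE_DEVICES is constructed sample
data; the vendor/product IDs in it are made up.
"""
import re

# Bits of the kernel's EV capability bitmask (linux/input-event-codes.h).
EV_KEY = 1 << 1    # device produces key/button events (keyboards and mice)
EV_REP = 1 << 20   # device supports key autorepeat: set on keyboards, not on mice

# Constructed sample in the real /proc/bus/input/devices layout:
# one approved keyboard, one mouse, and one keyboard nobody approved.
SAMPLE_DEVICES = """\
I: Bus=0003 Vendor=046d Product=c31c Version=0110
N: Name="Logitech USB Keyboard"
P: Phys=usb-0000:00:14.0-1/input0
H: Handlers=sysrq kbd event3 leds
B: EV=120013

I: Bus=0003 Vendor=046d Product=c077 Version=0111
N: Name="Logitech USB Optical Mouse"
P: Phys=usb-0000:00:14.0-2/input0
H: Handlers=mouse0 event4
B: EV=17

I: Bus=0003 Vendor=1a2b Product=3c4d Version=0100
N: Name="HID Keyboard Device"
P: Phys=usb-0000:00:14.0-3/input0
H: Handlers=sysrq kbd event5
B: EV=120013
"""

# Hypothetical baseline of (vendor, product) pairs an organisation has approved.
APPROVED = {("046d", "c31c")}


def parse_input_devices(text):
    """Split /proc/bus/input/devices text into one dict per device block."""
    devices = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dev = {}
        for line in block.splitlines():
            if line.startswith("I:"):
                # "I: Bus=0003 Vendor=046d Product=c31c Version=0110"
                dev.update(re.findall(r"(\w+)=([0-9a-fA-F]+)", line))
            elif line.startswith("N:"):
                m = re.search(r'Name="(.*)"', line)
                dev["Name"] = m.group(1) if m else ""
            elif line.startswith("B: EV="):
                dev["EV"] = int(line.split("=", 1)[1], 16)
        if dev:
            devices.append(dev)
    return devices


def is_keyboard(dev):
    """Keyboard heuristic: emits key events and supports autorepeat."""
    ev = dev.get("EV", 0)
    return bool(ev & EV_KEY) and bool(ev & EV_REP)


def unexpected_keyboards(text, baseline):
    """Names of keyboard-class devices whose (vendor, product) is not approved."""
    flagged = []
    for dev in parse_input_devices(text):
        ident = (dev.get("Vendor", "").lower(), dev.get("Product", "").lower())
        if is_keyboard(dev) and ident not in baseline:
            flagged.append(dev["Name"])
    return flagged


def scan_live(baseline, path="/proc/bus/input/devices"):
    """Run the same check against the running host."""
    with open(path, encoding="utf-8") as fh:
        return unexpected_keyboards(fh.read(), baseline)


if __name__ == "__main__":
    for name in unexpected_keyboards(SAMPLE_DEVICES, APPROVED):
        print("unexpected keyboard-class device:", name)
```

Run against the constructed sample it reports only "HID Keyboard Device"; the mouse is ignored because it has no autorepeat capability, and the approved keyboard is on the baseline. Scheduling scan_live from an endpoint agent and alerting on a non-empty result gives a cheap, if partial, technical control to sit alongside the awareness training the post calls for.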

This exchange on the blog of Doug Schweitzer adds some more useful colour here and highlights a couple of books that focus on the startling truth that the greatest security threat an organisation faces is from within.

ISO 27001 and human vulnerabilities

Thursday, April 12th, 2007

Ian Kerr’s Computer Weekly article on the human dimension to infosecurity has good and bad points. He correctly highlights how critical it is to address employee behaviour within a security strategy – the smartest technological defences are of little help if your staff leave the front door wide open, whether by accident or design. However, he significantly misstates the way in which ISO 27001 tackles this in its specification for a best practice ISMS.

In fact, one of the 11 control clauses in ISO 27001’s Annex A (A.8, Human resources security, containing nine controls) deals specifically with HR, and many of the others – such as password management and user access controls – also deal explicitly with the human component of threats. I would say that ISO 27001, when properly implemented, provides an extremely strong safeguard against ‘human weakness’ and insider/outsider attacks.