Archive for the ‘Business Continuity’ Category

Analysis of Information Commissioner Cases

Tuesday, November 22nd, 2011

We carried out an analysis of the data breach cases which led to the UK’s Information Commissioner extracting an undertaking from the organisation concerned. Over the last 18 months (May 2010 – mid-November 2011), this is the breakdown of 85 cases:

Incident type                                                           No. cases    %
Lost / stolen unencrypted laptop                                           16      18.8%
Lost / stolen unencrypted USB (20), CD (1), camcorder (1)                  22      25.9%
Lost / binned / theft / exposure of paper records                          24      28.2%
Data exposed on website / emailed or faxed to unauthorised individuals     16      18.8%
Unsecure / incorrect / exposure of electronic data storage                  7       8.3%

The largest category of data breaches concerns paper records, not digital data. Many people don’t seem to realise that the DPA also applies to paper records. More than that, it is harder for organisations to impose technical security controls on paper documents. This gap can only be filled by training. In today’s climate, the most cost-effective way to train people is DPA Staff Awareness eLearning: it ensures that all staff get a consistent message, tests staff understanding of the key concepts, retains records of completion of training and testing, and enables the employer to systematically train everyone at a low individual cost.

Nearly 50% of the cases are due to an absence of encryption – either of a laptop or of a USB stick. Failure to require staff to use encrypted USB sticks (SafeSticks) is, bluntly, reckless.

The breakdown of organisations concerned is also interesting:

Offender                    No. cases    %
Lawyers                          4       4.7%
Schools                         11      12.9%
Councils                        18      21.2%
Social services                  4       4.7%
Hospitals / NHS trusts          29      34.1%
Commercial organisations        10      11.8%
Police                           3       3.5%
Government                       6       7.1%

Public sector    88.2%
Private sector   11.8%

I’m convinced that the only reason the private sector does so well in these statistics is the anomaly that the public sector is required to report data breaches, but the private sector is not (yet). This may change a bit with the new PECR requirement on ISPs to report data breaches but, until the appearance of a broader pan-European data breach reporting requirement, I would expect this reporting imbalance to continue.

The private sector is, however, subject to potentially hefty financial penalties – from the ICO and from individual regulatory bodies, such as the FSA. More importantly, breached private sector organisations are subject to those most severe of business penalties – reputation destruction and customer desertion. The sensible private sector organisation will be taking steps, now that ISO27035 has been published, to ensure that its incident management and security breach reporting capabilities are up to scratch.

Increase infosec spending – reduce cyber damages

Monday, November 21st, 2011

A recently published study into Global 2000 IT-spending intentions identified that 39% of corporations are spending more on information security this year, with 37% planning to increase spending in 2012.

With cyber security identified as a key strategic threat facing organisations worldwide, sensible CIOs and CISOs will now be spending at least 13% of their IT budget directly on information security. There is a growing body of evidence that points to increased expenditure having a direct impact on reducing the frequency and impact of cyber crime. In particular, the 2010 Cyber Security Watch Survey found that there was, on average, a 10% reduction in the losses from cybercrime resulting from significantly increasing spend on cyber security. As individual cyber incidents can cost $3 million or more, a 10% reduction can be seriously worth having!

In fact, adopting and applying cyber security standards for managing information security and business resilience can pay off massively – depending on whether you adopt a self-help approach or bring in outside consultants, a best practice ISO27001 Information Security Management System can cost as little as £3.5k to £10k to implement and more than pay for itself in reduced financial damages in almost no time!

ITG 5 (IT Governance: a Manager’s Guide – 5th Edition) completed!

Friday, November 11th, 2011

At the end of October, we submitted the manuscript of the 5th Edition of our best-selling book on implementing an ISO27001 Information Security Management System (ISMS) to our external publisher, Kogan Page. It should be in bookshops across the world in Spring 2012.

This 5th Edition is completely updated and combines the content of International IT Governance, the version of the book that we produced for the North American market, with that of IT Governance. This means that there will now be a single edition, with coverage of IT governance, legal, security and compliance issues in the UK and in North America, as well as in Europe and elsewhere across the world.

We’ve obviously also updated all the technology content of the book, and have included the most recent information about Advanced Persistent Threats, attack vectors, cyber crime standards, the cyber resilience agenda, social media governance, PCI DSS and, of course, cloud computing.

While the core standards, ISO/IEC 27001 and ISO/IEC 27002, have not yet been updated from the versions published in 2005, a whole family of ISO27000 standards has been created and is being published with great regularity. Our new book incorporates material from a number of these standards and places them in their broader implementation context.

While working on the book, I came across a growing number of surveys and reports in which the link between increased expenditure on information security and a reduced incidence of cyber breaches (and, therefore, reduced financial and business impairment) is clear. It has always been obvious to us that, in an insecure neighbourhood – and the Internet is a deeply insecure environment – it is simply good sense to lock the doors, alarm the house and secure one’s valuable assets.

The growing number of organisations certificated to ISO27001 (many of whom have taken advantage of our range of certificated ISO27001 training courses to prepare themselves) all contribute to greater information security awareness amongst users of digital assets. We hope that the 5th edition of IT Governance: a Manager’s Guide will help many more organisations around the world make the first step toward better digital self-preservation.

Pre-hack backups

Friday, June 24th, 2011

Among the most common errors of judgement that I see from company directors is the failure to carry out regular and detailed reviews of their business continuity arrangements. For most boards, the whole discussion is boring. It becomes even more boring when the discussion has to work its way through identification of critical systems and processes, determination of Minimum Tolerable Periods of Disruption and Recovery Time Objectives, as well as identifying threats and vulnerabilities and estimating likelihoods and impacts of external events that might unacceptably disrupt key processes.

Inaction has consequences. DistributeIT.com.au ceased to exist as an independent business because it hadn’t identified the possible impact of a devastating hack attack: it didn’t have adequate offsite backups for the 4,800 websites it hosted. And that’s what business continuity plans are for: to ensure that, as an organisation, you can survive when something terrible happens. You would have thought that an IT company would understand the importance of backups but, again, my experience is that most organisations never actually think through the circumstances in which they might have to recover from their backups, and they are therefore never prepared when disaster strikes.

The good news, of course, is that there are internationally recognised standards for business continuity management – BS25999 (shortly to be ISO22301) and ISO/IEC 27031 – and there are Business Continuity Management Toolkits to help you with a BCM implementation – but there is no substitute for directors paying attention to what is going on in the risk world around us, and taking appropriate action to survive the unexpected. Right now, of course, being hacked is one of the more likely things to happen – so there really isn’t an excuse for being caught napping on this one!

Business Continuity for Small Firms

Tuesday, June 7th, 2011

‘Nearly 1 in 5 businesses suffer a major disruption every year – and only 28% of them had any form of continuity plan’ – reports Adam Bernstein, who continues, in Business Continuity: the small firm view, to provide good, sound advice to small firms on how they should plan and prepare for their own business continuity challenge.

There are two additional things you should do: the first is to write down all the steps that you’ve worked out, together with contact details and critical information like bank contacts, insurance policy numbers and so on; the second is to keep a copy of the business continuity plan somewhere away from your business, where you can access it when you need it but where it won’t be compromised if your office is not accessible.

The best place to write this stuff down is in a business continuity plan – and the inexpensive Business Continuity Toolkit (just £27.95) that you can download from our website is just the tool for that.

Sony Covered in Glory (Not)

Friday, June 3rd, 2011

If a hacker issues a statement saying they have broken into your website and stolen 1 million plain text passwords, as well as compromising a whole lot of other information, what would you do?

And if you’re the same global corporation that was previously hacked and had 1 million other customer records compromised, what would you do the second time it happens?

Of course, you’d issue a statement saying that you were investigating the claims. That should do the trick, shouldn’t it?

Sony (Sony Pictures, this time) doesn’t appear to care about your security at all. Stored in plain text was a whole lot of useful personal information: name, address, telephone number, password... and all accessed by means of a basic SQL injection attack.

If you’re a corporation or run a website that stores personal data, you need to check it for vulnerabilities (it’s called penetration testing – and it’s neither complex nor expensive, but it is essential – a bit like checking your front door to make sure that it really is locked and won’t fall over if pushed).
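To show the two defects the post names, here is an added example in Python with sqlite3 (not Sony’s code, and not from the original post): a lookup that splices the user name into the SQL text beside the parameterised form, and salted, iterated password hashing in place of plain-text storage. The user table and the account in it are constructed sample data.

```python
import hashlib
import hmac
import os
import sqlite3


def make_db():
    # Constructed in-memory user table (sample data, not a real system).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db


def hash_password(password, salt):
    # Salted, iterated hash: a stolen table no longer hands out usable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def add_user(db, name, password):
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, hash_password(password, salt)))


def lookup_vulnerable(db, name):
    # Defect: the user name is spliced into the SQL text, so it reaches the SQL parser.
    return db.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchone()


def lookup_safe(db, name):
    # Fix: parameter binding hands the value to the driver separately; it is never parsed as SQL.
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()


def verify_login(db, name, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


def demo():
    db = make_db()
    add_user(db, "o'brien", "correct horse")  # constructed sample account
    results = {}
    # An ordinary apostrophe already breaks the concatenated query: proof the input is parsed as SQL.
    try:
        lookup_vulnerable(db, "o'brien")
        results["input_parsed_as_sql"] = False
    except sqlite3.OperationalError:
        results["input_parsed_as_sql"] = True
    results["safe_finds_user"] = lookup_safe(db, "o'brien") is not None
    results["login_ok"] = verify_login(db, "o'brien", "correct horse")
    results["login_bad"] = verify_login(db, "o'brien", "wrong")
    stored_hash = db.execute("SELECT pw_hash FROM users").fetchone()[0]
    results["hash_not_plaintext"] = b"correct horse" not in stored_hash
    return results


if __name__ == "__main__":
    print(demo())
```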

If you’re an individual who had a Sony Pictures account, you need to:

  1. Go change your password on any other online account that has the same password;
  2. Watch out for phishing attacks – targeted right at you, with very relevant information – something like guidance on what to do if you are worried that your personal details may have been stolen;
  3. Watch out for vishing attacks – phishing attacks by VoIP – telephone callers asking you for critical missing information, like date of birth or mother’s maiden name – maybe claiming to call from your bank...
  4. Keep an eye on your credit record – investigate suspicious stuff asap (and, remember, your bank will probably want to sell you insurance against identity theft, even though this may be designed not to pay out under most reasonably imaginable circumstances);
  5. Avoid Sony in future!!

Cybersecurity – the risks recognised

Tuesday, October 19th, 2010

The UK’s National Security Strategy (published 18 Oct 2010) identifies that, for the next five years, the four highest priority risks faced by the UK are those arising from

  • International terrorism;
  • cyber attack;
  • international military crises; and
  • major accidents or natural hazards.

The reality, of course, is that international terrorists have an identifiable cyber capability, and any international military crisis is also likely to have an important element of cyber threat. And, as the information on which we depend to respond to almost any major national accident is stored in electronic information systems, you might argue that cyber risk is the most important risk facing the UK today.

Cybersecurity standards

Cybersecurity standards are an important element in building a strong, resilient information and communications infrastructure. ISO27001 is the most significant international best practice standard available to any organisation that wants an intelligently organized and structured framework for tackling its own cyber risks. ISO27001, as a specification for an ISMS, is clear and precise; it also lists 133 key security controls that should be at the heart of any organisation’s approach to securing its information assets.

Many organisations, though, think it makes sense to implement ISO27001 without ever seeking external certification. The increased focus, at a national level, on responding appropriately to cyber risks undermines this approach – increasingly, organisations will want to know that their supply chain is resilient against cyber attack. Supplier audits can consume a lot of time, and an accredited ISO27001 certificate is clear evidence that an organisation has taken proper security steps and has obtained independent verification that these steps are in line with recognised international best practice.

ACS: Law: A Case Study on the Value of Information Security Management

Wednesday, September 29th, 2010

One of the most frequent questions I’m asked by CEOs is: “But what’s the real bottom-line benefit of more effective information security, or of an ISO27001-certificated Information Security Management System?”

One real benefit is that effective information security protects the bottom line. The reason you put money in a bank is to protect it. The reason that you secure information is to protect it – and the company that is responsible for the information.

The recent security breach at ACS: Law has been widely reported. A law firm appears to have broken a basic law (the Data Protection Act), is now apparently under investigation by the Information Commissioner and by the Solicitors Regulation Authority and, in addition to the possibility of a fine of up to £500k, it faces unquantifiable current and future damage to its reputation, brand and future business. It’s not always clear that firms subject to this level of challenge will survive the resulting storms.

So, what might effective information security actually have cost ACS: Law? Well, a Web Application Penetration Test might have set them back £3k; implementation of an ISO27001 ISMS in a firm of this size might only have required an investment of about £10k (with another £3k or so for certification). Of course, effective information security also requires top management commitment as well as the deployment of internal time and resource – but, when you’re implementing an ISMS, you’re in control of the process. When you’re responding to a serious breach, you’re not.

Let me put it another way: an investment of about £20k, plus internal effort, might have been sufficient to prevent financial damages that could be somewhere between 10 and 100 times greater than the investment – or more. That’s the point about ‘unquantifiable damages’.

Prevention, in information security, is always better than cure.

SharePoint Governance

Saturday, July 10th, 2010

A new AIIM study on SharePoint takeup has recently been published. This report builds on their survey of a year ago. Barb Mosher, writing about the AIIM report on CMS, draws this conclusion from the two surveys:

“SharePoint 2007 will be in use for a while to come, and SharePoint 2010 will likely see even more uptake by organizations for a number of reasons. The problems related to SharePoint, whether it’s 2007 or 2010, are not going to change. Not because of the platform itself, but because the strategy, planning and governance that are required to implement it are still not being taken seriously.

What will we see in surveys run next year? The way it looks now, nothing that different than this year or the year before.”

And that tends to be the story where project level governance is concerned: those organisations that plan ahead, that put in place methods for dealing with the wide range of SharePoint issues – from ghost sites through to backup failures – will usually end up with robust, effective and useful SharePoint services. Effective SharePoint governance really can be the difference between success and failure – both short and long term – with a SharePoint deployment. For this reason, Microsoft publish guidance on SharePoint Governance, and our own SharePoint Governance Toolkit helps with MOSS implementations.

Managing Risk in the Cloud

Monday, March 8th, 2010

Cloud computing has tremendous potential for organisations of all sizes; it also brings with it a specific set of risks, ranging from access management and business continuity through to data protection compliance. Cloud computing risk was very much on the agenda at this year’s RSA conference; we’ve also recently published a book which focuses specifically on managing risk in the cloud. Titled ‘Above the Cloud: Managing Risk in the World of Cloud Computing’, it seems to be hitting the spot in terms of providing specific guidance to security and IT professionals about this area of risk. It is also available from our US site.