Archive for the ‘ISMS’ Category

Managing Risk in the Cloud

Monday, March 8th, 2010

Cloud computing has tremendous potential for organisations of all sizes; it also brings with it a specific set of risks, ranging from access management and business continuity through to data protection compliance. Cloud computing risk was very much on the agenda at this year’s RSA conference; we’ve also recently published a book which focuses on managing risk in the cloud. Titled ‘Above the Cloud: Managing Risk in the World of Cloud Computing’, it seems to be hitting the spot in terms of providing security and IT professionals with practical guidance on this particular area of risk. It is also available from our US site.

Password Security Dilemma

Thursday, March 4th, 2010

Commonly accepted best practice on password security is that passwords should be complex, changed frequently and never written down. Password complexity (8 alphanumeric characters, case sensitivity plus special characters) increases the difficulty of cracking a password; regular password changes reduce the likelihood of a password that has been inadvertently revealed being improperly used. The easiest way into a computer or network is, of course, via the password that has been written down and is stored somewhere convenient - on a post-it note under the keyboard, behind the screen or in an unlocked drawer...

And, of course, the more complex the password and the more frequently it has to be changed, the more likely users are to forget it - and to write it down. And we’re not just talking about business users here: our experience is that many seasoned IT and information security professionals resort to writing passwords down - not least because we increasingly combine regularity of change with an increasing volume of passwords, each of which has different rules.

And it’s the different rules that make it difficult for one to use one strong password in all the applications and websites to which one has access.

So, there’s the information security manager’s dilemma when dealing with user system access: enforce frequent password changes, enforce complexity, block reversions from new to old passwords, block password sequencing and all those sensible things, and you increase the likelihood of passwords being written down, thereby potentially making unauthorised system access even easier.

The solution, for me, is to insist on password complexity - but to enforce change only irregularly - certainly no more than once a quarter - and, perhaps, no more frequently than once per year.
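As an added illustration (not code from the original post), here is a small Python sketch of the controls the post names: a complexity check, a block on reusing recent passwords, and a block on trivial ‘sequencing’ of the previous password (bumping a digit or swapping one character). The class, its thresholds and the sample history are assumptions for the example.

```python
import string
from dataclasses import dataclass, field

@dataclass
class PasswordPolicy:
    """Controls the post lists: complexity, no reuse of a recent password,
    no trivial 'sequencing' of the previous one. Thresholds are assumed."""
    min_length: int = 8
    history_depth: int = 5
    # Previous passwords; plaintext only for illustration (real systems compare hashes).
    history: list = field(default_factory=list)

    def complexity_failures(self, pw: str) -> list:
        """Length, mixed case, digit and special-character checks."""
        checks = [
            (len(pw) >= self.min_length, "too short"),
            (any(c.islower() for c in pw), "no lowercase letter"),
            (any(c.isupper() for c in pw), "no uppercase letter"),
            (any(c.isdigit() for c in pw), "no digit"),
            (any(c in string.punctuation for c in pw), "no special character"),
        ]
        return [msg for ok, msg in checks if not ok]

    @staticmethod
    def _stem(pw: str) -> str:
        """Case-folded password with its digits removed."""
        return "".join(c for c in pw.casefold() if not c.isdigit())

    def is_sequenced(self, new: str, old: str) -> bool:
        """True when new only bumps the digits of old ('Winter2010!' ->
        'Winter2011!') or swaps a single character at the same position."""
        if self._stem(new) == self._stem(old):
            return True
        return len(new) == len(old) and sum(a != b for a, b in zip(new, old)) <= 1

    def check(self, pw: str) -> list:
        """Return every violation; an empty list means the password passes."""
        problems = self.complexity_failures(pw)
        recent = self.history[-self.history_depth:]
        if pw in recent:
            problems.append("reuse of a recent password")
        elif recent and self.is_sequenced(pw, recent[-1]):
            problems.append("trivial variation of the previous password")
        return problems

if __name__ == "__main__":
    policy = PasswordPolicy(history=["Winter2010!"])  # constructed sample history
    for candidate in ("Winter2011!", "winter2010!", "Winter2010!", "Quartz#7lamp"):
        print(candidate, "->", policy.check(candidate) or "accepted")
```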

Mobile Security Governance?

Friday, May 15th, 2009

While I’m probably more interested in governance than the average person, I do sometimes worry that contextualising information and compliance challenges as governance issues can delay organisations from taking the obvious, common-sense action.

This intelligent article on mobile security governance, for instance, identifies all the steps that organisations should take in considering risks to data posed by the mobile network. See how far you have to read through it before you find guidance to apply encryption to key mobile devices - all laptops and any USB sticks or PDAs that carry sensitive information. The sensible approach is to first apply encryption, which deals with the largest number of mobile device-related risks while keeping you within regulatory requirements, and then to stop and consider what other risks might need mitigation.

You don’t want to have to tell thousands or millions of customers or members of staff why someone leaving a laptop at the bus stop has exposed all their personal details to fraud and identity theft. Explaining that you were considering the range of risks before deciding what action to take is likely to elicit the same sort of response as a UK MP explaining that their inappropriate expense claims were ‘within the rules’.

White collar crime and information security

Friday, June 1st, 2007

The increasing incidence and serious nature of internal threats to the security of corporate information is well demonstrated by the recent need for Cable & Wireless to injunct a former executive to hand a 100,00-strong customer database back to her former employer. While the former executive denies the allegation, the BBC has established that the database is being used illegally by Pakistan call centres.

An effective information security management system (i.e. an ISMS in line with ISO 27001) would have identified this risk and guarded against it. Identifying, investigating and responding to this sort of white collar corporate crime will increasingly be part of the ISMS operation, which is why we have just added a selection of useful books on White Collar Crime and Computer Forensics to our website.

We expect more stories of this sort.

The big security issue for 2007

Tuesday, December 19th, 2006

As this post by Michael Farnham at Computerworld highlights, many more companies are likely to be attacked in 2007 and too few are implementing robust procedures to counter this. As he says:

“It comes down to whether or not companies view the problem as enough of a risk to spend the capital. And many companies are still making the wrong decision.”

This is the beauty and purpose of information security toolkits, like our ISO 27001 Toolkit. Companies don’t have to spend a fortune on outside consultants or on every new security product that hits the market. If they implement their own ISMS in-house they can keep the cost of the process under control and only purchase the products that are right for them and for which they have a clearly demonstrable need.

SMBs lag on security

Wednesday, September 27th, 2006

Confirmation from PricewaterhouseCoopers that small and medium-sized firms are underinvesting in IT security and suffering for it. PwC calls the difference in preparedness between large and smaller companies ‘a tale of two cities’, which seems pretty apt. As they say, too many SMBs are unaware of ISO 27001 and other measures that would provide vital help.

It’s all very well Alun Michael MP observing that low awareness is a problem, but what will the Government do to help change this? Not a lot, I fear, with it firefighting issues like NHS budgets, prison scandals, ministerial affairs and ‘cash for coronets’ - critical issues like ISMS just won’t receive the backing they need.

Instead, it will be up to the business community to resolve the issue itself, hence our work to produce books like A Business Guide to Information Security and our ISO 27001 Toolkit, both of which were created with SMBs very much in mind.

An ISO 27001 ISMS will enable regulated firms to meet FSA Handbook requirements

Saturday, September 9th, 2006

The FSA Handbook sets out clear requirements for the management of information security within its regulated sectors. The requirements are best met by implementing and maintaining an ISMS that meets the ISO 27001 standard: ISO 27001 certification is clear evidence that the firm has taken full account of ISO 17799, as laid down in SYSC 3A.7.8.

SYSC 3A.7.7
Information security
Failures in processing information (whether physical, electronic or known by employees but not recorded) or of the security of the systems that maintain it can lead to significant operational losses. A firm should establish and maintain appropriate systems and controls to manage its information security risks. In doing so a firm should have regard to:
(1) confidentiality: information should be accessible only to persons or systems with appropriate authority, which may require firewalls within a system, as well as entry restrictions;
(2) integrity: safeguarding the accuracy and completeness of information and its processing;
(3) availability and authentication: ensuring that appropriately authorised persons or systems have access to the information when required and that their identity is verified;
(4) non-repudiation and accountability: ensuring that the person or system that processed the information cannot deny their actions.
SYSC 3A.7.8
A firm should ensure the adequacy of the systems and controls used to protect the processing and security of its information, and should have regard to established security standards such as ISO17799 (Information Security Management).

Information security is for life, not just a certificate

Sunday, June 18th, 2006

Yoo Cheng Hwee told an HCMC conference on information security that more than 80% of companies trying to implement an ISO 27001 ISMS had failed because they thought of the exercise as a one-off investment, rather than just the start of a life-long commitment to systematically and continuously improving information security.

He’s absolutely spot-on.

He went on to say that strong management support and tailored operational processes were essential to success. There are a few others as well (as I describe in Nine Steps to Success), but strong management support is undoubtedly the most important.

ITIL goes global

Wednesday, June 14th, 2006

CSO Online reports from Australia that ITIL is fast gaining popularity around the world, spurred on by regulatory factors such as SOX - read their article here. We’ve also seen a steep increase in demand for ITIL information, so we’ve put together what we believe is the most comprehensive specialised ITIL and IT Service Management shop on the web, offering books, toolkits and exam-based distance learning products. Have a look here and let us know if there’s anything you can’t find.

ISO 27001 Toolkit for mid-size organisations

Friday, April 7th, 2006

Building an Information Security Management System (ISMS) from scratch can be a daunting task, particularly for mid-size organisations that may not have the luxury of generous budgets. To help eliminate the uncertainties and headaches we’ve launched a new ISO 27001 Toolkit, which in a single box provides everything you need to build a world-class system efficiently and at a fraction of the cost of calling in outside experts.

The Toolkit is an all-in-one programme for building an ISMS compliant with global best practice, in respect of ISO/IEC 17799:2005, ISO/IEC 27001:2005 and BS7799-3:2006. It is based on our definitive guide to ISMS development, ‘A Manager’s Guide to Data Security and BS7799/ISO17799’. In addition to the third edition of this book, the Toolkit includes the ISO/IEC 17799:2005, ISO/IEC 27001:2005 and BS7799-3:2006 standards and a CD-ROM with almost 400 densely packed pages of fit-for-purpose policies and procedures: a model Information Security Policy, a pre-written Information Security Manual, 110 pre-written policies, analysis tools, training materials and much more.

Since every organisation’s needs are different, purchasers benefit from our unique Drafting Support Service, which advises them on how to adapt the materials to their particular situation. They also receive our 12-month Automatic Update Service, which ensures that purchasers automatically benefit from any improvements to the Toolkit.

A robust ISMS is too important to be out of the reach of the middle market. We’ve deliberately priced this product at a significant discount to other options out there, so there can be no excuses!