Archive for the ‘ISMS’ Category

ISO27001 - the Information Security Framework of the future

Wednesday, June 23rd, 2010

I agree entirely with John Verry’s description of today’s drivers for the adoption of ISO27001, which we expect to become more widely adopted over the next 15 years than ISO9001 is today (there are currently about 1 Million ISO9001 certifications worldwide).

“Driven to ISO 27001 … Driven by ISO 27001” - presented by John Verry, principal consultant at Pivot Point Security (Hamilton, NJ) to the Unisys Community of Practice Group on June 15, 2010, focuses on three “pain” points driving organizations to the ISO 27001 framework as a simple and logical response. Verry cites the “cloud economy”, a “flatter world” and the growth of increasingly ambiguous and overlapping information security regulations as the main factors - and then explores how and why ISO 27001 is poised to change information security.

We’ve been working on ISO27001 since its inception and our unique, and uniquely comprehensive and integrated range of ISO27001 books, tools and resources is designed to help organisations around the world use this standard in their businesses - drawing on advice, tools, guidance, training or consultancy as required.

Selling Information Security to the Board

Tuesday, June 22nd, 2010

I’ve always believed that board support is essential for information security management projects to succeed across a business. I’ve also always recognised that not all security professionals naturally have the sales skills that are necessary to successfully pitch information security initiatives to boards of directors, many of whom, themselves, combine sales skills with quite short attention spans. I originally wrote The Case for ISO27001 to provide, in one place, the wide range of arguments that could be made in favour of an organisation adopting ISO27001 as the standard for its information security management system.

I’ve just written another book, Selling Information Security to the Board, as a primer for those interested in developing their sales skills. The book originated in a presentation, Infosecurity As A Mindset: Selling IT To The Board, that I did at Infosec 2010 on exactly the same subject, and is (I hope) the first in a small collection of books and other products that are designed to expand the range of support available to IT professionals who, as part of their role, have to get management buy-in to an IT or information security project.

SharePoint Governance

Wednesday, May 5th, 2010

The idea of applying the governance concept to the deployment and use of SharePoint within organisations does, at one level, seem odd - it seems a very detailed level at which to apply a concept that is fundamentally about how the board governs the use of ICT within the organisation.

Microsoft Office SharePoint Server (MOSS) is an immensely useful collaboration and information sharing tool for organisations, teams and workgroups. However, poorly governed SharePoint deployments can create significant holes in organisational information structures as well as exposing the organisation and its information to a wide range of risks.

Maximising value from your SharePoint deployment requires a joined-up approach that is aligned with the communication objectives and risk controls of the business - a governance approach. Microsoft introduced the idea of SharePoint governance with MOSS 2007 and has applied it to MOSS 2010 as well. The ITGP SharePoint Governance kit starts with the excellent Microsoft work and then goes substantially further, in terms of providing a practical and useful set of templates and tools that can integrate into any information security management system or IT Governance Framework.

Managing Risk in the Cloud

Monday, March 8th, 2010

Cloud computing has tremendous potential for organisations of all sizes; it also brings with it a specific set of risks, ranging from access management and business continuity through to data protection compliance. Cloud computing risk was very much on the agenda at this year’s RSA conference; we’ve also recently published a book which focuses very specifically on managing risk in the cloud. Titled ‘Above the Cloud: Managing Risk in the World of Cloud Computing’, it seems to be hitting the spot in terms of providing specific guidance to security and IT professionals about this specific area of risk. It is also available from our US site.

Password Security Dilemma

Thursday, March 4th, 2010

Commonly accepted best practice on password security is that passwords should be complex, changed frequently and never written down. Password complexity (8 alphanumeric characters, case sensitivity plus special characters) increases the level of difficulty associated with cracking it; regular password changes decrease the likelihood of a password that has been inadvertently revealed being improperly used. The easiest way into a computer or network is, of course, via the password that has been written down and is stored somewhere convenient - on a post-it note under the keyboard, behind the screen or in an unlocked drawer…

And, of course, the more complex the password and the more frequently it has to be changed, the more likely users are to forget it - and to write it down. And we’re not just talking about business users here: our experience is that many seasoned IT and information security professionals resort to writing passwords down - not least because we increasingly combine regularity of change with an increasing volume of passwords, each of which has different rules.

And it’s the different rules that make it difficult for one to use one strong password in all the applications and websites to which one has access.

So, there’s the information security manager’s dilemma when dealing with user system access: enforce frequent password changes, enforce complexity, block reversions from new to old passwords, block password sequencing and all those sensible things, and you increase the likelihood of passwords being written down, thereby potentially making unauthorised system access even easier.

The solution, for me, is to insist on password complexity - but to enforce change only irregularly - certainly no more than once a quarter - and, perhaps, no more frequently than once per year.
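As an added illustration (not code from the original post), the controls the post lists in one place: a complexity check, a salted-hash history that blocks reversion to an old password, a check for "sequencing" of the current password, and the relaxed change interval the author favours. The policy values (8 characters, 12 passwords of history, 365 days) are assumptions chosen to match the post's recommendation.

```python
"""Password-change checks for the controls discussed in the post.
Added illustration; policy values below are assumptions."""
import hashlib
import re
from datetime import date

MIN_LENGTH = 8        # "8 alphanumeric characters ... plus special characters"
HISTORY_DEPTH = 12    # how many old password digests are kept for the reversion check
MAX_AGE_DAYS = 365    # the post's "no more frequently than once per year"

# Splits a password into stem, trailing counter and trailing punctuation,
# e.g. "Winter2010!" -> ("Winter", "2010", "!")
_TAIL = re.compile(r"^(.*?)(\d*)(\W*)$")


def password_digest(pw: str, salt: str) -> str:
    """Salted slow hash kept in the history list; plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt.encode(), 100_000).hex()


def meets_complexity(pw: str) -> bool:
    """At least MIN_LENGTH characters with upper, lower, digit and special."""
    return (len(pw) >= MIN_LENGTH
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def is_sequenced(new: str, current: str) -> bool:
    """True when new differs from current only in its trailing counter or in
    letter case (Winter2010! -> Winter2011!, Password1 -> Password2)."""
    new_stem, _, new_tail = _TAIL.match(new).groups()
    cur_stem, _, cur_tail = _TAIL.match(current).groups()
    return new != current and new_stem.lower() == cur_stem.lower() and new_tail == cur_tail


def check_change(current: str, new: str, history: list, salt: str) -> str:
    """Return 'ok' or the first rule the proposed change breaks.
    history holds salted digests of previous passwords, oldest first."""
    if not meets_complexity(new):
        return "complexity"
    if password_digest(new, salt) in history[-HISTORY_DEPTH:]:
        return "reversion"
    if is_sequenced(new, current):
        return "sequencing"
    return "ok"


def change_due(last_changed_iso: str, today_iso: str) -> bool:
    """Expiry using the relaxed interval instead of a 30- or 90-day cycle."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days >= MAX_AGE_DAYS
```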

Mobile Security Governance?

Friday, May 15th, 2009

While I’m probably more interested in governance than the average person, I do sometimes worry that contextualising information and compliance challenges as governance issues can delay organisations from taking the obvious, common-sense action.

This intelligent article on mobile security governance, for instance, identifies all the steps that organisations should take in considering risks to data posed by the mobile network. See how far you have to read through it before you find guidance to apply encryption to key mobile devices - all laptops and any USB sticks or PDAs that carry sensitive information. The sensible approach is to first apply encryption, which deals with the largest number of mobile device-related risks while keeping you within regulatory requirements, and then to stop and consider what other risks might need mitigation.

You don’t want to have to tell thousands or millions of customers or members of staff why someone leaving a laptop at the bus stop has exposed all their personal details to fraud and identity theft. Explaining that you were considering the range of risks before deciding what action to take is likely to elicit the same sort of response as a UK MP explaining that their inappropriate expense claims were ‘within the rules’.

White collar crime and information security

Friday, June 1st, 2007

The increasing incidence and serious nature of internal threats to the security of corporate information is well demonstrated by the recent need for Cable & Wireless to injunct a former executive to hand a 100,00-strong customer database back to her former employer. While the former executive denies the allegation, the BBC has established that the database is being used illegally by Pakistan call centres.

An effective information security management system (i.e. an ISMS in line with ISO27001) would have identified this risk and guarded against it. Identifying, investigating and responding to this sort of white collar corporate crime will increasingly be part of the ISMS operation, which is why we have just added a selection of useful books on White Collar Crime and Computer Forensics to our website.

We expect more stories of this sort.

The big security issue for 2007

Tuesday, December 19th, 2006

As this post by Michael Farnham at Computerworld highlights, many more companies are likely to be attacked in 2007 and too few are implementing robust procedures to counter this. As he says:

“It comes down to whether or not companies view the problem as enough of a risk to spend the capital. And many companies are still making the wrong decision.”

This is the beauty and purpose of information security toolkits, like our ISO 27001 Toolkit. Companies don’t have to spend a fortune on outside consultants or on every new security product that hits the market. If they implement their own ISMS in-house they can keep the cost of the process under control and only purchase the products that are right for them and for which they have a clearly demonstrable need.

SMBs lag on security

Wednesday, September 27th, 2006

Confirmation from PricewaterhouseCoopers that small and medium-sized firms are underinvesting in IT security and suffering for it. PwC calls the difference in preparedness between large and smaller companies ‘a tale of two cities’, which seems pretty apt. As they say, too many SMBs are unaware of ISO 27001 and other measures that would provide vital help.

It’s all very well Alun Michael MP observing that low awareness is a problem, but what will the Government do to help change this? Not a lot, I fear, with it firefighting issues like NHS budgets, prison scandals, ministerial affairs and ‘cash for coronets’ - critical issues like ISMS just won’t receive the backing they need.

Instead, it will be up to the business community to resolve the issue itself, hence our work to produce books like A Business Guide to Information Security and our ISO 27001 Toolkit, both of which were created with SMBs very much in mind.

An ISO 27001 ISMS will enable regulated firms to meet FSA Handbook requirements

Saturday, September 9th, 2006

The FSA Handbook sets out clear requirements for the management of information security within its regulated sectors. The requirements are best met by implementing and maintaining an ISMS that meets the ISO27001 standard - ISO27001 certification is clear evidence that the firm has taken full account of ISO 17799, as laid down in SYSC 3A.7.8.

SYSC 3A.7.7
Information security
Failures in processing information (whether physical, electronic or known by employees but not recorded) or of the security of the systems that maintain it can lead to significant operational losses. A firm should establish and maintain appropriate systems and controls to manage its information security risks. In doing so a firm should have regard to:
(1) confidentiality: information should be accessible only to persons or systems with appropriate authority, which may require firewalls within a system, as well as entry restrictions;
(2) integrity: safeguarding the accuracy and completeness of information and its processing;
(3) availability and authentication: ensuring that appropriately authorised persons or systems have access to the information when required and that their identity is verified;
(4) non-repudiation and accountability: ensuring that the person or system that processed the information cannot deny their actions.
SYSC 3A.7.8
A firm should ensure the adequacy of the systems and controls used to protect the processing and security of its information, and should have regard to established security standards such as ISO17799 (Information Security Management).