Archive for the ‘ISMS’ Category

Information security is for life, not just a certificate

Sunday, June 18th, 2006

Yoo Cheng Hwee told a HCMC conference on information security that more than 80% of companies trying to implement an ISO 27001 ISMS had failed because they thought of the exercise as a one-off investment, rather than as just the start of a life-long commitment to systematically and continuously improving information security.

He’s absolutely spot-on.

He went on to say that strong management support and tailored operational processes were essential to success. There are a few others as well (as I describe in Nine Steps to Success), but strong management support is undoubtedly the most important.

ITIL goes global

Wednesday, June 14th, 2006

CSO Online reports from Australia that ITIL is fast gaining popularity around the world, spurred on by regulatory factors such as SOX - read their article here. We’ve also seen a steep increase in demand for ITIL information, so we’ve put together what we believe is the most comprehensive specialised ITIL and IT Service Management shop on the web, offering books, toolkits and exam-based distance learning products. Have a look here and let us know if there’s anything you can’t find.

ISO 27001 Toolkit for mid-size organisations

Friday, April 7th, 2006

Building an Information Security Management System (ISMS) from scratch can be a daunting task, particularly for mid-size organisations that may not have the luxury of generous budgets. To help eliminate the uncertainties and headaches we’ve launched a new ISO 27001 Toolkit, which in a single box provides everything you need to build a world-class system efficiently and at a fraction of the cost of calling in outside experts.

The Toolkit is an all-in-one programme for building an ISMS compliant with global best practice, in respect of ISO/IEC 17799:2005, ISO/IEC 27001:2005 and BS7799-3:2006. It is based on our definitive guide to ISMS development, ‘A Manager’s Guide to Data Security and BS7799/ISO17799’. In addition to the third edition of this book, the Toolkit includes the ISO/IEC 17799:2005, ISO/IEC 27001:2005 and BS7799-3:2006 standards and a CD-ROM with almost 400 densely packed pages of fit-for-purpose policies and procedures: a model Information Security Policy, a pre-written Information Security Manual, 110 pre-written policies, analysis tools, training materials and much more.

Since every organisation’s needs are different, purchasers benefit from our unique Drafting Support Service, which advises them on how to adapt the materials to their particular situation. They also receive our 12-month Automatic Update Service, which ensures that purchasers automatically benefit from any improvements to the Toolkit.

A robust ISMS is too important to be out of the reach of the middle market. We’ve deliberately priced this product at a significant discount to other options out there, so there can be no excuses!

Symantec calls for multi-layered security

Monday, March 13th, 2006

Symantec have released a report saying that corporate IT vulnerabilities are hitting record levels, with 1,900 discovered in the past six months, the equivalent of 10 per day.

Interestingly, they are calling for companies to adopt precisely the sort of multi-layered response that an ISO 27001 ISMS is designed to create:

“People have to move beyond the idea that they can hide behind the firewall. You have to have integrated defenses.”

Changing user behaviour

Wednesday, February 1st, 2006

IDC has done some polling amongst IT managers and established that one of their top worries remains getting staff to play ball and follow IT security policy. As I have written before, the most thoroughly conceived corporate ISMS can be completely undone if an employee can introduce a virus from home just by plugging in a USB memory stick.

The answer is obviously internal communications and training, but many businesses are still falling woefully short in these areas. Such initiatives simply can no longer be seen as optional extras, as any company that has suffered a serious IT breach can confirm.

Infosecurity training needs to have three components:

* Users need to be competent to use their computers and understand the requirements of their user agreements and the acceptable use policy. E-learning is an ideal way to deliver this cost-effectively.
* They need to recognize and know how to deal with information security threats. We publish a book called the Internet Highway Code that is specifically designed to meet this need and ideal for issuing to all staff members. To underline the importance of this issue, each employee should be required to sign a user agreement that includes reference to such guidance and confirms that they have read it.
* Users need to be kept aware of the changing risk environment so they can take adequate evasive action. An effective solution is to formalize a user alert service, whether internally or externally sourced, to ensure that staff hear about the latest threats and know how to respond.

CIOs and their teams need to impress upon their boards that these are core requirements for the business and need funding and senior endorsement.

Security audits

Wednesday, November 30th, 2005

Outsourcing, particularly in the information security space, should be about helping clients improve their security performance, rather than about vendors improving their performance at the expense of their clients. A recent comment from security software firm Solutionary, as reported in SC Magazine here, was that security audits are a bad thing in that they can encourage complacency. While there is sometimes truth in the argument, I think this is bending reality a little too conveniently to suit someone’s own marketing agenda. Of course complacency is the last thing that we need if IT security is to be achieved, but the answer isn’t necessarily to outsource the whole problem to a (doubtless excellent) security provider like Solutionary. IT security is a real concern for a lot of businesses for whom a security audit is an integral part of a balanced and comprehensive approach to information security. For these firms, security audits are very definitely an essential part of an affordable security solution. The important point is to ensure that audits don’t exist in isolation but are part of a proper ISMS that ensures compliance with - you guessed it - ISO 27001.

Portugal embraces ISO 27001

Monday, November 28th, 2005

Positive developments in Portugal: a group of IT professionals has teamed up to form an ISMS community to promote best practice in information security, with a focus on ISO 27001 and ISO 17799. The community maintains a Portuguese blog and an English language page here describes its activities.

Online Christmas shopping worries

Wednesday, November 23rd, 2005

If anyone is asking what all the fuss is about ISO 27001, ISMS and all the rest of it, this article from SC Magazine should make them stop and think. Apparently, 1 in 4 Americans won’t be shopping online this Christmas because of security fears. On the upside, the article reveals that many consumers are taking sensible and active steps to protect themselves online. However, there is clearly a long way to go, and all that caution from millions of shoppers is bound to have a negative impact on prosperity in general. If this is true of the IT-savvy United States, you can bet it is just as true elsewhere around the globe.

Where does ISMS fit into this? ISO 27001 is precisely the kind of confidence building measure that businesses need to put in place to make society more at ease with e-commerce. Getting certified is great for a company at the individual level (reducing business risks, reassuring customers, providing a competitive advantage), but it is also vitally important for society as a whole. We all know that the Internet is a long way from realising its full potential as a creator of wealth and improver of life quality; what more companies have to realise is that ISO 27001 is one of the vital building blocks that will help us reach that goal.

BS7799: A system, not a guarantee

Monday, May 2nd, 2005

Recent reports of security breaches in India - security breaches at BS7799-certified companies - should be treated with all the scepticism they deserve. BS7799 is an international standard for best practice in information security management. It is a system for effectively, coherently and comprehensively managing information security, and it takes into account the certainty that every management system will, sooner or later, be bypassed and that every defence will be overwhelmed - which is why business continuity plans are such an important part of the information security management system.

BS7799 is most definitely not a guarantee that no attacker will ever be successful. Sooner or later, every company is overwhelmed by an attacker, particularly an insider (and insiders, statistically, are responsible for about half of all successful attacks). What BS7799 expects is that an organization will carry out an information risk assessment before committing to an outsourcing contract, and that this risk assessment will take into account the documented scope of the certified organization. If that scope is inadequate, the potential outsourcer is expected to act appropriately: not go ahead, require additional safeguards, etc.

The fact that an organization holds a BS7799 certificate for an information security management system that doesn’t meet the requirements of the organization about to outsource its services is, usually, completely obvious. If the outsourcer nevertheless goes ahead and contracts to outsource the services, it deserves a bloody nose - the fault lies in the inadequate judgement of the outsourcer, not in the standard itself.

Let’s make sure the really important lessons are learned here: the scope of the certificate must be adequate, the contracting organization is also responsible for carrying out a risk assessment and, sooner or later, an attacker will overcome the best defence. What matters is that the defender has a system for identifying and recovering from those attacks - and BS7799 gives them that.

BS7799/ISO17799 are tough…

Monday, February 7th, 2005

BS7799/ISO17799 are big standards, as anyone who has ever successfully implemented an ISMS can attest. Updating my book to take account of the new standard, and putting together a tool to help people migrate from the 2000 version to the forthcoming 2005 version, drove home to me just how tough certification really is. And, while the revised version of 17799 brings the standard right up to date, and makes a number of useful improvements, I’m not convinced that it makes the process any more straightforward.

In fact, if anything, it makes the process tougher, not least because it now cross-refers to a number of other, supporting (but not mandatory) standards, as well as shifting business continuity and disaster recovery management out of the standard, leaving behind only the information security aspects of both. Large organizations usually have the resources to tackle 17799; smaller ones don’t. The revised standard is not going to make it easier - smaller organizations really need a 17799-lite, one that clearly differentiates between what is essential (eg vulnerability management) and what is relevant only to certain types of companies (eg software development).

Until that happens, it’s going to be incumbent on consultants to help smaller companies find the simple ways of benefitting from the guidance in the standard, and achieving certification as well. If we can’t do that, the standard will survive only as something for larger organizations - which means it won’t survive in the form we know it today.