Archive for the ‘ISO 17799’ Category

Password Security Dilemma

Thursday, March 4th, 2010

Commonly accepted best practice on password security is that passwords should be complex, changed frequently and never written down. Password complexity (8 alphanumeric characters, case sensitivity plus special characters) increases the level of difficulty associated with cracking it; password change regularity decreases the likelihood of the password, having been inadvertently revealed, being improperly used. The easiest way into a computer or network is, of course, via the password that has been written down and is stored somewhere convenient – on a post-it note under the keyboard, behind the screen or in an unlocked drawer….

And, of course, the more complex the password, the more frequently it has to be changed, the more likely users are to forget it – and to write it down. And we’re not just talking about business users here: our experience is that many seasoned IT and information security professionals resort to writing passwords down – not least because we increasingly combine regularity of change with an increasing volume of passwords, each of which has different rules.

And it’s the different rules that make it difficult for one to use one strong password in all the applications and websites to which one has access.

So, there’s the information security manager’s dilemma when dealing with user system access – enforce frequent password changes, enforce complexity, block reversions from new to old passwords, block password sequencing and all those sensible things, and you increase the likelihood of passwords being written down, thereby potentially making unauthorised system access even easier.

The solution, for me, is to insist on password complexity – but to enforce change only irregularly – certainly no more than once a quarter – and, perhaps, no more frequently than once per year.
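The policy elements named in this post – complexity rules, a block on reverting to an old password, a block on sequencing (Winter01 to Winter02) and a change interval – can all be expressed as checks run at the moment a user changes a password. The following is an added illustration in Python, not code from the post or from IT Governance; the thresholds, function names and the sample passwords are assumptions chosen for the example. Only salted hashes of previous passwords are retained, and the sequencing check uses the current password that the user has to type in to authorise the change.

```python
"""Password-change policy checks: complexity, history, sequencing and age.
Added illustration; all names and thresholds are assumptions, not a standard."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

MIN_LENGTH = 8        # assumed minimum, matching the "8 characters" rule in the post
HISTORY_DEPTH = 5     # assumed number of previous passwords remembered
MAX_AGE_DAYS = 90     # assumed upper bound: "no more than once a quarter"
ITERATIONS = 100_000  # PBKDF2 work factor; raise in production or use a memory-hard hash


def complexity_errors(pw: str) -> list:
    """Return the list of complexity rules the candidate password violates."""
    errors = []
    if len(pw) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", pw):
        errors.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        errors.append("no uppercase letter")
    if not re.search(r"[0-9]", pw):
        errors.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        errors.append("no special character")
    return errors


def hash_password(pw: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; only (salt, digest) is stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return salt, digest


def matches(pw: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def _stem(pw: str) -> str:
    """Strip digits so that 'Winter01!' and 'Winter02!' share the stem 'Winter!'."""
    return re.sub(r"[0-9]+", "", pw)


def is_sequenced(new_pw: str, current_pw: str) -> bool:
    """True when the new password differs from the current one only in its digits."""
    return new_pw != current_pw and _stem(new_pw) == _stem(current_pw)


def due_for_change(days_since_change: int) -> bool:
    """Age check for the (deliberately long) rotation interval."""
    return days_since_change >= MAX_AGE_DAYS


@dataclass
class PasswordRecord:
    history: list = field(default_factory=list)  # (salt, digest) pairs, most recent last


def set_initial(pw: str) -> PasswordRecord:
    """Create a record whose only history entry is the initial password's hash."""
    rec = PasswordRecord()
    rec.history.append(hash_password(pw))
    return rec


def change_password(rec: PasswordRecord, current_pw: str, new_pw: str) -> list:
    """Validate a change request; returns [] on success after recording the new hash."""
    salt, digest = rec.history[-1]
    if not matches(current_pw, salt, digest):
        return ["current password incorrect"]
    errors = complexity_errors(new_pw)
    # Reversion check: compare against every remembered hash, including the current one.
    if any(matches(new_pw, s, d) for s, d in rec.history[-HISTORY_DEPTH:]):
        errors.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    if is_sequenced(new_pw, current_pw):
        errors.append("only the digits changed from the previous password")
    if errors:
        return errors
    rec.history.append(hash_password(new_pw))
    del rec.history[:-HISTORY_DEPTH]  # keep the window bounded
    return []


if __name__ == "__main__":
    record = set_initial("Winter01!")  # constructed sample password
    print(change_password(record, "Winter01!", "Winter02!"))   # sequencing rejected
    print(change_password(record, "Winter01!", "correct-Horse7Battery"))  # []
    print(due_for_change(45), due_for_change(90))  # False True
```

The history window is what turns the post's "block reversions" into a mechanical rule; the stem comparison is a narrow heuristic for the specific sequencing pattern the post mentions and will not catch every small edit, so it complements rather than replaces the complexity rules.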

A one-stop-shop for the U.S.

Monday, June 4th, 2007

Businesses and organisations operating within the United States face particular challenges when it comes to regulatory demands. This is keenly felt in the area of information security, where it is necessary to satisfy a complex web of regulations. ISO 27001 is something of a magic bullet for many of these demands, and the US has seen rapidly building interest in the new standard. To meet the need for information on this topic we have just launched www.27001.com, a new website that is specifically tailored to the United States and provides a one-stop-shop for all the key ISO27001/ISO17799 standards, books and tools currently available.

Through www.27001.com organisations can find out how an ISO27001 ISMS works with ISO17799 to help them meet their business needs for cost-effective information security, while at the same time meeting their information-related regulatory compliance objectives and preparing them for new and emerging regulations. US regulatory requirements currently addressed by the site include HIPAA, GLBA, SB 1386 and other State breach laws, PIPEDA, FISMA and EU Safe Harbor regulations.

We have aimed to make the site the Neiman Marcus of IT governance and security. It showcases the very best products and services currently available, including works by the most respected industry thinkers as well as uniquely focused products developed by us. Whether you need C-Suite guides to the regulatory landscape, or highly practical guides for project managers, it is all available in a single place.

Risk Assessment Explained

Monday, May 21st, 2007

Given the increasing desire of businesses to be certified to ISO27001, risk assessment has emerged as an important skill for the infosec professional. While it is well-established in other areas, risk assessment is new to many in technology and requires mastering. There are various approaches, but ISO 27001 has particular requirements and compliance and certification can only be achieved if the right method is used. We have launched two new books to help different types of professional get the information they need in this area.

‘Risk Assessment For Asset Owners’ is a pocket guide aimed at people who need a quick overview of the facts. It is ideal for senior executives, people with peripheral involvement in a risk assessment or those who need a clear and concise place to start. Over 48 pages it explains the risk assessment requirements of ISO 27001 and how the entire assessment process should be managed, from identifying assets and assessing threats to selecting appropriate risk treatments and controls. The book is the latest in our series of Practical Information Security pocket guides and is available for only £7.95/US$15.92/EUR11.81 from.

For people directly responsible for conducting risk assessments a more detailed account is necessary, so we have also introduced ‘Information Security Risk Management for ISO27001/ISO17799’. Over 196 pages this provides step-by-step guidance on matters such as Impact and Asset Valuation, Risk Treatment and the Selection of Controls, and The Gap Analysis and Risk Treatment Plan. It also gives advice on the use of risk assessment tools, including vsRisk [link to item above]. Priced at £39.95/US$79.98/EUR59.37 it can be obtained from IT Governance here.

New software to make compliance a breeze

Friday, May 18th, 2007

We’re pedalling fast to catch up following a very busy time in the run up to and aftermath of Infosecurity Europe in London recently. This was the first time we attended and we felt that things went well. We were pleased with the number of visitors to our stand (which was smartly branded with our now-standard strapline, ‘The one-stop-shop for information security books, tools, training and consultancy’) and felt that the general quality of delegates was good.

We used the show to launch several important new products, all of which were well received. Perhaps most excitingly, we introduced two new software tools that transform the process of becoming and remaining compliant with ISO 27001.

* Through Vigilant Software, a new joint venture with software house Top Solutions, we introduced vsRisk, an affordable and intuitive tool that transforms the process for performing an ISO 27001-compliant risk assessment. vsRisk™ is a unique, purpose-built application that dramatically reduces the time and cost of pursuing ISO 27001 compliance and is compatible with multiple related standards. It is far more straightforward to use than many of the existing risk assessment tools and requires no specialist training – we think it will be particularly useful for mid-sized organisations. It also costs substantially less than other systems, which we know will make sense to any organisation! Bought directly from us it costs only £895.00/US$1,770.60/EUR1,330.35. It is also available from quality resellers at the regular retail price of £995.00.

* Q-Pulse for ISO 27001 is a product we have developed jointly with Gael, which is the UK market leader in compliance management software systems. It combines Gael’s best-selling compliance management technology with our proprietary toolkit for the documentation and process management of the ISO 27001 standard. By automating vital tasks, such as document approvals, and providing easy-to-use audit management tools, the system provides an efficient means for driving ISO 27001 workflows throughout the organisation and ensuring that compliance is upheld.

Should you worry about data breaches?

Thursday, April 19th, 2007

Read Compliance Week for 17 April 2007 – Battling the Wide World of Data Breaches – and be astonished that those who are responsible for such grievous breaches of basic data security aren’t just taken out and …..

If you want a regular dose of horror, get the RSS feed from the Attrition.org website. It seems clear to me that there are large numbers of organizations out there who truly, genuinely, don’t give a hoot about the security of their employee and customer personally identifiable information.

I mean, if the extent of the repercussions facing TJX doesn’t frighten CEOs and board directors – 18 class-action lawsuits (so far), 30 states conducting attorney-general investigations, a US$5 million pre-tax charge in Q4 of 2006, and the statement that: “beyond this charge, we do not have information to reasonably estimate losses we may incur arising from the computer intrusion” (and TJX does deserve it, allowing hackers to access credit card data from some 45.7 million customers) – then nothing will get their attention. After all, TJX is not the first example of gross incompetence on this scale, and it’s not as though the US doesn’t already have a battery of privacy and personal breach legislation on the books.

It’s also not as though best practice standards (eg ISO27001) don’t already exist; nor is it anything other than obvious that laptops simply should not be loaded with personal data, not ever.

I think the only thing remaining is for everyone – customers, suppliers, partners – to simply cease dealing with organizations like TJX. Subscribe to Attrition.org and boycott those organizations that won’t get their act together.

Copier risk

Thursday, March 22nd, 2007

One of the great virtues of an information security management system is that it helps steer you around the pitfalls of your own preconceptions. By having a rigorous process that reaches across the organisation and involves people at every level it becomes easier to spot vulnerabilities that you never knew were there. For example, Doug Schweitzer on ComputerWorld highlights that the modern office copier contains a hard drive that retains a record of the images it handles – how many people realise that? How many businesses have measures in place to ensure that vital data doesn’t just walk off the premises when a copier is upgraded? When technology evolves so quickly a best practice ISMS is an absolute must.

An ISO 27001 ISMS will enable regulated firms to meet FSA Handbook requirements

Saturday, September 9th, 2006

The FSA Handbook sets out clear requirements for the management of information security within its regulated sectors. The requirements are best met by implementing and maintaining an ISMS that meets the ISO27001 standard – ISO27001 certification is clear evidence that the firm has taken full account of ISO 17799, as laid down in SYSC 3A.7.8.

SYSC 3A.7.7
Information security
Failures in processing information (whether physical, electronic or known by employees but not recorded) or of the security of the systems that maintain it can lead to significant operational losses. A firm should establish and maintain appropriate systems and controls to manage its information security risks. In doing so a firm should have regard to:
(1) confidentiality: information should be accessible only to persons or systems with appropriate authority, which may require firewalls within a system, as well as entry restrictions;
(2) integrity: safeguarding the accuracy and completeness of information and its processing;
(3) availability and authentication: ensuring that appropriately authorised persons or systems have access to the information when required and that their identity is verified;
(4) non-repudiation and accountability: ensuring that the person or system that processed the information cannot deny their actions.
SYSC 3A.7.8
A firm should ensure the adequacy of the systems and controls used to protect the processing and security of its information, and should have regard to established security standards such as ISO17799 (Information Security Management).

SOX webinar

Monday, January 16th, 2006

ISO 27001 is of course an ideal solution for businesses that need to ensure they comply with Sarbanes-Oxley IT control requirements. I’ll be doing a webinar on 25 January in collaboration with Compliance Online to discuss precisely how the standard draws together CobiT, ITIL and ISO 17799 to create the necessary multi-layered solution. Topics to be covered will include:

* Current and future governance and compliance requirements
* The role of enterprise risk management
* Linkages and similarities between state, national and international regulations
* Why the traditional approach to regulatory compliance no longer works
* Business risks arising from legal contradictions, overlaps and loopholes
* Scale and impact on corporate brand, market position and share value of regulatory failure
* Key governance requirements of directors
* Role of best practice frameworks
* Linkage between compliance requirements and best practice frameworks
* Background and history of CobiT, ITIL and ISO 17799 – similarities and differences
* Importance of the CobiT/ITIL/ISO17799 joint framework
* Benefits of deploying this best practice framework
* Critical success factors in deploying this framework

For more information or to make a booking, click here.

Information security as a business enabler

Thursday, December 8th, 2005

Information security is supposed to be a business enabler. Information security is supposed to be a business issue, not a technology one.

What this means is that, by ensuring the availability, confidentiality and integrity of information, organizations should be able to improve their effectiveness and enable themselves to use today’s electronic and communications media more competitively.

So far, so clear.

We all know that the electronic world is full of dishonest and nasty people, people whose idea of fun is creating and despatching worms, Trojans, viruses and assorted adware and spyware; we know that stealing data has become more than just a cottage industry; and we know that organizations must take steps to combat today’s mutating threats by implementing multi-layered vulnerability protection strategies.

In responding to the threats, many organizations have lost sight of the idea of ‘enablement’. Defences have been erected and are continuously ratcheted up in response to new threats, and as new technology becomes available.

But nobody bothers talking to the users, the people who are meant to be ‘enabled’ through the use of technology, the people at the business coalface, who are dealing every day with the changing competitive pressures and opportunities of commercial survival in the 21st century. If they did, they would discover that users are becoming more and more inventive at finding ways of bypassing these controls – while it seems barmy to have to go home, use your personal computer to surf the net to find the information that you want, download it to a USB stick, take your USB stick to work and then upload the information to your computer, this is what more and more people are doing – because it’s the only way left for them to get the information they need to actually do their jobs!

Of course, the organization is just as exposed to what may be residing on the site from which that determined employee downloaded the data – but they’re unlikely to have appropriate defences in place. Sooner or later, they’ll make the necessary investment to close off this loophole – and the workers will have to come up with a new way to get round the technology in order to get on with their jobs.

There is an alternative, far less expensive, far more business-focused, option: businesses could decide that business management – not the IT department – should determine what controls are appropriate – and the good news is that the number of organizations who take that approach is growing (just look at the growing number of BS7799 certified organizations) and, sooner or later, those that stick with the technology-age version of ostrich behaviour will go out of business.

It’s quite frustrating waiting for that to happen, though!

Portugal embraces ISO 27001

Monday, November 28th, 2005

Positive developments in Portugal: a group of IT professionals has teamed up to form an ISMS community to promote best practice in information security, with a focus on ISO 27001 and ISO 17799. The community maintains a Portuguese blog and an English language page here describes its activities.