Archive for the ‘ISO 25999’ Category

Pre-hack backups

Friday, June 24th, 2011

Among the most common errors of judgement that I see from company directors is the failure to carry out regular and detailed reviews of their business continuity arrangements. For most boards, the whole discussion is boring. It becomes even more boring when the discussion has to work its way through identification of critical systems and processes, determination of Minimum Tolerable Periods of Disruption and Recovery Time Objectives, as well as identifying threats and vulnerabilities and estimating likelihoods and impacts of external events that might unacceptably disrupt key processes.

Inactions have consequences. DistributeIT.com.au ceased to exist as an independent business because it hadn’t identified the possible impact of a devastating hack attack: it didn’t have adequate offsite backups for the 4,800 websites it hosted. And that’s what business continuity plans are for: to ensure that, as an organisation, you can survive when something terrible happens. You would have thought that an IT company would understand the importance of backups but, again, my experience is that most organisations never actually think through the circumstances in which they might have to recover from their backups, and they are therefore never prepared when disaster strikes.

The good news, of course, is that there are internationally recognised standards for business continuity management – BS25999 (shortly to be ISO22301) and ISO/IEC 27031 – and there are Business Continuity Management Toolkits to help you with a BCM implementation – but there is no substitute for directors paying attention to what is going on in the risk world around us, and taking appropriate action to survive the unexpected. Right now, of course, being hacked is one of the more likely things to happen – so there really isn’t an excuse for being caught napping on this one!

Pentest or Pull the Plug?

Monday, June 13th, 2011

Codemasters have just demonstrated the weakness of a fallback strategy of taking your website offline when attacked by hackers: the hackers will already have got away with a whole lot of valuable information. So Codemasters appear now to be in a position where their website is offline, their customers are upset – and a lot of their customers’ data is in the hands of those not entitled to have it. It’s not really a good way to run an Internet business, is it?

Sensible online organisations will usually do one – or both – of two things. The first is to run quarterly vulnerability scans across all websites that collect customer information – and one of the best tools for doing this is the HackerGuardian Scan service. It is PCI DSS compliant, which means that it meets requirements for e-commerce sites as well as scanning for all other website vulnerabilities.

The second thing to do is to have a detailed external penetration test carried out at least once per year and, ideally, on a quarterly basis – to make sure that your website and network access are both secured against attack. Pen testing is not expensive, and is not complicated – particularly when you purchase a pentesting package.

For most organisations, spending less than £10k per annum on Internet and network security testing must be a more sensible, more cost-effective option than hoping that hackers won’t strike you – because they will.

Business Continuity Planning and BS25999

Thursday, February 28th, 2008

I came across an interesting post on Ireland’s Security Watch blog making the topical connection between bird flu scares and business continuity planning. It rightly points out that a disaster can strike from unlikely sources when you least expect it.

BCP is a very topical subject generally, given the recent introduction of the BS25999 standard. This finally provides a way for organisations to PROVE that they have a robust plan in place to ensure that their business can withstand adverse events. With our increasingly global and interdependent supply chains, more and more organisations are coming under pressure to reassure their major customers and business partners that they are a safe bet.

To help organisations get to grips with the new Standard and the competitive advantage that being certificated represents, we have just published several new books:

* We have brought out a second edition of Disaster Recovery & Business Continuity, a quick guide for small organisations and busy executives. This is based on last year’s successful book but updated to reflect the particular requirements of the new BS25999 Standard.
* For people needing a quick introductory overview of business continuity management we have launched a new BS25999 Pocket Guide. This sets out all the key facts and is a great tool for organisations that are implementing, or set to implement, a business continuity plan and management system. If you need to share practical knowledge between many project team members this is also a very cost effective way of doing it.
* Lastly, to support the take-up of the new Standard we have launched Business Continuity and BS25999: A Combined Glossary. No previous glossary has adequately addressed the full range of terms likely to be useful to a business continuity practitioner. In this book, we have drawn not only from BS25999 but also a wide range of related standards and frameworks, including ITIL and ISO27001, to create a standardised set of terms that should enable professionals to conduct global conversations based on a shared understanding.

BS25999 and ISO27001

Tuesday, October 16th, 2007

Once upon a time, there was only BS7799 for information security – now there are three parts to it, two of which have become internationalised (ISO27001) and are part of a series which has something like 20 numbers reserved for future use – and we also have the PCI DSS to provide a more prescriptive approach to protecting commercially important cardholder data. You would have thought that, with all these standards, business would have become more secure.

Perhaps – but, clearly, continuity needs have not been adequately recognized. The first part of BS25999 (already published) was just a code of practice – but the arrival of part 2, the management system specification, will make it possible for organizations to get a BS25999 certificate – to go alongside their ISO27001 and ISO20000 certificates, no doubt.

Or will the proliferation of certificates simply lead to confusion in the minds of stakeholders as well as managers and customers?

Attack of the Chinese zombies

Tuesday, October 2nd, 2007

The following is possibly the most arresting opening paragraph I have yet read in a security article:

‘The wave of cyberprobes or cyberattacks against Pentagon networks and government computer systems in France, Germany, New Zealand and the United Kingdom this summer appears to emanate from China, but no one in authority in the Defense Department or any of the other countries that have been victimized seems willing to finger the Chinese government or military as the culprit.’

While this sounds like a Tom Clancy thriller it is a serious account of a new front in the online battle, something that both governments and businesses need to be aware of. Military and industrial espionage are alive and well, and it is entirely plausible that businesses and even sovereign states will use the Internet both to gather intelligence and weaken their opposition.

This is a realization that would be worth spreading in the workplace. It can be hard to get all your colleagues to do their bit in safeguarding information assets. If more of them realized the nature of the foe they might feel more motivated to help out – we’re not just facing a threat from bored teenagers, but also from deadly serious criminals and even state agencies. If that sounds a little far-fetched, this article is worth a read, and BS25999 as a core component of an information security strategy makes real sense!