Archive for the ‘ISO 27002 (ISO 17999)’ Category

Encrypt sensitive email – or be fined!

Friday, June 10th, 2011

Surrey County Council’s recent £120k fine from the Information Commissioner was for failing, on three separate occasions, to assess and address the security risks of sending sensitive personal information by email. In each case, highly sensitive information ended up in the wrong hands by mistake – and the fine wasn’t for the mistake, it was for failing to recognise that emails are sometimes mis-directed and to take appropriate steps to control the risks.

And that’s one of the important points about the Data Protection Act – it expects organisations to assess risks to personal information, and then to take appropriate administrative, technical and organisational steps to control the identified risks. In the case of sending sensitive information by email, it should by now be self-evident that mistakes sometimes happen and that applying encryption to such emails, as a standard, should be as much a default information security control as applying encryption to laptops and mobile media and USB Sticks.

Tweet Governance

Thursday, June 9th, 2011

If criminals can use Twitter as an attack vector, and if Facebook walls are malware magnets, what should the social media aware organisation do to protect its information resources?

Well, staff training is obviously essential – and it should take place before there’s a problem. Staff training, though, is usually part of a social media governance initiative, an overall policy and plan for identifying what, some years back, I called ‘Threat 2.0′. So, one of the best ways for organisations to start tackling social media threats – and to ensure they get genuine advantage from their use of social media – is to initiate a social media governance project. The best place to start on such a project is by getting and deploying a social media governance toolkit. As with all toolkits, the immediate benefit of using one is that it saves you from having to re-invent the wheel – you can access a comprehensive collection of policies and procedures that are based on recognised best practice and start putting them to immediate use in your own organisation.

“We’re really, really sorry for….”

Tuesday, June 7th, 2011

“We’re really, really sorry for the PlayStation Network outage” is, apparently, the gist of the Sony announcement on this issue. I guess it’s also, in essence, the message of the US organisations which experienced the 662 data breaches in 2010, exposing more than 16 million records (adding to an astonishing 480 million other records exposed in the US since 2005). These statistics are quoted in the just-published Ponemon report, together with the equally interesting finding of the CSO CyberSecurity Watch 2011 Survey, which found that 81% of respondents had experienced a data breach in the last 12 months.

Is ‘really, really sorry’ enough? When you look at the recent spate of hack attacks – Sony, Nintendo, Lockheed Martin, Google’s Gmail – you have to conclude that there are lots of people out there who like breaking into networks – and you probably also have to conclude that there are lots of organisations out there who don’t care enough about the personal data with which they’re entrusted to take adequate steps to look after it.

Let’s think about it for a minute. If you live in a neighbourhood where casual crime is rife – people popping in through windows left open, slipping in through front doors left ajar, and likely to make off with your car if you leave it in the street with the keys in the ignition – what would you do? Yes, you’d probably start locking doors and windows and stuff like that.

Well, if you have a website, you’re in a tough neighbourhood – called the Internet. And what’s the Internet equivalent of locking your doors? It’s patching vulnerabilities in your websites. And how do you do that? You deploy a penetration test – straightforward, easy to do – and then you fix (what’s called remediation) the security holes that are identified.

And how much does a penetration test cost? It does depend – but for the average website, it will cost marginally less than £2k – and is £2k a better investment than the millions that a successful breach might cost you? (The Ponemon report estimates that the average data breach costs USD 7.2 million.)

India Leads the Way

Friday, June 3rd, 2011

It’s unusual to see India leading the way in terms of Information Security Management – dealing with cyber security threats in a structured, systematic way.
Rule 8 (4) of The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 says: “The body corporate or a person on its behalf who have implemented either ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of best practices have been certified or audited on a regular basis by entities through independent auditor, duly approved by the Central Government.”

That effectively makes accredited certification to ISO/IEC 27001 a legal requirement for Indian organizations. Maybe, with more organisations forced to follow Information Security Management best practice, we may see a gradual, long term improvement in the protection of personal data – worldwide.

Sony Covered in Glory (Not)

Friday, June 3rd, 2011

If a hacker issues a statement saying they have broken into your website and stolen 1 million plain text passwords, as well as compromising a whole lot of other information, what would you do?

And if you’re the same global corporation that was previously hacked and had 1 million other customer records compromised, what would you do the second time it happens?

Of course, you’d issue a statement saying that you were investigating the claims. That should do the trick, shouldn’t it?

Sony (Sony Pictures, this time) doesn’t appear to care about your security at all. Stored in plain text was a whole lot of useful personal information: name, address, telephone number, password… and all accessed by means of a basic SQL injection attack.

If you’re a corporation or run a website that stores personal data, you need to check it out for vulnerabilities (it’s called penetration testing – and it’s neither complex nor expensive, but it is essential – a bit like checking your front door to make sure that it really is locked and won’t fall over if pushed).
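The two failings the post names, a login query built by string concatenation and passwords stored as plain text, side by side with the corrected form. This is an added illustration, not Sony’s code; the in-memory table, the sample account and the function names are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-in for a customer table; the sample account is made up.
SAMPLE_USER = ("Alice Example", "alice@example.invalid", "hunter2")

def make_db_vulnerable():
    # The password column holds the secret itself, as the post describes.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT, pw TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USER)
    return db

def login_vulnerable(db, email, password):
    # Attacker-controlled text is glued into the SQL, so quotes in the
    # input change the query's meaning; any match returns the row.
    sql = ("SELECT name FROM users WHERE email = '" + email +
           "' AND pw = '" + password + "'")
    return [row[0] for row in db.execute(sql)]

PBKDF2_ROUNDS = 200_000

def hash_password(password, salt=None):
    # Salted PBKDF2-HMAC-SHA256; the stored string never contains the password.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()

def verify_password(stored, password):
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)

def make_db_hardened():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT, pw TEXT)")
    name, email, pw = SAMPLE_USER
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, email, hash_password(pw)))
    return db

def login_hardened(db, email, password):
    # Parameterised query: the driver passes email as data, never as SQL.
    row = db.execute("SELECT name, pw FROM users WHERE email = ?", (email,)).fetchone()
    if row is None or not verify_password(row[1], password):
        return []
    return [row[0]]
```

A penetration test of the first form would flag both the query construction and the plain-text column; the second form leaks nothing usable even if the table itself is read.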

If you’re an individual who had a Sony Pictures account, you need to:

  1. Go change your password on any other online account that has the same password;
  2. Watch out for phishing attacks – targeted right at you, with very relevant information – something like guidance on what to do if you are worried that your personal details may have been stolen;
  3. Watch out for vishing attacks – phishing attacks by VoIP – telephone callers asking you for critical missing information, like date of birth or mother’s maiden name – maybe claiming to call from your bank…
  4. Keep an eye on your credit record – investigate suspicious stuff asap (and, remember, your bank will probably want to sell you insurance against identity theft, even though this may be designed not to pay out under most reasonably imaginable circumstances);
  5. Avoid Sony in future!!

Can we trust UK banks with our data?

Wednesday, June 1st, 2011

According to a recently published Which? report (based on the results of an FoI request to the ICO), there were, in the year up to August 2010, nearly 1,200 allegations of breaches of the DPA made to the ICO in respect of UK banks and building societies. The Which? report said that only 13% of people knew they could report DPA breaches to the ICO, suggesting that the number of actual breaches may be much, much higher.

And who could be surprised? UK financial institutions – which once had a reputation for honesty and probity – have been implicated in scandal after scandal – pension mis-selling, the bank fee/charges scandal, the debt crisis and, more recently, the payment insurance scam. (They’re now selling insurance against identity theft – watch this turn into another scandal, with another multi-billion compensation pot.)

UK banks appear to have invested heavily in their complaint-suppression processes. Consumers are to be exploited, not cared for, appears to be their real philosophy. At least a Nigerian Advance Fee Fraud is self-evidently dishonest – UK banks cloak their schemes in legalese, glossy advertisements and implacable complaints processes. Failure to protect data is just one of the areas in which failure follows inadequacy follows absence of care. While we can avoid buying the banks’ schemes, we can’t avoid the fact that they have our personal data. We can – and should – insist that our data is maintained in line with the DPA. Banks will not do this voluntarily.

I believe that we have reached a point where financial institutions should be required to immediately report all DPA breaches to the ICO, that breaches should automatically attract a compensation award to the individuals affected and that repeated breaches should automatically attract a significant fine from the ICO, with the amount of the fine increasing with every subsequent breach.

What do you think?

Social Media & IT Governance

Monday, April 11th, 2011

“‘IT departments make the mistake of ignoring social media at one extreme or banning it at the other, when what they really need is a risk based strategy’, says Gartner research director Julie Short.”

She is of course correct. I’ve been arguing, since the appearance of Instant Messenger as a killer social media application, that it’s a mistake for IT departments to simply lock down or prohibit the use of new media and communications channels in the enterprise.

There are three reasons for this.

The first is that stopping people using applications which they already know will make communication quicker, easier, more dynamic and more effective makes IT departments appear Luddite – which is not exactly in line with what one might expect from that part of the business which is in charge of technology-based competitiveness.

The second is that good people will mostly tend to go and work for organisations that use technologies that they know about, rather than being forced to operate with outdated tools. And those organisations that limit themselves to recruiting from amongst the less ambitious will tend, over time, to be destroyed by those who are more future-orientated.

The third, of course, is that we live and work in a fast-moving Internet world; organisations that prohibit or over-control use of social media technologies are cutting themselves out of competition and, eventually, out of business.

I recognise that there are risks – to the confidentiality, integrity and availability of information – in the unbridled use of new social media within an enterprise. A risk-based strategy involves identifying specific risks, adopting appropriate policies, selecting and enforcing relevant controls, and reviewing and monitoring activity. We made all of these tools available in our Social Media Governance Toolkit, on the basis that what most organisations want today is to deploy the controls and get on with exploiting the social media channel, rather than having to re-invent the social media policy wheel.

Epsilon Data Breach, ISO27001 and Security

Wednesday, April 6th, 2011

Epsilon’s statement that, on March 30th, it had detected that “a subset [about 2%] of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system” has sparked a flurry of activity for a wide range of household names, whose email lists may have been exposed in this hack.

The fact that Epsilon has been hacked exposes one key myth about ISO27001 certification: it does not equate to 100% security. ISO27001 is simply a management system which, effectively deployed, improves an organisation’s information security and resilience. In Epsilon’s case (and Epsilon does have an ISO27001-certified ISMS) it would appear that there is an effective incident management procedure in place, as this breach seems to have been identified quickly, followed by appropriate noises about investigation and notifications.

On the other hand, it would appear that there was a significant failure in Epsilon’s risk assessment process. Risk assessment is at the heart of effective information security management and, in the case of an organisation that manages email data, the risk of an external cyber attack should be high on the list of worries. Epsilon’s IT infrastructure has been penetrated; cyber criminals have found one or more vulnerabilities in the Epsilon infrastructure and taken advantage of them to steal email data (and, remember, as email lists have real value to cyber criminals, the likelihood of a cyber attack on an email database is high).

Epsilon’s selected controls were inadequate to deal with this risk and, as a result, it is now suffering a highly significant impact, the full scale and cost of which have yet to emerge.

What should Epsilon have done differently? It needed (and needs) a much more comprehensive security or penetration testing regime than it clearly has. Organisations that have a low likelihood of cyber attack may feel confident that an annual penetration test (calling on a packaged penetration testing service) is an adequate check of the effectiveness of their cyber defences; organizations like Epsilon, where the likelihood and impact are both very high, should be looking at least at weekly penetration tests.

Regular penetration testing, for high value data systems like that of Epsilon, is essential but not enough. Zero day vulnerabilities are now common. Organizations need a systematic approach to tracking information about emerging vulnerabilities, identifying occurrences on their systems, and rapidly remediating them. This requires a much more pro-active information security function than most organizations have in place – but it is exactly what is envisaged in the ISO27001 Annex A control 12.6.1 Control of Technical Vulnerabilities – see the best practice guidance in ISO/IEC 27002 for more information on this (and related) controls.

Local Councillors Must Comply with DPA

Wednesday, January 26th, 2011

According to an article published today, local councillors must register with the ICO if they process personal data in their constituency offices. Apparently 6,000 are already registered and another 13,000 could and should. Of course, registration with the ICO is just the start – once registered, they also have to comply with the DPA. Compliance is relatively straightforward – the problem is that most organisations, particularly smaller ones, leave compliance until after they’ve been breached and then have to deal with all the sad repercussions of negative press coverage and distressed constituents. The penalties for compliance failures are potentially very significant.

Forrester Prioritises Social Media Governance

Tuesday, January 25th, 2011

Research giant Forrester has identified the need for Social Media Governance as the starting point for adopting social technologies in organisations. Social Media Governance is a complex topic – it starts with adopting a social media policy but it does then have to deal with a comprehensive range of headline issues such as:

  • Social Media User Guidelines
  • Roles & Responsibilities
  • Metrics & Monitoring
  • Records Management 
  • Legal Guidance
  • Communications Policy
  • Branding & (Corporate) Style Guide
  • Training

Security is a major area and should be linked with any ISO27001 or other ISMS that the organisation has in place. Key areas for the information security team to address include:

  • Acceptable Use Policy
  • User Name and Password Management
  • Classification 
  • Anti-malware
  • Backup
  • Incident Management
  • Monitoring
  • Privacy

And, finally, there probably need to be specific user guidelines or work instructions that cover, in some detail, at least the following social media activities:

  • Blogging
  • Facebook
  • LinkedIn and LinkedIn Groups
  • Instant Messenger – Organizational IM
  • Instant Messenger – Third Party IM allowed
  • Skype
  • Twitter
  • YouTube

The social media framework that we use in our own organisation is based on ITGP Social Media Governance Toolkit. These templates have made our life much easier and, of course, our own experience and that of our customers is then fed back into further improvements in the templates.
