Archive for the ‘IT Security’ Category

Does Sony Actually Have a Clue?

Friday, May 6th, 2011

“Sony suffers second data breach with theft of 25m more user details.” Actually (according to the Guardian), this was their first loss – the Sony Online Entertainment (SOE) network was hacked on 16 & 17 April, while the PlayStation Network (PSN) was hacked between 17 & 19 April. Sony discovered the second hack first, didn’t think that the hackers had taken anything other than the initial 77 million records and then discovered that, actually, the hackers had already made off with 25 million other records. 102 million records – each with a value to hackers for whom identity theft is the new, wild opportunity – and, two weeks after the hack, Sony said: “on May 1, we concluded that SOE account information may have been stolen and we are notifying you as soon as possible.”

Two weeks is not really as soon as possible, Sony, is it? Two weeks after the event is more than enough time for these records to have been used maliciously. A tried and tested incident response procedure - which combines forensic investigation with rapid client communication in the event of a breach – should be part of any organisation’s information security management system. Perhaps Sony should get itself an ISMS?

“Out of an abundance of caution…”

Wednesday, April 27th, 2011

“Out of an abundance of caution, we are advising you that your credit card number (excluding security code) and expiration date may have been obtained,” Sony is reported to have said to the 77 million customers whose personal data was compromised between 17 and 19 April 2011.

Why? Why was Sony storing credit card numbers? It’s a PCI DSS requirement that payment card numbers are never stored or, if there is a clear business reason why they must be stored, then they must be hashed in the database so that they are unreadable. Clearly not something Sony did, or it wouldn’t need to warn customers that this data may have been compromised. Does PCI DSS not apply to Sony, or what? Every day, we see small e-commerce businesses being hounded into PCI compliance by their acquiring banks, often at expense far greater than the immediate value to their business – but apparently not Sony. Is Sony too big to comply?
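As an added illustration (not code from the post, Sony or the PCI council), the two storage patterns the post contrasts side by side: a card record kept in the clear, and one where only a truncated PAN and a keyed hash are written so a database dump does not yield card numbers. The sample PANs are industry test numbers and the HMAC key and record layout are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample PANs (industry test numbers, not real cards).
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]

# Assumption: in production the HMAC key is held in an HSM or key-management
# service, never alongside the card table. Generated here for the demo only.
HMAC_KEY = secrets.token_bytes(32)


def _digits(pan: str) -> str:
    """Normalise a PAN by keeping digits only (drops spaces and dashes)."""
    return "".join(ch for ch in pan if ch.isdigit())


def store_cleartext(pan: str, expiry: str) -> dict:
    """The weak pattern: full PAN and expiry readable by anyone who dumps
    the table, which is what a breach notice like Sony's implies."""
    return {"pan": pan, "expiry": expiry}


def store_unreadable(pan: str, expiry: str, key: bytes = HMAC_KEY) -> dict:
    """The PCI DSS pattern: the PAN itself is never written to the database.
    Kept instead: a truncated form (first six / last four) for support and
    display, and a keyed hash (HMAC-SHA256) so a returning card can be
    recognised. A keyed hash, not a bare SHA-256, is used because once the
    issuer prefix is known a card number has too little entropy to resist
    guessing against an unkeyed digest. Expiry is retained, as PCI DSS
    permits, but is of no use without the PAN."""
    d = _digits(pan)
    if not 13 <= len(d) <= 19:
        raise ValueError("PAN length outside 13-19 digits")
    return {
        "pan_truncated": d[:6] + "*" * (len(d) - 10) + d[-4:],
        "pan_hmac": hmac.new(key, d.encode(), hashlib.sha256).hexdigest(),
        "expiry": expiry,
    }


def record_exposes_pan(record: dict, pans=SAMPLE_PANS) -> bool:
    """Breach-impact check: does any stored field contain a full sample PAN?"""
    return any(p in str(v) for v in record.values() for p in pans)


def matches_card(record: dict, pan: str, key: bytes = HMAC_KEY) -> bool:
    """Recognise a returning card by its keyed hash, with a constant-time compare."""
    expected = hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(record["pan_hmac"], expected)


if __name__ == "__main__":
    weak = store_cleartext(SAMPLE_PANS[0], "12/25")
    safe = store_unreadable(SAMPLE_PANS[0], "12/25")
    print("cleartext record exposes PAN:", record_exposes_pan(weak))   # True
    print("unreadable record exposes PAN:", record_exposes_pan(safe))  # False
    print("returning card recognised:", matches_card(safe, "4111 1111 1111 1111"))
```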

And what exactly does Sony mean when they talk about ‘an abundance of caution’? They weren’t cautious enough to protect cardholder data in the first place and, as Michael Paller was reported by Reuters to have said, Sony may also have a tendency to throw up unreviewed, insecure code in a rush to get products to market – so, overall, not very cautious at all. Negligent, in fact, you might think.

Social Media & IT Governance

Monday, April 11th, 2011

“‘IT departments make the mistake of ignoring social media at one extreme or banning it at the other, when what they really need is a risk based strategy’, says Gartner research director Julie Short.”

She is of course correct. I’ve been arguing, since the appearance of Instant Messenger as a killer social media application, that it’s a mistake for IT departments to simply lock down or prohibit the use of new media and communications channels in the enterprise.

There are three reasons for this.

The first is that stopping people using applications which they already know will make communication quicker, easier, more dynamic and more effective makes IT departments appear Luddite - which is not exactly in line with what one might expect from that part of the business which is in charge of technology-based competitiveness.

The second is that good people will mostly tend to go and work for organisations that use technologies that they know about, rather than being forced to operate with outdated tools. And those organisations that limit themselves to recruiting from amongst the less ambitious will tend, over time, to be destroyed by those who are more future-orientated.

The third, of course, is that we live and work in a fast-moving Internet world; organisations that prohibit or over-control use of social media technologies are cutting themselves out of competition and, eventually, out of business.

I recognise that there are risks – to the confidentiality, integrity and availability of information – in the unbridled use of new social media within an enterprise. A risk-based strategy involves identifying specific risks, adopting appropriate policies, selecting and enforcing relevant controls, and reviewing and monitoring activity. We made all of these tools available in our Social Media Governance Toolkit, on the basis that what most organisations want today is to deploy the controls and get on with exploiting the social media channel, rather than having to re-invent the social media policy wheel.

Epsilon Data Breach, ISO27001 and Security

Wednesday, April 6th, 2011

Epsilon’s statement that, on March 30th, it had detected that “a subset [about 2%] of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system” has sparked a flurry of activity for a wide range of household names, whose email lists may have been exposed in this hack.

The fact that Epsilon has been hacked exposes one key myth about ISO27001 certification: it does not equate to 100% security. ISO27001 is simply a management system which, effectively deployed, improves an organisation’s information security and resilience. In Epsilon’s case (and Epsilon does have an ISO27001-certified ISMS) it would appear that there is an effective incident management procedure in place, as this breach seems to have been identified quickly, followed by appropriate noises about investigation and notifications.

On the other hand, it would appear that there was a significant failure in Epsilon’s risk assessment process. Risk assessment is at the heart of effective information security management and, in the case of an organisation that manages email data, the risk of an external cyber attack should be high on the list of worries. Epsilon’s IT infrastructure has been penetrated; cyber criminals have found one or more vulnerabilities in the Epsilon infrastructure and taken advantage of them to steal email data (and, remember, as email lists have real value to cyber criminals, the likelihood of a cyber attack on an email database is high).

Epsilon’s selected controls were inadequate to deal with this risk and, as a result, it is now suffering a highly significant impact, the full scale and cost of which have yet to emerge.

What should Epsilon have done differently? It needed (and needs) a much more comprehensive security or penetration testing regime than it clearly has. Organisations that have a low likelihood of cyber attack may feel confident that an annual penetration test (calling on a packaged penetration testing service) is an adequate check of the effectiveness of their cyber defences; organisations like Epsilon, where the likelihood and impact are both very high, should be looking at least at weekly penetration tests.

Regular penetration testing, for high value data systems like that of Epsilon, is essential but not enough. Zero day vulnerabilities are now common. Organisations need a systematic approach to tracking information about emerging vulnerabilities, identifying occurrences on their systems, and rapidly remediating them. This requires a much more proactive information security function than most organisations have in place – but it is exactly what is envisaged in the ISO27001 Annex A control 12.6.1 Control of Technical Vulnerabilities – see the best practice guidance in ISO/IEC 27002 for more information on this and related controls.

Social Media Governance

Friday, April 1st, 2011

Gartner says that “IT & business leaders must face the fact that social collaboration is already a reality.” I agree. As a company, we have been working with social media in its varying, evolving forms for a number of years. This blog, for instance, has been in existence for five or six years – it’s never been a blog-a-day blog, but I’ve been writing about issues in and around information security and IT Governance irregularly for a long time. We published a Web 2.0 Best Practice Report in July 2008 and coined the phrase ‘Threat 2.0’ to describe the combination of threats to confidentiality, integrity and availability of data posed by the explosion in social media.

As a company, we’ve been producing the IT Governance blog for a couple of years, have a twitter feed (which we’ve just made the default way of ensuring that everyone inside the company is able to stay on top of our own news and developments), an IT Governance on Facebook page and a large number of topic-related IT Governance LinkedIn groups, all sitting under a single IT Governance profile.

We’ve grappled with social media for many years, from the early excitement of each of the ‘next big things’ through to the period of mainstream adoption, where issues like employee accountability, corporate resilience, privacy, compliance, confidentiality, data integrity and archiving are being taken increasingly seriously by business, IT and compliance leaders in organisations large and small across the world.

Our Social Media Governance Toolkit was developed out of a combination of our own experience, research and identification of existing good practice across the Internet. It continues to be informed by both internal and external feedback from actual use and we continue to make upgrades available to customers who have already purchased their own copy. For instance, we will shortly be sending out a LinkedIn Group Policy template, reflecting our own experience with the need to ensure that LinkedIn Groups continue to be useful forums for exchanging information in a reasonably informal (but unspammed) environment.

We hope, as increasing numbers of organisations deploy our Social Media Governance Toolkit (or similar policies and practices), that we will between us keep the ‘free interchange’ aspect of the Internet working effectively.

Two More DPA Fines – Lessons

Wednesday, February 9th, 2011

The ICO has just issued two more fines for breaches of the DPA. Ealing and Hounslow councils are, between them, paying up £150,000 of money they probably don’t have to spare for the theft of just two laptops from an employee’s home.

There are three key learning points from this most recent set of fines:

1. Laptops must be encrypted – the ICO said: “Of the four monetary penalties that we have served so far, three concern the loss of unencrypted laptops. Where personal information is involved, password protection for portable devices is simply not enough.” Our free Technical Briefing Paper describes clearly what has to be done to encrypt laptops and portable devices.

2. You cannot hand your data protection responsibilities over to a third party – you must have a clear contract in place, with the right of audit, and you must take action to ensure that your third party contractor complies with its responsibilities. The ICO said: “The penalty against Hounslow Council also makes clear that an organisation can’t simply hand over the handling of the personal information it is responsible for to somebody else unless they ensure that the information is properly protected.”

3. Lax data protection practices will lead to fines. The ICO’s statement concluded with this warning: “Both councils have paid the price for lax data protection practices. I hope all organisations that handle personal information will make sure their houses are in order – otherwise they too may have to learn the hard way.”

And the fines are just the monetary tip of the iceberg: before the fine is even issued, there is an investigation to endure, there is highly damaging PR and you still end up having to comply with the DPA anyway. So the sensible thing is to comply in advance of a breach – because, sooner or later, every organisation has a breach.

The process of becoming compliant is straightforward: carry out a gap analysis to identify where your actual practices are deficient against the requirements of the DPA, create an action plan to close the gap, and execute that plan. We created a DPA Compliance Toolkit specifically to put everything required for this process in one place. It costs £100. If both Ealing and Harrow had purchased – and deployed – their own copy of the toolkit, it might have saved them a joint £150,000. Not a bad return on investment!

Local Councillors Must Comply with DPA

Wednesday, January 26th, 2011

According to an article published today, local councillors must register with the ICO if they process personal data in their constituency offices. Apparently 6,000 are already registered and another 13,000 could and should. Of course, registration with the ICO is just the start – once registered, they also have to comply with the DPA. Compliance is relatively straightforward – the problem is that most organisations, particularly smaller ones, leave compliance until after they’ve been breached and then have to deal with all the sad repercussions of negative press coverage and distressed constituents. The penalties for compliance failures are potentially very significant.

Forrester Prioritises Social Media Governance

Tuesday, January 25th, 2011

Research giant Forrester has identified the need for Social Media Governance as the starting point for adopting social technologies in organisations. Social Media Governance is a complex topic – it starts with adopting a social media policy but it does then have to deal with a comprehensive range of headline issues such as:

  • Social Media User Guidelines
  • Roles & Responsibilities
  • Metrics & Monitoring
  • Records Management 
  • Legal Guidance
  • Communications Policy
  • Branding & (Corporate) Style Guide
  • Training

Security is a major area and should be linked with any ISO27001 or other ISMS that the organisation has in place. Key areas for the information security team to address include:

  • Acceptable Use Policy
  • User Name and Password Management
  • Classification 
  • Anti-malware
  • Backup
  • Incident Management
  • Monitoring
  • Privacy

And, finally, there probably need to be specific user guidelines or work instructions that cover, in some detail, at least the following social media activities:

  • Blogging
  • Facebook
  • LinkedIn and LinkedIn Groups
  • Instant Messenger – Organizational IM
  • Instant Messenger – Third Party IM allowed
  • Skype
  • Twitter
  • YouTube

The social media framework that we use in our own organisation is based on the ITGP Social Media Governance Toolkit. These templates have made our life much easier and, of course, our own experience and that of our customers is then fed back into further improvements in the templates.

eBook Readers on the Beach

Monday, January 17th, 2011

I recently took all three leading eBook readers – Kindle, iPad and Sony – on holiday. I’ve been a convert to eBook readers for holiday reading for some years – they make life so much easier, in terms of weight and bulk, as well as in terms of being able to take a good selection of books with you to pick and choose as you like.

iPad – it is far too heavy to use on the beach, and I gave up very quickly. The fact that the iPad doesn’t have mobile roaming (and I have a 3G iPad) is another drawback, which means that you can’t easily use it to purchase more books while travelling. For me, the iPad is a big NO where holiday eBook readers are concerned. (I don’t get newspapers on holiday so that capability isn’t too compelling for me.)

Kindle – apart from the dumb aspects of the Kindle (see my earlier Kindle post), the fact that it has internationally enabled Whispernet means that you can purchase and download books anywhere in the world – a definite plus. Both my Kindles, however, malfunctioned – they’re both telling me that they’re out of battery power and re-charging them doesn’t make a difference. So, possibly a useful device but failure to function kind of set it back a lot for me. There’s also an obvious security issue with the Kindle (and with the iPad, if you have the Kindle App installed), which is that the Whispernet technology and one step purchasing means that a thief who makes off with your Kindle could relatively easily run up a significant credit card bill for you at the Amazon store.

Sony – this is the third holiday I’ve taken the Sony eBook Reader with me – and it’s still functioning perfectly. It’s got a bunch of books on it now (some of which are very thick and long and which I’ve been reading for more than a year), it’s got great battery life, and it works fine in sunshine and in the shade. It fits in a pocket, it’s lightweight, doesn’t have Whispernet technology and is capable of purchasing books from a much wider range of bookstores than just Amazon. (Not all publishers sell their books through Amazon, because of Amazon’s predatory pricing of eBooks). Of course, I take a laptop on holiday with me anyway, so downloading more books via the laptop is straightforward.

40% Increase in Cyber Security Certifications in 2009

Tuesday, October 26th, 2010

There were, according to the most recently published ISO certification survey, nearly 13,000 organisations worldwide certified to ISO27001 by the end of 2009. This is an increase of about 40% over the number certified the year before and reflects what I have said on many occasions – the number of certificates will go up exponentially as more and more organisations work their way through their initial PDCA cycles, often lasting a year or more, prior to their first successful certification audit.

And, as organisations turn to their supply chains and partners, looking for equivalent approaches to information security management, so the pressure for compliance mounts on every organisation that has confidential, valuable or personal information to look after.

Cyber risks, which emerge from the UK’s recently published National Defence Strategy as the most critical risk facing the UK economy over the next five years, are best defended against by deploying ISO27001 – which is why the standard is increasingly known as the ‘Cyber Security Standard’. The fact that ISO27001 is also international best practice for meeting a wide range of information, computer and data security regulations and laws makes its ever more rapid adoption inevitable.