Archive for the ‘Mobile Devices’ Category

eBook Readers - the Kindle

Wednesday, July 28th, 2010

I’ve recently added both a Kindle and an iPad to my collection of eBook readers. I’ve been using the Sony eBook reader since 2009 and thought it would be useful to compare the leading products as this area of hardware hots up. All eBook readers can carry more eBooks than you are likely to want to read in a month, and all eBook readers substantially reduce the effort required to carry today’s massive tomes around.

The Kindle, from Amazon, has two major strengths and a couple of significant weaknesses. The most impressive aspect is the Whispernet technology - the worldwide roaming 3G application which lets you search Amazon.com directly from the Kindle, and with one click to select, purchase and download books directly to the eBook reader. This is a brilliant innovation. The fact that browsing speeds are, relatively speaking, quite slow (3G doesn’t match most broadband connections for speed) and that searching for books isn’t as simple as doing it through a web browser are minor drawbacks in comparison to the overall facility of direct purchase and download.

The other big advantage is its size - you get a large screen, which means that you get more text on the screen in front of you than with the Sony Pocket. More text means fewer page turns, which means fewer clicks on the neatly placed ‘next page’ button. Size, though, is the first big drawback of the Kindle - unlike a book, the Kindle is not something that you can drop into a pocket, or a beach bag - it’s a chunky item, very slightly smaller than A4 in size and quite heavy. Of course, it’s a bit neater than today’s 500+ page book, but that doesn’t make it easy to cart about.

The second big limitation is that you are, effectively, limited to reading books available from Amazon. While it appears to be technically possible to transfer other eBooks and pdfs to the Kindle, it’s not a simple process and is one which still eludes me. The eBook selection on Amazon.com isn’t that great, to be frank - and far more useful selections of popular eBooks are available from retailers like Waterstones - but, of course, you can’t download a Waterstone’s eBook to your Kindle reader.

The Kindle is, in effect, a tool for buying and reading eBooks that are sold by Amazon.com. It is designed so that you can’t use it to buy eBooks from Amazon’s competitors. If Amazon was giving it away for free, as a device to encourage you to purchase eBooks from Amazon, there would be a justification for getting one - but it is a relatively expensive and very limited product. On this basis, the Kindle simply doesn’t compete with alternatives like the Sony eBook Reader - which is not only lightweight and pocket-sized, but with which you can purchase eBooks from any retailer or publisher, download and read them, and with which you can also read pdfs and other electronic documents from almost any source. As a practical, workaday tool, I would take the Sony eBook reader over the Kindle any day! 

I’ve just taken delivery of an iPad, so will be talking about that in due course.

Mobile Security Governance?

Friday, May 15th, 2009

While I’m probably more interested in governance than the average person, I do sometimes worry that contextualising information and compliance challenges as governance issues can delay organisations from taking the obvious, common-sense action.

This intelligent article on mobile security governance, for instance, identifies all the steps that organisations should take in considering risks to data posed by the mobile network. See how far you have to read through it before you find guidance to apply encryption to key mobile devices - all laptops and any USB sticks or PDAs that carry sensitive information. The sensible approach is to first apply encryption, which deals with the largest number of mobile device-related risks while keeping you within regulatory requirements, and then to stop and consider what other risks might need mitigation.

You don’t want to have to tell 1,000s or millions of customers or members of staff why someone leaving a laptop at the bus stop has exposed all their personal details to fraud and identity theft. Explaining that you were considering the range of risks before deciding what action to take is likely to elicit the same sort of response as a UK MP explaining that their inappropriate expense claims were ‘within the rules’.

Will a data breach harm your brand image?

Wednesday, October 1st, 2008

Virgin is a strong brand, so a welter of stories describing Virgin Media’s breach of the Data Protection Act, when it lost an unencrypted disc containing the details of some 3,000 customers, would not have been part of the PR strategy. As a result of a simple management failure - not requiring the encryption of all portable media that contain personal data - it now finds its name and brand logo alongside statements that Virgin Media has been guilty, ‘scolded’, ‘reprimanded’, ‘slammed’ and ‘rapped’ for inadequately protecting its customers’ data. Not a pretty outcome!

There is a simple way to avoid this sort of damage - encrypt all portable media! We wrote about this in our Data Breaches Report 2008 and, after the HMRC fiasco, one would have thought that all organisations would, at least, have carried out the encryption part of our recommendations.

Rotten Apples

Tuesday, October 24th, 2006

I have written before about the need to prevent viruses entering a corporate system via employees’ thumb drives, and that the profusion of portable storage devices makes this a priority for businesses. Now SC Magazine reports that a number of Apple’s Video iPods have been discovered to be carrying the Windows virus RavMonE.exe. I see that Apple is not ISO27001-certified. Perhaps, if it were, this wouldn’t have happened.

Wireless laxity leads to new legislation

Saturday, September 2nd, 2006

I’ve written before about the fact that wireless kit usually ships with a default security setup of ‘no security’ - because that’s what makes it easy for consumers to get started right away on using the kit. ‘No security’ is obviously not a good default setting in today’s identity- and bandwidth-hijacking world.

California, as is so often the case, is taking the lead in dealing with this issue. Assuming that Governor Schwarzenegger signs it into law, manufacturers will have to place appropriate warning labels on all wireless equipment. Of course, that won’t mean that users will improve their wireless security - but it will at least ensure that they’re made aware of the issue.

California’s Database Security Breach law has been widely copied by state legislatures across North America - I guess we’ll now see a rash of wireless-related legislation as well.

Wireless worries

Tuesday, June 13th, 2006

There is ongoing debate about how safe it is to work wirelessly, with much discussion about how likely it is that your digital information will be monitored and stolen while you are online in a coffee shop or wherever. Of course, by far the most common security threat related to wireless internet use is physical, not virtual - it is the theft or loss of the laptop or PDA on which you’re working. However, beyond taking sensible steps to ensure that a device remains in your possession there are a variety of other security measures that companies need to adopt. This article on Computerworld gives a good overview.

Legislating for wi-fi security

Monday, May 29th, 2006

Officials in Westchester County, New York have recently attracted attention for their new law that requires businesses to secure their wi-fi hotspots. I’ve spoken before about the need for proper wireless security but, as usual, when businesses fail to take voluntary action sooner or later a regulator will pass a law to force them to act.

This is actually a pretty sensible law, but inevitably the reaction from many businesses will be to complain about the growing weight of legislation with which they have to comply. However, legislators all over the USA and elsewhere will be watching closely, so expect to see a spate of similar laws coming into force around the world soon.

Flash drives - again!

Monday, April 24th, 2006

Coming on the heels of my most recent post about the security risk posed by USB storage devices, here’s a story to chill the bones. It seems that classified military information is leaking out of Afghanistan and being offered for sale on those wonderful flash drives that we love so much.

I spend most of my time trying to get businesses, and particularly mid-size businesses, to grasp the security nettle and put in place a proper ISMS. The military hasn’t been much of a priority for me because, apart from anything else, you would sort of hope they understood these things better than many. I guess not.

For any organisation, a fundamental part of the solution has to be an appropriate system of usernames, rights and privileges. To the greatest extent possible, you need to confine access to sensitive information to those people who really need it. Properly mapping out access rights and keeping them up to date is critical. For example, if someone leaves an organisation or moves within it their username must be withdrawn or access rights amended immediately, not three months later. Similarly, if someone needs particular access rights to do a project, those should be curtailed again as soon as the project is finished.

That might not prove popular, but it is part of the ‘soft skills’ requirements of modern IT managers to be able to sell their policies as well as implement them. They need to be able to explain persuasively why security is good for the employee as well as the organisation. (However, this article indicates that there is still a long way to go before the IT function develops the necessary people management skills. Note to the CEO – investing in this area is not a ‘nice to have’ item, it is an urgent requirement if you expect your IT to remain secure.)

It is also essential to have in place clear user agreements and acceptable use policies, (a) to ensure that employees understand what is expected of them and (b) to provide a basis for taking legal action against them if they flout this. These measures should include explicit instructions not to remove data without authorization and various other measures to safeguard the integrity of the system.

I have written in considerably more detail about these issues in various books. However, in light of the profusion of USB storage devices today, I am thinking of adding one more measure to my recommendations, based on an item I read somewhere recently. If you are still worried that best practice policies and procedures aren’t enough, seal up the USB ports on people’s machines with glue!

iPod security threat

Thursday, March 30th, 2006

I have blogged previously about how simple USB storage devices pose a serious threat to corporate IT security. This article from Computerworld shows how the issue is escalating with the advent of the iPod as THE must-have accessory. Not only is an iPod a neat way to store your music, it is potentially also a great way to remove other data without permission and to introduce malware (knowingly or otherwise).

Unsurprisingly, Apple were not prepared to comment on whether they would be stepping up iPod security in light of this. It naturally falls to companies to make sure that they have policies and procedures in place to address this gaping vulnerability. However…

Eric Ouellet, vice president of research for security at Gartner Inc. in Stamford, Conn., said that only about 10% of enterprises have any policies dealing with removable storage devices.

Oh dear.

Woefully Wireless

Saturday, January 28th, 2006

According to Outlaw, a “global survey of 900 taxi drivers shows thousands of valuable mobile phones, PDAs and laptops are forgotten in taxis every day. Too often the devices are unsecured – and employers are urged to take responsibility.

Businesses are being urged to use the password and encryption facilities available on the recent crop of high memory capacity mobile smartphones to protect the data in the event of leaving the devices in the back of a cab.

In the last six months in London, 63,135 mobile phones, 5,838 PDAs and 4,973 laptops have been left in the city’s 24,000 licensed cabs. British cabbies also found a harp, a throne, £100,000 worth of diamonds, 37 milk bottles, a dog, a hamster, a suitcase from the fraud squad, and a baby.

In the past three and a half years since the survey was first carried out there has been a sharp increase in the number of powerful, executive-focused mobile devices being forgotten in London taxis with 71% more laptops and 350% more PDAs being left than in 2001, which in the wrong hands could cause the owner and their company enormous damage.

The survey in London was conducted by TAXI, published by the Licensed Taxi Drivers Association, and mobile security experts Pointsec.”

One sometimes wonders why senior people - people considered mature enough to be issued with laptops, mobile phones and PDAs - are so incapable of looking after valuable data assets - their wilful negligence in relation to data protection and privacy regulation, as well as to confidentiality requirements, suggests the time is coming when people who lose one of these devices should be disciplined.

Thank heavens for the taxi drivers, who apparently re-united 80% of people with their cellphones and 96% of people with their laptops and PDAs. I hope they charged extra!