Posts Tagged ‘BS 7799’

BS25999 and ISO27001

Tuesday, October 16th, 2007

Once upon a time, there was only BS7799 for information security - now there are three parts to it, two of which have become internationalised (ISO27001) and are part of a series which has something like 20 numbers reserved for future use - and we also have the PCI DSS to provide a more prescriptive approach to protecting commercially important card holder data. You would have thought that, with all these standards, business would have become more secure.

Perhaps - but clearly, continuity needs have not been adequately recognized. The first part of BS25999 (already published) was just a code of practice - but the arrival of part 2, the management system specification, will make it possible for organizations to get a BS25999 certificate - to go alongside their ISO27001 and ISO20000 certificates, no doubt.

Or will the proliferation of certificates simply lead to confusion in the minds of stakeholders as well as managers and customers?

ISO 27001 and human vulnerabilities

Thursday, April 12th, 2007

Ian Kerr’s Computer Weekly article on the human dimension to infosecurity has good and bad points. He correctly highlights how critical it is to address employee behaviour within a security strategy - the smartest technological defences are of little help if your staff leave the front door wide open, whether by accident or design. However, he significantly misstates the way in which ISO 27001 tackles this in its specification for a best practice ISMS.

In fact, one out of 11 control sections (containing nine controls) of ISO 27001’s list of controls deals specifically with HR, and many of the others - such as password management and user access controls - also deal explicitly with the human component of threats. I would say that ISO 27001, when properly implemented, provides an extremely strong safeguard against ‘human weakness’ and insider/outsider attacks.

Copier risk

Thursday, March 22nd, 2007

One of the great virtues of an information security management system is that it helps steer you around the pitfalls of your own preconceptions. By having a rigorous process that reaches across the organisation and involves people at every level it becomes easier to spot vulnerabilities that you never knew were there. For example, Doug Schweitzer on ComputerWorld highlights that the modern office copier contains a hard drive that retains a record of the images it handles - how many people realise that? How many businesses have measures in place to ensure that vital data doesn’t just walk off the premises when a copier is upgraded? When technology evolves so quickly a best practice ISMS is an absolute must.

eGovernment falters on lack of trust

Tuesday, December 12th, 2006

A lack of trust is hampering take-up of online government services, according to a recent BCS Thought Leadership Debate. Of course it is – why would anyone entrust their most personal data and important transactions to IT systems without an assurance that they will remain secure? The Cabinet Office has done much to champion the cause of BS 7799/ISO 27001 as vital for the success of online public services, but far too few public sector organisations have become certified: a clear case of taking a horse to water. Public sector executives have to realise that until they provide ISO 27001 as a ‘badge of trust’ to their customers, departments and agencies will fail to deliver on the promise of eGovernment.

ISO 27001 Toolkit for mid-size organisations

Friday, April 7th, 2006

Building an Information Security Management System (ISMS) from scratch can be a daunting task, particularly for mid-size organisations that may not have the luxury of generous budgets. To help eliminate the uncertainties and headaches we’ve launched a new ISO 27001 Toolkit, which in a single box provides everything you need to build a world-class system efficiently and at a fraction of the cost of calling in outside experts.

The Toolkit is an all-in-one programme for building an ISMS compliant with global best practice, in respect of ISO/IEC 17799:2005, ISO/IEC 27001:2005 and BS7799-3:2006. It is based on our definitive guide to ISMS development, ‘A Manager’s Guide to Data Security and BS7799/ISO17799’. In addition to the third edition of this book, the Toolkit includes the ISO/IEC 17799:2005, ISO/IEC 27001:2005 and BS7799-3:2006 standards and a CD-ROM with almost 400 densely packed pages of fit-for-purpose policies and procedures: a model Information Security Policy, a pre-written Information Security Manual, 110 pre-written policies, analysis tools, training materials and much more.

Since every organisation’s needs are different, purchasers benefit from our unique Drafting Support Service, which advises them on how to adapt the materials to their particular situation. They also receive our 12-month Automatic Update Service, which ensures that purchasers automatically benefit from any improvements to the Toolkit.

A robust ISMS is too important to be out of the reach of the middle market. We’ve deliberately priced this product at a significant discount to other options out there, so there can be no excuses!

Trading up

Tuesday, January 3rd, 2006

The importance and business benefits of ISO 27001 were underlined before Christmas by UK Government minister the Rt. Hon Alun Michael MP, Minister of State for Industry and the Regions.

Speaking at the fourth annual international ‘7799 Goes Global Conference’, he welcomed the launch of ISO 27001, saying, “The standard is a valuable tool that all organisations, including the DTI [Department of Trade & Industry], can use to manage the security of their information assets as a core business activity. This can bring information security into the mainstream of good business practice… Secure information should be at the heart of business thinking and not a technical issue. The standard will be used as a benchmark and will help suppliers and customers have greater confidence in doing business with each other.”

All spot on, and very good to see the Government supporting this. But what if your company is already certified to BS 7799-2:2002, which the new standard has superseded? Such companies will need to convert to ISO 27001 on a timetable decided by their national accreditation bodies, but the good news is that the benefits significantly outweigh the additional work. Upgrading will both improve companies’ security through the improvements of ISO 27001 over BS 7799 and enable them to benefit from the greater international recognition of the new standard from customers and partners.

To help manage the transition to the new standard smoothly and cost-effectively we have launched an ISO 27001 Converter Kit. This guides you through the changes that must be implemented by mapping new controls to old ones and identifying all the key amendments. It can be purchased online and downloaded for £44.95 from IT Governance Limited.

Information security as a business enabler

Thursday, December 8th, 2005

Information security is supposed to be a business enabler. Information security is supposed to be a business issue, not a technology one.

What this means is that, by ensuring the availability, confidentiality and integrity of information, organizations should be able to improve their effectiveness and enable themselves to use today’s electronic and communications media more competitively.

So far, so clear.

We all know that the electronic world is full of dishonest and nasty people, people whose idea of fun is creating and despatching worms, Trojans, viruses and assorted adware and spyware; we know that stealing data has become more than just a cottage industry; and we know that organizations must take steps to combat today’s mutating threats by implementing multi-layered vulnerability protection strategies.

In responding to the threats, many organizations have lost sight of the idea of ‘enablement’. Defences have been erected and are continuously ratcheted up in response to new threats, and as new technology becomes available.

But nobody bothers talking to the users, the people who are meant to be ‘enabled’ through the use of technology, the people at the business coalface, who are dealing every day with the changing competitive pressures and opportunities of commercial survival in the 21st Century. If they did, they would discover that users are becoming more and more inventive at finding ways of bypassing these controls. It seems barmy to have to go home, use your personal computer to surf the net to find the information that you want, download it to a USB stick, take the USB stick to work and then upload the information to your work computer - but this is what more and more people are doing, because it’s the only way left for them to get the information they need to actually do their jobs!

Of course, the organization is just as exposed to what may be residing on the site from which that determined employee downloaded the data - but they’re unlikely to have appropriate defences in place. Sooner or later, they’ll make the necessary investment to close off this loophole - and the workers will have to come up with a new way to get round the technology in order to get on with their jobs.

There is an alternative, far less expensive and far more business-focused option: businesses could decide that business management - not the IT department - should determine what controls are appropriate. The good news is that the number of organizations taking that approach is growing (just look at the growing number of BS7799-certified organizations) and, sooner or later, those that stick with the technology-age version of ostrich behaviour will go out of business.

It’s quite frustrating waiting for that to happen, though!

ISO 27001: getting certified

Thursday, October 27th, 2005

ISO 27001 finally made its debut last week – in fact, a bit earlier than many were expecting. However, I’m pleased to say that we were ready to go with our new books and toolkit, which were all launched straightaway. ‘The Case for ISO 27001’ is an eBook we have written for non-technical directors and managers to help explain why information security is a C-Suite responsibility, and how the new standard meets the needs of corporate IT infrastructure, information risk and regulatory compliance. ‘Nine Steps to Success – an ISO 27001 Implementation Overview’ eBook is a practical guide for IT security project managers - it provides a rigorous approach to enable compliance and certification to be achieved efficiently. To help the whole process happen, we’ve also launched an ‘ISO 27001 Toolkit’ (based on our popular BS 7799 Toolkit), which is a comprehensive ‘do-it-yourself’ programme for achieving ISO 27001 compliance without calling in expensive consultants. If you’re interested, you can check them out and buy online at www.itgovernance.co.uk/bs7799.aspx.

Regulation and innovation

Monday, June 13th, 2005

I read a scary article in the UK’s Computing News last week - it reported that the EU Commission is launching a ‘five-year technology strategy to foster economic growth and job creation’ and goes on to say that, in order to make the EU the most competitive knowledge economy in the world, the EU strategy focuses on ‘regulation, R&D, and closing the digital divide.’

Now, the scary thing is that someone, somewhere, not only believes that regulation is a critical leg of a triune strategy to boost competitiveness, but also believes that we’re all going to buy into it. The only thing that regulation does is restrict competitiveness, as the highly regulated and determinedly sclerotic economies of old Europe have been demonstrating for some time. Of course, some people do very well out of regulation - a major part of the BS7799 business is to do with demonstrating compliance with the regulation - so I shouldn’t complain!

BS7799: A system, not a guarantee

Monday, May 2nd, 2005

Recent reports of security breaches in India - security breaches of BS7799-certified companies - should be treated with all the scepticism they deserve. BS7799 is an international standard for best practice in information security management - it is a system for effectively, coherently and comprehensively managing information security which takes into account the certainty that every management system will, sooner or later, be bypassed, that every defence will be overwhelmed - which is why business continuity plans are such an important part of the information security management system.

BS7799 is most definitely not a guarantee that no attacker will ever be successful. Sooner or later, every company is overwhelmed by an attacker - particularly an insider, and insiders, statistically, are responsible for about half of all successful attacks. What BS7799 expects is that, before committing to an outsourcing contract, an organization will carry out an information risk assessment; that this risk assessment will take into account the documented scope of the certified organization; and that, if the scope is inadequate, the potential outsourcer will act appropriately - not go ahead, require additional safeguards, etc.

The fact that any one organization has a BS7799 certificate for an information security management system which doesn’t meet the requirements of the organization about to outsource its services is, usually, completely obvious. If the outsourcer nevertheless goes ahead and contracts to outsource the services, it deserves a bloody nose - the fault is in the inadequate judgement of the outsourcer, not in the standard itself.

Let’s make sure the really important lessons are learned here: the scope of the certificate must be adequate, the contractor is also responsible for carrying out a risk assessment, and, sooner or later, an attacker will overcome the best defence. What matters is that the defender has a system for identifying and recovering from those attacks - and BS7799 gives them that.