Posts Tagged ‘information security’

Password Security Dilemma

Thursday, March 4th, 2010

Commonly accepted best practice on password security is that passwords should be complex, changed frequently and never written down. Complexity (at least eight characters, mixed case, digits and special characters) increases the work needed to crack or guess a password; regular change limits how long a password that has been inadvertently revealed can go on being misused. The easiest way into a computer or network is, of course, via the password that has been written down and stored somewhere convenient – on a post-it note under the keyboard, behind the screen or in an unlocked drawer.

And, of course, the more complex the password and the more frequently it has to be changed, the more likely users are to forget it – and to write it down. And we’re not just talking about business users here: our experience is that many seasoned IT and information security professionals resort to writing passwords down – not least because we increasingly combine regularity of change with an increasing volume of passwords, each of which has different rules.

And it’s the different rules that make it difficult for one to use one strong password in all the applications and websites to which one has access.

So, there’s the information security manager’s dilemma when dealing with user system access - enforce frequent password changes, enforce complexity, block reversions from new to old passwords, block password sequencing and all those sensible things, and you increase the likelihood of passwords being written down thereby potentially making unauthorised system access even easier.

The solution, for me, is to insist on password complexity – but to enforce change only irregularly - certainly no more than once a quarter – and, perhaps, no more frequently than once per year.
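As an added illustration of the controls the dilemma above names (complexity, a no-reuse history and a block on simple sequencing), here is a password-change check in Python. It is example code written for this page, not code from the original post; the policy numbers (eight characters, three character classes, a five-deep history), the PBKDF2 iteration count and the sample passwords are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field

# Policy parameters: assumptions for this example, not values from the post.
MIN_LENGTH = 8
MIN_CLASSES = 3          # of lower / upper / digit / special
HISTORY_DEPTH = 5        # previous passwords that may not be reused
PBKDF2_ROUNDS = 100_000


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the history never stores passwords in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class PasswordHistory:
    """Per-user list of (salt, digest) pairs for previous passwords, newest first."""
    entries: list = field(default_factory=list)

    def remember(self, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.entries.insert(0, (salt, _digest(password, salt)))
        del self.entries[HISTORY_DEPTH:]          # keep only the last N

    def contains(self, password: str) -> bool:
        # Re-derive with each stored salt and compare in constant time.
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest in self.entries)


def character_classes(password: str) -> int:
    """Number of character classes present (lower, upper, digit, special)."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def _stem(password: str) -> str:
    """Password with any trailing digits removed, case-folded."""
    return re.sub(r"\d+$", "", password).lower()


def is_sequenced(current: str, new: str) -> bool:
    """True when `new` is `current` with its trailing number bumped or its case
    changed (Winter#2009 -> Winter#2010, Password -> Password1, pass -> PASS).
    Only the current password is available in clear at change time, so this
    is the one old password a sequencing check can be run against."""
    stem = _stem(current)
    return bool(stem) and stem == _stem(new)


def check_password_change(current: str, new: str, history: PasswordHistory) -> list:
    """Return the policy violations for a proposed change; empty list means allowed."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(new) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if is_sequenced(current, new):
        problems.append("new password is the old one with a number or case change")
    if history.contains(new):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def demo() -> dict:
    """Run the check over a few constructed candidates for a user whose
    current password is Winter#2009 (sample data, not real credentials)."""
    history = PasswordHistory()
    history.remember("Winter#2009")
    candidates = ["Winter#2010", "winter#2009", "Tr0ub4dor&3", "short1!", "Winter#2009"]
    return {c: check_password_change("Winter#2009", c, history) for c in candidates}


if __name__ == "__main__":
    for pw, problems in demo().items():
        print(pw, "->", "ok" if not problems else "; ".join(problems))
```

Two design points worth noting: the history holds salted, iterated digests rather than clear text, so a leaked history file does not hand over the user's last five passwords; and the sequencing check compares against the plaintext the user has just authenticated with, because that is the only old password the system can ever see in clear. Every rule added here is one more reason for a user to reach for a post-it, which is exactly the trade-off the post describes.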

Take Data Protection Seriously, Please

Thursday, February 26th, 2009

I did a presentation earlier this week at NITES, in Ireland.  My topic was data protection and governance. I took the opportunity to make a number of linked points:

  1. We already have data protection legislation in the EU and US;
  2. These regulations don’t have any real teeth;
  3. Most company boards – particularly in the financial sector – and public sector managements simply don’t care about data security – there are no rewards for doing a good job and no meaningful penalties for failure;
  4. The Health and Safety Executive in the UK has a budget and staffing levels about 20 times higher than does the Information Commissioner, as well as powers to inspect and fine, so it’s hardly surprising that health and safety regulation shows progress and data protection doesn’t (remember, too, that our ICO’s tiny budget, the majority of which is provided by company registration fees, has to cover DPA compliance as well as FOI and Environmental Regulation compliance!) 
  5. We care more about people using mobile phones while driving than we do about companies losing thousands/millions of sensitive personal records – we jail people for sending text messages while driving but do nothing about company directors whose reckless disregard of data protection regulations endangers the financial future of vast numbers of ordinary consumers;
  6. It’s time for data security to be given proper emphasis – by which I mean custodial sentences for CEOs and senior civil servants whose organisations recklessly disregard the DPA – with ‘reckless disregard’ having characteristics like unencrypted laptops or USB sticks and failure to conform to BS10012 (when it is finalised and launched);
  7. We also need a pan-European data breach directive, that requires companies who fail to protect personal data to meet in full the costs of restitution for those affected as well as paying substantial financial penalties (and, possibly, jail time for directors – see my earlier point).
  8. It’s time for us, the consumers whose personal data is so regularly abused, to start demanding – through all the channels open to us – that our elected representatives start taking this subject seriously and enact legislation that will actually have teeth, and commit the level of financial support that will enable those teeth to bite.

You are welcome to download a copy of my NITES presentation: nites-feb-09.

New UK Computer Crime Unit

Friday, October 3rd, 2008

Well, that’s a relief – the UK government has caught up with the fact that there are criminals on the Internet. The government has said that it will spend £7 million to establish the Police Central E-crime Unit (PceU) in London, that it will be run by London’s Metropolitan Police and will be more than half-funded by the Met.

I’m not going to waste time talking about the fantastic stupidity of creating and then, after three years, disbanding the High-Tech Crime Unit (creating SOCA, the Serious and Organised Crime Agency, whose priorities were drugs, people smuggling and similar more ‘traditional’ crimes) just as serious criminals migrated to the Internet. I am, though, going to make the obvious point that, even if the PceU does get going fairly early in 2009, it will still be something like two years before it will start being effective – it just takes a long time to get a new organisation (particularly a publicly-funded one) working, to get objectives and modi operandi and personnel and media and all those things properly sorted. And, in that time, cybercrime will become more sophisticated and the challenge of controlling it even more complex.

Let me put it another way: establishment of the PceU will be no panacea, anytime soon, for cyberthreats. Sensible organisations are just going to have to keep on doing their own risk management around this issue.

Risk Assessment Explained

Monday, May 21st, 2007

Given the increasing desire of businesses to be certified to ISO27001, risk assessment has emerged as an important skill for the infosec professional. While it is well-established in other areas, risk assessment is new to many in technology and requires mastering. There are various approaches, but ISO 27001 has particular requirements and compliance and certification can only be achieved if the right method is used. We have launched two new books to help different types of professional get the information they need in this area.

‘Risk Assessment For Asset Owners’ is a pocket guide aimed at people who need a quick overview of the facts. It is ideal for senior executives, people with peripheral involvement in a risk assessment or those who need a clear and concise place to start. Over 48 pages it explains the risk assessment requirements of ISO 27001 and how the entire assessment process should be managed, from identifying assets and assessing threats to selecting appropriate risk treatments and controls. The book is the latest in our series of Practical Information Security pocket guides and is available for only £7.95 / US$15.92 / EUR11.81.

For people directly responsible for conducting risk assessments a more detailed account is necessary, so we have also introduced ‘Information Security Risk Management for ISO27001/ISO17799’. Over 196 pages this provides step-by-step guidance on matters such as Impact and Asset Valuation, Risk Treatment and the Selection of Controls, and The Gap Analysis and Risk Treatment Plan. It also gives advice on the use of risk assessment tools, including vsRisk. Priced at £39.95/US$79.98/EUR59.37 it can be obtained from IT Governance here.

Rise of the Chief Security Officer

Monday, April 16th, 2007

More proof that the much vaunted convergence of information security and physical security is being made flesh: ‘Research from the Economist Intelligence Unit shows the number of CSOs taking ultimate responsibility for the security of a business has almost doubled year-on-year.’

As this article says, CSOs – and in my view CIOs too – need to understand the business and be able to relate security to its needs. The concept of the CSO is in principle a good one, but it calls for a very broad range of abilities and experiences, and I am a little concerned as to where that talent is being nurtured.

While there may have been a doubling in the number of CSOs, I worry that the difference between a good and an indifferent office holder may be down to luck for many employers. We need to see more work done in the area of defining the CSO’s role and consequently what training and career experience is appropriate for achieving this office. Only then can we begin to have some confidence that the CSO title will deliver the reassurance it suggests.

Breaking down the learning curve in security and governance

Saturday, March 24th, 2007

Getting to grips with best practice information security and governance often involves a steep learning curve, and this is a challenge facing more and more people: as infosecurity and governance become increasingly mainstream topics, so a wider range of professionals are being drawn into their ambit.

To help break the journey down into more manageable steps we are launching a new series of pocket books under the headings Practical Information Security and Practical Governance. The range will ultimately include 13 titles and we have begun by launching three infosecurity guides that complement each other very well:

‘ISO 27001 – A Pocket Guide’ is ideal for organisations that are contemplating an information security management system, about to embark on an implementation, or simply wish to raise awareness of infosecurity among their employees. It succinctly covers the basics, including:

* An explanation of information security and how it can be managed using a globally recognised approach
* The factors that need to be considered in designing an information security regime
* What investments might be necessary to deliver a consistent level of assurance and how to gain maximum value from the available budget
* How to pursue and demonstrate compliance with the ISO 27001 standard

The book is written by my colleague Steve Watkins, a leading author, educator and consultant on information security management. Priced at £7.95/US$15.73/€11.82 it is available in softcover and e-book formats here.

‘A Dictionary of Information Security Terms, Abbreviations and Acronyms’ is a new book that Steve and I have written together. It is an invaluable resource for people grappling with security terminology for the first time. Rather than a dry technical dictionary, it is written in an accessible style that enables managers and novices to quickly grasp the meaning of terms such as ‘bluesnarfing’, ‘DDoS’, ‘pharming’ and ‘zombie’. The Dictionary is priced at £9.95/US$19.68/€14.79 and available in softcover and e-book formats here.

‘ISO 27001 Assessments Without Tears’ provides a helpful primer for organisations preparing to have their infosecurity regime independently assessed. It describes the assessment process, gives guidance on preparation and how to work with the auditor, and, if needed, advises on what to do if the auditor finds fault with any aspect of a system. Written by Steve Watkins, the book is priced at £5.95/US$11.77/€8.84 and available in softcover and e-book formats here.

Further pocket books will be introduced over coming months in the Practical Governance series and will address the following topics:

* Information Security Governance
* A Directors’ Guide to the UK Combined Code and Turnbull Report
* Sarbanes-Oxley
* BASEL 2
* Regulatory Compliance
* The Integrated Management System
* IT Governance
* Information Governance
* Project Governance
* Enterprise Risk Management

Watch this space!

2006 retrospective

Friday, January 5th, 2007

SearchSecurity.com has published an interesting review of information security in 2006. Looking back at 2006 contains top security-related interviews of 2006, accessible in the form of a podcast. It’s a useful retrospective when considering 2007 and its upcoming challenges!

SMBs lag on security

Wednesday, September 27th, 2006

Confirmation from PriceWaterhouseCoopers that small and medium-sized firms are underinvesting in IT security and suffering for it. PWC calls the difference in preparedness between large and smaller companies ‘a tale of two cities’, which seems pretty apt. As they say, too many SMBs are unaware of ISO 27001 and other measures that would provide vital help.

It’s all very well Alun Michael MP observing that low awareness is a problem, but what will the Government do to help change this? Not a lot, I fear, with it firefighting issues like NHS budgets, prison scandals, ministerial affairs and ‘cash for coronets’ – critical issues like ISMS just won’t receive the backing they need.

Instead, it will be up to the business community to resolve the issue itself, hence our work to produce books like A Business Guide to Information Security and our ISO 27001 Toolkit, both of which were created with SMBs very much in mind.

An ISO 27001 ISMS will enable regulated firms to meet FSA Handbook requirements

Saturday, September 9th, 2006

The FSA Handbook sets out clear requirements for the management of information security within its regulated sectors. The requirements are best met by implementing and maintaining an ISMS that meets the ISO27001 standard – ISO27001 certification is clear evidence that the firm has taken full account of ISO 17799, as laid down in SYSC 3A.7.8.

SYSC 3A.7.7
Information security
Failures in processing information (whether physical, electronic or known by employees but not recorded) or of the security of the systems that maintain it can lead to significant operational losses. A firm should establish and maintain appropriate systems and controls to manage its information security risks. In doing so a firm should have regard to:
(1) confidentiality: information should be accessible only to persons or systems with appropriate authority, which may require firewalls within a system, as well as entry restrictions;
(2) integrity: safeguarding the accuracy and completeness of information and its processing;
(3) availability and authentication: ensuring that appropriately authorised persons or systems have access to the information when required and that their identity is verified;
(4) non-repudiation and accountability: ensuring that the person or system that processed the information cannot deny their actions.
SYSC 3A.7.8
A firm should ensure the adequacy of the systems and controls used to protect the processing and security of its information, and should have regard to established security standards such as ISO17799 (Information Security Management).