Posts Tagged ‘infosec’

Attack of the Chinese zombies

Tuesday, October 2nd, 2007

The following is possibly the most arresting opening paragraph I have yet read in a security article:

‘The wave of cyberprobes or cyberattacks against Pentagon networks and government computer systems in France, Germany, New Zealand and the United Kingdom this summer appears to emanate from China, but no one in authority in the Defense Department or any of the other countries that have been victimized seems willing to finger the Chinese government or military as the culprit.’

While this sounds like a Tom Clancy thriller it is a serious account of a new front in the online battle, something that both governments and businesses need to be aware of. Military and industrial espionage are alive and well, and it is entirely plausible that businesses and even sovereign states will use the Internet both to gather intelligence and weaken their opposition.

This is a realization that would be worth spreading in the workplace. It can be hard to get all your colleagues to do their bit in safeguarding information assets. If more of them realized the nature of the foe they might feel more motivated to help out – we’re not just facing a threat from bored teenagers, but also from deadly serious criminals and even state agencies. If that sounds a little farfetched this article is worth a read, and BS25999 as a core component of an information security strategy makes real sense!

Schneier calls for liability

Friday, June 8th, 2007

An entertaining interview with Bruce Schneier in IT Security. He sets out in typically forthright style his view on big questions such as ‘Is security a solvable problem?’ He says, “Organizations need to be liable if they expose our personal information. That’s the kind of economic incentive that will result in more security.” Cases like the Nationwide Building Society’s recent £1 million fine demonstrate that this liability is becoming real, which will intensify the pressure on organizations to implement ISO 27001 as the best practice test of their infosecurity.

The well-rounded CIO

Thursday, June 7th, 2007

Two items here nicely illustrate the fact that IT leaders need to understand the business, not the other way around. Michael Farnum gives some examples that demonstrate it takes maturity on the part of infosec and IT professionals to realise that the interests of the business legitimately come before those of the IT function. While I fully agree with this point, the question arises of how IT professionals can acquire the broader business experience to develop this point of view.

Some potential answers are implied in a report from the Society for Information Management Advanced Practices Council, which calls for measures to increase the leadership ability of the next generation of CIOs. Its proposals, including structured career development, job rotation and performance metrics, appear to be confined mainly to the IT function. However, the same approach would surely make an excellent basis for exposing IT pros to the other functions within the business. Why not rotate promising IT leaders around appropriate roles in sales, finance and manufacturing too? That would produce a quantum leap in the business knowledge of CIOs and make them far better able to act strategically for the business.

The CSO – a rare breed

Wednesday, June 6th, 2007

David Lacey has a good post on his ComputerWeekly blog, questioning whether it makes sense to combine responsibility for both physical and information security. He highlights the potential benefits, but rightly points out that virtually nobody has all the skills required. It seems strange that so many companies are talking about appointing a Chief Security Officer when so few qualified candidates exist.

As I have said previously, this idea is good in principle, but is fashionable before its time. What are needed are some new training options to enable people to develop the necessary expertise. In the meantime, companies should put this bright idea back on the shelf and bring it down again in about five years, by which time supply may hopefully match demand.

Risk Assessment Explained

Monday, May 21st, 2007

Given the increasing desire of businesses to be certified to ISO 27001, risk assessment has emerged as an important skill for the infosec professional. While it is well established in other areas, risk assessment is new to many in technology and requires mastering. There are various approaches, but ISO 27001 has particular requirements, and compliance and certification can only be achieved if the right method is used. We have launched two new books to help different types of professional get the information they need in this area.

‘Risk Assessment For Asset Owners’ is a pocket guide aimed at people who need a quick overview of the facts. It is ideal for senior executives, people with peripheral involvement in a risk assessment or those who need a clear and concise place to start. Over 48 pages it explains the risk assessment requirements of ISO 27001 and how the entire assessment process should be managed, from identifying assets and assessing threats to selecting appropriate risk treatments and controls. The book is the latest in our series of Practical Information Security pocket guides and is available for only £7.95 / US$15.92 / EUR11.81.

For people directly responsible for conducting risk assessments a more detailed account is necessary, so we have also introduced ‘Information Security Risk Management for ISO27001/ISO17799’. Over 196 pages this provides step-by-step guidance on matters such as Impact and Asset Valuation, Risk Treatment and the Selection of Controls, and The Gap Analysis and Risk Treatment Plan. It also gives advice on the use of risk assessment tools, including vsRisk. Priced at £39.95 / US$79.98 / EUR59.37, it can be obtained from IT Governance.

Blended threats on the march

Monday, February 5th, 2007

As expected, blended threats continue to grow significantly. ComputerWeekly reports that in 2006 a company called ScanSafe encountered spyware growth of over 250 percent. What is more: “Not only did we see relentless growth in spyware throughout the year, but we saw that it is increasingly harbouring more sinister payloads.”

Other interesting trends highlighted include the increasing range of vulnerabilities linked to Instant Messaging: ‘Unauthorised internet chat and messaging sessions accounted for 15% of web filtering blocks, said ScanSafe. Internet Messaging systems, while increasingly popular at companies, are now a major target for malware spreaders.’

This amply demonstrates the need for companies to take a ‘whole business’ approach to their infosec issues – technological barriers will help in part, but educating the workforce is another critical component.

Spam gets stealthier

Monday, November 6th, 2006

I would have thought that by now infosec professionals would be aware of the extent to which spam is part of the malware armoury – but this article identifies the need to ensure that staff are also appropriately trained to identify and deal with those threats that inevitably bypass the best defences. ISO 27001, of course, provides clear guidance on staff training.

Offshore disaster

Wednesday, July 5th, 2006

Here’s the tip of a nasty iceberg for all those multinationals that have happily offshored various functions in recent years. You sort of expect a bank to get its security right, don’t you? Maybe not… HSBC is now in pursuit of a former Indian employee who has compromised the bank’s security and defrauded 20 customers to the tune of $425k.

Is this a case of a bank failing to adapt its security policies and procedures to the local environment, or is it just a case of lax bank approaches to information security? It seems to me that banks spend an inordinate amount of money on technological security – all of which, one way or another, makes life more difficult and complicated for their long-suffering customers – but are unable to take appropriate actions at the human level. Yet, more than half of all information security incidents are generated by people inside an organisation’s secure perimeter.

I’m sure that the national skills registry the article talks of is a step in the right direction, but HSBC hadn’t even bothered to join it. The fact that this particular criminal wasn’t in the registry database is a separate issue; HSBC clearly doesn’t have a robust employee vetting process in place – something that ISO 27001 insists on as a basic information security management requirement.

While NatWest Bank in the UK seems to be doing nicely by boasting that its call centres are not offshored (although there is a big gap between the quality of their service and their rhetoric), Powergen is not alone in reversing its offshoring policy. But if offshoring made sense in the first place, why not follow through on that initial investment and develop an appropriate information security environment? Wouldn’t it be cheaper for these organisations to focus on the human aspects of information security – on proper employee vetting and on training and supervision, for example – than on investing in offshoring and then, equally expensively, reversing that decision?

The 14 Infosec Basics

Tuesday, April 25th, 2006

As we know from the countless surveys that flood the industry, the good news is that an increasing number of companies are adopting a professional approach to information security; the bad news is that there are still many, many organisations that have yet to put their house in order.

From my experience, many of these are small to mid-size businesses that believe they lack the management bandwidth to deal with IT security right now (sure – technology is only mission critical when it stops working) or think it will prove hugely costly to tackle. So, instead of safeguarding their livelihoods, these businesses procrastinate and, as with anything we put off, the challenge becomes perceived as bigger than it is.

Knowledge is the weapon to kill inertia and the place to start is the 14 Infosec Basics. These apply to organisations of any size and ownership, although larger organisations will want to go beyond these in layering on additional measures. However, for SMEs and SMBs this is what you need to know – basic, but nonetheless vital:

1. Have a policy: make it real, practical and true to your business strategy.
2. Insist on accountability and responsibility: a basic rule of good management.
3. Identify asset ownership and classification: a comprehensive study of what needs protecting.
4. Address information security in all contracts, including employment and third party: let people know where they stand and ensure they can’t shirk responsibility for their actions.
5. Provide for the physical security of information systems: it seems so obvious until items go missing or get damaged.
6. Have up-to-date anti-malware software: naturally.
7. Implement and enforce user access controls: as I’ve blogged elsewhere, keep the tightest rein on this or risk the consequences.
8. Implement and enforce system access controls: you wouldn’t give a 10-year-old the keys to your car, so why would you put your IT system in the hands of someone unqualified?
9. Manage vulnerabilities: look for the chinks in your armour and patch them.
10. Have an incident response process: quick and clear communication stops dramas from becoming crises.
11. Have basic continuity and disaster recovery plans: how will you keep your customers happy if the roof falls in?
12. Monitor compliance: policies are great, provided that they are being followed.
13. Document essential policies, processes and procedures: share the critical information that people need to know.
14. Ensure that users are trained and aware of their responsibilities: give people the skills and knowledge to act responsibly.

Many organisations will have a few in place, but that’s not enough. You need the full 14 to ensure that you are making a professional response to security threats. But when you think about the consequence of failing to act, it’s not so hard now, is it?

Changing user behaviour

Wednesday, February 1st, 2006

IDC has done some polling amongst IT managers and established that one of their top worries remains getting staff to play ball and follow IT security policy. As I have written before, the most thoroughly conceived corporate ISMS can be completely undone if an employee can introduce a virus from home just by plugging in a USB memory stick.

The answer is obviously internal communications and training, but many businesses are still falling woefully short in these areas. Such initiatives simply can no longer be seen as optional extras, as any company that has suffered a serious IT breach can confirm.

Infosecurity training needs to have three components:

* Users need to be competent to use their computers and understand the requirements of their user agreements and the acceptable use policy. E-learning is an ideal way to deliver this cost-effectively.
* They need to recognize and know how to deal with information security threats. We publish a book called the Internet Highway Code that is specifically designed to meet this need and is ideal for issuing to all staff members. To underline the importance of this issue, each employee should be required to sign a user agreement that includes reference to such guidance and confirms that they have read it.
* Users need to be kept aware of the changing risk environment so they can take adequate evasive action. An effective solution is to formalize a user alert service, whether internally or externally sourced, to ensure that staff hear about the latest threats and know how to respond.

CIOs and their teams need to impress upon their boards that these are core requirements for the business and need funding and senior endorsement.