Posts Tagged ‘ISMS’

Flash drives – again!

Monday, April 24th, 2006

Coming on the heels of my most recent post about the security risk posed by USB storage devices, here’s a story to chill the bones. It seems that classified military information is leaking out of Afghanistan and offered for sale on those wonderful flash drives that we love so much.

I spend most of my time trying to get businesses, and particularly mid-size businesses, to grasp the security nettle and put in place a proper ISMS. The military hasn’t been much of a priority for me because, apart from anything else, you would sort of hope they understood these things better than many. I guess not.

For any organisation, a fundamental part of the solution has to be an appropriate system of usernames, rights and privileges. To the greatest extent possible, you need to confine access to sensitive information to those people who really need it. Properly mapping out access rights and keeping them up to date is critical. For example, if someone leaves an organisation or moves within it, their username must be withdrawn or their access rights amended immediately, not three months later. Similarly, if someone needs particular access rights to do a project, those should be curtailed again as soon as the project is finished.
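An access-review reconciler along the lines of this passage, added here as an example and not code from the post: it compares a constructed HR record against a constructed list of access grants (hypothetical names and systems) and flags leavers' accounts, grants issued for a department the person has since moved out of, and project grants that have expired or were never given an end date.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Person:
    username: str
    department: str
    left_on: Optional[date]   # None while still employed

@dataclass(frozen=True)
class Grant:
    username: str
    resource: str
    reason: str               # "role" or "project:<name>"
    department: str           # department the grant was issued for
    expires: Optional[date]   # project grants must carry an end date

def review_access(people, grants, today):
    """Return (username, resource, finding) for every grant that should be withdrawn or curtailed."""
    by_user = {p.username: p for p in people}
    findings = []
    for g in grants:
        person = by_user.get(g.username)
        if person is None:
            findings.append((g.username, g.resource, "orphaned account: no HR record"))
        elif person.left_on is not None and person.left_on <= today:
            findings.append((g.username, g.resource, f"leaver since {person.left_on}: withdraw username"))
        elif g.reason.startswith("project:"):
            if g.expires is None:
                findings.append((g.username, g.resource, "project grant without an end date"))
            elif g.expires < today:
                findings.append((g.username, g.resource, f"project grant expired {g.expires}: curtail"))
        elif g.department != person.department:
            findings.append((g.username, g.resource, f"mover: granted for {g.department}, now in {person.department}"))
    return findings

# Constructed sample records (hypothetical names and systems), dated around the post.
PEOPLE = [
    Person("alice", "finance", None),
    Person("bob", "sales", date(2006, 1, 31)),        # left at the end of January
    Person("carol", "engineering", None),              # moved here from finance
]
GRANTS = [
    Grant("alice", "payroll-db", "role", "finance", None),
    Grant("bob", "crm", "role", "sales", None),
    Grant("carol", "payroll-db", "role", "finance", None),
    Grant("carol", "build-server", "project:migration", "engineering", date(2006, 3, 31)),
    Grant("dave", "file-share", "role", "it", None),
    Grant("alice", "audit-share", "project:audit", "finance", None),
]
```

Running `review_access(PEOPLE, GRANTS, date(2006, 4, 24))` leaves only Alice's payroll grant unflagged; the same review a few months earlier would not yet report Bob or Carol's project grant.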

That might not prove popular, but it is part of the ‘soft skills’ requirement of modern IT managers to be able to sell their policies as well as implement them. They need to explain persuasively why security is good for the employee as well as the organisation. (However, this article indicates that there is still a long way to go before the IT function develops the necessary people management skills. Note to the CEO – investing in this area is not a ‘nice to have’ item, it is an urgent requirement if you expect your IT to remain secure.)

It is also essential to have in place clear user agreements and acceptable use policies, (a) to ensure that employees understand what is expected of them and (b) to provide a basis for taking legal action against them if they flout this. These measures should include explicit instructions not to remove data without authorization and various other measures to safeguard the integrity of the system.

I have written in considerably more detail about these issues in various books. However, in light of the profusion of USB storage devices today, I am thinking of adding one more measure to my recommendations, based on an item I read somewhere recently. If you are still worried that best practice policies and procedures aren’t enough, seal up the USB ports on people’s machines with glue!

ISO 27001 Toolkit for mid-size organisations

Friday, April 7th, 2006

Building an Information Security Management System (ISMS) from scratch can be a daunting task, particularly for mid-size organisations that may not have the luxury of generous budgets. To help eliminate the uncertainties and headaches we’ve launched a new ISO 27001 Toolkit, which in a single box provides everything you need to build a world-class system efficiently and at a fraction of the cost of calling in outside experts.

The Toolkit is an all-in-one programme for building an ISMS compliant with global best practice, in respect of ISO/IEC 17799:2005, ISO/IEC 27001:2005 and BS7799-3:2006. It is based on our definitive guide to ISMS development, ‘A Manager’s Guide to Data Security and BS7799/ISO17799’. In addition to the third edition of this book, the Toolkit includes the ISO/IEC 17799:2005, ISO/IEC 27001:2005 and BS7799-3:2006 standards and a CD-ROM with almost 400 densely packed pages of fit-for-purpose policies and procedures: a model Information Security Policy, a pre-written Information Security Manual, 110 pre-written policies, analysis tools, training materials and much more.

Since every organisation’s needs are different, purchasers benefit from our unique Drafting Support Service, which advises them on how to adapt the materials to their particular situation. They also receive our 12-month Automatic Update Service, which ensures that purchasers automatically benefit from any improvements to the Toolkit.

A robust ISMS is too important to be out of the reach of the middle market. We’ve deliberately priced this product at a significant discount to other options out there, so there can be no excuses!

Symantec calls for multi-layered security

Monday, March 13th, 2006

Symantec have released a report saying that corporate IT vulnerabilities are hitting record levels, with 1,900 discovered in the past six months, the equivalent of 10 per day.

Interestingly, they are calling for companies to adopt precisely the sort of multi-layered response that an ISO 27001 ISMS is designed to create:

“People have to move beyond the idea that they can hide behind the firewall. You have to have integrated defenses.”

Changing user behaviour

Wednesday, February 1st, 2006

IDC has done some polling amongst IT managers and established that one of their top worries remains getting staff to play ball and follow IT security policy. As I have written before, the most thoroughly conceived corporate ISMS can be completely undone if an employee can introduce a virus from home just by plugging in a USB memory stick.

The answer is obviously internal communications and training, but many businesses are still falling woefully short in these areas. Such initiatives simply can no longer be seen as optional extras, as any company that has suffered a serious IT breach can confirm.

Infosecurity training needs to have three components:

* Users need to be competent to use their computers and understand the requirements of their user agreements and the acceptable use policy. E-learning is an ideal way to deliver this cost-effectively.
* They need to recognize and know how to deal with information security threats. We publish a book called the Internet Highway Code that is specifically designed to meet this need and is ideal for issuing to all staff members. To underline the importance of this issue, each employee should be required to sign a user agreement that includes reference to such guidance and confirms that they have read it.
* Users need to be kept aware of the changing risk environment so they can take adequate evasive action. An effective solution is to formalize a user alert service, whether internally or externally sourced, to ensure that staff hear about the latest threats and know how to respond.

CIOs and their teams need to impress upon their boards that these are core requirements for the business and need funding and senior endorsement.

First wave certifications

Wednesday, January 25th, 2006

Congratulations to Attenda on gaining their ISO 27001 certification from the BSI. This makes them one of the first UK businesses to announce this achievement. For a managed services business having this in place is a must, so well done to them for being onto it quickly.

India has also seen its first ISO 27001 certification, and the number of ISMS certifications actually doubled last year – the total was 1,000 in December 2004, and it had reached 2,050 or so by early January 2006. I’d bet that there will be another 1,500 to 2,000 successful certifications this year – truly an increasingly essential standard.

In parallel, according to the United Kingdom Accreditation Service the number of accredited Certification Bodies in the UK for Information Security Management Systems has apparently risen over the past few months from half a dozen to 17, a clear sign that the issue is developing its own momentum – and good news, I hope, in terms of prices staying competitive!

Security audits

Wednesday, November 30th, 2005

Outsourcing, particularly in the information security space, should be about helping clients improve their security performance, rather than about vendors improving their performance at the expense of their clients. A recent comment from security software firm Solutionary, as reported in SC Magazine here, was that security audits are a bad thing in that they can encourage complacency. While there is sometimes truth in the argument, I think this is bending reality a little too conveniently to suit someone’s own marketing agenda. Of course complacency is the last thing that we need if IT security is to be achieved, but the answer isn’t necessarily to outsource the whole problem to a (doubtless excellent) security provider like Solutionary. IT security is a real concern for a lot of businesses for whom a security audit is an integral part of a balanced and comprehensive approach to information security. For these firms, security audits are very definitely an essential part of an affordable security solution. The important point is to ensure that audits don’t exist in isolation but are part of a proper ISMS that ensures compliance with – you guessed it – ISO 27001.

Portugal embraces ISO 27001

Monday, November 28th, 2005

Positive developments in Portugal: a group of IT professionals has teamed up to form an ISMS community to promote best practice in information security, with a focus on ISO 27001 and ISO 17799. The community maintains a Portuguese blog and an English language page here describes its activities.

Online Christmas shopping worries

Wednesday, November 23rd, 2005

If anyone is asking what all the fuss is about ISO 27001, ISMS and all the rest of it, this article from SC Magazine should make them stop and think. Apparently, 1 in 4 Americans won’t be shopping online this Christmas because of security fears. On the upside, the article reveals that many consumers are taking sensible and active steps to protect themselves online. However, there is clearly a long way to go, and all that caution from millions of shoppers is bound to have a negative impact on prosperity in general. If this is true of the IT savvy United States, you can bet it is just as true elsewhere around the globe.

Where does ISMS fit into this? ISO 27001 is precisely the kind of confidence building measure that businesses need to put in place to make society more at ease with e-commerce. Getting certified is great for a company at the individual level (reducing business risks, reassuring customers, providing a competitive advantage), but it is also vitally important for society as a whole. We all know that the Internet is a long way from realising its full potential as a creator of wealth and improver of life quality; what more companies have to realise is that ISO 27001 is one of the vital building blocks that will help us reach that goal.

BS7799: A system, not a guarantee

Monday, May 2nd, 2005

Recent reports of security breaches in India – security breaches of BS7799-certified companies – should be treated with all the scepticism they deserve. BS7799 is an international standard for best practice in information security management. It is a system for effectively, coherently and comprehensively managing information security, and it takes into account the certainty that every management system will, sooner or later, be bypassed and that every defence will be overwhelmed – which is why business continuity plans are such an important part of the information security management system.

BS7799 is most definitely not a guarantee that no attacker will ever be successful. Sooner or later, every company is overwhelmed by an attacker – particularly an insider, and insiders, statistically, are responsible for about half of all successful attacks. What BS7799 expects, before an organization commits to an outsourcing contract, is that it will carry out an information risk assessment, that this risk assessment will take into account the documented scope of the certified organization and that, if the scope is inadequate, the potential outsourcer will act appropriately – not go ahead, require additional safeguards, etc.

The fact that any one organization has a BS7799 certificate for an information security management system which doesn’t meet the requirements of the organization about to outsource its services is, usually, completely obvious. If the outsourcer nevertheless goes ahead and contracts to outsource the services, it deserves a bloody nose – the fault is in the inadequate judgement of the outsourcer, not in the standard itself.

Let’s make sure the really important lessons are learned here: the scope of the certificate must be adequate, the contractor is also responsible for carrying out a risk assessment and, sooner or later, an attacker will overcome the best defence. What matters is that the defender has a system for identifying and recovering from those attacks – and BS7799 gives them that.

BS7799/ISO17799 are tough…

Monday, February 7th, 2005

BS7799/ISO17799 are big standards, as anyone who has ever successfully implemented an ISMS can attest. Updating my book to take account of the new standard, and putting together a tool to help people migrate from the 2000 version to the forthcoming 2005 version, drove home to me just how tough certification really is. And, while the revised version of 17799 brings the standard right up to date, and makes a number of useful improvements, I’m not convinced that it makes the process any more straightforward.

In fact, if anything, it makes the process tougher, not least because it now cross-refers to a number of other, supporting (but not mandatory) standards, as well as shifting business continuity and disaster recovery management out of the standard, leaving behind only the information security aspects of both. Large organizations usually have the resources to tackle 17799; smaller ones don’t. The revised standard is not going to make it easier – smaller organizations really need a 17799-lite – one that clearly differentiates between what is essential (e.g. vulnerability management) and what is relevant only to certain types of companies (e.g. software development).

Until that happens, it’s going to be incumbent on consultants to help smaller companies find the simple ways of benefitting from the guidance in the standard, and achieving certification as well. If we can’t do that, the standard will survive only as something for larger organizations – which means it won’t survive in the form we know it today.
