Posts Tagged ‘ISO 27001’
Friday, October 5th, 2007
Part of our business is advising companies that wish to become ISO27001 certificated and we are delighted that two clients recently passed their independent audits with flying colours. Gemserv is an independent consultancy in the energy sector while Easynet is a network management and hosting company owned by BSkyB. In each case we worked with them to scope and set the critical path for their compliance project, provide the necessary training for their in-house project team and then act as on-call coach throughout their risk assessment, risk treatment and pre-audit phases.
From working with various firms we have identified several factors that determine how quickly they will succeed in achieving ISO27001 compliance. To any organisation about to embark on this process we make the following strong recommendations:
1. Get senior management buy-in from the outset – if you don’t, you won’t get the money, time and resources you need and will find it harder to get other colleagues to play their part.
2. Establish a project board, including a senior sponsor and a well qualified project manager, and a motivated project team to run the process day-to-day.
3. Choose and use a good project management methodology – the compliance process reaches right through the organisation and has many interlocking parts; if you don’t keep a tight grip it can quickly slip out of your control.
4. Communicate and train at every level – not only does your project team need to be given the skills and knowledge for their task, but all your other colleagues need to understand what is being delivered and why. If not, your work may quickly unravel.
5. Lastly, recognize that there is no end point to the project – becoming certificated is just the start; you have to make the information security management system an ongoing part of your business and broadcast this message consistently from the start.
Thursday, August 23rd, 2007
The recent report from the House of Lords Science and Technology select committee into ‘Personal internet security’ highlights the fact that businesses are not doing enough to protect their customers from the dangers of e-crime and on-line fraud. Clearly this is not exactly a ground breaking conclusion; however it is certainly an important one.
The report emphasises my long-held view that organisations need to take action to protect valuable data. ISO 27001, the information security standard, is the benchmark for first-rate information security and certification is the best method of protection an organisation can have. Organisations should get certified to ISO 27001 as soon as possible in order to protect their customers as well as themselves.
Surely it is time that the National High Tech Crime Unit (NHTCU) was re-formed in order to tackle e-crime effectively and hopefully deter those responsible. Since it was disbanded and absorbed into the new Serious Organised Crime Agency (SOCA) there has generally been nowhere that e-crime can be reported to, and local police forces are often ill-equipped to deal with e-crime, especially where the perpetrator is based in some other jurisdiction. For example: e-crime can be committed by people based in Russia, who have stolen the credit card of people in the US and are now using it to purchase from a site owned by a UK company but hosted on a Canadian server. This simple example illustrates just how vitally important a co-ordinated national police approach is to dealing with e-crime. PCI DSS will not be enough on its own. The complexities of e-crime need a dedicated unit, so bring back the NHTCU!
Meanwhile, whilst organisations are making the necessary changes to protect sensitive information, individuals should also take action to protect themselves and the ‘Internet Highway Code’ is the benchmark here. It sets out ten straightforward, no-nonsense, plain English rules for staying safe online and arms anyone using a computer with the knowledge of how to avoid all the problems that make the newspaper headlines.
Thursday, August 9th, 2007
Any organization based or operating in the United States needs to be prepared for possible lawsuits. Under the recently amended Federal Rules of Civil Procedure, organizations face tough new requirements for preserving their electronically stored information, such as email and word-processing documents, so that it can swiftly be produced in the event of a lawsuit. However, even though legal demands are common for larger organizations, it appears that very few are ready for these new E-Discovery rules, leaving the majority open to costly fines and adverse rulings.
According to ESG Research, 91 percent of organizations with over 20,000 employees have been through an E-Discovery event in the past 12 months. However, amazingly, a recent survey of corporate attorneys by Pike and Fisher revealed that only 7 percent feel that their companies are ready to meet these new requirements.
Therefore, to help corporations adapt to the new requirements, we called on Bradley J Schaufenbuel, senior manager in IT Risk and Security at Zurich Financial Services in Illinois, to write ‘E-Discovery and the Federal Rules of Civil Procedure’ as the latest in our series of Practical IT Governance pocket guides. Over 68 pages, he provides an easily absorbed account of the background and details of the new rules and explains what organizations must do immediately to ready themselves for possible future lawsuits. It’s a must for any US organization preparing for the stark realities of life. The book is priced at $29.95 in softback hard copy and may be ordered for shipping here; alternatively, an e-book version may be purchased for immediate download here.
Thursday, July 12th, 2007
David Lacey has spelt out some of the real financial impact that businesses face when they suffer ‘data leakage’. In the case of TK Maxx he speculates that the cost could actually run into billions, rather than the mere $5m they have provided for to date. He breaks out a sobering list of costs that businesses face for being slack on data security:
“…for example the costs of investigations, remedial work, lost customers, loss of brand value, additional regulatory demands, fines, lawsuits, PR costs, and the costs of re-issuing credit cards. Not to mention the overall impact on e-Business from customers switching to cash payments.”
He then rounds off his post as follows:
“The risks and impact will continue to rise until organisations achieve much higher levels of security, including tighter platform and network security, better staff awareness and more aggressive auditing and monitoring of operational processes.”
Until more businesses are certificated to ISO 27001, in other words.
Friday, June 8th, 2007
An entertaining interview with Bruce Schneier in IT Security. He sets out in typically forthright style his view on big questions such as ‘Is security a solvable problem?’ He says, “Organizations need to be liable if they expose our personal information. That’s the kind of economic incentive that will result in more security.” Cases like the Nationwide Building Society’s recent £1 million fine demonstrate that this liability is becoming real, which will intensify the pressure on organizations to implement ISO 27001 as the best practice test of their infosecurity.
Monday, June 4th, 2007
Businesses and organisations operating within the United States face particular challenges when it comes to regulatory demands. This is keenly felt in the area of information security, where it is necessary to satisfy a complex web of regulations. ISO 27001 is something of a magic bullet for many of these demands, and the US has seen rapidly building interest in the new standard. To meet the need for information on this topic we have just launched www.27001.com, a new website that is specifically tailored to the United States and provides a one-stop-shop for all the key ISO27001/ISO17799 standards, books and tools currently available.
Through www.27001.com organisations can find out how an ISO27001 ISMS works with ISO17799 to help them meet their business needs for cost-effective information security, while at the same time meeting their information-related regulatory compliance objectives and preparing them for new and emerging regulations. US regulatory requirements currently addressed by the site include HIPAA, GLBA, SB 1386 and other State breach laws, PIPEDA, FISMA and EU Safe Harbor regulations.
We have aimed to make the site the Neiman Marcus of IT governance and security. It showcases the very best products and services currently available, including works by the most respected industry thinkers as well as uniquely focused products developed by us. Whether you need C-Suite guides to the regulatory landscape, or highly practical guides for project managers, it is all available in a single place.
Monday, May 21st, 2007
Given the increasing desire of businesses to be certified to ISO27001, risk assessment has emerged as an important skill for the infosec professional. While it is well established in other areas, risk assessment is new to many in technology and requires mastering. There are various approaches, but ISO 27001 has particular requirements, and compliance and certification can only be achieved if the right method is used. We have launched two new books to help different types of professional get the information they need in this area.
‘Risk Assessment For Asset Owners’ is a pocket guide aimed at people who need a quick overview of the facts. It is ideal for senior executives, people with peripheral involvement in a risk assessment or those who need a clear and concise place to start. Over 48 pages it explains the risk assessment requirements of ISO 27001 and how the entire assessment process should be managed, from identifying assets and assessing threats to selecting appropriate risk treatments and controls. The book is the latest in our series of Practical Information Security pocket guides and is available for only £7.95 / US$15.92 / EUR11.81.
For people directly responsible for conducting risk assessments a more detailed account is necessary, so we have also introduced ‘Information Security Risk Management for ISO27001/ISO17799’. Over 196 pages this provides step-by-step guidance on matters such as impact and asset valuation, risk treatment and the selection of controls, and the gap analysis and risk treatment plan. It also gives advice on the use of risk assessment tools, including vsRisk. Priced at £39.95 / US$79.98 / EUR59.37 it can be obtained from IT Governance here.
Friday, May 18th, 2007
We’re pedalling fast to catch up following a very busy time in the run-up to and aftermath of Infosecurity Europe in London recently. This was the first time we attended and we felt that things went well. We were pleased with the number of visitors to our stand (which was smartly branded with our now-standard strapline, ‘The one-stop-shop for information security books, tools, training and consultancy’) and felt that the general quality of delegates was good.
We used the show to launch several important new products, all of which were well received. Perhaps most excitingly, we introduced two new software tools that transform the process of becoming and remaining compliant with ISO 27001.
* Through Vigilant Software, a new joint venture with software house Top Solutions, we introduced vsRisk, an affordable and intuitive tool that transforms the process of performing an ISO 27001-compliant risk assessment. vsRisk™ is a unique, purpose-built application that dramatically reduces the time and cost of pursuing ISO 27001 compliance and is compatible with multiple related standards. It is far more straightforward to use than many of the existing risk assessment tools and requires no specialist training – we think it will be particularly useful for mid-sized organisations. It also costs substantially less than other systems, which we know will make sense to any organisation! Bought directly from us it costs only £895.00 / US$1,770.60 / EUR1,330.35. It is also available from quality resellers at the regular retail price of £995.00.
* Q-Pulse for ISO 27001 is a product we have developed jointly with Gael, which is the UK market leader in compliance management software systems. It combines Gael’s best-selling compliance management technology with our proprietary toolkit for the documentation and process management of the ISO 27001 standard. By automating vital tasks, such as document approvals, and providing easy-to-use audit management tools, the system provides an efficient means for driving ISO 27001 workflows throughout the organisation and ensuring that compliance is upheld.
Monday, April 16th, 2007
A BBC TV programme, Inside Out, recently caused some red faces in the UK House of Commons by revealing that a six-year-old girl was easily able to break into the parliamentary computer system by installing a keylogger on the PC of an MP.
Having managed to sneak the device in under the noses of one of the UK’s most vigilant security teams, the girl was able to swiftly attach the device while the MP agreed to leave her PC unattended for 60 seconds as part of the test.
This has brilliantly highlighted the increasing threat posed by keyloggers, which in the programme’s words are proving the “weapon of choice” for many fraudsters and criminals.
The real vulnerability that organisations face here is human, not technological. The keylogger is installed by someone physically attaching it to the PC, which can only be accomplished through the negligence, naivety or active help of someone within the organisation. A best practice information security management system adhering to ISO 27001 is the best possible defence against such vulnerabilities, as it addresses the staff training and awareness issues surrounding infosecurity in addition to technological defences.
This exchange on the blog of Doug Schweitzer adds some more useful colour here and highlights a couple of books that focus on the startling truth that the greatest security threat an organisation faces is from within.
Thursday, April 12th, 2007
Ian Kerr’s Computer Weekly article on the human dimension to infosecurity has good and bad points. He correctly highlights how critical it is to address employee behaviour within a security strategy – the smartest technological defences are of little help if your staff leave the front door wide open, whether by accident or design. However, he significantly misstates the way in which ISO 27001 tackles this in its specification for a best practice ISMS.
In fact, one of the 11 control sections (containing nine controls) in ISO 27001’s list of controls deals specifically with HR, and many of the others – such as password management and user access controls – also deal explicitly with the human component of threats. I would say that ISO 27001, when properly implemented, provides an extremely strong safeguard against ‘human weakness’ and insider/outsider attacks.