Posts Tagged ‘ISO 27001’

Closing the loop: here comes the answer

Monday, March 26th, 2007

In his ComputerWeekly blog David Lacey gives welcome airtime to the need for ISO security certification to be the cornerstone of an enterprise security programme. With organisations like Camelot, Misys, Nokia, The Co-operative Bank, COLT, Serious Fraud Office and Halifax Bank of Scotland already certified in the UK, we are surely going to see a wave of others following suit.

David notes that “closing the loop”, as he puts it, is presently quite a manual and time-intensive process, and muses on what the future might bring for managing the compliance process. I am pleased to say that at the forthcoming Infosecurity Europe show we will announce at least part of the answer, in the shape of the world’s first automated ISO 27001 compliance management system, which we have developed jointly with Gael, the UK’s leader in compliance management technologies.

Many other, complementary systems will doubtless follow, which will be excellent news for all of us concerned about information security management. Not only will these further simplify the task of building a best practice ISMS, but, crucially, they should make it far easier to uphold compliance after certification.

Breaking down the learning curve in security and governance

Saturday, March 24th, 2007

Getting to grips with best practice information security and governance often involves a steep learning curve, and this is a challenge facing more and more people: as infosecurity and governance become increasingly mainstream topics, so a wider range of professionals are being drawn into their ambit.

To help break the journey down into more manageable steps we are launching a new series of pocket books under the headings Practical Information Security and Practical Governance. The range will ultimately include 13 titles and we have begun by launching three infosecurity guides that complement each other very well:

‘ISO 27001 – A Pocket Guide’ is ideal for organisations that are contemplating an information security management system, about to embark on an implementation, or simply wish to raise awareness of infosecurity among their employees. It succinctly covers the basics, including:

* An explanation of information security and how it can be managed using a globally recognised approach
* The factors that need to be considered in designing an information security regime
* What investments might be necessary to deliver a consistent level of assurance and how to gain maximum value from the available budget
* How to pursue and demonstrate compliance with the ISO 27001 standard

The book is written by my colleague Steve Watkins, a leading author, educator and consultant on information security management. Priced at £7.95/US$15.73/€11.82, it is available in softcover and e-book formats here.

‘A Dictionary of Information Security Terms, Abbreviations and Acronyms’ is a new book that Steve and I have written together. It is an invaluable resource for people grappling with security terminology for the first time. Rather than a dry technical dictionary, it is written in an accessible style that enables managers and novices to quickly grasp the meaning of terms such as ‘bluesnarfing’, ‘DDoS’, ‘pharming’ and ‘zombie’. The Dictionary is priced at £9.95/US$19.68/€14.79 and available in softcover and e-book formats here.

‘ISO 27001 Assessments Without Tears’ provides a helpful primer for organisations preparing to have their infosecurity regime independently assessed. It describes the assessment process, gives guidance on preparation and how to work with the auditor, and, if needed, advises on what to do if the auditor finds fault with any aspect of a system. Written by Steve Watkins, the book is priced at £5.95/US$11.77/€8.84 and available in softcover and e-book formats here.

Further pocket books will be introduced over coming months in the Practical Governance series and will address the following topics:

* Information Security Governance
* A Directors’ Guide to the UK Combined Code and Turnbull Report
* Sarbanes-Oxley
* Basel II
* Regulatory Compliance
* The Integrated Management System
* IT Governance
* Information Governance
* Project Governance
* Enterprise Risk Management

Watch this space!

Data explosion calls for strengthened compliance measures

Tuesday, March 20th, 2007

ZDNet reports that new research from IDC is predicting a sixfold increase in the amount of digital information created over the next four years, which could have serious implications for compliance and IT departments.

The report, entitled ‘The Expanding Digital Universe’, says that much of the data created through new tools and applications will be subject to compliance rules such as Sarbanes-Oxley, Basel II and other legislation. IDC warns that companies will have to improve their IT infrastructure to make sure that their compliance strategies can cope with this rising tide of data.

What is just as important, I would argue, is to have in place the compliance processes that can satisfy this web of regulatory demands. An ISMS built according to ISO 27001 provides just the tool to achieve this, which explains why certification is being pursued by more and more companies.

Nationwide fined £1 million for poor infosecurity

Monday, March 12th, 2007

Nationwide, the building society, has been heavily fined by the UK's financial regulator for weak data security following the theft from an employee's home of a laptop containing confidential data of almost 11 million customers. In light of the lax security that made this possible, and the fact that Nationwide did not start an investigation until three weeks after the theft, the building society was fined £980,000.

The size of this fine should send a clear message not only to banks and building societies but to businesses in all sectors: customer data is a top priority, and businesses that fail to put in place appropriate security measures can expect harsh penalties. This is a wake-up call that must be heard, and we will hopefully see many more businesses stepping up their infosecurity compliance as a result.

In addition to our existing expert guides and toolkits, which make ISO 27001 compliance and certification accessible and affordable for most businesses, we are presently working on a new software solution that will simplify matters even further – expect more news at Infosecurity Europe next month.

ISO 27001 delivers ROI

Friday, December 22nd, 2006

ISO 27001 is not only about safeguarding corporate information assets – it is also a godsend for organisations struggling to deal with regulatory compliance demands.

SOX, HIPAA, Gramm-Leach-Bliley, SB 1386, OPPA and others generate a welter of often overlapping requirements, which can quickly create a huge drain on management resources. However, ISO 27001 provides a highly effective way of cutting through this burden, resulting in very real efficiencies, as this case study shows:

“My audit preparation time dropped from about 2 months to under two days for the Federal Financial Institutions Examination Council (FFIEC) audit (done by the people who were concerned about SOX controls.)”

“My time spent with the auditors was reduced by 50% over a three week time span.”

Show that to people who question whether getting certified creates an ROI.

Disaster planning still lags behind

Wednesday, December 13th, 2006

The British Standards Institution has found a significant improvement in companies' business continuity planning in the past 12 months. However, of the 100 FTSE-250 firms interviewed, "Only 45% … had comprehensive plans in place for a supply chain failure, and 21% of companies said they required all suppliers to have business continuity plans in place."

Nobody should kid themselves that this can remain the case: any company is potentially vulnerable to a continuity failure if a supplier lets them down. For that reason, expect to see suppliers increasingly called upon to prove that they have measures in place to ensure their dependability. This will be one of the main drivers for the growth of ISO 27001 certification in the next five years. Companies that have it will prosper; companies that don’t will get left behind.

eGovernment falters on lack of trust

Tuesday, December 12th, 2006

A lack of trust is hampering take-up of online government services, according to a recent BCS Thought Leadership Debate. Of course it is – why would anyone entrust their most personal data and important transactions to IT systems without an assurance that they will remain secure? The Cabinet Office has done much to champion the cause of BS 7799/ISO 27001 as vital for the success of online public services, but far too few public sector organisations have become certified: a clear case of taking a horse to water. Public sector executives have to realise that until they provide ISO 27001 as a ‘badge of trust’ to their customers, departments and agencies will fail to deliver on the promise of eGovernment.

81% of IT managers report a security incident

Friday, November 17th, 2006

More meat on the bones of worries about Instant Messaging. A recent survey found that 81% of IT managers reported a security incident due to Instant Messaging or other ‘greynets’, such as Skype. These incidents cost companies real money – nearly $130,000 annually to be precise. The survey also shows that more users are adopting greynet applications, yet little progress has been made toward combating greynet-related attacks.

This being the case it is all the more vital to tackle the human dimension. Companies that implement ISO 27001 will have clearly communicated policies in place to cover such applications, audit processes to check that rules are being followed and unambiguous penalties for individuals who go against their responsibilities to the company and their colleagues.

Altered attitudes

Monday, November 13th, 2006

Here is an article addressing an important topic, written by someone who knows a thing or two about security, having previously edited SC Magazine. How, then, can it be possible for this lengthy piece to make absolutely no reference to ISO 27001?

Many of the measures suggested by interviewees are spot on, but where is the glue that holds all of these ideas together? This is precisely what ISO 27001 is for and it would be good to see titles like ComputerWeekly doing more to champion this vital management tool.

Spam gets stealthier

Monday, November 6th, 2006

I would have thought by now that infosec professionals would have been aware of the extent to which spam is part of the malware armoury – but this article identifies the need to ensure that staff are also appropriately trained to identify and deal with those threats that inevitably bypass the best defences. ISO 27001, of course, provides clear guidance on staff training.
