Posts Tagged ‘IT Security’

Schneier calls for liability

Friday, June 8th, 2007

An entertaining interview with Bruce Schneier in IT Security. He sets out in typically forthright style his view on big questions such as ‘Is security a solvable problem?’ He says, “Organizations need to be liable if they expose our personal information. That’s the kind of economic incentive that will result in more security.” Cases like the Nationwide Building Society’s recent £1 million fine demonstrate that this liability is becoming real, which will intensify the pressure on organizations to implement ISO 27001 as the best practice test of their infosecurity.

IBM predicts security misery

Friday, February 16th, 2007

More sobering stats. A report by IBM’s Internet Security Systems division says that 2007 will be a bumper year for IT vulnerabilities. It talks of a major growth in vulnerabilities in 2006, with 20 new ones reported every day, and says the trend is set to accelerate in 2007.

We see similar figures on a regular basis, so in itself this story is alarming but hardly earth-shattering. What would make a difference would be if companies like IBM joined the chorus to encourage businesses to get certified to the relevant security standards.

Stupid security

Thursday, October 19th, 2006

Information security is about three things – confidentiality, integrity and availability. IT security people who think that it’s only about the first two of these have lost touch with where the money to pay their salaries comes from. For information security to be effective it has to be fair and reasonable in the eyes of most employees, or it will never work. Communication and getting buy-in are as critical as having the right policies in the first place.

So, good on the people at Privacy International for their campaign to shame those organisations that overstep the mark by introducing truly mindless and overbearing security. They are doing nobody any favours and deserve a good pelting.

Investors don’t get the message

Monday, July 24th, 2006

This research from Harvard and Carnegie Mellon universities shows that large companies have no clear stock price-related incentive to prevent privacy breaches. Despite clear evidence of vulnerabilities that could seriously harm their interests, investors fail to give major quoted companies more than a mild slap on the wrist if their IT security is shown to be so lacking that there is a major breach of one or more privacy laws. After an initial dip, share prices quickly return to normal.

CIOs shouldn’t take this as a green light to reduce the cost of investment in protecting consumer privacy. The fact is that few institutional investors yet really understand the potentially very high direct and indirect costs of these breaches and so can’t yet make informed investment decisions.

As they become more knowledgeable (particularly with regulators becoming more determined around privacy), so the share price impact of a serious breach will become more dramatic and more prolonged. That, plus the possibility of SEC investigations and class-action suits, should be enough to keep CIOs and boards focused on their responsibilities around protecting personal information.

Get Safe Online

Tuesday, July 4th, 2006

Get Safe Online is out banging the drum for improved Internet security awareness amongst consumers and small businesses. As expected, their new survey reveals some strikingly relaxed attitudes (e.g. 25% of respondents were either not aware of phishing scams, or were unsure of how to protect themselves from being lured to fraudulent websites). Their government-backed website provides a good primer in some of the basics of Internet security, but for businesses that are growing from the sapling to young tree stage it is also helpful to have some more detail, hence my chapter for small businesses in ‘A Business Guide to Information Security’.

IT security help for growing businesses

Monday, May 8th, 2006

The UK’s Department of Trade and Industry periodically undertakes its own survey on IT security threats. The latest one, conducted for the DTI by PricewaterhouseCoopers, has revealed that amid the general improvement in the level of preparedness by companies, small and medium-sized businesses are less likely to be adequately prepared and are suffering as a consequence.

In response to this, we have decided to launch a series of low-cost IT security courses to give growing firms the knowledge and skills to protect themselves.

‘ISO 27001: Introduction and Overview’ is a one-day course designed for business owners and executives, IT managers and project managers who are at the initial stages of investigating information security management systems. It helps delegates to understand the key concepts and benefits of ISO 27001 as the best practice solution to countering IT threats. It also gives an overview of how ISO 27001 implementations can be managed in-house without calling in expensive consultants. I am leading this course and basing it upon my books, ‘The Case for ISO 27001’ and ‘Nine Steps to Success: an ISO 27001 Implementation Overview’. The first course will be held in London on 29th June, with further courses to be held in July and September. Delegate fees are £395.00 and bookings may be made here.

For ISO 27001-project leaders and their teams, the ‘ISO 27001 MasterClass’ provides three days of intensive tuition on the entire implementation process, including project scoping, risk assessments, documentation, management review and preparation for a successful certification audit. I am leading the course jointly with Steve Watkins and we are basing the sessions upon our definitive guide to information security management, ‘IT Governance: a Manager’s Guide to Data Security and BS7799/ISO17799’, which is the core text of the Open University’s postgraduate course in Information Security. The first MasterClass will be held in London on 6 – 8 June, with further sessions planned for July and September. Delegate fees are £1,495.00 and bookings may be made here.

The 14 Infosec Basics

Tuesday, April 25th, 2006

As we know from the countless surveys that flood the industry, the good news is that an increasing number of companies are adopting a professional approach to information security; the bad news is that there are still many, many organisations that have yet to put their house in order.

From my experience, many of these are small to mid-size businesses that believe they lack the management bandwidth to deal with IT security right now (sure – technology is only mission critical when it stops working) or think it will prove hugely costly to tackle. So, instead of safeguarding their livelihoods, these businesses procrastinate and, as with anything we put off, the challenge becomes perceived as bigger than it is.

Knowledge is the weapon to kill inertia and the place to start is the 14 Infosec Basics. These apply to organisations of any size and ownership, although larger organisations will want to go beyond these in layering on additional measures. However, for SMEs and SMBs this is what you need to know – basic, but nonetheless vital:

1. Have a policy: make it real, practical and true to your business strategy.
2. Insist on accountability and responsibility: a basic rule of good management.
3. Identify asset ownership and classification: a comprehensive study of what needs protecting.
4. Address information security in all contracts, including employment and third party: let people know where they stand and ensure they can’t shirk responsibility for their actions.
5. Provide for the physical security of information systems: it seems so obvious until items go missing or get damaged.
6. Have up-to-date anti-malware software: naturally.
7. Implement and enforce user access controls: as I’ve blogged elsewhere, keep the tightest rein on this or risk the consequences.
8. Implement and enforce system access controls: you wouldn’t give a 10-year-old the keys to your car, so why would you put your IT system in the hands of someone unqualified?
9. Manage vulnerabilities: look for the chinks in your armour and patch them.
10. Have an incident response process: quick and clear communication stops dramas from becoming crises.
11. Have basic continuity and disaster recovery plans: how will you keep your customers happy if the roof falls in?
12. Monitor compliance: policies are great, provided that they are being followed.
13. Document essential policies, processes and procedures: share the critical information that people need to know.
14. Ensure that users are trained and aware of their responsibilities: give people the skills and knowledge to act responsibly.

Many organisations will have a few in place, but that’s not enough. You need the full 14 to ensure that you are making a professional response to security threats. But when you think about the consequence of failing to act, it’s not so hard now, is it?

iPod security threat

Thursday, March 30th, 2006

I have blogged previously about how simple USB storage devices pose a serious threat to corporate IT security. This article from Computerworld shows how the issue is escalating with the advent of the iPod as THE must-have accessory. Not only is an iPod a neat way to store your music, it is potentially also a great way to remove other data without permission and to introduce malware (knowingly or otherwise).

Unsurprisingly, Apple were not prepared to comment on whether they would be stepping up iPod security in light of this. It naturally falls to companies to make sure that they have policies and procedures in place to address this gaping vulnerability. However…

Eric Ouellet, vice president of research for security at Gartner Inc. in Stamford, Conn., said that only about 10% of enterprises have any policies dealing with removable storage devices.

Oh dear.

Symantec threat report

Tuesday, March 28th, 2006

Symantec has brought out its ninth Internet Security Threat Report, providing a pretty comprehensive overview of the most recent trends. Here are some of the highlights, which underline that companies have to protect themselves against increasingly deliberate, professionally and financially motivated attacks.

* The new threat landscape is shown to be increasingly dominated by attacks and malicious code that are used to commit cybercrime, criminal acts that incorporate a computer or Internet component. Attackers have moved away from large, multipurpose attacks on network perimeters and toward smaller, more focused attacks on client-side targets.
* Whereas traditional attack activity has been motivated by curiosity and a desire to show off technical virtuosity, many current threats are motivated by profit. They often attempt to perpetrate criminal acts, such as identity theft, extortion, and fraud, for financial gain.
* For the fifth consecutive reporting period, the Microsoft® SQL Server Resolution Service Stack Overflow Attack was the most common attack, accounting for 45% of all attacks.
* The average number of denial of service (DoS) attacks detected per day was 1,402, an increase of 51% from the first half of 2005.
* Financial services was the most frequently targeted industry.

Teaching IT security – an international disgrace

Tuesday, March 14th, 2006

News in that a school in the States is teaching its students about IT security. I have mixed feelings about this – great that it is happening, yet at the same time, how can we have got to 2006 and this is a news story? As has been reported already, this year sees the 20th anniversary of the discovery of the first computer virus. In IT terms, 20 years is Forever. How can it be that schools are only now beginning to address this vital skill? Plaudits to the school in question for doing this (and making some PR capital of it too), but a big raspberry to national governments (particularly our own in the UK) for not doing enough to put this on the agenda. ‘IT Security Skills or woolly lessons in Citizenship – which is more important? Discuss.’