Posts Tagged ‘security breaches’

MOD Laptop ‘anomalies’ = systemic failure

Tuesday, July 29th, 2008

Search Security published this, on 29 July 2008:

Last week, the MoD was forced, in an answer to a parliamentary question, to admit that during the last four years, 658 of its laptops were stolen, and another 89 lost. Only 32 of the devices have been recovered. In addition, 121 USB memory sticks have been taken or misplaced since 2004, with 26 of the losses happening this year, including three that contained information classified as “secret” and 19 that were “restricted”.

What makes the news even more depressing is that earlier estimates of losses had put the scale of the problem much lower (at 347 laptops stolen between 2004 and 2007). Defence Secretary Des Browne explained that there had been “anomalies” in the earlier reporting process.

Of course, any organisation that can undercount the number of lost laptops over a three-year period by about 50% doesn’t actually have a functioning system for accounting for its laptops. A functioning system, in an organisation like the MOD, might have components like:

* Loss of any laptop treated as an information security incident;
* Centralised collation of reports of lost laptops;
* Regular physical checks on the continued existence and status of all laptops;
* Automated monthly online check-ins by every laptop, which confirm that it is not running illegitimate software, that its anti-malware software is up to date, and so on – and, of course, that the laptop is still active and authenticating correctly;
* Reconciliation of any failure in these checks against the physical check and the incident reports, so that a laptop which has stopped checking in, has not been sighted and has no incident report against it is flagged as unaccounted for.
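The reconciliation step in the last bullet is the one that turns the other four into an actual count of missing laptops. The script below is an added example, not anything from the original post or from the MOD: it takes a (constructed) asset register, a log of automated check-ins, the dates of the last physical sighting and the incident reports, and classifies every registered laptop. The grace periods, asset IDs, unit names and dates are all assumptions made for the example.

```python
from collections import Counter
from datetime import date, timedelta

# Added example (not from the original post): reconcile a laptop asset register
# against automated check-ins, physical audits and incident reports, so that a
# laptop nobody has reported lost but nobody can produce either is flagged.
# The grace periods and every record below are constructed for the example.

CHECKIN_GRACE = timedelta(days=35)   # one missed monthly check-in plus slack (assumption)
AUDIT_GRACE = timedelta(days=120)    # quarterly physical check plus slack (assumption)
TODAY = date(2008, 7, 29)            # reconciliation date used by the run below

# asset_id -> owning unit (constructed)
ASSET_REGISTER = {
    "LT-0001": "Unit A",
    "LT-0002": "Unit A",
    "LT-0003": "Unit B",
    "LT-0004": "Unit B",
    "LT-0005": "Unit C",
    "LT-0006": "Unit C",
}

# Automated check-ins as (asset_id, date, compliant). compliant=False means the
# agent reported a failed policy check (unauthorised software, stale anti-malware).
CHECKINS = [
    ("LT-0001", date(2008, 7, 20), True),
    ("LT-0002", date(2008, 7, 18), False),
    ("LT-0003", date(2008, 3, 2), True),    # stopped checking in months ago
    ("LT-0004", date(2008, 7, 25), True),
    ("LT-0005", date(2008, 2, 11), True),   # sighted in the audit, but silent online
    ("LT-9999", date(2008, 7, 27), True),   # checks in, but is not on the register
    # LT-0006 has never checked in at all
]

# asset_id -> date last physically sighted (constructed)
PHYSICAL_AUDIT = {
    "LT-0001": date(2008, 6, 30),
    "LT-0002": date(2008, 6, 30),
    "LT-0004": date(2008, 6, 30),
    "LT-0005": date(2008, 6, 30),
}

# asset_id -> (kind, date reported) from the central incident log (constructed)
INCIDENTS = {
    "LT-0003": ("stolen", date(2008, 3, 10)),
}


def reconcile(register, checkins, audit, incidents, today):
    """Return ({asset_id: status} for every registered asset, [unregistered ids]).

    Statuses: reported_<kind>, ok, policy_failure, sighted_not_checking_in,
    unaccounted. 'unaccounted' is the case the MOD's incident count misses:
    no incident report, no recent check-in and no recent physical sighting.
    """
    latest = {}  # asset_id -> (date, compliant) of the most recent check-in
    for asset_id, when, compliant in checkins:
        if asset_id not in latest or when > latest[asset_id][0]:
            latest[asset_id] = (when, compliant)

    statuses = {}
    for asset_id in register:
        if asset_id in incidents:
            statuses[asset_id] = "reported_" + incidents[asset_id][0]
            continue
        seen = latest.get(asset_id)
        if seen is not None and today - seen[0] <= CHECKIN_GRACE:
            statuses[asset_id] = "ok" if seen[1] else "policy_failure"
        elif asset_id in audit and today - audit[asset_id] <= AUDIT_GRACE:
            statuses[asset_id] = "sighted_not_checking_in"
        else:
            statuses[asset_id] = "unaccounted"

    # Devices that authenticate but are missing from the register are a
    # different anomaly: the register itself is wrong.
    unregistered = sorted(set(latest) - set(register))
    return statuses, unregistered


def summarise(statuses):
    """Count laptops per status; this is the figure a parliamentary answer should quote."""
    return Counter(statuses.values())


if __name__ == "__main__":
    statuses, unregistered = reconcile(ASSET_REGISTER, CHECKINS, PHYSICAL_AUDIT, INCIDENTS, TODAY)
    for asset_id, status in sorted(statuses.items()):
        print(f"{asset_id}  {ASSET_REGISTER[asset_id]:8}  {status}")
    print("checking in but not on the register:", unregistered)
    print(dict(summarise(statuses)))
```

Run against the constructed data this flags LT-0006 as unaccounted for even though no incident was ever raised for it, LT-0005 as physically present but silent online (typically a disabled or re-imaged agent, worth a visit), LT-0002 as failing its policy check, and LT-9999 as a device the register does not know about. The point of the exercise is that the “how many have we lost” figure comes from the reconciliation, not from counting incident reports alone.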

If the MOD had any of these systems in place, it would at least know how many laptops it had lost. Since it does not know this (hence the ‘anomalies’), the only conclusion is that it simply hasn’t put in place systems adequate to the task. And if it hasn’t even made sure that it knows where its laptops are, how can it be sure that every one of the lost laptops was encrypted, and that none of them has been used in a way that breaches data protection law or the security of the realm?

And what makes anyone certain that the more recent figure is any more correct than the earlier underestimate? How does the MOD know that actual laptop losses aren’t running into the thousands?

UK Prison terms for personal data abuse

Friday, August 18th, 2006

Now’s a good opportunity to add your views to the consultation on handing out prison terms to employees who knowingly breach the Data Protection Act. Strengthening the law is probably a good idea, but bear in mind that, without adequate resources for investigating possible breaches and for pursuing and prosecuting those who break the law, the change will simply create yet more red tape for the companies that behave properly anyway, without doing anything meaningful to reduce data abuse.

BS7799: A system, not a guarantee

Monday, May 2nd, 2005

Recent reports of security breaches in India – security breaches at BS7799-certified companies – should be treated with all the scepticism they deserve. BS7799 is the British standard (adopted internationally as ISO/IEC 17799) for best practice in information security management. It is a system for managing information security effectively, coherently and comprehensively, and it takes into account the certainty that every management system will, sooner or later, be bypassed and every defence overwhelmed – which is why business continuity plans are such an important part of the information security management system.

BS7799 is most definitely not a guarantee that no attacker will ever be successful. Sooner or later, every company is overwhelmed by an attacker – particularly an insider, and insiders, statistically, are responsible for about half of all successful attacks. What BS7799 expects is that an organization carries out an information risk assessment before committing to an outsourcing contract, and that this risk assessment takes into account the documented scope of the certified organization’s certificate. If that scope is inadequate for the services being outsourced, the organization doing the outsourcing should act appropriately: not go ahead, require additional safeguards, and so on.

Whether an organization’s BS7799 certificate covers an information security management system that meets the requirements of the organization about to outsource its services is, usually, completely obvious from the certificate’s scope. If the organization doing the outsourcing nevertheless goes ahead and contracts for the services, it deserves a bloody nose – the fault lies in its own inadequate judgement, not in the standard.

Let’s make sure the really important lessons are learned here: the scope of the certificate must be adequate for the services being outsourced; the organization contracting out those services is also responsible for carrying out its own risk assessment; and, sooner or later, an attacker will overcome the best defence. What matters is that the defender has a system for identifying and recovering from those attacks – and BS7799 gives them that.