Posts Tagged ‘USB Sticks’

Flash drives – again!

Monday, April 24th, 2006

Coming on the heels of my most recent post about the security risk posed by USB storage devices, here’s a story to chill the bones. It seems that classified military information is leaking out of Afghanistan and being offered for sale on those wonderful flash drives that we love so much.

I spend most of my time trying to get businesses, and particularly mid-size businesses, to grasp the security nettle and put in place a proper ISMS. The military hasn’t been much of a priority for me because, apart from anything else, you would sort of hope they understood these things better than many. I guess not.

For any organisation, a fundamental part of the solution has to be an appropriate system of usernames, rights and privileges. To the greatest extent possible, you need to confine access to sensitive information to those people who really need it. Properly mapping out access rights and keeping them up to date is critical. For example, if someone leaves an organisation or moves within it, their username must be withdrawn or their access rights amended immediately, not three months later. Similarly, if someone needs particular access rights to do a project, those should be curtailed again as soon as the project is finished.
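As an added illustration (not code from the original post), here is a small Python model of the joiner/mover/leaver discipline described above: standing access tied to a role, time-bounded project grants, and an audit that flags anything that should already have been withdrawn. The account names, resources and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    expires: Optional[date] = None   # None means standing access tied to the role

@dataclass
class Account:
    user: str
    active: bool                     # HR sets this to False the day someone leaves

def audit(accounts, grants, today):
    """Flag grants that should already have been withdrawn.

    Returns (reason, user, resource) tuples: 'leaver' for any grant still
    attached to a closed account, 'expired' for project access past its end date.
    """
    active = {a.user for a in accounts if a.active}
    findings = []
    for g in grants:
        if g.user not in active:
            findings.append(("leaver", g.user, g.resource))
        elif g.expires is not None and g.expires < today:
            findings.append(("expired", g.user, g.resource))
    return findings

def revoke(grants, findings):
    """Return the grant list with every flagged entry removed."""
    flagged = {(u, r) for _, u, r in findings}
    return [g for g in grants if (g.user, g.resource) not in flagged]

# Constructed sample data: one leaver whose account was closed but whose
# access was never removed, and one project grant that has run past its end.
TODAY = date(2006, 4, 24)
ACCOUNTS = [Account("alice", True), Account("bob", False), Account("carol", True)]
GRANTS = [
    Grant("alice", "finance-share"),
    Grant("bob", "finance-share"),                        # bob has left; still present
    Grant("carol", "project-x-docs", date(2006, 3, 31)),  # project finished last month
    Grant("carol", "hr-share"),
]

if __name__ == "__main__":
    found = audit(ACCOUNTS, GRANTS, TODAY)
    for reason, user, resource in found:
        print(f"{reason:8} {user:6} {resource}")
    print(len(revoke(GRANTS, found)), "grants remain")
```

Run on a schedule against the real HR feed and directory, the same audit turns "not three months later" into "not later than tomorrow".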

That might not prove popular, but it is part of the ‘soft skills’ requirements of modern IT managers to be able to sell their policies as well as implement them. They need to be able to explain persuasively why security is good for the employee as well as the organisation. (However, this article indicates that there is still a long way to go before the IT function develops the necessary people management skills. Note to the CEO – investing in this area is not a ‘nice to have’ item, it is an urgent requirement if you expect your IT to remain secure.)

It is also essential to have in place clear user agreements and acceptable use policies, (a) to ensure that employees understand what is expected of them and (b) to provide a basis for taking legal action against them if they flout this. These measures should include explicit instructions not to remove data without authorization, and various other measures to safeguard the integrity of the system.

I have written in considerably more detail about these issues in various books. However, in light of the profusion of USB storage devices today, I am thinking of adding one more measure to my recommendations, based on an item I read somewhere recently. If you are still worried that best practice policies and procedures aren’t enough, seal up the USB ports on people’s machines with glue!

iPod security threat

Thursday, March 30th, 2006

I have blogged previously about how simple USB storage devices pose a serious threat to corporate IT security. This article from Computerworld shows how the issue is escalating with the advent of the iPod as THE must-have accessory. Not only is an iPod a neat way to store your music, it is potentially also a great way to remove other data without permission and to introduce malware (knowingly or otherwise).

Unsurprisingly, Apple were not prepared to comment on whether they would be stepping up iPod security in light of this. It naturally falls to companies to make sure that they have policies and procedures in place to address this gaping vulnerability. However…

Eric Ouellet, vice president of research for security at Gartner Inc. in Stamford, Conn., said that only about 10% of enterprises have any policies dealing with removable storage devices.

Oh dear.

Changing user behaviour

Wednesday, February 1st, 2006

IDC has done some polling amongst IT managers and established that one of their top worries remains getting staff to play ball and follow IT security policy. As I have written before, the most thoroughly conceived corporate ISMS can be completely undone if an employee can introduce a virus from home just by plugging in a USB memory stick.

The answer is obviously internal communications and training, but many businesses are still falling woefully short in these areas. Such initiatives simply can no longer be seen as optional extras, as any company that has suffered a serious IT breach can confirm.

Infosecurity training needs to have three components:

* Users need to be competent to use their computers and understand the requirements of their user agreements and the acceptable use policy. E-learning is an ideal way to deliver this cost-effectively.
* They need to recognize and know how to deal with information security threats. We publish a book called the Internet Highway Code that is specifically designed to meet this need and is ideal for issuing to all staff members. To underline the importance of this issue, each employee should be required to sign a user agreement that includes reference to such guidance and confirms that they have read it.
* Users need to be kept aware of the changing risk environment so they can take adequate evasive action. An effective solution is to formalize a user alert service, whether internally or externally sourced, to ensure that staff hear about the latest threats and know how to respond.

CIOs and their teams need to impress upon their boards that these are core requirements for the business and need funding and senior endorsement.

USB Loopholes

Monday, July 18th, 2005

I thought that, by now, most organizations might have spotted the risk posed by USB sticks. Not so. I was in a household-name organization a couple of days ago – one of those organizations where there are restrictions on internet access, tight controls on software purchases, instant dismissal for breach of the Internet Acceptable Use Policy, and so on – and watched in stupefaction as the event organizer set up his slide presentation.
He pulled a USB stick from his pocket, put it into a port on his laptop – which was plugged into the network – and downloaded the presentation. I presumed that there must be some form of port protection installed, but no.
In fact, I learned, this was the simple way that people who didn’t have laptops took work home – because of the internet gateway restrictions on document export to non-business addresses, staff simply put their work onto their (privately acquired) USB sticks, took it home, did their work, and then uploaded it again in the morning.
And no one seemed to think this was strange.