28 September 2007

Putting the Information into Security

Organisations need ISO 27001 to create an information security regime that truly meets their compliance needs, argues Alan Calder of IT Governance

Driven by Moore’s Law, technological evolution is rapidly intensifying. More and more information is stored in databases, and ever more sophisticated computer and communications technologies are used by ever greater numbers of people.  Unsurprisingly, this evolution is seldom without error, which leaves software and hardware vulnerable to attack, internal fraud and human error, any of which can destroy an organisation in a matter of hours.

Traditionally, the person in charge of IT has tried to deal with the most obvious computer security threats by implementing appropriate controls. For instance, the virus threat is dealt with by deploying anti-virus software, the hacker is kept out by means of a firewall, and the business continuity risk dealt with by a combination of uninterruptible power supplies and regular backups.

However, that point-by-point approach is now demonstrably inadequate. Today, organisations could be faced with sophisticated ‘blended attacks’, whereby mass-mailing virus delivery mechanisms are used to insert Trojans into target systems, which hackers can then use to bypass the firewall.  Phishing attacks go a step further, encouraging people to come out from behind their firewalls and hand over valuable personal data. The USB (‘flash’) sticks on digital cameras or MP3 players can export more illegal corporate data than did any micro-dot, while mobile camera phones allow insider dealers to share market-sensitive information at the push of a ‘Send’ button

It is not just corporate information that is at risk, of course. Databases containing individual and consumer personal data proliferate daily. They are attractive targets for identity thieves, who know they can use this information to steal millions of pounds and remove it to the other side of the world noiselessly, unobtrusively, and without danger to themselves.

Unfortunately, consumers do little to protect themselves against these threats, either at home or in work. However, regulators have caught on and, as a result, data protection and personal privacy legislation is proliferating across the OECD.  All EU countries have implemented stringent regulations, and more than half the US state legislatures have done the same. Of course, there is no co-ordination between any of this legislation, so organisations operating in more than one jurisdiction are exposed to untested and possibly contradictory laws and regulations.

There are also specific sectoral requirements, like HIPAA (Health Insurance Portability and Availability Act) and GLBA (Gramm-Leach-Bliley Act) in the US, the payment card industry requirements which apply in all outlets that accept Visa and Master Card, the Financial Services Act regulations, and so on. There are also the increasingly complex audit requirements of corporate governance, which want assurance that the information and communications systems, on which the organisation’s accounts depend, are secure and controlled.

‘IT Security’ - the selection and implementation of controls by the IT team - is not an effective solution to the complex range of issues the organisation now faces. What every organisation requires is a coherent, comprehensive approach to ‘Information Security management’ that is capable of being tailored to its specific needs and circumstances.

ISO 27001, the increasingly popular global information security management standard, defines information security as the “preservation of confidentiality, integrity and availability of information. In addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved”:

· Availability – “being accessible and usable upon demand by an authorised entity”

· Confidentiality – “information is not made available or disclosed to unauthorised individuals, entities, or processes”

· Integrity – “safeguarding the accuracy and completeness of assets”

The standard systematically describes how management can ensure the availability, confidentiality and integrity of information within an organisation. It recognises that threats to information arise and must therefore be addressed.

The challenge, though, is that, even if managers are able to identify all the real information security risks and the appropriate controls for them, controls cost money to implement, and it is unlikely that implementing every possible control is affordable, reasonable, or even necessary.

Therefore, ISO 27001 introduced the ‘PDCA’ model (‘Plan, Do, Check, Act’) to guide the development of an information security management system (ISMS) appropriate to the real needs of each organisation.  Taking each stage of this cycle in turn, the standard requires one to:

· Plan - define the scope of the ISMS; define the information security policy; define and conduct a systematic risk assessment – at the individual information asset level; identify and evaluate options for the treatment of these risks; select the control objectives and controls for each risk treatment decision and prepare a statement of applicability

· Do - produce the risk treatment plan, including planned processes and procedures; implement the risk treatment plan and controls; provide training and awareness for staff; manage operations and resources in line with ISMS; implement procedures for diction of and response to security incidents

· Check - this stage is that of monitoring, testing, audit and review

· Act - the findings from the ‘check’ stage should be reviewed and action should be acted upon, including actions required to address changes in any factors affecting the risk

However, while ISO 27001 provides a rigorous specification for a coherent, integrated information security management system - and one that is vendor and technology neutral - it is not a panacea. Designing and implementing an ISO 27001 system is not for the faint-hearted, and real success depends very much on three things: the risk assessment process, the real level of management commitment, and the practical, day-to-day involvement of staff and users.

It is a key principle of ISO 27001 that the only controls implemented should be those that help the business protect itself cost-effectively without undermining the business objectives. Organisations that apply this principle are those in which the information security team are seen as business enablers, not business blockers. This only happens when management - from the CEO down - understand and embrace information security as a system and a philosophy inside the organisation. When management provides business guidance for the security people, and helps define and implement (on an ongoing basis) the approach to risk assessment, then the organisation tends to evolve a constructive approach to information security.

Information security becomes more high profile every day. As corporate governance and legislative requirements develop they are increasingly including more information-related aspects. In the UK, the Turnbull Guidance on internal control and risk management gives directors of public companies a clear responsibility to act on IT governance, the effective management of risk in IT projects and on computer security. It is a topic that, in the information age, is here to stay.

Alan Calder is chief executive of IT Governance Limited (www.itgovernance.co.uk) the one-stop-shop for information security books, tools, training and consultancy. He is co-author of ‘IT Governance: a Manager’s Guide to Data Security and BS7799/ISO17799’, a plain-English guide to achieving ISO 27001 certification.