
IT under scrutiny

IT security has a reputation as being a barrier, rather than an aid, in the workplace. That is starting to change, and ISO 27001, the new information security standard, is already helping to refocus organizational IT security activity on the actual needs of the business, say Alan Calder and Steve Watkins

ISO 27001 is the world’s first formal, internationally recognized specification for an information security management system. It has a much broader use than people might imagine but used wrongly it could become a fossil, left behind by the rapid evolution of technology and technological threats.

A new profession

Information security is a relatively new profession, but then so is the modern computer and the modern computer network. It was not IBM’s invention of the PC, or the founding of Microsoft, but the emergence of the internet from the 1970s onwards that gave birth to a new, online world in which digital data could be moved and stored in ever greater quantities and by increasing numbers of people.

Computer hackers have existed for almost as long as organizations have stored information on computers. Before networking, an attacker had to gain physical access to a machine before attempting to access its data; once the machine was permanently connected to others, the remote attacker gained opportunities galore. Then followed the virus: the first computer virus emerged only some 20 years ago. And today? There are over 120,000 viruses live ‘in the wild’, circulating freely on the internet.

We think of the 21st century as the information age. If this is so, then the most important component of any corporate balance sheet is its intellectual capital - the intangible assets that include:

  • intellectual property, such as brands, trademarks, copyrighted and patented items
  • customer and supplier databases
  • individual and departmental staff know-how
  • business processes
  • organizational competence (the complex of know-how, processes, systems and experience that enables an organization to achieve its business objectives)

Intellectual capital depends for its very existence on IT and, as we’re aware, IT is vulnerable to external attack. It is also vulnerable to internal fraud in a way that, as Barings Bank learned to its cost, can destroy an organization within a matter of hours. It is also vulnerable to simple human error.

Personal privacy

It is not just corporate information which is at risk, of course. Databases containing individual and consumer personal data - names, addresses, social security numbers, credit card details - proliferate daily. They are attractive targets for identity thieves, who know they can use this information to steal millions of pounds and remove it to the other side of the world noiselessly, unobtrusively, and without danger to themselves.

Unfortunately, consumers do not do much to protect themselves against these threats, either at home or at work. In a recent survey, 85 per cent of participants compromised the secrecy of their password for a Starbucks coffee: participants were offered a free coffee if they could remember (and share) their corporate password, and those who did not want to give it away were mostly prepared to confirm whether or not it was their mother’s maiden name or their child’s birthday. Regulators have caught on: they suspect that there are votes in protecting consumers against the theft of their personal data and, as a result, data protection and personal privacy legislation is proliferating across countries belonging to the Organization for Economic Cooperation and Development (OECD).

All EU countries have implemented stringent regulations, and more than half the US state legislatures have done the same. Of course, there is no coordination between any of this legislation, so organizations operating in more than one jurisdiction (or, in some cases, having consumers from more than one jurisdiction on their database) are exposed to possibly contradictory - certainly untested - laws and regulations.

(Picture caption: PC security should be a major concern for any organization)

Regulatory compliance

General personal privacy is just the tip of the iceberg. There are specific sectoral requirements, such as HIPAA (the Health Insurance Portability and Accountability Act) and GLBA (the Gramm-Leach-Bliley Act) in the US, the payment card industry requirements that apply to every outlet accepting Visa and MasterCard, the Financial Services Act regulations, and so on. There are also the increasingly complex audit requirements of corporate governance, which demand assurance that the information and communications systems on which the organization’s accounts depend are secure and controlled.

‘IT security’ - the selection and implementation of controls by the IT team - is not an effective solution to the complex range of issues the organization faces. What every organization requires is a coherent, comprehensive approach to information security that is capable of being tailored to its specific needs and circumstances. The answer is not just IT security, but information security.

In ISO 27001, information security is defined as the ‘preservation of confidentiality, integrity and availability of information. In addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved’:

  • availability - ‘being accessible and usable upon demand by an authorized entity’
  • confidentiality - ‘information is not made available or disclosed to unauthorized individuals, entities, or processes’
  • integrity - ‘safeguarding the accuracy and completeness of assets’

ISO 27001 systematically describes how to ensure the availability, confidentiality and integrity of information within an organization. It starts from the premise that threats to information are real and constantly changing, and that they must therefore be identified and addressed rather than assumed away.

These are obviously risks that need identifying and, as with most risks, the sensible management approach is to introduce a degree of control. The challenge though is that, even if managers are able to identify all the real information security risks and the appropriate controls for them, controls cost money to implement, and it is unlikely that implementing every possible control is affordable, reasonable, or even necessary.

In the UK, organizations must also take into account the requirements of the:

  • Data Protection Act
  • Computer Misuse Act
  • privacy regulations
  • Copyright, Designs and Patents Act
  • and for public sector organizations, the Freedom of Information Act

All of these have a direct impact on information management.

In 1998 a new accredited certification scheme was introduced for a standard specifying the requirements for information security management. The standards were BS 7799 parts 1 and 2 (with part 1 being a code of practice and part 2 providing the management system specification against which organizations could be assessed).

In 2000, part 1 was re-issued, with some slight amendments, as an international standard, ISO/IEC 17799. It has since been substantially revised and was re-issued in 2005, still defining a code of practice that consists largely of a list of controls to address specific risks. It has been widely adopted and its principles are reflected in standards as diverse as the payment card industry standard and US Federal Information Security Management Act.

The management system specification, BS 7799 part 2, was revised in 2002, introducing the PDCA (plan-do-check-act) model. By 2005, the various localized versions of BS 7799-2 that had been introduced around the world were replaced with a single international standard, ISO 27001, largely based on the evolved British standard.

ISO 27001 defines the PDCA cycle as a means of introducing and implementing an information security management system (ISMS). Taking each stage of this cycle in turn, the standard requires:

  • plan - define the scope of the ISMS; define the information security policy; define and conduct a systematic risk assessment, at the individual information asset level; identify and evaluate options for the treatment of these risks; select the control objectives and controls for each risk treatment decision and prepare a statement of applicability
  • do - produce the risk treatment plan, including planned processes and procedures; implement the risk treatment plan and controls; provide training and awareness for staff; manage operations and resources in line with the ISMS; implement procedures for the detection of and response to security incidents
  • check - monitor, test, audit and review the ISMS, measuring whether the controls are operating and whether the risk picture has changed
  • act - review the findings from the ‘check’ stage and take corrective and preventive action, including the actions required to address changes in any factors affecting the risk

ISO 27001 and ISO 17799

Annex A of ISO 27001 is a list of controls. There are 133 controls, contained in 11 major control areas. These controls address all the potential risk areas, from viruses and mobile code through to intellectual property theft, business continuity and access control. The Annex A controls replicate those contained in ISO 17799, to which the user is directed as the source of good practice guidance for implementing the controls. In effect, ISO 27001 mandates the use of ISO 17799 while providing the management system that enables ISO 17799 controls to be part of an integrated framework.

As part of the plan phase, the organization has to prepare a statement of applicability. This, in principle, is a statement as to which of the controls listed in Annex A apply to the organization and how each is implemented. The control statement for clause 5.1 of Annex A might, for instance, be that the organization has an information security policy, which is signed off by the board and is available to all staff and appropriate third parties on the organizational intranet. Where one of the controls is not applied, there has to be a documented justification, such as the statement that controls on software development are not required because the organization sources all its software from third party suppliers.
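The plan-phase steps listed above (asset-level risk assessment, treatment decisions, control selection, statement of applicability) are easier to see as one mechanical pass over a risk register. The following is an added illustration written for this page; it is not code from the article or from IT Governance Limited. The assets, threats, scores, acceptance threshold and justification texts are constructed sample data; the Annex A control numbers follow the 2005 edition as recalled by the example’s author, and the mapping from threats to controls is illustrative rather than a reading of the standard.

```python
"""Plan phase in miniature: risk assessment -> risk treatment -> Statement of
Applicability (SoA). Added example; sample data below is constructed, and the
threat-to-control mapping is illustrative only."""
from dataclasses import dataclass

# Small slice of an Annex A catalogue (ISO/IEC 27001:2005 numbering, as recalled).
CATALOGUE = {
    "A.5.1.1": "Information security policy document",
    "A.10.4.1": "Controls against malicious code",
    "A.10.7.1": "Management of removable media",
    "A.11.2.1": "User registration",
    "A.12.5.1": "Change control procedures",
    "A.14.1.1": "Information security in the business continuity process",
    "A.15.1.4": "Data protection and privacy of personal information",
}
# Controls that apply whatever the risk picture: an ISMS policy is mandated by
# the standard itself (clause 4.2.1 b) of the 2005 edition).
BASELINE = {"A.5.1.1": "Mandated by ISO 27001; board-approved policy published on the intranet"}
# A control driven by no risk must still carry a justification or the SoA is incomplete.
EXCLUSIONS = {"A.12.5.1": "No in-house development; all software is sourced from third-party suppliers"}

@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    c: int  # impact if confidentiality is lost, 1 (negligible) .. 5 (severe)
    i: int  # impact if integrity is lost
    a: int  # impact if availability is lost

@dataclass(frozen=True)
class Threat:
    description: str
    asset: str
    affects: str     # property attacked: "c", "i" or "a"
    likelihood: int  # 1 (rare) .. 5 (expected)
    controls: tuple  # Annex A controls that would reduce this risk

# Constructed sample register.
ASSETS = {
    "customer database": Asset("customer database", "Sales director", c=5, i=4, a=3),
    "payroll system": Asset("payroll system", "Finance director", c=4, i=5, a=3),
    "intranet": Asset("intranet", "IT manager", c=2, i=2, a=3),
}
THREATS = [
    Threat("Identity thief extracts customer records", "customer database", "c", 3, ("A.11.2.1", "A.15.1.4")),
    Threat("Virus corrupts payroll data", "payroll system", "i", 4, ("A.10.4.1",)),
    Threat("Customer data copied to a USB stick and lost", "customer database", "c", 4, ("A.10.7.1",)),
    Threat("Intranet server outage", "intranet", "a", 2, ("A.14.1.1",)),
]

def risk_score(asset: Asset, threat: Threat) -> int:
    """Impact on the attacked property times likelihood (5x5 matrix, 1..25)."""
    return getattr(asset, threat.affects) * threat.likelihood

def assess(assets=ASSETS, threats=THREATS) -> list:
    """One risk line per threat, scored against the specific asset it targets."""
    return [{"asset": t.asset, "threat": t.description,
             "score": risk_score(assets[t.asset], t), "controls": t.controls}
            for t in threats]

def treat(risks, threshold: int) -> list:
    """Management's risk acceptance criterion: accept at or below threshold, else reduce."""
    return [dict(r, treatment="accept" if r["score"] <= threshold else "reduce") for r in risks]

def statement_of_applicability(decisions, catalogue=CATALOGUE, baseline=BASELINE,
                               exclusions=EXCLUSIONS) -> dict:
    """Every catalogue control becomes applicable or not, each with a reason.
    Raises if a control is neither selected by a treatment nor justified as excluded."""
    soa = {}
    for cid, title in catalogue.items():
        related = [d for d in decisions if cid in d["controls"]]
        reduced = [d["threat"] for d in related if d["treatment"] == "reduce"]
        accepted = [f"{d['threat']} (score {d['score']})" for d in related if d["treatment"] == "accept"]
        if cid in baseline:
            soa[cid] = {"title": title, "applicable": True, "justification": baseline[cid]}
        elif reduced:
            soa[cid] = {"title": title, "applicable": True, "justification": "Treats: " + "; ".join(reduced)}
        elif accepted:
            soa[cid] = {"title": title, "applicable": False, "justification": "Risk accepted: " + "; ".join(accepted)}
        elif cid in exclusions:
            soa[cid] = {"title": title, "applicable": False, "justification": exclusions[cid]}
        else:
            raise ValueError(f"{cid} is neither selected by a risk treatment nor justified as excluded")
    return soa

if __name__ == "__main__":
    for threshold in (8, 4):  # the same register, two risk appetites
        print(f"--- acceptance threshold {threshold} ---")
        decisions = treat(assess(), threshold)
        for d in decisions:
            print(f"{d['score']:>2} {d['treatment']:<7} {d['asset']}: {d['threat']}")
        for cid, row in statement_of_applicability(decisions).items():
            print(f"{cid:<9} {'applicable' if row['applicable'] else 'N/A':<10} {row['justification']}")
```

Running it with threshold 8 accepts the intranet outage (score 6), so the business continuity control is recorded as not applicable with the accepted risk as its reason; lowering the threshold to 4 pulls that control back into scope. The change control exclusion stands in both cases because it is justified, while adding any control to the catalogue without a driver or a justification is rejected, which is the property an auditor checks in a statement of applicability.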

Be business-able

While ISO 27001 provides a rigorous specification for a coherent, integrated information security management system, and one that is vendor and technology neutral, it is not a panacea. Designing and implementing an ISO 27001 system is not for the faint-hearted, and real success depends very much on three things: the risk assessment process, the real level of management commitment, and the practical, day-to-day involvement of staff and users.

It is a key principle of ISO 27001 that the only controls implemented should be those that help the business protect itself cost-effectively without undermining the business objectives. Organizations that apply this principle are those in which the information security team are seen as business enablers, not business blockers. This only happens when management - from the CEO down - understand and embrace information security as a system and a philosophy inside the organization. When management provides business guidance for the security people, and helps define and implement (on an ongoing basis) the approach to risk assessment, the organization tends to evolve a constructive approach to information security.

(Picture caption: Memory sticks are not as secure as many people think)

Evolving technology

Instant messaging, voice over IP telephone systems, wireless networking and blogs are all technologies which are being rapidly deployed throughout the corporate world. These were originally seen as consumer technologies; they do not have the robustness of typical enterprise products or the level of inbuilt security that is now expected of enterprise products. They are, however, extremely useful, extremely easy to get into action and a nightmare for the IT security people - unless they are alert to changing technology trends and evolving threat scenarios.

In many global organizations, the information security network access policy is set by the IT team without reference to the business. As a result, the business users routinely circumvent the system by using USB sticks to move data between computers - with all the attendant risk of data loss, data corruption, and data duplication. The right response to this situation is not to deploy USB blocking technology but, all too often, that is what does happen.

These are the organizations in which information security strangles the business. Deploying an ISO 27001 system, with its emphasis on risk-based controls and management direction, might just save such an organization from itself. Inevitably though, there will be organizations that deploy ISO 27001 prescriptively, insist on implementing all the controls and ignore the principle of risk-based controls and business-orientated solutions. These organizations will not survive the changing threats that emerge from the fast-changing technology market. For instance, they will respond to users who wish to use instant messaging by disabling it, ban blogs, and make web surfing difficult. 

Information security becomes more high profile every day. As corporate governance and legislative requirements develop they are increasingly including more information-related aspects. In the UK, the Turnbull guidance on internal control and risk management gives directors of public companies a clear responsibility to act on IT governance, the effective management of risk in IT projects and on computer security. It is a topic that, in the information age, is here to stay.

About the author

Alan Calder and Steve Watkins run IT Governance Limited, a company whose website (www.itgovernance.co.uk) provides a comprehensive range of books, toolkits, advice and guidance to help organizations tackle IT governance and information security issues, including ISO 27001. Their book IT Governance: a Manager’s Guide to Data Security and BS7799/ISO17799 is a plain-English guide to achieving ISO 27001 certification.

©2005 IRCA. All rights reserved. www.irca.org