IT security has a bad reputation as a barrier, rather than an aid, in the workplace. That’s starting to change, and ISO 27001, the new information security standard, is already helping re-focus organisational IT security activity on the actual needs of the business, say Alan Calder and Steve Watkins, in an article that first appeared in the March 2007 edition of QualityWorld, the magazine for the Chartered Quality Institute (www.thecqui.org/qualityworld)
ISO 27001 is the world’s first formal, internationally recognised specification for an information security management system. It has a much broader use than people might imagine but used wrongly it could become a fossil, left behind by the rapid evolution of technology and technological threats. To understand the standard’s benefits (and potential drawbacks), we must first understand the evolution of information security.
Information security is a new profession…
Information security is a relatively new profession, but then so are the modern computer and the modern computer network. It wasn’t IBM’s invention of the PC, or the founding of Microsoft, but the emergence of the internet in the mid-1970s that gave birth to a new, online world in which digital data could be moved and stored in ever greater quantities and by increasing numbers of people.
Computer hackers have existed for almost as long as organisations have stored information on computers. Before the internet, a hacker had to gain physical access to a machine before attempting to access its data. Once machines were permanently connected to one another, the remote hacker gained opportunities galore. Then came the virus: the first computer virus emerged only 20 years ago. And today? There are over 120,000 viruses live ‘in the wild’, circulating freely on the internet.
Driven by Moore’s Law (the observation that the number of transistors that can be placed on a chip doubles roughly every 18 months to two years, and is expected to keep doing so for the foreseeable future), the technological evolution is rapidly intensifying. Software gets more complex and sophisticated to take advantage of the increases in computing power, and users demand ever more of the software. More and more information is stored in databases, and more and more sophisticated computer and communications technologies are used by ever greater numbers of people: nearly one quarter of the world’s population is now online.
Unsurprisingly, this evolution is not always without error, which leaves software and hardware vulnerable to attack.
The ‘information age’ and digital danger
We think of the 21st century as the information age. If this is so, then the most important component of any corporate balance sheet is its intellectual capital - the intangible assets that include:
- intellectual property
- customer and supplier databases
- staff know-how
- business processes
- organisational competence
Intellectual capital depends for its very existence on IT and, as we’re aware, IT is vulnerable to external attack. It is also vulnerable to internal fraud in a way that can destroy an organisation within a matter of hours. It is also vulnerable to simple human error.
Whatever the risks, we are dependent on IT as never before. In the ‘Information Security Breaches Survey’ (2004), the DTI found that:
- 49 per cent of organisations believe that information is critical or sensitive because it will be of benefit to competitors
- 49 per cent believe that it is critical to maintaining customer confidence
- 58 per cent have highly confidential information stored on their computer systems (77 per cent of large businesses)
- 90 per cent send e-mail, browse the web and have a website
- 87 per cent now identify themselves as ‘highly dependent’ on electronic information and the systems that process it, compared to 76 per cent in 2002
What if there’s trouble?
What would you do if you were the person in charge of your organisation’s IT? You arrive in the office one Monday morning to find all the computer systems are down. You cannot access email or any of the information on your customer relationship management system (let alone pay suppliers, look up contact details for staff, and so on). You don’t know what has caused the problem: is it a virus? A hack attack? A power failure? Human error? Whatever it is, you do know that a paralysed business cannot stay paralysed for long.
Traditionally, the person in charge of IT has tried to deal with the most obvious computer security threats by taking direct action against them - implementing appropriate controls. For instance, the virus threat is dealt with by deploying anti-virus software, the hacker is kept out by means of a firewall, and the business continuity risk (the risk that a disruption such as a power failure, a hardware failure or the loss of data stops the business operating until systems and data can be restored) is dealt with by a combination of UPSs (uninterruptible power supplies) and regular backup tapes.
Information warfare
That point-by-point approach is now demonstrably inadequate. Today organisations could be faced with sophisticated ‘blended attacks’ whereby mass-mailing virus-delivery mechanisms are used to insert Trojans (software that opens illegal ‘back doors’) into target systems, which hackers can then use to bypass the firewall.
‘Phishing attacks’ (e-mails which pose as a request from, for instance, your bank, to log onto a website and update your security details) go one step further: they encourage people to come out from behind their firewalls and hand their valuable personal data over to the criminals directly. USB (‘flash’) sticks, digital cameras and MP3 players can carry more stolen corporate data out of the building than any microdot ever did, and with far less hassle. Mobile camera phones enable insider dealers to share market-sensitive information at the push of a ‘send’ button.
The UK National High Tech Crime Unit’s (www.nhtcu.org) 2004 survey illustrates the size of the problem:
- 167 out of 201 respondents experienced high tech crime in 2003
- the total estimated cost of these crimes exceeded £195 million
- three out of 44 financial services companies experienced financial fraud of over £60 million between them
- almost three-quarters of respondents agreed that the single most important impact of a computer-enabled crime was whether the company could continue to operate and do business with its customers
Personal privacy
It is not just corporate information which is at risk, of course. Databases containing individual and consumer personal data - names, addresses, social security numbers, credit card details - proliferate daily. They are attractive targets for identity thieves, who know they can use this information to steal millions of pounds and remove it to the other side of the world noiselessly, unobtrusively, and without danger to themselves.
Unfortunately consumers do not do much to protect themselves against these threats, either at home or at work. In one survey, 85 per cent of participants gave away their password in exchange for a Starbucks coffee. Regulators have caught on: they suspect that there are votes in protecting consumers against the theft of their individual data and, as a result, data protection and personal privacy legislation is proliferating across the OECD.
All EU countries have implemented stringent regulations, and more than half the US state legislatures have done the same. Of course, there is no co-ordination between any of this legislation, so organisations operating in more than one jurisdiction (or, in some cases, having consumers from more than one jurisdiction on their database) are exposed to possibly contradictory - certainly untested - laws and regulations.
Regulatory compliance
General personal privacy is just the tip of the iceberg. There are specific sectoral requirements, like HIPAA (the Health Insurance Portability and Accountability Act) and GLBA (the Gramm-Leach-Bliley Act) in the US, the payment card industry requirements which apply to all outlets that accept Visa and MasterCard, the Financial Services Act regulations, and so on. There are also the increasingly complex audit requirements of corporate governance, which demand assurance that the information and communications systems on which the organisation’s accounts depend are secure and controlled.
‘IT security’ - the selection and implementation of controls by the IT team - is not an effective solution to the complex range of issues the organisation faces. What every organisation requires is a coherent, comprehensive approach to information security that is capable of being tailored to its specific needs and circumstances. The answer is not just IT security, but information security.
Not IT security - information security!
In ISO 27001, information security is defined as the ‘preservation of confidentiality, integrity and availability of information. In addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved’:
- availability - ‘being accessible and usable upon demand by an authorised entity’
- confidentiality - ‘information is not made available or disclosed to unauthorised individuals, entities, or processes’
- integrity - ‘safeguarding the accuracy and completeness of assets’
ISO 27001 systematically describes how to ensure the availability, confidentiality and integrity of information within an organisation. It starts from the premise that threats to information exist, that they give rise to risks, and that those risks must be identified and addressed.
These are obviously risks that need identifying and, as with most risks, the sensible management approach is to introduce a degree of control. The challenge though is that, even if managers are able to identify all the real information security risks and the appropriate controls for them, controls cost money to implement, and it is unlikely that implementing every possible control is affordable, reasonable, or even necessary.
In the UK, organisations must also take into account the requirements of the:
- Data Protection Act
- Computer Misuse Act
- privacy regulations
- Copyright, Designs and Patents Act
- and for public sector organisations, the Freedom of Information Act
All of these have a direct impact on information management.
Where the standard comes in…
In 1998 a new accredited certification scheme was introduced for a standard specifying the requirements for information security management. The standards were BS 7799 parts 1 and 2 (with part 1 being a code of practice and part 2 providing the management system specification against which organisations could be assessed).
In 2000, part 1 was re-issued, with some slight amendments, as an international standard, ISO/IEC 17799. It has since been substantially revised and was re-issued in 2005, still defining a code of practice that consists largely of a list of controls to address specific risks. It has been widely adopted and its principles are reflected in standards as diverse as the payment card industry standard and the US Federal Information Security Management Act.
The management system specification, BS 7799 part 2, was revised in 2002, introducing the PDCA (plan-do-check-act) model. By 2005, the various localised versions of BS 7799-2 that had been introduced around the world were replaced with a single international standard - ISO 27001 - largely based on the evolved British standard.
ISO 27001 defines the PDCA cycle as a means of introducing and implementing an information security management system (ISMS). Taking each stage of this cycle in turn, the standard requires:
- plan - define the scope of the ISMS; define the information security policy; define and conduct a systematic risk assessment – at the individual information asset level; identify and evaluate options for the treatment of these risks; select the control objectives and controls for each risk treatment decision and prepare a statement of applicability
- do - produce the risk treatment plan, including planned processes and procedures; implement the risk treatment plan and controls; provide training and awareness for staff; manage operations and resources in line with the ISMS; implement procedures for the detection of and response to security incidents
- check - monitor, test, audit and review the ISMS and its controls
- act - review the findings from the ‘check’ stage and take corrective and preventive action, including the actions required to address changes in any factors affecting the risk
ISO 27001 and ISO 17799
Annex A of ISO 27001 is a list of controls. There are 133 controls, contained in 11 major control areas. These controls address all the potential risk areas, from viruses and mobile code through to intellectual property theft, business continuity and access control. The Annex A controls replicate those contained in ISO 17799, to which the user is directed as the source of good practice guidance for implementing the controls. In effect, ISO 27001 mandates the use of ISO 17799 while providing the management system that enables ISO 17799 controls to be part of an integrated framework.
As part of the plan phase, the organisation has to prepare a statement of applicability. This, in principle, is a statement of which of the controls listed in Annex A apply to the organisation and how each is implemented. Where one of the controls is not applied, there has to be a documented justification for its exclusion.
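The following is an added illustration of the plan-phase chain described above (asset-level risk assessment, a treatment decision per risk, control selection, and a statement of applicability that justifies every exclusion). It is example code written for this page, not text from ISO 27001 and not the authors’ own method; the 1-5 scoring scales, the acceptance threshold, the cost ceiling, the placeholder control identifiers and the sample risk register are all constructed assumptions, standing in for whatever Annex A controls a real assessment selects.

```python
"""Risk assessment -> risk treatment -> Statement of Applicability (SoA).

Added illustration only: not text from ISO 27001 and not the authors' own
method. The 1-5 scales, the acceptance threshold, the cost ceiling, the
control identifiers and the sample register are constructed assumptions.
"""
from dataclasses import dataclass

ACCEPT_THRESHOLD = 6  # assumed appetite: likelihood x impact at or below this is accepted
BUDGET = 4            # assumed ceiling on the relative cost of any single control

# Assumed catalogue of candidate controls: id -> (description, relative cost).
# Placeholders for whatever Annex A controls the real risk assessment selects.
CATALOGUE = {
    "CTRL-AV":     ("Anti-malware on every endpoint and mail gateway", 3),
    "CTRL-BACKUP": ("Daily backup with tested restore", 2),
    "CTRL-UPS":    ("UPS and generator for the server room", 2),
    "CTRL-MEDIA":  ("Removable media procedure plus encryption", 1),
    "CTRL-DLP":    ("Content inspection on outbound channels", 5),
    "CTRL-DDOS":   ("Upstream DDoS scrubbing service", 6),
}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int     # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int         # 1 (negligible) .. 5 (business-threatening), assumed scale
    candidates: tuple   # catalogue ids that would reduce this risk

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def label(self) -> str:
        return f"{self.asset}/{self.threat}"


def treat(risk: Risk, threshold: int = ACCEPT_THRESHOLD, budget: int = BUDGET) -> dict:
    """Treatment decision for one risk.

    accept   - within appetite, no control selected
    mitigate - the cheapest affordable candidate control is selected
    escalate - above appetite but nothing affordable: management must decide
               to transfer (insure, outsource) or avoid (stop the activity)
    """
    if risk.score <= threshold:
        return {"treatment": "accept", "controls": []}
    affordable = sorted((c for c in risk.candidates if CATALOGUE[c][1] <= budget),
                        key=lambda c: CATALOGUE[c][1])
    if affordable:
        return {"treatment": "mitigate", "controls": [affordable[0]]}
    return {"treatment": "escalate", "controls": []}


def statement_of_applicability(risks, catalogue=CATALOGUE):
    """Return (decisions, soa).

    The SoA lists every catalogue control as applicable or not; every entry
    carries a justification traceable to the risk register, including the
    explanation the standard requires for each excluded control.
    """
    decisions = {r: treat(r) for r in risks}
    soa = {}
    for cid in catalogue:
        treats = [r.label for r, d in decisions.items() if cid in d["controls"]]
        if treats:
            soa[cid] = {"applicable": True, "justification": "treats: " + ", ".join(treats)}
            continue
        pending = [r.label for r, d in decisions.items()
                   if d["treatment"] == "escalate" and cid in r.candidates]
        if pending:
            why = "unaffordable for: " + ", ".join(pending) + "; awaiting management decision"
        else:
            why = "no risk above the acceptance threshold requires it"
        soa[cid] = {"applicable": False, "justification": why}
    return decisions, soa


def check_soa(soa: dict, catalogue=CATALOGUE) -> bool:
    """Every catalogue control is listed and every entry is justified."""
    missing = set(catalogue) - set(soa)
    if missing:
        raise ValueError(f"controls absent from SoA: {sorted(missing)}")
    for cid, entry in soa.items():
        if not entry["justification"]:
            raise ValueError(f"{cid}: included or excluded without justification")
    return True


# Constructed sample risk register (illustrative, not survey data).
REGISTER = (
    Risk("customer database", "malware infection", 4, 5, ("CTRL-AV",)),
    Risk("customer database", "server room power loss", 2, 5, ("CTRL-BACKUP", "CTRL-UPS")),
    Risk("price list", "copied to USB stick", 4, 2, ("CTRL-MEDIA", "CTRL-DLP")),
    Risk("marketing brochure", "copied to USB stick", 5, 1, ("CTRL-MEDIA",)),
    Risk("online shop", "sustained DDoS", 3, 5, ("CTRL-DDOS",)),
)

if __name__ == "__main__":
    decisions, soa = statement_of_applicability(REGISTER)
    check_soa(soa)
    for r, d in decisions.items():
        print(f"{r.score:>2} {r.label:<45} {d['treatment']:<8} {d['controls']}")
    for cid, e in soa.items():
        print(f"{cid:<12} {'YES' if e['applicable'] else 'no':<3} {e['justification']}")
```

Two design points matter more than the arithmetic. First, the marketing brochure risk scores below the threshold and gets no control even though a control exists for it: that is the cost-effectiveness principle at work, and it is why the expensive content-inspection control ends up marked not applicable with a recorded reason. Second, the DDoS risk is above appetite but has no affordable control, so the script refuses to quietly accept it and instead records that a management decision (transfer or avoid) is still outstanding; the check stage of the cycle is where that open item gets chased.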
Be business-able
While ISO 27001 provides a rigorous specification for a coherent, integrated information security management system, and one that is vendor and technology neutral, it is not a panacea. Designing and implementing an ISO 27001 system is not for the faint-hearted, and real success depends very much on three things: the risk assessment process, the real level of management commitment, and the practical, day-to-day involvement of staff and users.
It is a key principle of ISO 27001 that the only controls implemented should be those that help the business protect itself cost-effectively without undermining the business objectives. Organisations that apply this principle are those in which the information security team are seen as business enablers, not business blockers. This only happens when management - from the CEO down - understand and embrace information security as a system and a philosophy inside the organisation. When management provides business guidance for the security people, and helps define and implement (on an ongoing basis) the approach to risk assessment, then the organisation tends to evolve a constructive approach to information security.
Evolving technology
Instant messaging, Voice over IP telephone systems, wireless networking and blogs are all technologies which are being rapidly deployed throughout the corporate world. These were originally seen as consumer technologies; they do not have the robustness of typical enterprise products or the level of inbuilt security that is now expected of enterprise products. They are, however, extremely useful, extremely easy to get into action and a nightmare for the IT security people - unless those people are alert to changing technology trends and evolving threat scenarios.
In many global organisations, the information security network access policy is set by the IT team without reference to the business. As a result, the business users routinely circumvent the system by using USB sticks to move data between computers - with all the attendant risk of data loss, data corruption, and data duplication. The right response to this situation is not to deploy USB blocking technology but, all too often, that is what does happen.
These are the organisations in which information security strangles the business. Deploying an ISO 27001 system, with its emphasis on risk-based controls and management direction, might just save such an organisation from itself. Inevitably though, there will be organisations that deploy ISO 27001 prescriptively, insist on implementing all the controls and ignore the principle of risk-based controls and business-orientated solutions. These organisations will not survive the changing threats that emerge from the fast-changing technology market. For instance, they will respond to users who wish to use Instant Messaging by disabling it, ban blogs, and make web surfing difficult.
Information security becomes more high profile every day. As corporate governance and legislative requirements develop they are increasingly including more information-related aspects. In the UK, the Turnbull guidance on internal control and risk management gives directors of public companies a clear responsibility to act on IT governance, the effective management of risk in IT projects and on computer security. It is a topic that, in the information age, is here to stay.
Alan Calder and Steve Watkins run IT Governance Limited, a company whose website (www.itgovernance.co.uk) provides a comprehensive range of books, toolkits, advice and guidance to help organisations tackle IT governance and information security issues, including ISO 27001. Their book IT Governance: a Manager’s Guide to Data Security and BS7799/ISO17799 is a plain-English guide to achieving ISO 27001 certification.