A to Z of Information Security © Mark Conway - Oak Consult 2014

A to Z of Information Security Management

Jun 18, 2015


Mark Conway

Page 1: A to Z of Information Security Management

A to Z of Information Security

© Mark Conway - Oak Consult 2014

Page 2: A to Z of Information Security Management

Introduction

The purpose of information security is to protect an organisation’s valuable assets, such as information, Intellectual property, hardware, and software.

Through the selection and application of appropriate safeguards or controls, information security helps an organisation to meet its business objectives by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets.

In this A to Z I’d like to outline some of the key focus areas for organisations wishing to pursue compliance to the ISO27001 Information Security standard.

Page 3: A to Z of Information Security Management

Accredited Certification

Like other ISO management system standards, certification to ISO27001 is not obligatory. Some organisations choose to implement the standard in order to benefit from the best practice it contains, while others decide they also want to get certified to reassure customers and stakeholders that its recommendations have been followed. Customers are increasingly asking for certification of their suppliers and for that reason many suppliers are also demanding certification of their supply chain.

ISO27001 Certification is a shrewd investment for any organisation, acting as an immediate, universally recognised indicator of an independently audited, best practice approach to information security, risk management & the protection of client data.

Achieving ISO27001 Certification does require an investment of time, effort & budget from an organisation, but there are significant regulatory, commercial, operational & reputational benefits that will repay the initial investment several times over.

Page 4: A to Z of Information Security Management

Best Practice

ISO27002 is a code of practice - a generic, advisory document, not a formal specification like ISO27001. It recommends information security controls addressing information security control objectives arising from risks to the confidentiality, integrity and availability of information. Organisations that adopt ISO27002 must assess their own information security risks, clarify their control objectives and apply suitable controls (or indeed other forms of risk treatment) using the standard for guidance.

Just as ISO 27002 provides a set of guidelines for best practice in implementing an Information Security Management System (ISMS), ISO 27005 provides best practice guidelines for risk management. As part of constructing a suitable and secure information security management system, you must assess the risks to your information and be prepared to mitigate these risks. The standard is structured logically around groups of related security controls. See F (Fourteen Security Control Categories).

Page 5: A to Z of Information Security Management

Controls

An administrative, procedural, technical, physical or legal means of preventing or managing the impact upon an asset of an information security event or incident. The following types of control exist:

– Preventative - prevents impact upon an asset.
– Detective - detects impact upon an asset.
– Reactive - reacts to impact on an asset; includes:
  – Corrective - actively reduces impact.
  – Recovery - restores an asset after impact.

Controls may reduce information security threats or impacts, although most reduce vulnerabilities.

Page 6: A to Z of Information Security Management

Data Protection

The Data Protection Act 1998 identifies the security obligation for controllers of personal data. In summary, controllers of personal data are required to:

– Implement appropriate technology that will keep data safe and secure, taking into account the state of technological development, the cost of the technology, the nature of the data that is being protected and the harm that might result from a security breach.

– Hire reliable staff and take steps throughout their employment to ensure their reliability. This will extend to pre-employment vetting and ongoing monitoring where appropriate.

– Use data processors who provide sufficient guarantees about security, who agree to work only pursuant to a contract and who agree to process data only on the controller's instruction. The controller must take appropriate steps to ensure the reliability of the processor.

Collectively these provisions address all the major themes within a comprehensive information security management system, and they dovetail nicely with the headline requirements of ISO27001.

Page 7: A to Z of Information Security Management

Employee Engagement

Many employees do not understand what information security is all about. You need to explain to your colleagues why information security is needed, the implications of not putting controls in place and how to perform certain tasks. In addition to training, awareness must give an answer to the question "Why?" - explain to your employees why they should accept information security as a normal working practice.

There are many methods you can use, for example:

– Include employees in documentation development

– Presentations - organise short meetings, conference calls or webinars where you can explain what new policies and procedures are being published and ask your employees for opinions about them, as well as clarify any misunderstandings.

– Articles on your intranet or internal newsletters - simple stories (with as many examples as possible)

– E-learning - you can create short online training modules that explain the significance of these topics, as well as train your employees in spotting key areas of risk and how they can help mitigate them.

– Videos - they are a very powerful presentation method - you can distribute them via email, through the intranet or use them at team / company events.

– Team Meetings - use regular meetings that are organised in your organisation to briefly present what you are doing and how it affects your colleagues.

– Day-to-day conversations - you have to sell the idea of information security / business continuity.

– You should prepare a plan defining which of these methods you will perform, and how often, as well as regular measurement as to how effective they are.

Page 8: A to Z of Information Security Management

Fourteen Security Control Categories

Control Categories:

– IS Policies
– Organisation
– Human Resources
– Asset Management
– Access Control
– Cryptography
– Physical & Environmental
– Operations
– Communications
– System Acquisition, Development / Maintenance
– Supplier Relationships
– Incident Management
– Business Continuity
– Compliance

Page 9: A to Z of Information Security Management

Governance

Information security governance is the system by which an organisation directs and controls information security. It also describes the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.

In simplest terms, it is a subset of the discipline of corporate governance, focused, unsurprisingly, on information security.

As discussed later, senior management’s fundamental commitment to information security is the most important aspect of effectively managing the security risk to an organisation’s information assets; this is also referred to as leadership duty of care or due care.

To be successful, information security governance activities must be driven by the board of directors, senior management and designated key personnel. These activities should be undertaken in a manner consistent with an organisation’s risk management and strategic plans, compliance requirements, organisational structure, culture and management policies.

A key aspect of security governance is the need to define decision rights and accountability. Achieving this both in theory and practice requires the right culture, policy frameworks, internal controls and defined practices.

Page 10: A to Z of Information Security Management

Human Resources

HR is key to an organisation’s information security health, which is why ISO27001/2 has a section dedicated to all matters HR. It not only outlines possible information security controls, but also includes vital implementation guidance in each of its sections related to the employment lifecycle, providing advice in relation to pre-employment, employment and post-employment activities.

1. Pre-employment phase
Covers areas such as screening or vetting and contracts/terms and conditions.

2. Employment stage
During employment, all staff members have a duty of care towards their organisation’s information assets. The IT department is usually expected to take care of security but, in fact, it takes care of IT security. The scope of an organisation’s information assets is much broader, and those assets are subject to far more risks than IT can reasonably be expected to cover. It is generally accepted that around 80% of organisational data breaches are caused by people rather than technical failure. This may be the result of staff using USB drives to carry data that perhaps they shouldn’t be.

3. Post-employment period
The post-employment period is a very risky one in terms of an organisation’s information security. Organisations can end up being the target of malice, theft or reputational damage. ISO27002 offers clear guidance on suitable policies and procedures for the termination process, which includes advice on how staff should return assets and on how best to remove their access rights. It also offers clear guidelines on how to implement such policies.

Page 11: A to Z of Information Security Management

Integrity, Availability and Confidentiality

At the heart of an Information Security Management System is the preservation of confidentiality, integrity and availability of information.

Other properties, such as authenticity, accountability, non-repudiation and reliability, can also be involved.

(Diagram: the three properties - Integrity, Availability, Confidentiality)

Page 12: A to Z of Information Security Management

Justification for ISO27001

With information and data now the lifeblood of many organisations, putting measures in place to protect such information from threats, breaches of security and theft is often essential for ensuring the longevity and reputation of your business.

– Safeguarding your organisation’s information, which will lead to reduced incidents, disruptions and accidents
– Provides customers and stakeholders with confidence in how you manage risk
– Allows for secure exchange of information and keeps confidential information secure
– Reduces customer audit impacts
– Allows you to ensure you are meeting your legal obligations
– Helps you to comply with other regulations
– Potentially provides you with a competitive advantage
– Consistency in the delivery of your service or product
– Manages and minimises risk exposure and builds a culture of security within the organisation
– Develops opportunities for positive PR for your organisation
– Reduces possible negative media stories which are generated from data and information breaches
– Protects the company, assets, shareholders and directors

Page 13: A to Z of Information Security Management

Knowledge and Training

Adequate resources (people, time, money) should be allocated to the operation of the Information Security Management System (ISMS) and all security controls. In addition, the staff who must work within the ISMS (maintaining it and its documentation and implementing its controls) must receive appropriate training. The success of the training program should be monitored to ensure that it is effective. You should also establish a plan for how you will determine the effectiveness of the training.

What you will need:

– A list of the employees who will work within the ISMS
– All of the ISMS procedures used for identifying what type of training is needed and which members of the staff or interested parties will require training
– Management agreement to the resource allocation and the training plans

Specific documentation is not required in the ISO standards. However, to provide evidence that resource planning and training has taken place, you should have documentation that shows who has received training and what training they have received. In addition, you might want to include a section for each employee that lists what training they should be given.

Page 14: A to Z of Information Security Management

Leadership and Management Buy-in

The leadership and management team of an organisation plays an important role in the success of an Information Security Management System. The Management responsibility section of ISO27001 states:

Management must make a commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the ISMS.

Commitment must include activities such as ensuring that the proper resources are available to work on the ISMS and that all employees affected by the ISMS have the proper training, awareness, and competency.

Establishment of the following demonstrates management commitment:

– An information security policy; this policy can be a standalone document or part of an overall security manual that is used by an organisation

– Information security objectives and plans; again this information can be a standalone document or part of an overall security manual that is used by an organisation

– Roles and responsibilities for information security; a list of the roles related to information security should be documented either in the organisation’s job description documents or as part of the security manual or ISMS description documents.

– Announcement or communication to the organisation about the importance of adhering to the information security policy.

– Sufficient resources to manage, develop, maintain, and implement the ISMS.

Page 15: A to Z of Information Security Management

Measurement and Monitoring

To ensure that the ISMS is effective and remains current and fit for purpose, ISO27001 requires:

– Management to review the ISMS at planned intervals. The review must include assessing opportunities for improvement, and the need for changes to the ISMS, including the security policy and security objectives, with specific attention to previous corrective or preventative actions and their effectiveness.

– Periodic internal audits - The results of the reviews and audits must be documented and records related to the reviews and audits must be maintained.

To perform management reviews, ISO27001 requires the following input:

– Results of ISMS internal and external audits and reviews
– Feedback from interested parties
– Techniques, products, or procedures which could be used in the organisation to improve the effectiveness of the ISMS
– Preventative and corrective actions (including those that might have been identified in previous reviews or audits)
– Incident reports, for example, if there has been a security failure, a report that identifies what the failure was, when it occurred, and how it was handled and possibly corrected.
– Vulnerabilities or threats not adequately addressed in the previous risk assessment
– Follow-up actions from previous reviews
– Any organisational changes that could affect the ISMS
– Recommendations for improvement

To perform internal audits on a periodic basis, you need to define the scope, criteria, frequency, and methods. You also need the procedure that identifies the responsibilities and requirements for planning and conducting the audits, and for reporting results and maintaining records. The results of a management review should include decisions and actions related to:

– Improvements to the ISMS
– Modification of procedures that affect information security at all levels within the organisation
– Resource needs

The results of an internal audit should result in identification of nonconformities and their related corrective actions or preventative actions. ISO27001 lists the activity and record requirements related to corrective and preventative actions.

Page 16: A to Z of Information Security Management

Not just a tick in a box

If implemented properly and with management buy-in to the process, the value that ISO27001 can bring to your organisation can be significant. 87% of respondents to a recent BSI Erasmus survey stated that implementing ISO 27001 had a "positive" or "very positive" outcome, with 39% reporting decreased downtime of IT systems and the same number a decrease in the number of security incidents.

Of those that were certified to the standard:

– 78% reported increased ability to meet compliance requirements
– 56% an increased ability to respond to tenders
– 51% an increased external customer satisfaction
– 62% increased relative competitive position
– ROI / sales increased despite rise in cost to develop and support IT

Page 17: A to Z of Information Security Management

Organisation Objectives

An organisation’s ISMS is influenced by its needs and objectives, its security requirements, the organisational processes used, and the size and structure of the organisation.

It is essential that any security arrangements that are to be implemented relate to (or support) overall organisation objectives and strategy. They must be productive and reflect stakeholder requirements.

Understanding this relationship enables you to adopt strategies and make recommendations that will promote the business and allow information security to enjoy the support of top management.

Page 18: A to Z of Information Security Management

Policy, Process and Procedures

An Information Security Policy is the cornerstone of an Information Security Management System. It should reflect the organisation's objectives and the agreed upon management strategy for securing key assets.

In order to be useful in providing authority to execute the remainder of the Information Security Management System, it must also be formally agreed upon by executive management.

The essence of a good information security policy:

– Keep it as short as possible
– Keep it relevant to the audience
– Keep it aligned to the needs of the business
– Keep it aligned to the legislation and regulatory frameworks in which you operate
– Do not marginalise it by aiming to "tick the box", as the policy needs to add value to the employee and the overall outcomes and behaviours you are looking to promote
– Share it with all of your key stakeholders internally and externally

The policy document is exactly that - a high-level statement of the organisation’s position on the chosen topic (the "why"), not to be confused with the procedural documentation which deals with "how" the policy is to be enacted. Procedures are sometimes necessarily much longer documents if they are describing complex processes which must be followed.

Ideally, the policy should be brief and to the point about the user’s responsibilities towards the information they collect, use, access or otherwise process, and to sign-post them to the other relevant policies and procedures for the areas in which they operate.

Page 19: A to Z of Information Security Management

Quality Management System Approach

If you already have a Quality Management System / ISO9001 certification, some of the elements you have implemented for your organisation can be used for your ISMS as well, namely:

– Setting the organisation goals and tracking whether they have been achieved - the same mechanism is laid down in both standards.
– Management review - the principles for management review are the same for both management systems.
– Document management - the procedures used for document management can be used for the same purpose in the ISMS with minor adjustments.
– Internal audit - the same procedures can be used for both QMS and ISMS, although you might use different people.
– Corrective and preventive actions - the procedures used for the QMS can be used for the same purpose in the ISMS.
– Human resources management - the same cycle of HR planning, training and evaluation is used for both management systems.

Therefore, if you have already implemented ISO 9001, you will have an easier job implementing ISO27001 - you could save up to 30% of the time. Further, you will have cheaper certification audits, since certification bodies offer so-called "integrated audits", which means they will do both ISO 9001 and ISO 27001 in the same audit, charging you a smaller fee compared to separate audits.

Page 20: A to Z of Information Security Management

Risk Assessment and Treatment

In order to comply with ISO27001 an organisation must define a risk assessment methodology for information security risks. It must identify criteria for accepting risks, identify the acceptable levels of risk and develop a Risk Treatment Plan.

Risk Assessment

Identify all assets of the organisation relating to information security and compile an Asset Register. Identify combinations of threats and vulnerabilities relating to each asset, and then identify the impacts that losses of confidentiality, integrity and availability may have on the asset using an Asset Risk Assessment Report. The impacts take into account the business, legal or contractual obligations that the company has. The assessment then looks at the likelihood of the security failure occurring, as a combination of the frequency and the likelihood of the threat. A combination of the impact and likelihood of the security failure provides a level of risk, normally in three categories:

– Low Risk: No immediate action required, although there may be improvements in processes/technology that reduce the impact of the security failure.
– Medium Risk: Must be included in the management review of the IMS, with actions identified if required and inclusion in the Risk Treatment Plan.
– High Risk: Must be included in the Risk Treatment Plan for positive actions to reduce the risk.

Risk Treatment

Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements such as social responsibility and the protection of the natural environment. Decisions should also take into account risks which can warrant risk treatment that is not justifiable on economic grounds, e.g. severe (high negative consequence) but rare (low likelihood) risks. (ISO 31000:2009)
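As an added worked example (not part of the original deck), the Python below models the assessment and treatment steps described above: an Asset Register with impact ratings per property, threat/vulnerability combinations, an impact x likelihood score mapped onto the three categories, and a Risk Treatment Plan that also captures the ISO 31000 point about severe-but-rare risks. The three-point scales, the scoring matrix, the rule that combines frequency with threat likelihood, and the acceptance threshold are assumptions; the deck gives only the three categories and what each requires.

```python
"""Worked ISO27001-style risk assessment: asset register -> risk level -> Risk Treatment Plan.

Added example, not from the original slide deck. The 3-point scales, the 3x3 score
matrix, the likelihood combination rule and the acceptance threshold are assumptions.
"""
from dataclasses import dataclass

SCALE = {"low": 1, "medium": 2, "high": 3}   # assumed 3-point scale for impact and likelihood
LOW, MEDIUM, HIGH = "Low", "Medium", "High"


@dataclass(frozen=True)
class Asset:
    """Asset Register entry. c/i/a rate the business, legal or contractual impact (1..3)
    if confidentiality, integrity or availability of this asset is lost."""
    name: str
    owner: str
    c: int
    i: int
    a: int


@dataclass(frozen=True)
class Risk:
    """One threat/vulnerability combination against an asset (a row of the
    Asset Risk Assessment Report)."""
    asset: Asset
    threat: str
    vulnerability: str
    loses: tuple            # properties the failure compromises, subset of ("C", "I", "A")
    threat_likelihood: str  # likelihood of the threat being realised: low/medium/high
    frequency: str          # how often the threat is observed: low/medium/high


def impact(risk: Risk) -> int:
    """Impact is the worst rating among the properties the failure would compromise."""
    ratings = {"C": risk.asset.c, "I": risk.asset.i, "A": risk.asset.a}
    return max(ratings[p] for p in risk.loses)


def likelihood(risk: Risk) -> int:
    """Assumed combination rule: the higher of threat likelihood and observed frequency."""
    return max(SCALE[risk.threat_likelihood], SCALE[risk.frequency])


def level(score: int) -> str:
    """Assumed matrix: impact x likelihood 1..2 Low, 3..4 Medium, 6..9 High."""
    if score >= 6:
        return HIGH
    return MEDIUM if score >= 3 else LOW


def assess(risk: Risk) -> dict:
    imp, lik = impact(risk), likelihood(risk)
    return {"asset": risk.asset.name, "threat": risk.threat,
            "vulnerability": risk.vulnerability, "impact": imp, "likelihood": lik,
            "score": imp * lik, "level": level(imp * lik),
            # ISO 31000 note: severe (impact 3) but rare (likelihood 1) risks may
            # warrant treatment even when the score alone would let them be accepted
            "severe_but_rare": imp == 3 and lik == 1}


def treatment_plan(risks, acceptance_threshold=3):
    """High: always in the plan. Medium: raised at management review, and in the plan
    if the score exceeds the agreed acceptance threshold or the risk is severe-but-rare.
    Low: accepted, no immediate action."""
    plan, review, accepted = [], [], []
    for entry in sorted(map(assess, risks), key=lambda e: -e["score"]):
        if entry["level"] == HIGH:
            plan.append(entry)
        elif entry["level"] == MEDIUM:
            review.append(entry)
            if entry["score"] > acceptance_threshold or entry["severe_but_rare"]:
                plan.append(entry)
        else:
            accepted.append(entry)
    return {"treatment_plan": plan, "management_review": review, "accepted": accepted}


# Constructed sample register (illustrative only, not a real organisation)
CRM = Asset("Customer CRM database", "Sales Director", c=3, i=3, a=2)
INTRANET = Asset("Staff intranet", "IT Manager", c=1, i=2, a=2)
SITE = Asset("Head office building", "Facilities Manager", c=2, i=1, a=3)

SAMPLE_RISKS = [
    Risk(CRM, "Data theft by departing employee", "Access rights not removed at termination",
         loses=("C",), threat_likelihood="medium", frequency="medium"),
    Risk(INTRANET, "Defacement via web vulnerability", "Unpatched CMS",
         loses=("I",), threat_likelihood="low", frequency="medium"),
    Risk(SITE, "Fire", "No off-site backup of paper records",
         loses=("A",), threat_likelihood="low", frequency="low"),
    Risk(INTRANET, "Accidental deletion", "No change control",
         loses=("A",), threat_likelihood="low", frequency="low"),
]

if __name__ == "__main__":
    for bucket, entries in treatment_plan(SAMPLE_RISKS).items():
        print(bucket)
        for e in entries:
            print(f"  [{e['level']:6}] score={e['score']} {e['asset']}: {e['threat']}")
```

With the sample register the fire risk scores only 3, which the threshold would accept, but the severe-but-rare rule still places it in the Risk Treatment Plan.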

Page 21: A to Z of Information Security Management

Standards

The ISO27000 family of Standards is broad in scope. As technology evolves, new standards are continually being developed to meet the requirements of information security. ISO 27001 is a specification. It sets out specific requirements, all of which must be followed, and against which an organisation's Information Security Management System (ISMS) can be audited and certified. All the other Standards in the ISO27000 family are Codes of Practice. They provide non-mandatory best practice guidelines which organisations may follow, in whole or in part.

A key feature of the standards is that they are applicable to any organisation, in any sector, of any size. Key concepts which govern the standards are:

– Organisations are encouraged to assess their own information security risks
– Organisations should implement appropriate information security controls according to their needs
– Guidance should be taken from the relevant standards
– Implement continuous feedback and use of the Plan, Do, Check, Act model
– Continually assess changes in threat and risk to information security issues.

Page 22: A to Z of Information Security Management

Testing

Effective Penetration Testing involves the simulation of a malicious attack against the security measures under test, often using a combination of methods and tools, and conducted by a certificated, ethical professional tester. The resulting findings provide a basis upon which security measures can be improved.

There are specific points in your Information Security Management System (ISMS) project where penetration testing has a significant contribution to make:

– As part of the risk assessment process: uncovering vulnerabilities in any internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats.

– As part of the Risk Treatment Plan, ensuring that controls that are implemented actually work as designed.

– As part of the ongoing corrective action/preventive action and continual improvement processes, ensuring that controls continue to work as required and that new and emerging threats and vulnerabilities are identified and dealt with.

Page 23: A to Z of Information Security Management

Understanding internal and external context

A key element of ISO27001 is the organisation’s context, both internal and external, with regard to information security. A deep understanding should be gained at the outset of an ISO27001 implementation and also reviewed at least annually or when any major changes occur, e.g. changes to regulations.

External context

– Any of the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local. (ISO27000)
– Key drivers and trends having an impact on the objectives of the organisation
– Relationships with, and perceptions and values of, external stakeholders

Internal context

– Organisation’s culture
– Governance, organisational structure, roles and responsibilities
– Policies and objectives, and the strategies in place to achieve them
– Capital in terms of resources and knowledge (e.g. money, time, processes, systems, people and technology)
– Informal and formal information systems, information flows and decision-making processes
– Adopted standards, guidelines, frameworks and models already in place
– Relationships with internal stakeholders

Page 24: A to Z of Information Security Management

Vulnerabilities

A non-exhaustive list of the kind of vulnerabilities you should think about as part of your risk assessments and risk treatments:

Page 25: A to Z of Information Security Management

Who should be in the ISMS Project Team?

Your ISMS Project Team should be drawn from senior managers from those parts of your organisation most likely to be impacted by the management system, and should also include some functional areas such as IT, facilities, procurement and HR, but absolutely should not be owned or driven by IT. Ideally you would also have an experienced project manager and a board-level sponsor who is actively engaged and who chairs project boards.

Page 26: A to Z of Information Security Management

XSS (Cross-Site Scripting) and other Cyber Attacks

According to the recently published Information Security Breaches Survey 2014, commissioned by the Department for Business, Innovation and Skills (BIS) and conducted by PWC, cyber attacks have continued to grow in frequency and intensity over the last year and the focus seems to have shifted back towards large organisations. The proportion of large organisations that were successfully hacked continues to rise - up to nearly a quarter of respondents this year. One in four large organisations reported penetration of their networks, up by 4% from a year ago.

More worryingly, most of the affected companies were penetrated not just once but once every few weeks during the year - nearly a tenth of those affected are being successfully penetrated every day. Small businesses experienced fewer outsider attacks, with 12% of them being penetrated (down from 15% last year). Different industries experience different levels of network penetration attacks. Telecommunication companies were the most affected; nearly a quarter of them reported penetration. Roughly one in six utility companies and banks were also affected.

The UK Government has provided some useful guidance for organisations to follow - Cyber security guidance for business.

Page 27: A to Z of Information Security Management

Yielding Better Results

Investing time and resources upfront with senior management and key stakeholders, and carrying out robust risk assessments within the right contexts, will pay dividends on a number of levels.

Implementing ISO 27001 requires careful thought, planning, and coordination to ensure a smooth control adoption. The decision of when and how to implement the standard may be influenced by a number of factors, including different business objectives, existing levels of IT maturity and compliance efforts, user acceptability and awareness, customer requirements or contractual obligations, and the ability of the organisation to adapt to change and adhere to internal processes.

The more prepared you and your people are to comprehend the need for implementation, accept that some processes will require change and have the commitment to make it happen, the better the results for your organisation.

Page 28: A to Z of Information Security Management

Zipping through ISO27001

I hope that this A to Z of Information Security hasn’t put you off! As you will have seen, there are significant benefits both from a business protection basis and that of bringing on new business. For smaller businesses, based in one building with fewer than 20 employees, the implementation process doesn’t need to be too arduous, can be completed within a few short months and doesn’t need to cost a fortune.

It is a requirement of UKAS accreditation that the certification body does not provide consultancy services which it then itself certifies. Oak Consult can work with you to implement an Information Security Management System that will be fit for accredited certification. As part of our service, we will help you select a certification body whose fees will be appropriate and who can respond appropriately to your need for certification.