ISO17799 and ISO27001 Newsletter - Issue 12

Welcome to the latest issue of the ISO 27001 / ISO 17799 newsletter, designed to provide news and updates regarding the ISO information security standards.

Included in this edition are the following topics:
1) Recruitment and Security Risks
2) BS25999 Published
3) User Acceptance Testing: The Basics
4) Information Security News
5) More Frequently Asked ISO17799/ISO27001 Questions
6) ISO 17799 Related Definitions

RECRUITMENT AND SECURITY RISKS
One obvious potential weak link in your information security profile are the new recruits to your organization. If you do not advise them about your information security requirements and critical information security procedures in a timely fashion, then they may collectively create a significant risk to your information assets.

ALL management and staff are responsible for Information Security, including those new to the organization. It is vital therefore that they are brought 'up to speed' as quickly as possible.

Issues to be considered when addressing this include the following:
- Confidential data may be lost, damaged or compromised by staff with insufficient training.
- Data may be lost in error or through negligence because staff do not fully understand the risks involved.
- Data may be lost because Information Security measures have been installed incorrectly and their alarms and messages are misinterpreted.
- Confidential information may be compromised if new staff are not made aware of the scope of the organisation's Information Security policies.

To overcome this potential exposure, we recommend that you document the critical security issues and procedures in an easy-to-understand booklet and provide formal induction training immediately upon the new recruit’s arrival. The recruits should also be obliged to sign a formal statement confirming that they have read, and understand, this document.

BS 25999 PUBLISHED
The long awaited standard for business continuity planning, which supports ISO17799 and ISO27001, has now been published. As with many international standards, BS 25999 will comprise two distinct parts: a code of practice (as ISO17799) and a specification (as ISO27001).

The first of these was published by BSI in December 2006. The specification will appear later in 2007.

The standard is designed to align with the BCM section within ISO 17799. It covers topics as diverse as strategy and plan maintenance, and even how to embed business continuity management into the organizational culture.

BS 25999 will have a significant impact upon the whole business continuity and disaster recovery landscape. As the first credible standard developed to provide clear and objective metrics, it is not hard to see why predictions regarding positive insurance implications, and market leverage, as so common.

USER ACCEPTANCE TESTING (UAT)
User acceptance testing (UAT) is a critical phase of any systems project and requires significant participation by the 'End Users'. To be of real benefit, an Acceptance Test Plan (ATP) should be developed in order to plan precisely, and in detail, the means by which 'Acceptance' will be achieved. The final part of the UAT can also include a parallel run to prove the system against the current system.

The user acceptance test plan will vary from system to system but in general the testing should be planned in order to provide a realistic exposure of the system to all reasonably expected events/threats. The testing can be based upon the User Requirements Specification to which the system should conform.

As in any system though, problems will arise, and it is important to have determined what should be the expected and required responses from the various parties concerned; including Users; Project Team; Vendors and possibly Consultants / Contractors.

In order to agree what such responses should be, the end users and the project team need to develop and agree a range of 'severity levels'. These levels will range from (say) 1 to 5 and will represent the relative severity, in terms of business / commercial impact, of a problem with the system, found during testing. Here is an example which has been used successfully - '1' is the least severe; and '5' has the most impact :-
1. Cosmetic; [e.g. print colors; fonts; etc.]
2. Minor; [Both testing and live operations may progress. This problem should be corrected, but little or no changes to business processes are envisaged.]
3. Major Problem; [Testing can continue but live this feature will cause severe disruption to business processes]
4. Critical Problem; [Testing can continue but the change cannot go into live operation]
5. Show Stopper; [It is impossible to continue with the testing because of the severity of this error / bug.]

The users of the system, in consultation with the executive sponsor of the project, must then agree upon the responsibilities and required actions for each severity of problem.

Even where the severity levels and the responses to each have been agreed by all parties; the allocation of a problem into its appropriate severity level can be a subjective matter. To avoid the risk of protracted exchanges over the categorization of problems therefore; we strongly advised that a range of examples are agreed in advance to ensure that there are no fundamental areas of disagreement; or, if there are, that these will be known in advance and your organization is forewarned.

INFORMATION SECURITY NEWS
1) A number of Google related vulnerabilities have recently been highlighted, largely focused around Google's cookies. These have exposed user documents, Gmail emails and search histories. All those so far identified have now been fixed, but this development does illustrate the increasing risks which are likely to occur as Google integrates more and more functionality into its product portfolio.

2) McAfee report that the nature of spam is again changing. Whereas text based spam used to be the norm, image spam is becoming increasingly common. According to their figures this now accounts for around 65% of all spam. Image spam uses images rather than text chracters to deliver the usual nonsense. This of course poses different challenges to the anti-virus agencies, but they are adapting quickly.

On a related note, the overall volume of spam continues to increase, with Postini reporting that it now comprises 94% of all email.

3) Two traffic engineers in Los Angeles, California, have been charged with hacking a computer system to: disable traffic lights! It is alleged that this was motivated by an ongoing labor dispute.

4) OpenDNS report that the top five most targetted phishing firms are: PayPal, Barclays, eBay, Fifth Third Bank and Bank of America. Unfortunately, phishing is yet another area of rapid increase in terms of volume, and increased sophistication of attack techniques.

5) The importance of protecting your online identity has been highlighted again by McAfee. They report that online identity theft has increased by 250% since January 2004. The cost of the to the United States economy alone is believe to be around $40 billion per year.

MORE FREQUENTLY ASKED ISO 17799 / 27001 QUESTIONS
1) What Is ISO 27000 All About?
This is ISO's projected series of information security related standards. ISO 27001 already exists, and it is proposed that ISO 17799 may be renamed to ISO 27002 later this year.

2) Where Does COBIT Fit Into The Equation?
Issue 11 of this newsletter explained the mapping between ISO17799 and COBIT in detail.

3) Has BS7799 Now Been Replaced?
BS7799-1 evolved into ISO17799. with BS7799-2 evolving into ISO27001. However, BS7799-3 was published late last year. This offers guidelines for information security risk management (ISRM), and it is expected that it too will evolve to become an ISO standard.

4) What is IRCA?
IRCA is the 'International Register of Certified Auditors', which offers professional recognition of auditing 'competence'. It is basically the body which certifies auditors to audit against the ISO security standards.

ISO 17799 / ISO 27001 Related Definitions
In each newsletter we include a selection of definitions to explain some of the jargon used by Information Security professionals. In this edition, we have provided a selection of terms that start with the letter ‘H’. Handshake
An electronic exchange of signals between items of equipment (fax machines, computers, etc.,) to establish that each has the necessary protocols installed to allow communication between them. An extension of the normal confirmation routine (handshake) is the 'Challenge Handshake' that is a demand for proof of identity and authorization.

Hose and Close
An off-putting practice of some Support/Help Desk staff. In response to a question from a distressed user, Support responds with a deluge of technobabble which the user doesn't understand, issues a series of abstruse command instructions, which the user cannot follow, and then hangs up before the user can come back with a request for a simple explanation.

Housekeeping
Routine care of a computer system to ensure that it is kept running in the most efficient manner. Housekeeping will normally include: routines to delete items such as temporary files, remove duplicates of files, check the integrity of the disk records, and generally tidy up the filing system.

Hot Desking
A relatively new approach to working whereby staff do not have their own dedicated facilities, but share them with others. Two scenarios are common :- 1. Call centers and similar functions which run 24 x 7 on shifts. As one staff member logs off and leaves, another takes over, logging on with a new ID and password. 2. 'Field' staff such as sales representatives check in to base to complete paperwork, upload/download files, etc.. Such staff will use any desk/computer that happens to be free. In either case password control systems and audit trails are essential to monitor which user is doing what.

Hardware Inventory
Master Hardware Inventory: A detailed list of all hardware owned by the organization, showing, amongst other things:- type, make, model, cost, location, and asset reference number. Unit Hardware Inventory: A detailed list of hardware in order of user (individual or department). This sheet may be used for Audit checks to confirm that any given user still has the equipment detailed and no unauthorized additions, removals, or modifications have taken place.