ISO27000 Newsletter - Issue 14
Welcome to the latest issue of the ISO 27000 newsletter, designed to provide news and updates regarding the ISO information security standards.
Included in this edition are the following topics:
1) The Benefits of Adopting ISO 27001 and ISO 27002
2) Covering the Risks from Teleworking
3) Deciding how much Risk is Acceptable
4) More ISO 27001 / 27002 Frequently Asked Questions
5) Information Security News
6) ISO 27000 And BS 25999
7) ISO 27002 Related Definitions and Terms
The Benefits of Adopting ISO 27001/2
There are of course a wide range of benefits and advantages in taking on the standards. These will vary from organization to organization. The following is an extracted starter list of some of the most common advantages reported:
Improved Information Security
Adopting the standards undoubtedly drives the process to improve security, and reduce risk.
Management and others can be more assured of the quality of a system or other entity if a recognized framework is followed.
Compliance with (or certification for) an international standard can be used to demonstrate due diligence.
The standard is often used as a measure of status within a peer community. Compliance with it can provide a benchmark for both the current position and future progress.
Adherence to the standard is often used as a beneficial differentiator in the commercial marketplace.
Systems from diverse sources are more likely to work correctly together if they follow a common guideline or structure.
Implementation of the standards normally results in greater security awareness within the organization.
Because the implementation of ISO 27001 requires the involvement of both business and technical management, greater Information Technology and Business alignment often results.
Where to start?
The obvious starting point is to obtain the standards themselves, or the toolkit. From there, review the contents of these and research externally (with respect to the standard), and internally (with respect to scoping).
With the requisite knowledge you should then be positioned to set out your objectives, define the scope, and create a project plan. The adventure thus begins...
Covering the Risks from Teleworking
In the aftermath of several recent cases of security breach using teleworking exposures, it is worth reflecting that ISO 27002 provides related guidance/support (see Section 11.7.2).
Teleworking is the use of communications technology to enable remote working from an external location. These activities can represent a high risk area unless adequately protected with applicable controls and follow-up. Before allowing these activities, therefore, organizations should ensure that suitable policies and procedures have been implemented covering the information security aspects of teleworking operations.
In particular the following factors should be taken into consideration:
• Physical security of teleworking site/location
• Suitability of teleworking environment
• Protection of intellectual property rights (IPR)
• Security of communications
• Threat of unauthorized access to information and resources
• Protection of wireless systems
• Compliance with software licensing requirements
• Suitability of anti-virus and firewall arrangements
The bottom line is that teleworking should only be authorized where appropriate security arrangements and controls are demonstrably in place. These safeguards and controls should fully protect against equipment and information theft; unauthorized access to confidential data; and unauthorized remote access to the organization's internal systems and networks.
Deciding how much Risk is Acceptable
A key part of formulating and establishing information security policies for your organization is in deciding how much risk is acceptable and how to minimize unacceptable risk. This process initially involves undertaking a formal risk assessment which is a critical part of any ISMS.
Fortunately, the ISO 27000 standards provide some guidance on how this risk assessment process is to be undertaken. This guidance is summarized and annotated below:
• Use a systematic approach to estimate the magnitude of risks (risk analysis)
• Compare estimated risks against risk criteria to measure the significance of the risk (risk evaluation)
• Define the scope of the risk assessment process to improve effectiveness (risk assessment)
• Undertake risk assessments periodically to address changes in assets, risk profiles, threats, safeguards, vulnerabilities and risk appetite (risk management)
• Risk measurement should be undertaken in a methodical manner to produce verifiable results (risk measurement)
The risks identified through this process will then need to be “treated”. This will involve looking at existing controls and potential new control upgrades that will be employed to reduce the frequency of incidents and/or reduce the impact from such incidents. It will also be necessary to assess the effectiveness of these safeguards.
From this process the identification of residual risk will result. That is the remaining risk after the risks and vulnerabilities have been "treated". These residual risks must be reviewed to ensure that the results are both accurate and realistic and also that they represent an acceptable level of risk for the organization. Realistically, this must be done by the Board in close co-operation with the executive management team. If the residual risk levels are considered to be unacceptably high then further treatment will be necessary, involving additional investment in appropriate safeguards and controls.
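The assessment steps above (estimate magnitude, compare against risk criteria, treat, review residual risk) can be modelled as a small risk register. The following is an added example written for this newsletter, not text from the standard; the 1-5 likelihood/impact scales, the acceptance threshold and the two sample risks are constructed for illustration.

```python
from dataclasses import dataclass, field

# Risk criteria (constructed for this example): a residual score at or above
# this threshold exceeds the organization's risk appetite and needs more treatment.
ACCEPTABLE_RISK_THRESHOLD = 8


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # points removed from likelihood (1-5 scale)
    impact_reduction: int = 0      # points removed from impact (1-5 scale)


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk analysis: systematic estimate of magnitude before treatment."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk remaining after the selected controls; never below 1 x 1."""
        lk = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        im = self.impact - sum(c.impact_reduction for c in self.controls)
        return max(1, lk) * max(1, im)


def evaluate(risk: Risk, threshold: int = ACCEPTABLE_RISK_THRESHOLD) -> str:
    """Risk evaluation: compare the residual estimate against the risk criteria."""
    return "accept" if risk.residual_score() < threshold else "treat further"


def risk_register_review(risks, threshold=ACCEPTABLE_RISK_THRESHOLD):
    """Residual-risk review for management sign-off: one row per risk."""
    return [(r.asset, r.threat, r.inherent_score(), r.residual_score(),
             evaluate(r, threshold)) for r in risks]


# Constructed sample register: a teleworking laptop and a customer database.
SAMPLE_RISKS = [
    Risk("teleworker laptop", "theft of device holding confidential data", 4, 4,
         [Control("full-disk encryption", impact_reduction=3),
          Control("cable lock and clean desk", likelihood_reduction=1)]),
    Risk("customer database", "SQL injection via web front end", 4, 5,
         [Control("parameterised queries", likelihood_reduction=2)]),
]
```

Running `risk_register_review(SAMPLE_RISKS)` shows the laptop risk dropping from 16 to 3 (accepted), while the database risk only falls from 20 to 10 and is flagged for further treatment.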
Future editions of this newsletter will consider risk in much more detail, and will outline future likely developments with respect to international standardization in this field.
More ISO 27001 / 27002 Frequently Asked Questions
1) How does the ISO 27001 certification process work?
The process is much the same as for other ISO standards, such as ISO 9001. The clearest representation of this we have seen on the internet is in the ISO 27001 section of 27000.org.
2) Is there actually a specific ISO 27000 standard?
No. Although one is proposed, ISO 27000 is currently just the generic name covering the standards within the series.
3) Are all the controls in ISO 27002 mandatory?
No. The concept is that they should be selected based upon risk assessment and the guidelines offered in ISO 27001.
4) Does BS 7799 still exist?
BS 7799 was the original standard upon which ISO 17799 (now ISO 27002) was based. When the latter was published a different BS 7799 standard was developed, known as BS 7799-2. This eventually evolved to become ISO 27001. Last year a third 7799 standard was produced: BS 7799-3. This is a standard covering risk analysis: "Guidelines for information security risk management". This too may eventually evolve into an ISO standard.
Information Security News
1) This year's annual survey by the Computer Security Institute (gocsi.com) shows that the average annual loss for a US-based business is now $350,424. This is more than double last year's figure. It also showed that for the first time financial fraud losses were greater than losses caused by virus attacks.
2) The US DOJ has announced that a 23 year old man has pleaded guilty to stealing credit card, bank account and Social Security numbers via spam and phishing emails sent to AOL users. Working with other unidentified individuals, between 2002 and 2006 he used malicious software to collect AOL account names from chat rooms. He then sent electronic greeting cards purporting to be from Hallmark, which when opened downloaded a Trojan preventing account access unless personal information was entered.
3) The Chinese People's Liberation Army has been accused of attacking both US and UK government computer systems. The Financial Times (London) reports that US government figures believe the Chinese military was behind a major Pentagon military computer network hack in June, which resulted in more than 1,500 computers going offline. The Guardian newspaper reports that the Foreign Office and other UK government departments also came under attack by Chinese hackers.
4) 20% of image spam emails captured last month contained a scam PDF document, according to research by messaging security vendor MessageLabs (messagelabs.com). A number of messaging security vendors are also reporting that Excel attachments are increasingly being used for spam.
In another report, Sophos (sophos.com) reveals that 80% of newly infected web pages are on legitimate websites which have been compromised by malware.
5) The UN's website was hacked last month and defaced with anti-American slogans. A page intended to display statements from the UN Secretary General was attacked using an SQL injection, which is a common method for this type of hack. Having restored the page, the UN are investigating, and have stated that they will be implementing a number of changes to prevent a repetition.
ISO 27000 And BS 25999
Business continuity management (BCM) is a core aspect of information security, and thus, appropriately, has an entire section of ISO 27002 dedicated to it (see Section 14). This documents potential controls to identify and reduce risks, and "limit the consequences of damaging incidents, and ensure that information required for business processes is readily available". It is one of the most important sections of the standard from a business perspective.
However, the overall scope of business continuity management exceeds this remit. It embraces the role of anybody who has responsibility for delivery of any operation (IT or non-IT), and thus the continuity of that operation.
For this reason BSI have published a specific standard for Business Continuity Management (BCM), known as BS 25999. This establishes the processes, principles and terminology for BCM, and provides a defined system based upon BCM good practice. It is intended for use at all levels of the organization, and for organizations of all shapes and sizes.
BS 25999 defines a lifecycle approach, documenting the following elements: Business continuity programme management; Strategy Determination; Understanding the organization; Developing a business continuity response; Exercise, maintenance and review; Embedding into the organizational culture. In due course a certification scheme for the standard will be introduced.
The standard of course was developed with ISO 27001/2 in mind, and thus complements these, with appropriate cross references. It is likely to emerge as one of the most important standards in the information security arena.
ISO 27002 Related Definitions and Terms
Vendor Support
Vendor support can be a major source of information security risk. Although a system may meet functional requirements, if the vendor does not have adequate support arrangements serious consequences may result in certain scenarios. Vendors will always play down this aspect, for they wish to make the sale. However, your system and information may be at risk if you are unable to obtain adequate support within a reasonable time frame.
Virtual Private Network (VPN)
A Virtual Private Network is a network which emulates a private network, although running over public network lines and infrastructure. Using specialist hardware/software, a VPN may also be established running over the Internet. The use of encryption and a ‘tunneling protocol’ maintains privacy.
Virus
A virus is a form of malicious code and as such it is potentially disruptive. It may also be transferred unknowingly from one computer to another. The term virus includes all sorts of variations on a theme, including the nastier variants of macro-viruses, Trojans, and worms, but, for convenience, all such programs are classed simply as 'viruses'. Viruses are a very real problem for both organizations and individual computer users and are normally dealt with through the installation of firewalls and virus checkers.
Visitor
An individual who is not a regular user of the system and has no registered or recognized identifier or password.
Visitor Password
A visitor password is a generic password, with extremely limited access rights, to be used by visitors. Use of such passwords should be rigorously controlled.
Volume Testing
Volume testing, as its name implies, is testing that purposely subjects a system (both hardware and software) to a series of tests where the volume of data being processed is the subject of the test. Such systems can be transaction processing systems capturing real-time sales, or could be database updates and/or data retrieval. Volume testing will seek to verify the physical and logical limits to a system's capacity and establish whether such limits are acceptable to meet the projected capacity of the organization's business processing.