ISO 27001 / 27002 Newsletter - Latest Edition

Welcome to the latest issue of the ISO 27001 / 27002 newsletter, intended to provide news and updates regarding the information security standards.

Included in this issue are the following topics:
1) Security Risk Management
2) ISMS Based Document Controls via ISO/IEC 27001
3) Trials and tribulations of a Part-time Information Security Officer
4) Information Security News
5) Information Security Within Your Business Continuity Process
6) ISO 27001 / 2: Common Mistakes Part 3
7) ISO 27000 Related Definitions and Terms
8) Protecting Against Malicious Code Attacks

Security Risk Management

The management of risk is core to the implementation of ISO 27001. It is a theme covered throughout the standard. But what is security risk management? What is risk assessment?

A classical definition of Risk Assessment is one which describes it as a process to ensure that the security controls for a system are fully commensurate with its risks. This 'process', however, can be complex in itself. Most methods though employ the following interrelated elements:

These are things that can go wrong or that can 'attack' the system or business. Examples might include fraud or fire. Threats are ever present for every business and information system.

These make a system more prone to attack by a threat, or make an attack more likely to have some 'success’ or undesired impact. For example, for fire a vulnerability would be the presence of highly flammable materials (e.g. paper).

These are the countermeasures for vulnerabilities. There are basically four types:

Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact
Corrective controls reduce the effect of an attack
Detective controls discover attacks and trigger preventative or corrective controls.
Deterrent controls reduce the likelihood of a deliberate attack

It is common for all these to be weighed against each other to produce a set of metrics, which enable business decisions regarding security to be more easily taken. Hence references to 'risk level', 'risk score' and so on.

Once risk has been measured, it has to be managed (risk management). This can involve, for example, treatment, mitigation or transfer of the residue risks.

Adopting a comprehensive and formal risk management approach requires a sound understanding of the principles of risk. Fortunately, as with the standards themselves, a kit has emerged to educate and to assist with all stages of the exercise. This is documented on its own site:

ISMS Based Document Controls via ISO/IEC 27001

ISO 27001 requires that documents associated with the design and implementation of the Information Security Management System (ISMS) are carefully controlled and protected. In order to achieve full compliance with this section (4.3.2) it is necessary to define and implement suitable procedures to cover this activity.

These procedures should be practical and effective. Included should be controls and requirements embracing the following aspects:
- approval of documents to ensure adequacy prior to issue;
- update and review of critical documents and re-approval;
- change management controls and revision status identification;
- correct versions of applicable documents are available to users;
- legibility of information and readily identifiable ownership;
- availability of documents for those who are authorized;
- transfer and storage;
- document disposal controls in accordance with their classification;
- documents of external origin are separately identified;
- control of document distribution;
- protection and destruction of obsolete documents; and
- identification of documents as obsolete if they are retained

Implementation of a well designed and controlled ISMS will result in fewer information security related incidents, lower organizational risks, enhance reputation and significantly lower financial risks.

These are fundamental issues, not just theory. Now is a good time to review your compliance in this area!

Trials and tribulations of a Part-time Information Security Officer

For those of you who have been reading in these newsletters the problems I have been having with my various information security projects at Whithertech, I can give you a quick update.

After much cajoling of my colleagues and other project team members we eventually completed the information classification exercise. It is one of those jobs that takes quite a while to set up retrospectively, but once you get the hang of it is not too much trouble to keep running. If you are interested in obtaining more information about how I got started on this classification project please read Issue 18 of this Newsletter.

Whithertech hit a new problem during the last week after our systems went down and the live data became corrupted. This cost us nearly 24 hours in lost production time and the bosses have been complaining bitterly. Utilizing some of the usual fire fighting practices that Whithertech seems to be well known for, the techies solved the problem, but after problem resolution it became clear that we did not have any workable procedures for protecting the live environment when emergency amendments needed to be made. In fact the programmers did not even hesitate to amend the live programs directly in the live environment. The problem therefore appeared to be solved in about 2 hours but then the untested emergency coding amendments created additional problems that took another 20 hours to resolve! A bit of a security nightmare really.

My manager called me in yesterday and said that he had been instructed by the Board to improve the security procedures in this area and as the part-time Information Security Officer it was (again) my job to put it right. He said he would fully support me throughout the project but then also said he wanted it sorted by the time he got back from holiday on Friday week. Usual hands-on support then, I thought!

My first task, as always, was to consult my trusty Information Security Officer’s Manual. This wealth of advice and guidance could usually be relied upon to provide assistance when I did not know how to implement information security related solutions. The manual stated that it was normally forbidden for amendments to be made to live data. This is to ensure that the integrity of the data is preserved and that live data files are not accessed by individuals with malicious intent, or who may corrupt live files accidentally. For these reasons, access to the live data files is normally prevented through the application of stringent access control and procedural mechanisms.

Software development and maintenance activities should never take place using live data. The developers and maintenance engineers should always work strictly within a development environment, and a controlled testing program must be applied before software amendments are incorporated into the live operational environment.

Any emergency data amendments must only be carried out within the parameters of agreed procedures, and the manual stated that it is normally the responsibility of the Information Security Officer to ensure that such procedures are strictly complied with. The manual further stated that the emergency data amendments should only be permitted where:
- Organizational standards and procedures exist for amending live data
- Such amendments are dealt with under emergency procedures
- Controls are placed over related audit trails
- Management's prior approval is obtained wherever possible
- Dual controls are applied to the changes
- Prints of affected data are taken both before and after the changes
- Files are adequately backed up prior to starting work
- Persons carrying out the amendment are specifically authorized to undertake such tasks

An important aspect in the control of emergency data amendments is apparently the recording of the actual amendment process and the completion of suitable documentation to evidence that the procedures have been complied with. Fortunately the manual also contained templates for these forms and also advice on how to fill them in. It looks on the face of it to be fairly easy to get this project up and running, and I also seem to have a fighting chance of getting it sorted before my boss returned from a hard week lying on a beach somewhere. I will keep you posted.

Information Security News

1. 60% of Businesses Hit by CyberCrime
A recent US Department of Justice ( survey (NCSS) suggests that almost 60 percent of American businesses have suffered one or more cyberattacks. Almost 75 % of those stated that insiders were responsible for the crimes. 11 percent of the respondents reported actual losses.

2. 16,000 Infected Web Pages Discovered Daily
Sophos ( have revealed that “Over 16,000 new infected web pages are discovered every single day. That's one every five seconds -- three times faster than the rate during 2007.”

3. Less Phishing Success reported
Recent research by the Association of Payment Clearing Services (APACS) [] indicates that those who took no action on phishing emails rose from 75 percent in 2006 to 82 percent last year. The flip side of this apparent increase is that the same research indicates that one in three people have no anti-spyware software installed.

4. Personal Information Loss
Further investigation has revealed that a missing Bank of New York Mellon backup tape contained the social security numbers, addresses and birth dates, of far more people than originally estimated. The figure is now thought to be 12 million, rather than the 4.5 million initially reported. Meanwhile the personal information of thousands of criminals in England and Wales, held on a USM drive, have been lost by private firm PA Consulting.

5. Facebook and MySpace Attacked
Increased sophistication and processing functionality has resulted in a worm outbreak on both Facebook and Myspace. This has now been resolved, with both sites now working to prevent future attacks.

6. And Finally...
According to research by Credant Technologies, Over 55,000 mobile phones have been left in London taxis in the last six months. It also found that over six thousand other devices (eg; laptops) have been left. It would therefore appear that a taxi ride is high risk activity for potential data loss!

Information Security Within Your Business Continuity Process

ISO 27002 includes some useful advice and guidance on how to include information security controls within your business continuity process. Business continuity management is covered in more detail within the BS 25999 standard, but ISO 27002 nevertheless includes additional structural approaches that will certainly strengthen your overall business continuity management process.

Section 14.1.1 states that “A managed process should be developed and maintained for business continuity throughout the organization that addresses the information security requirements needed for the organization’s business continuity”.

This requirement, in essence, means that information security processes must form an integral part of the overall BCM process. The security standard goes on to provide further information on how to incorporate key areas of your information security management system. These are summarized as follows:
- identifying and analyzing the risks following a serious incident including probability and impact on critical business processes;
- understanding the impact of information security incidents in terms of interruptions to the business;
- considering risk mitigation options including insurance and risk transference;
- identifying other preventive and mitigating safeguards;
- ensuring availability of resources to address the identified information security shortfalls;
- ensuring the safety of personnel and the protection of facilities, assets and processes;
- inclusion within business continuity plans of information security requirements
- implanting regular testing and updating of the plans and processes;
- ensuring that responsibility for business continuity is incorporated in the organization’s processes and management structure;

The vulnerabilities of the organization to serious business process interruptions caused by information security shortfalls must be identified and addressed. Reviewing these vulnerabilities from an information security perspective should ensure that your business continuity plans are comprehensive and meet overall information security strategic objectives.

ISO 27001 / ISO 27002: Common Mistakes Part 3
David Watson was one of the first exponents of the standards, and is one of the most well known industry figures. In the third of this series of articles for the ISO 27000 Newsletter he outlines some of the most common errors and mistakes he has encountered over the years:

Physical & Environmental Security
- Supposedly secure buildings can easily have their physical security breached by a variety of means (e.g. social engineering, piggybacking, fire doors left open etc.);
- Power supplies are often unprotected against unauthorized access.
- Critical equipment is not always protected by UPS;
- Generators and UPS are often not regularly tested, or the test results are not available;
- Equipment maintenance is not always carried out in accordance with manufacturers instructions – possibly invalidating the manufacturers warranty;
- Off premises security of equipment is often overlooked by the organization;
- Secure disposal / removal of equipment is often not recorded or carried out securely, potentially leading to unauthorized disclosure of information;
- Clear desk / screen processes are often not carried out, especially in the IT Department. Usually, but not always, IT forces other users to have clear screens, but often there is no clear desk process in place and no lockable cabinets to store securely anything needed to be locked away due to its classification. This can be exacerbated if there is no information classification process in place and used across the organization or if there are no handling procedures based on the information classifications.

Asset Classification and Control
- There is often little or no concept of data or information ownership, or of asset classification;
- There is often little control over movement of equipment;
- Security (if implemented) is not based on this process (or associated risk management processes);
- There is sometimes little, if any, personal accountability by anyone, especially owners (whether they are aware of their role or not);
- Owners rarely review their information from a security viewpoint;
- Information (of any sort) is rarely classified consistently and handled according to the requirements of that classification

ISO 27000 Related Definitions and Terms

In this edition of the ISO 27000 Newsletter we look at further definitions and terms related to ISO 27001 and ISO 27002 that commence with the letter “I”.

Identity Hacking
Posting on the Internet or Bulletin Board(s) anonymously, pseudonymously, or giving a completely false name/address/telephone with intent to deceive. This is a controversial activity, generating much discussion amongst those who maintain the net sites. There are two cases in which problems can be caused for organizations:-
- a member of staff engages in such practices and is 'found out' by net users, thereby associating the organization name with the activity.
- a posting by an unrelated third party, pretending to be the organization, or a representative.
In either case, if such posts are abusive, or otherwise intended to stir up an argument, a possible result is a Flame Attack, or Mail Bombing.

Impact Analysis As part of an Information Security Risk Assessment, you should identify the threats to your Business Assets and the impact such threats could have, if the threat resulted in a genuine incident. Such analysis should quantify the value of the Business Assets being protected to help determine the appropriate level of safeguards.

Information Asset
An Information Asset is a definable piece of information, stored in any manner which is recognized as 'valuable' to the organization. The information which comprises an Information Asset, may be little more than a prospect name and address file; or it may be the plans for the release of the latest in a range of products to compete in the market. Irrespective of the nature of the information assets themselves, they all have one or more of the following characteristics:-
- They are recognized to be of value to the organization.
- They are not easily replaceable without cost, skill, time, resources or a combination.
- They form a part of the organization's corporate identity, without which, the organization may be threatened.
- Their Data Classification would normally be Proprietary, Highly Confidential or even Top Secret.
It is the purpose of Information Security to identify the threats against, the risks and the associated potential damage to, and the safeguarding of Information Assets.

Information Owner
The person who creates, or initiates the creation or storage of the information, is the initial owner. In an organization, possibly with divisions, departments and sections, the owner becomes the unit itself with the person responsible, being the designated 'head' of that unit. The Information owner is responsible for ensuring that :-
- A classification hierarchy is agreed and that this is appropriate for the types of information processed for that business / unit.
- All information is assigned into the agreed types and an inventory (listing) of each type is created.
- Ensuring that, for each classification type, the appropriate level of information security safeguards are available e.g. the logon controls and access permissions applied by the Information Custodian provide the required levels of confidentiality.
- Periodically, that checks are performed to ensure that information continues to be classified appropriately and that the safeguards remain valid and operative.

Information Security Incident
An Information Security incident is an event which appears to be a breach of the organization's Information Security safeguards. It is important to respond calmly and to follow a logical procedure, first to prevent the breach from continuing, if possible, and second, to inform the appropriate person(s) within the organization; this usually includes the appointed Security Officer. Where a member of staff fails to observe Information Security procedures; this is not, of itself, an Information Security incident. However, depending on the severity of the incident, disciplinary and/or improved procedures may be required.

Information Security Policy
Information Security Policy is an organizational document usually ratified by senior management and distributed throughout an organization to anyone with access rights to the organization's IT systems or information resources. The Information Security Policy aims to reduce the risk of, and minimize the effect (or cost) of, security incidents. It establishes the ground rules under which the organization should operate its information systems. The formation of the Information Security Policy will be driven by many factors, a key one of which is risk. How much risk is the organization willing and able to accept? The individual Information Security Policies should each be observed by personnel and contractors alike. Some policies will be observed only by persons with a specific job function, e.g. the System Administrator; other Policies are to be complied with by all members of staff. Compliance with the organization's Information Security Policy should be a incorporated with both the Terms and Conditions of Employment and also an employee’s Job Description.

Protecting Against Malicious Code Attacks

Malicious code attacks are intended to destroy the integrity of software and information. They constitute one of the highest risks in today’s business environment, and despite receiving ongoing attention within many organizations the risks are considered to be increasing rather than decreasing.

These attacks are normally categorized into two location based risk areas: external attacks that emanate from outside the organization, and internal attacks, originated from within the organization itself. Most of the emphasis for safeguards is currently directed against the external attacks through firewalls and virus checkers, for example. However, of increasing concern is the likelihood of attacks from internal sources.

ISO 27002 section 10.4.1 provides useful guidance for establishing controls and safeguards that can help to protect against malicious code attacks. This advice and guidance can be summarized as follows:
- implement controls preventing use of unauthorized software;
- implement policy to protect against risks of installing software or files from external sources;
- regularly check for existence of unapproved files or unauthorized amendments;
- install suitable malicious code detection and repair software;
- implement security procedures to deal with malicious code attacks;
- develop suitable business continuity plans for recovering from malicious code attacks;
- instigate procedures to regularly collect information about new malicious code;
- develop controls to verify information relating to malicious code.

Critical business processes are often extremely vulnerable to malicious code attacks. Disgruntled employees create a particularly difficult threat to counteract if access controls and information security controls are not up to the mark.

This is yet another area which should be regularly reviewed: how do YOU measure up?