Monthly Archives: September 2013

Changes to ISO/IEC 27001 Controls – Key Findings

iStock_000018385055SmallThe revised Information Security standard will be available tomorrow.

We will be publishing our Control Mapping document to help understand the changes to the standard from the 2005 version.

So check back here or go to our website www.advent-im.co.uk tomorrow…

Until then our key findings on the changes based upon the most recent draft are below.

  • PDCA as a main driver is now gone with greater importance being placed setting objectives and monitoring performance.
  • More importance placed on interested parties and their role within the organisations ISMS.
  • Document control, internal audit and CAPA requirements as we would recognise them have gone, at least in their requirement to be documented procedures although the requirement for them as an output still remains i.e. you don’t need written procedures but you still need records maintained of what you have done with regard to them.
  •  Documents and records are now as one (which makes sense as you always essentially treated them in the same way anyway).
  • The number of sections is increased from 11 to 14 however the number of controls has been reduced from 133 to 114.
  • CAPA – There are no preventative actions anymore replaced by ‘actions to address risks’ these are merged into the RA and RT areas.  There is also a distinction between corrections that are carried out in direct response to a non-conformity against corrective actions that are implemented to eliminate the cause of a non-conformity.
  • Risk assessment – The identification of assets, threats and vulnerabilities is no longer a prerequisite for the identification of information security risks. It is only required for the identification of C-I-A.   Not sure how this will and I assume that the current methodology will continue for some time.

For those who have already certified or are going through the process with ISO/IEC 27001:2005, we are currently investigating the official position but it would seem logical to continue with this version until further official notification otherwise as currently we understand there is no formal certification process for the new standard.

Don’t forget to come back to get the link to our full mapping document.

Advertisements

Hacking Pacemakers, Traffic Systems and Drones – Cyber and Physical Worlds Collide

The Telegraph today ran a piece on a subject close to our hearts here at Advent IM, namely the cyber threat to our physical world. You can read it here

Regular readers will know we have expressed concern before that language can create barriers or false realities that can leave vulnerabilities and the prevalence of the use of the word ‘cyber’ is a good example of this. Cyber to most people conjures up the ethereal world of the hacker – that strange and dangerous electronic hinterland that few really grasp. Of course, this is dangerously inaccurate as many systems that control our physical world are networked and can therefore be hacked.

The late Barnaby Jack showed the world how he could hack into an insulin delivery system in a patient to effectively overdose that patient, he also managed to hack into an ATM system which then dispensed cash like a waterfall. The two worlds are converging quicker than our security awareness is growing.

Bringing the threat to our critical national infrastructure to the attention of the public at large is in one way unnerving but also very necessary.

Please have a look at our presentation on the topic, you will need sound…

Advent IM, Cyber Threat to Built Estate

Presentation with voice over from Mike Gillespie

SME Information Risk: 48% suffered reputational damage already from lost data

Originally published in Outsource Magazine August 2012

According to a recent survey by Iron Mountain and PricewaterhouseCoopers LLP (PWC), in Europe, mid-sized businesses are placing themselves at unnecessary Information Security risk.  The average index score for Information Risk maturity in this group was only 40.6 (a score out of 100), which sharply highlights the gap between what business is currently doing and what it is supposed to be doing.

Are businesses listening to the warnings about Insider Threat?

Are we listening yet?

Shockingly, 64% of the mid-sized businesses surveyed had no information risk strategy in place, which was effectively monitored.  Given that almost half of the businesses surveyed said they had already suffered reputational damage as a result of lost or misplaced data, this lack of information security appears cavalier at best. It could be your personal data or your organisations data being handled, managed or stored by these businesses.

According the Norwich Union Business Continuity survey (of which information security and reputational damage would be important elements) only 8% of businesses without a plan, which had suffered a serious incident, survived 5+ years, 40% never re-open after a serious incident. If the failings within mid-sized businesses are as widespread as the PWC data suggests this is very bad news for many businesses and could be the one area we start to see them over index, sadly.

Hiding in plain sight

So what does a small or medium sized business do to protect itself, its own valuable data and potentially that of its customers and supply chain? Well, Information Security issues are not like the monster under the bed, despite what the popular press may have us believe.  They don’t frequently leap out to shock you and grab your ankle. More frequently they hang around, waiting to be noticed by someone until it’s just too late and the worst has happened. No amount of finger crossing can spare you from its teeth by then – or the ICO’s teeth in this case. It is normally a series of failings or an extended period of time when risks have been ignored or misunderstood.

Being an SME can make an organisation more ‘fleet of foot’ than many larger businesses. The advantages of being reactive and able to quickly change course or take advantage of a sudden opportunity is a great flexibility to have. Potentially though, the risk side of things can be pushed to one side or ignored and then a lack of due diligence can mean that the new undertaking or direction is being done effectively ‘on the hoof’ and without the anchor of proper governance.  This can also be reflected in the approach to procurement when the questions about the correct checks and balances for security are simply not being asked.  This is possibly because there may not be a dedicated FTE for each role and employees wear several hats. It may be a naiveté about accountability and responsibility either from a legislative or industry requirement basis.  If your organisation is lucky enough to have employed someone with and Information Security or Data Protection background, then this is less of an issue. That is assuming that the resource to have an FTE with these expert skills is available. Generally this is not the case and whilst many businesses are more than familiar with the old outsource service of security, they do not necessarily make the connection to Information and Data.

“Sometimes I feel like the conversation itself is encrypted”

That is how it feels to have a conversation with a security guru. Within minutes the language becomes dense and acronym laden and the eyes of the non-security person may start to glaze or dart about like a frightened rabbit in car headlights.

The concept of Information Security is understandably daunting. Many businesses are put off by the language and apparent complexity. Everyone is put off by things they don’t’ understand but that is what outsourcing is for. Part of the issue is that organisations and those within them responsible for security of information, do not want to feel daft, the language and complex terminology they are coming up against makes them feel inadequate and sounds potentially expensive.

Although security has a long relationship with outsourcing, this has been largely around physical security and areas such as manned guarding. For some reason, outsourcing an organisation’s Information Security, Data Protection or Business Continuity appears to have passed many organisations by as a possibility.

When you think about it though, it makes perfect sense. Areas that are complex and needs and expert help, that may not require and FTE or be too cost sensitive to resource on an FTE basis or maybe required to move an organisation through an accreditation to assist with perhaps getting onto a Government supply framework, or supplying the NHS for instance. Whilst every organisation needs to be security aware and educate their staff effectively, understanding the accountabilities, policies and processes are far more relevant to an SME than having an inside out knowledge of security terminology and the dazzling amount of acronyms. Outsourcing is the natural choice.

One of the 64%?

So the data security inertia may not solely come from a lack of interest or concern about what happens to client, customer or internal information. True some organisations have a genuinely laissez-faire attitude, but many don’t and some of the lack of appropriate action can have come from fear, confusion and misinformation.

Given the ICO’s power to fine up to £500k for serious incidents, this could potentially see a number of the unprepared 64% close for good. It makes much more sense to find an expert outsource partner to translate and guide. Security is a business enabler. Once the security is in hand and under control, an organisation can go on with the business of growing in a secure environment for both the organisation and its partners. It allows organisation to tender for business that they may not normally have been in a position to. It brings likeminded businesses together, allowing them to partner and support each other knowing that they are on the same page and that their respective information assets are properly managed.

Outsourcing Information Security may be a newer area of outsourcing but as with all good outsourcing it is there to provide the expertise it would appear is lacking in the SME arena. Ensuring the best quality, independent advice from an outsource partner could provide the competitive edge and reassurance an SME needs to realise its true potential.

Data sources: PWC Iron Mountain survey “Beyond cyber threats: Europe’s first information risk maturity index” and Norwich Union Business Continuity Survey

Technical Security Skill Shortfall Means Heightened Risk Levels For Business

First published in Outsource Magazine September 12 2013

A report commissioned by IBM concluded that Technical Information Security Skills are in short supply and that this is creating vulnerability and risk in business. The research, carried out by Forrester Research Inc., revealed that even mature organisations are facing increased risk exposure due to difficulty sourcing and retaining Information Security talent.

Overall, 80% of Chief Information Security Officers are finding it difficult or very difficult to recruit technical security staff that met all their needs, according to the research. A range of issues are feeding this difficulty and the resulting concerns about rising risk levels include some very disturbing elements, as unfilled roles create anxiety. Only 8% of respondents said that they didn’t have a problem with security staffing issues.

The remaining 92% identified some key areas for concern that any business should be considering, regardless of whether or not they think they have security talent issue. Whilst the solution for many businesses has been to recruit further down the experience ladder, you can see from the kind of pinch points identified here, that this is not a sustainable solution. Whilst it may ‘fill a security role’ it is not filling the right one.

  • external threats not understood or discovered (27%)
  • deadlines not met/projects taking longer to complete (27%)
  • a growing gap between threat and controls (24%)
  • technical control systems not fully effective (this is anti-malware and such like) (22%)
  • technical risks not identified (20%)
  • technical control systems not implemented (20%)
  • technical risks are unresolved (20%)
  • security road map is unclear (20%)
  • internal technical security audits are not undertaken (20%)
  • Process-based controls (e.g., segregation of duties, privilege review) are poorly defined, dated, or inefficient (18%)
  • concern that Security architecture is complied with (17%)
  • It has prevented adoption of new technology (e.g., cloud, BYOD) NB. Given some of the concerns we have seen in the list so far, this is probably a blessing. (16%)
  • External technical security audits are not undertaken (e.g., at service suppliers, supply chain)  (15%)
  • It has prevented business agility and/or growth (13%)
  • Security architecture is poorly defined (13%)

istock_000012299872medium.jpgThese result show us that not only that there is an increased risk to business from the skill shortage but that the kind of risk business is facing is not simply about architecture and cyber threat but also about the prevention of growth and agility. These are positive contributions that security can make and their inclusion as potential risks show a willingness to move security out of the cost column and into the investment column, but again this is being thwarted by the skill shortage. This may reveal itself in a lack of confidence in moving certain functions or activities to The Cloud or perhaps not instituting Bring Your Own Device (BYOD). Whilst it is better not to do these things if you do not know if they are within your organisation’s Risk Appetite, if you do not know what that Appetite is and there is no one sufficiently knowledgeable and skilled to be able to ascertain this and then mitigate the risk if appropriate, then an organisation may be disadvantaged. This might mean it becomes a less appealing choice for potential new and highly skilled employees for other parts of the organisation, who perhaps demand BYOD as standard along with the flexibility it brings.

Commercially, robust security and resilience is becoming a must have and increasingly organisations are being asked to demonstrate and prove themselves in these areas. Businesses that have worked with Her Majesty’s Government and the Public Sector will be familiar with their extensive security requirements for instance, but others are now finding that if they want to grow their business, the onus is on them to be able to prove their security credentials. This pressure is coming from larger organisations not just public bodies, as they realise how important it is for their supply chain to be resilient. Again this is a real stumbling block if you simply do not have the in-house skills to handle a project like ISO27001 certification or compliance. So the risks that are immediately apparent in terms of what might happen to a business without the appropriate level of security skill are actually more convoluted than they first appear.

A perception of security as a business enabler is one that many security professionals have tried to promote for a long time and the idea of growing a business within its Risk Appetite is common sense. For too long the perception of Security has been that Security will just say no to innovation, change and anything even vaguely risky-sounding. It is disappointing to think that just as the paradigm looks ripe to shift (in the right direction) that it is being stymied by a lack of high level skills. All of these challenges presuppose the organisation has the budget to be able to employ the skilled person they need.

Physical Security like manned guarding has been on the outsource list for many years, Information Security has not always been viewed the same way.  Depending on the level of challenge, size of organisation and actual (not perceived) threat and risk, there may be a viable alternative to a full time senior technical security person, through outsourcing. Perhaps if the challenge is to get through a particular project then the high level skillset may only be required at certain times, not constantly. If there is a tipping point at which the need for the skills is justified commercially this may come a lot sooner if there is an opportunity of filling the gap without actually having to finance an FTE with all of the cost that entails. Given the difficulty in sourcing the high level skills, the best talent is following the money, leaving many organisations in an uncertain security vacuum.  Outsourcing may be the solution on either a project or buy as you need type basis. It may provide a much more cost effective solution to a convoluted set of challenges that are not showing any sign of going away or simplifying. It may also mean a level of skill and experience far in excess of that which may have been within budget for an FTE.

Of course, making sure you are certain of your partner in any outsourcing endeavour is vital and due diligence on potential suppliers is vital. As a rough guide here are some questions you should be asking.

  • Does my partner understand my organisation and its business drivers and growth imperatives?
  • Can they provide qualifications, certifications, track record, references, case studies and a cultural fit?
  • Are they flexible enough for my needs? Are they able to flex up and down as required or am I going to be rigidly contracted to a number of days per month?
  • Do we have specialist or generalist needs?
  • Do we want access to an expert individual or a team of experts?
  • Do we want Strategy, Policy, Risk skills?
  • Do we want our partner to be capable of working successfully with C-level stakeholders or at the ‘coalface’ or both?

Size Really Doesn’t Matter in Cyberspace

iStock_000015672441MediumSomething we have all long since suspected, today confirmed by Allianz – the insurance giant. Size does not matter. At least not when it comes to being a target of a malicious cyber attack.

According to Allianz, attackers are targeting large corporations by attacking their supply chains – smaller companies and SME’s that potentially offer more easily accessible ‘routes in’. Of course it is not always going to be the case but an SME perception of not being a viable target may be just that, a perception. Understanding what the real threat and therefore risk of an attack is, is vital. If you don’t fully understand what risk is posed to you and you potentially pose then you may be open to an incursion, even if you are not the prime target. You may not even know your systems have been used in this malicious manner.

So the question is, how robust is your security? Well, many large corporations are starting to demand evidence of stringent security as a matter of course. They understand some of the very real risks posed by their suppliers. According to an article in City AM today-

“Companies employing fewer than 250 employees are now almost twice as likely to be the subject of a targeted computer attack compared to 2011. By contrast, large organisations employing over 2,500 people have seen no increase in attacks over the same period”

A thorough independent and comprehensive Risk Assessment would be strongly advised in these circumstances. Being able to evidence your security posture is a positive enabler for many organisations, as it can open greater commercial opportunities up to work with larger corporations and Public bodies, however as the risk of these “piggy-back” attacks grows, these corporations are more and more likely to require evidence of the supply chain partners’ security.