Tag Archives: risk assessment

Incident Management – an explanation and example

Advent IM Security Consultant, Del Brazil, offers some guidance on best practice in Incident Management.

Incident Management is defined by the Information Technology Infrastructure Library (ITIL) is ‘To restore normal service operation as quickly as possible and minimise the impact on business operations, thus ensuring that agreed levels of service are maintained.’  Although this definition is very much aligned to the service delivery element of IT, organisations should translate it to all areas of the organisation to form the basis of any incident management strategy.

Any Incident Management process should include:-

Incident detection and recording – Ensuring that sufficient and appropriate means of both detecting and reporting of incidents is critical, as failure to report incidents can have a serious impact upon an organisation.  There maybe a legal requirement for incidents to be reported such as incidents associated with the loss of personal data or security breaches related to protectively marked information, although not applicable to every organisation.  Ensuring that an incident is correctly reported will facilitate the correct actions are taken in line with the incident management plan and thus ensure the correct allocation of resources.

An example maybe that an individual receives an email from an untrusted source and without realising any inherent risk, opens an attachment, which in turn causes their terminal to become unresponsive.  The individual contacts the IT department in the first instance in order to initiate some form of containment measures, whilst also documenting down how the incident occurred.

Classification and initial support – There are various levels of severity associated with different types of incident and ensuring that they are correctly classified will mean that the appropriate resources or emergency services are tasked accordingly.  These levels of severity range from low impact/minor incident requiring a limited number and type of resources, through to a major incident, which has the potential to impact on the whole organisation and requires a substantial amount of resources to manage or recover from.  In the early stages of any incident the support provided by a designated incident response team is vital as their initial actions can have potentially massive implications on the organisations ability to resume normal operations.

Following on from the previous example the incident may be classified as a low priority at this stage as only one terminal/user has been affected.  The IT department may have tasked a limited number of resources in tracking down the suspicious email on the mail server and then taken the appropriate quarantining and/or deleting procedures.

Investigation and diagnosis – Further and ongoing investigations into the incident may identify trends or patterns that could further impact on the organisation, once normal operations have been resumed.

Keeping in mind the example previously discussed, should the initial findings of the IT department reveal that the email has been received by a large number of users, then further impact analysis should be undertaken to establish the impact or effect on services before any additional resources are dedicated to resolving the issue.  This further investigation requires an organisation-wide broadcast, highlighting the incident and what actions should be taken in the event that users received suspicious emails or attachments.

Resolution and recovery – Ensuring that the correct rectification method is deployed is paramount, as no two incidents are the same and as such any incident management plan should have a degree of flexibility to accommodate potential variations.

Using our example scenario, the correct rectification solution in this instance would be to purge the mail server of any copies of the suspicious email and then to execute the scanning of the mail server with an anti-virus and/or anti-spam product.  Consideration should be given as to whether to take the mail server off line to perform the relevant scans, however any potential down time may impact on the output of the organisation.  In the event that the mail server is taken off line, it is imperative that communication is maintained with all staff, contractors, customers and third party suppliers etc.

Incident closure – The closure of an incident should be clearly communicated to all parties involved in managing or effecting rectification processes as should a statement stating ‘Business has resumed to normal’ to clearly indicate to all concerned that normal operations can continue.

In our example , it’s essential that all persons involved or impacted by the incident are informed accordingly which formally closes the incident.  This also reassures any interested parties that normal service has been resumed thus preventing any additional business continuity plan being invoked.

Incident ownership, monitoring, tracking and communication – An Incident Manager/Controller should take clear ownership of any incident so that all relevant information is communicated in an effective way to facilitate informed decisions to be made along with the correct allocation of resources.

As always, good communication is vital not only with staff, emergency services and the press but also with key suppliers and customers, as these may have to invoke their own business continuity plans as a result of the incident.  Business continuity plans ensure critical outputs are maintained but the invoking of a plan comes at a cost, whether it be financial or an impact to operational outputs.  It is therefore imperative that once an incident has been deemed formally closed then key suppliers and customers should be informed accordingly, this will  enable them to also return to normal operations.  Post incident analysis or ‘Lessons learnt’ meetings should be held after any incident to highlight any weaknesses or failings so that rectification measures can be introduced accordingly.  Likewise, should there be any good practices or solutions highlighted during the incident, then these should also be captured as they may be used in other areas of the organisation.

Now our example has been correctly identified, treated and business has returned to normal it is imperative that an incident ‘wash up’ meeting takes place to clearly identify those areas for improvement and those that performed well.  The correct allocation of resources during the initial stages of the incident to address what was deemed to be initially a minor incident, resulted minimal impact to not only business outputs, but also to customers or third party suppliers.  The findings of the ‘wash up ‘ meeting should be correctly recorded and analysed for any trends or patterns that may indicate a weakness in security.  In this instance the mail server’s spam filters may have been incorrectly configured or not updated resulting in a vulnerability being exploited.

Any incident management plan should be suitably tested and its effectiveness evaluated with any updates/amendments implemented accordingly.  It would be prudent to exercise any incident management plan annually or when there is a change in the key functions of the organisation.  It is also additionally recommended that all users are reminded of how to report incidents during any annual security awareness education  or training.

As organisations become ever increasingly reliant on internet and IT services, it is imperative that an effective, appropriate and fully tested, Incident Management Procedure is embedded within the organisation.  Failure to ensure this may result in an organisation struggling to deal with or recover from any kind of security incident.

Advertisements

Are you still operating XP or Windows 2003? – A guest post from Julia McCarron, Advent IM Director

Whilst Microsoft’s utopia may be for us all to automatically upgrade every time there is a newAdvent IM Cyber Security Experts version of Windows, for many organisations this isn’t always an option. With some still coping with life after the recession the cost of upgrading to new platforms can be restrictive, especially if XP and Windows 2003 still works perfectly well and provides you with effective tools to operate business as usual. For others with large technical infrastructures, again the cost of upgrading can be a massive drain on time, resources and money and needs careful budgeting a planning over a period of time.

But with the withdrawal of support on Windows platforms and applications comes risk. Security patches no longer get issued, and as cyber security threats continue to be developed exponentially so these platforms become vulnerable to attacks.

Advent IM HMG accreditation concepts training

pics via digitalphotos.net

The obvious choice is upgrade as soon as possible. But if this is not an option you need to assess the risk of operating in a non-supported environment as part of your corporate risk strategy, and where required identify activities that can help you minimise risk. These could be more frequent external penetration tests, stricter acceptable usage policies, updates in security awareness programs or additional monitoring software. There are risk mediated options available but only if you go through the proper process of analysing the threats and impacts of not upgrading to your business.

But upgrade when you can …

Julia.

Advent IM: ISO/IEC 27001:2013 Version 3.0 of the mapping tool released today

We have today released version 3.0 of the popular and helpful ISO/IEC 27001:2013 mapping tool. This compares and maps controls, clauses and other areas from the 2005 version against the new 2013 version and vice versa.

The new version of the tool sees some additional information around documents and records.

It is available FREE from the Advent IM website either via our Latest News page or via the dedicated ISO27001 page

iStock_000018385055Small

ISO/IEC 27001 Guidance Document Now Available

quality standardWe have now issued the first draft of the guidance document mapping 2005 against 2013.

You can obtain a free copy from our website:

http://www.advent-im.co.uk/advent_im_news.aspx

or from our dedicated ISO27001 page

http://www.advent-im.co.uk/iso_27001.aspx

Technical Security Skill Shortfall Means Heightened Risk Levels For Business

First published in Outsource Magazine September 12 2013

A report commissioned by IBM concluded that Technical Information Security Skills are in short supply and that this is creating vulnerability and risk in business. The research, carried out by Forrester Research Inc., revealed that even mature organisations are facing increased risk exposure due to difficulty sourcing and retaining Information Security talent.

Overall, 80% of Chief Information Security Officers are finding it difficult or very difficult to recruit technical security staff that met all their needs, according to the research. A range of issues are feeding this difficulty and the resulting concerns about rising risk levels include some very disturbing elements, as unfilled roles create anxiety. Only 8% of respondents said that they didn’t have a problem with security staffing issues.

The remaining 92% identified some key areas for concern that any business should be considering, regardless of whether or not they think they have security talent issue. Whilst the solution for many businesses has been to recruit further down the experience ladder, you can see from the kind of pinch points identified here, that this is not a sustainable solution. Whilst it may ‘fill a security role’ it is not filling the right one.

  • external threats not understood or discovered (27%)
  • deadlines not met/projects taking longer to complete (27%)
  • a growing gap between threat and controls (24%)
  • technical control systems not fully effective (this is anti-malware and such like) (22%)
  • technical risks not identified (20%)
  • technical control systems not implemented (20%)
  • technical risks are unresolved (20%)
  • security road map is unclear (20%)
  • internal technical security audits are not undertaken (20%)
  • Process-based controls (e.g., segregation of duties, privilege review) are poorly defined, dated, or inefficient (18%)
  • concern that Security architecture is complied with (17%)
  • It has prevented adoption of new technology (e.g., cloud, BYOD) NB. Given some of the concerns we have seen in the list so far, this is probably a blessing. (16%)
  • External technical security audits are not undertaken (e.g., at service suppliers, supply chain)  (15%)
  • It has prevented business agility and/or growth (13%)
  • Security architecture is poorly defined (13%)

istock_000012299872medium.jpgThese result show us that not only that there is an increased risk to business from the skill shortage but that the kind of risk business is facing is not simply about architecture and cyber threat but also about the prevention of growth and agility. These are positive contributions that security can make and their inclusion as potential risks show a willingness to move security out of the cost column and into the investment column, but again this is being thwarted by the skill shortage. This may reveal itself in a lack of confidence in moving certain functions or activities to The Cloud or perhaps not instituting Bring Your Own Device (BYOD). Whilst it is better not to do these things if you do not know if they are within your organisation’s Risk Appetite, if you do not know what that Appetite is and there is no one sufficiently knowledgeable and skilled to be able to ascertain this and then mitigate the risk if appropriate, then an organisation may be disadvantaged. This might mean it becomes a less appealing choice for potential new and highly skilled employees for other parts of the organisation, who perhaps demand BYOD as standard along with the flexibility it brings.

Commercially, robust security and resilience is becoming a must have and increasingly organisations are being asked to demonstrate and prove themselves in these areas. Businesses that have worked with Her Majesty’s Government and the Public Sector will be familiar with their extensive security requirements for instance, but others are now finding that if they want to grow their business, the onus is on them to be able to prove their security credentials. This pressure is coming from larger organisations not just public bodies, as they realise how important it is for their supply chain to be resilient. Again this is a real stumbling block if you simply do not have the in-house skills to handle a project like ISO27001 certification or compliance. So the risks that are immediately apparent in terms of what might happen to a business without the appropriate level of security skill are actually more convoluted than they first appear.

A perception of security as a business enabler is one that many security professionals have tried to promote for a long time and the idea of growing a business within its Risk Appetite is common sense. For too long the perception of Security has been that Security will just say no to innovation, change and anything even vaguely risky-sounding. It is disappointing to think that just as the paradigm looks ripe to shift (in the right direction) that it is being stymied by a lack of high level skills. All of these challenges presuppose the organisation has the budget to be able to employ the skilled person they need.

Physical Security like manned guarding has been on the outsource list for many years, Information Security has not always been viewed the same way.  Depending on the level of challenge, size of organisation and actual (not perceived) threat and risk, there may be a viable alternative to a full time senior technical security person, through outsourcing. Perhaps if the challenge is to get through a particular project then the high level skillset may only be required at certain times, not constantly. If there is a tipping point at which the need for the skills is justified commercially this may come a lot sooner if there is an opportunity of filling the gap without actually having to finance an FTE with all of the cost that entails. Given the difficulty in sourcing the high level skills, the best talent is following the money, leaving many organisations in an uncertain security vacuum.  Outsourcing may be the solution on either a project or buy as you need type basis. It may provide a much more cost effective solution to a convoluted set of challenges that are not showing any sign of going away or simplifying. It may also mean a level of skill and experience far in excess of that which may have been within budget for an FTE.

Of course, making sure you are certain of your partner in any outsourcing endeavour is vital and due diligence on potential suppliers is vital. As a rough guide here are some questions you should be asking.

  • Does my partner understand my organisation and its business drivers and growth imperatives?
  • Can they provide qualifications, certifications, track record, references, case studies and a cultural fit?
  • Are they flexible enough for my needs? Are they able to flex up and down as required or am I going to be rigidly contracted to a number of days per month?
  • Do we have specialist or generalist needs?
  • Do we want access to an expert individual or a team of experts?
  • Do we want Strategy, Policy, Risk skills?
  • Do we want our partner to be capable of working successfully with C-level stakeholders or at the ‘coalface’ or both?

Advent IM Join G-Cloud

Advent IM Supplier to Government, G-Cloud

Advent IM – now available to procure directly via G-Cloud

Advent IM Ltd is pleased to announce its inclusion on the Government’s Cloud Store – G-Cloud. This is the newest Government Procurement Framework and gives the public sector access to highly discounted and exclusive Government framework pricing. This means confident procurement and avoids the need for expensive tendering, whilst offering reassurance that procurement rules and guidelines are being met.   It also offers the private sector an easier route to work with public bodies.

 Advent IM has a lengthy track record as a Security Consultancy for public bodies and Her Majesty’s Government.  The Advent IM Catalogue on G-cloud shows the full range of services available to both public and private sector organisations. G-Cloud is designed to make it easier and faster for those public bodies and departments to procure directly and that now includes expert Security Consultancy from the team of specialists at Advent IM. No longer having to face the convolutions and cost that the tender process can sometimes entail.

Advent IM consultants also work closely and very successfully with the private sector. This framework is a vehicle for the private sector to work with HMG more easily, especially small businesses for which the process of tendering may have been prohibitive.  The incentive for the private sector is clear; however there will be certain standards of security practice that will be expected of them and their systems, in order to be accepted onto the G-Cloud.  Advent IM can offer expert assistance and support to those private sector businesses seeking entry onto this framework, whether that be training, accreditation, Cyber Security and Information Assurance or a host of other areas that need to be considered for G-Cloud.

 “We are delighted to have been selected as a G-Cloud supplier. Although we have had an excellent relationship with the public sector over many years, this marks the start of a direct procurement communications path between Advent IM and potential new clients. It opens doors that were previously not available to us and we look forward to the framework fulfilling its promise of quicker and smoother purchasing processes for public bodies. We also relish the opportunity to help more organisations become G-Cloud suppliers themselves by sharpening their security practices and gaining access to public sector work they were previously unable to tender for.” – Julia McCarron, Advent IM Operations Director

www.advent-im.co.uk-G_Cloud.aspx 

If you are a public body and are interested in procuring security consultancy direct, you can search us here.

http://govstore.service.gov.uk/cloudstore/search/?q=advent+im

 

 

Effective Employee Monitoring or Snooping?

Advent IM, data protection act 1998 Advent IM consultants

CCTV? Phone monitoring? Email monitoring? Vehicle tracking? Personal Data that all falls within The Data Protection Act 1998

Originally published in HR Zone http://www.hrzone .co.uk April 2013

Monitoring employees for potential disciplinary reasons is a standard part of the HR role, however a lack of awareness of how to do this within ICO guidelines and Data Protection best practice could end up in a costly tribunal for employers.

Do you monitor your employees? At a recent Employment Law Seminar (1), I asked that question and hardly anyone showed hands. So I asked if anyone used CCTV, indoors or outdoors. I asked if their vehicles had trackers on them and if they did, were the vehicles allowed for personal use. I asked if they were allowed for personal use, did they switch the tracking off outside of business hours. I asked if internet use was monitored or restricted. Lastly I asked if they monitored phone or email use. I pointed out that even something installed for the safety and security of employees like CCTV is in fact monitoring them and the images could potentially form part of a disciplinary if required. Then I asked again if anyone monitored their employees and virtually everyone raised their hand.

iStock_000015534900XSmallOK so there were some areas of monitoring employers might not have realised they were doing as they had not actively instigated them for monitoring employees with a view to disciplining them. There are other areas of monitoring that are started for clear improvement or disciplinary reasons. It might be an employee using company email for more than the occasional personal purpose or an employee constantly online shopping or browsing porn in work hours on a work computer, or an accusation of physical intimidation of one employee by another. These are example scenarios that might require a business to start surveillance on its employees. However, before swinging into action a business needs to be absolutely certain how to proceed or there may be unintended consequences for the business. These unintended consequences could prove to be costly, not only financially but reputationally.
Certain things need to be in place before effective surveillance can take place. Robust policy is obviously the first place to start. For instance, if employees are allowed to use laptops for personal use and an employee uses it to view porn outside of work hours, have they contravened the policy? Was the policy absolutely crystal clear as to whether or not this would be a disciplinary offense? Do they understand it? The other part of the equation is the policy on monitoring. Are both employers and employees clear on the policy and procedures around monitoring? If you are going to monitor them, you have to be certain. You also cannot simply blanket monitor all employees. You cannot covertly monitor them, your intention or objectives must to be clear and consistent. You must be able to explain to employees:
• Why you are monitoring
• What the process is
• What you are monitoring – systems, applications, hardware etc
• When you will be monitoring
• Who will be responsible for monitoring
• Who will have access to the data generated by the monitoring
• How that resulting data will be held, managed and eventually destroyed
It is vital that the last four points are not overlooked. In our IT driven environment, it frequently falls to IT to roll out the software to carry out monitoring or surveillance. This may be the most practicable solution to initiating the monitoring process, but is it appropriate for IT to have access to the resulting data? Any resulting data from surveillance is sensitive and so employees have every right to expect it to be treated with the same care of duty that their other sensitive or personal information is treated. The data generated from monitoring will be covered by the Data Protection Act (1998) and so clear understanding of who can access it, when they can access it or when it should be destroyed, is vital. Remember, employees have every right to request the data (through a Subject Access Request and this would include CCTV images) that employers hold on them or demand that it be destroyed, if it is felt that retention is not appropriate and in accordance with the Act and local policy. This is because the Act states that the data and images are their property and not their employers. Interestingly a recent survey (3) on Insider Fraud indicated CCTV surveillance as a new monitoring means being enabled by businesses, specifically to combat fraud by employees and not, as has traditionally been, to ensure their safety and security.

Emails or browser histories are fairly obvious data generators, as is call-monitoring. It is worth noting that this kind of information is possibly best routed directly to HR, rather than monitored by IT. Serious misconduct such as viewing child pornography could be inadvertently compounded if it is handled by someone unaware of the law around such matters. In the case of something like child porn, then a well-meaning person accessing whatever images had been viewed or downloaded and saving or downloading them as proof would perhaps not realise that every time they are viewed or downloaded it is an offence…

So making sure that employees know, understand (and confirm they understand) relevant policies relating to their conduct is the start. Ensuring they know, understand (and confirm they understand) the employee monitoring policy is the next stage and presuming the policy is fit for purpose, monitoring can commence. Employers need to be absolutely certain they are conducting monitoring in accordance with the ICO guidelines and within the Data Protection Act (1998). A simple guide exists on the ICO website (2), which is a good place to start.

Clarity, openness and best practice – the cornerstones of good business are the bywords for effective employee monitoring and also help keep a business out of Employment Tribunals.

_________________________________________________________________________

1 Waldrons Solicitors Breakfast Seminar Employment Law – available on Slideshare http://www.slideshare.net/Advent_IM_Security
2 Quick Guide to Employment Practices Code http://www.ico.gov.uk/for_organisations/sector_guides/~/media/documents/library/Data_Protection/Practical_application/quick_guide_to_the_employment_practices_code.ashx
3 Ponemon Institute – The Risk of Insider Fraud – Second Annual Study.