Tag Archives: security management

Advent IM: ISO/IEC 27001:2013 Version 3.0 of the mapping tool released today

We have today released version 3.0 of the popular and helpful ISO/IEC 27001:2013 mapping tool. This compares and maps controls, clauses and other areas from the 2005 version against the new 2013 version and vice versa.

The new version of the tool sees some additional information around documents and records.

It is available FREE from the Advent IM website either via our Latest News page or via the dedicated ISO27001 page

iStock_000018385055Small

Advertisements

Hacking Pacemakers, Traffic Systems and Drones – Cyber and Physical Worlds Collide

The Telegraph today ran a piece on a subject close to our hearts here at Advent IM, namely the cyber threat to our physical world. You can read it here

Regular readers will know we have expressed concern before that language can create barriers or false realities that can leave vulnerabilities and the prevalence of the use of the word ‘cyber’ is a good example of this. Cyber to most people conjures up the ethereal world of the hacker – that strange and dangerous electronic hinterland that few really grasp. Of course, this is dangerously inaccurate as many systems that control our physical world are networked and can therefore be hacked.

The late Barnaby Jack showed the world how he could hack into an insulin delivery system in a patient to effectively overdose that patient, he also managed to hack into an ATM system which then dispensed cash like a waterfall. The two worlds are converging quicker than our security awareness is growing.

Bringing the threat to our critical national infrastructure to the attention of the public at large is in one way unnerving but also very necessary.

Please have a look at our presentation on the topic, you will need sound…

Advent IM, Cyber Threat to Built Estate

Presentation with voice over from Mike Gillespie

Advent IM Join G-Cloud

Advent IM Supplier to Government, G-Cloud

Advent IM – now available to procure directly via G-Cloud

Advent IM Ltd is pleased to announce its inclusion on the Government’s Cloud Store – G-Cloud. This is the newest Government Procurement Framework and gives the public sector access to highly discounted and exclusive Government framework pricing. This means confident procurement and avoids the need for expensive tendering, whilst offering reassurance that procurement rules and guidelines are being met.   It also offers the private sector an easier route to work with public bodies.

 Advent IM has a lengthy track record as a Security Consultancy for public bodies and Her Majesty’s Government.  The Advent IM Catalogue on G-cloud shows the full range of services available to both public and private sector organisations. G-Cloud is designed to make it easier and faster for those public bodies and departments to procure directly and that now includes expert Security Consultancy from the team of specialists at Advent IM. No longer having to face the convolutions and cost that the tender process can sometimes entail.

Advent IM consultants also work closely and very successfully with the private sector. This framework is a vehicle for the private sector to work with HMG more easily, especially small businesses for which the process of tendering may have been prohibitive.  The incentive for the private sector is clear; however there will be certain standards of security practice that will be expected of them and their systems, in order to be accepted onto the G-Cloud.  Advent IM can offer expert assistance and support to those private sector businesses seeking entry onto this framework, whether that be training, accreditation, Cyber Security and Information Assurance or a host of other areas that need to be considered for G-Cloud.

 “We are delighted to have been selected as a G-Cloud supplier. Although we have had an excellent relationship with the public sector over many years, this marks the start of a direct procurement communications path between Advent IM and potential new clients. It opens doors that were previously not available to us and we look forward to the framework fulfilling its promise of quicker and smoother purchasing processes for public bodies. We also relish the opportunity to help more organisations become G-Cloud suppliers themselves by sharpening their security practices and gaining access to public sector work they were previously unable to tender for.” – Julia McCarron, Advent IM Operations Director

www.advent-im.co.uk-G_Cloud.aspx 

If you are a public body and are interested in procuring security consultancy direct, you can search us here.

http://govstore.service.gov.uk/cloudstore/search/?q=advent+im

 

 

Aspirationally Paperless?

First published in Tomorrow’s FM February 2013 as part of the Water Cooler regular feature with FM experts: Lee Haury, Liz Kentish, Wendy Mason, Martin Pickard, Lucy Jeynes, Iain Murray and John Bowen. The discussion was inspired by Health Secretary Jeremy Hunt’s desire to see the NHS go paperless by 2018….

The Advent IM response to a paperless NHS.

Data Protections Advent IM

Yay! Paperless was easy!

Paperless as a concept, has been around for a long time. Look around the average office and you will see varying degrees of success in its implementation. For many it is still largely aspirational. Removing  paper records does have some security benefits, presuming they were securely disposed of, of course! By this I mean you are removing one potential source of data loss, but how many of us can commit  to never printing off information or emails for instance? One security eye would always have to be on the possibility of employees doing this and valuable assets being put at risk or marching out of the door. Information is an asset, however it is stored. The NHS (for it is they and Jeremy Hunt who have inspired this discussion) has had a fairly disastrous year with Information Security and received huge monetary penalties. These breaches were not generally the result of hacks or other cyber-criminal activities but the result of poor security awareness and  people doing daft things with both paper records and electronic devices.

Bottom line is, if you are going to use mobile devices and remove the need for paper records, then Security policies have to be watertight and thoroughly trained through all users, they need to know they are accountable. That means if someone decides to load a laptop with thousands of patient records, they should be challenged or potentially prevented, by policy, from doing so. For instance if the device were used merely for securely accessing patient records as and when they were required, it would remove  the need for either paper or local digital storage. Hopefully the NHS are thinking a little further than merely paperless and thinking about how the replacement digital information is going to be stored and accessed. Significant and ubiquitous awareness training is required to make a success of any such initiative and prevent patient data risk.

Top Down Security (or “How To Learn To Love Information Security And Get It Into The Boardroom”)

Originally published on the Darlingtons Solicitors Blog 23.11.12

You say the word ‘security’ to people and get a variety of responses or perceptions. Some people think of manned guarding and a nice guy who works the barrier and checks the CCTV images to keep everyone safe.  Others go a bit ‘Mission Impossible’ and imagine consultants dangling from wires, testing floor pressure pads in secure areas whilst hacking into the Pentagon. And yet more others regale you with tales of every night club they have been asked to leave by a man in a black puffy jacket.

This post is not really about any of those perceptions, it is about a business enabler and how it is placed in successful organisations. I can appreciate that compared to Tom Cruise dangling from the ceiling this may appear dull, but as far as business goes, it’s a bit more useful.

“Yeah, IT does Security”

According to the Ernst & Young Global Information Security Survey 2012, there is a real gap between where Information Security sits within organisations and where it needs to sit. As Security Consultants we know this to be true and are also aware that other disciplines, FM for instance have also had a bit of a battle to get a voice in the boardroom. Given the interconnected nature of so many business areas, joining the dots and having top-down policy and behaviour, has never been more important.

Milky Way and our Solar System – image Ecology.com

As we are talking about Information Security (IS) let’s put it in perspective. IT security is the vital technical security of IT such as firewalls, encryption, password policy, patches etc. How an organisation behaves with regard to security of information is a much larger area. (If the organisation’s use of Information were the Milky Way for instance, IT might be our solar system– see picture). The rest of the organisation uses information in a myriad of ways, not always electronically and not always on a device (at least not one that IT is aware of…) the rest of the organisation may be vast and so the potential for compromised information is exponentially increased. Especially if everyone thinks that “IT do security….”

IT departments traditionally do not have a formal risk assessment mechanism. Risk is something a whole business faces not simply the systems in IT – important as they may be.

An organisation’s IS needs to be aligned to its Risk Appetite – but if accountability for it is placed in IT then realising this will be challenging.

Business solutions are not always technical or IT based. At the end of the day the users are people and people make mistakes or behave in questionable ways. Around 80% of data breach is generally accepted to be human error or malice. Technology can’t mitigate all of that risk; you need to consider policy, procedure and education of these concepts through your organisation.  Hopefully you can see now why we are moving out of the realms of IT and into the realms of business centric solutions that cut across silos, not reinforce them.

“Place your bets! Place your bets!”

Risk is a part of business, without risk there is no innovation and nothing can exist for long in a vacuum. Therefore it is vital to know how far you can push something before it becomes too great a risk. Not from an instinctual level but from a tried, tested and accepted level that comes from the boardroom via regular review. So understanding your organisation’s risk appetite and tolerance is vital. Aligning your IS policy and procedure to that appetite seems logical if not essential, yet 62% of organisations surveyed did not align IS to Risk Appetite.

How then can an organisation securely implement something like Bring Your Own Device (BYOD) which sounds on the surface like an IT project – which won’t be aligned to Risk Appetite? So in other words, the risk attached to allowing employees to use their own devices, which may mean access to corporate networks and drives, access to sensitive information, has not been assessed in terms of the business’s overall appetite. So rogue apps (which we hear about every week) for instance could be scalping data from the device on a regular basis and the user would be unaware. Previously, it was the user’s data alone that was compromised, with BYOD the scope of data available increases vastly as an organisation’s information assets open up to that user.

InfoSecurity – share the love

The Ernst & Young survey highlighted the need to bring Information Security into the boardroom. Perhaps asking who owns the risk or who is accountable for the Information risk is where to start. Well according to this survey only 5% have Information Security reporting to the Chief Risk Officer, the person most responsible for managing the organisations risk profile. Placing responsibility within IT can cause ineffective assessment and alignment with not only Risk but with Business priorities.

If 70% of the respondents are stating that their organisations IS function only partially meets the organisational needs, it becomes clear that this is a ship that has set sail without a map. IS needs C level direction and input, it needs to have the support of the board, be implemented and understood top-down and really start to make a positive impact on business growth by enabling it to happen securely, with threat and risk awareness, accountability and mitigation.

It was initially encouraging to read that almost 40% of organisations planned to spend more on IS over the next 12 months. But on reflection, if this is going to be mainly directed by IT departments – unaligned to Risk, unconnected to the board and occupying a similar space as the sun in the Milky Way or an organisation’s Information usage, it is doubtful that the dissatisfied 70% of organisations who feel IS is not currently meeting their needs, will reduce. What is concerning is that this could end up looking like wasted spend on Security, when in actual fact it is merely a potentially unwise or undirected spend. The upshot could be through a lack of board level understanding, that future spend then has a line run through it instead of under it.


All data sourced from Ernst & Young Global Information Security Survey 2012, all visual representation copyright of Advent IM and not to be reproduced without express permission.

Guest post from Darlingtons Solicitors: Holistic and practical approach to business risks is best

We would like to thank Darlingtons for this guest post on a business imperative.  Its always reassuring to have a legal perspective on Security.

“As a law firm offering specialist advice in areas including employment law and fraud, at Darlingtons Solicitors, we see on a day to day basis the impact of legal and security threats which turn into issues causing at best, significant damage, in financial and other terms to a business, and at worst, which can literally put a business out of business.

In our experience, all clients, big or small, do have a sense of threats to their businesses, internal and external, but many tend to somehow try and put these to the back of their mind, and this ties in with the general problem both legal and security professionals face – we are not selling something which clients see as a clear benefit to their business.

Benefit has a traditional sense of a positive outcome, generally financial, and in that sense, preventing damage does not fit with the traditional sense of the word. However, when thinking of bottom line figures, preventing or mitigating losses does have a real impact on any business.

Failing to advise is failing a client

Accepting as a starting point that pushing an argument, however correct, too hard on the lines of “failing to plan is planning to fail” will be unlikely to result in a client handing over a blank cheque to either lawyers or security consultants, what perhaps differentiates the better companies is an ability to understand proportionate threats, limited budgets and to provide advice to clients tailored for that client and based on experience.

Take data protection as an example. Most businesses know that there are laws about data protection, most also understand that their business data, client lists, product information, suppliers and other data are a critical part of their business, but a smaller business with a limited budget may not know which are the biggest threats and what options there are which they may be able to afford to limit the potential damage that could be caused by doing nothing.

It makes sense for professionals to work together when advising clients on risk prevention, something which lawyers should frankly embrace more than most have in the past.

For example, it is all very well advising a client that they need a data protection policy, a social media policy, a contract of employment with strong restrictive covenants and so on, but ultimately, these are pieces of paper. A determined, desperate or foolhardy employee intent on stealing business or vindictive damage on an employer may not even care whether they get sued later and are quite possibly not worth suing.

However, if lawyers work closely with security professionals, the legal paperwork can more easily dovetail with practical safeguards which may prevent loss, such as IT security controls.

In turn, security professionals need to take on board legal issues, such as, for example, where a business decides to monitor it’s employees online activities. In that situation, serious legal consequences would result if the business does not advise the employees it is monitoring them, which can be criminal as well as civil.

Solution ?

In our experience and view, the best approach to legal and security threats, particularly for small businesses is to consider seriously an annual security and legal audit. Progressive law firms and security companies are now offering these at low cost or in some cases even free. A composite report, identifying threats based on risk level and potential ramifications, both legal and practical, presenting the commercial and legal argument for taking action, based on priority and cost is reasoned, proportionate method and good business sense.

For further advice or assistance on legal risks, legal problems you currently have or to discuss a legal audit, we would be happy to assist, please get in touch.” –  Darlingtons Solicitors.

And if you need support, consultation or mentoring with Data Protection or Information Security including ISO27001, contact Advent IM bestpractice@advent-im.co.uk www.advent-im.co.uk

Security Skills Shortage – why?

ESG Research 83% of Enterprise (1,000 or more employees) organisations are are finding it ‘extremely difficult’ or ‘somewhat difficult’ to recruit security professionals currently.

It’s clear to see that security and Information Security are growing items on the Enterprise agenda. The realisation that Security staff are important for some key business enabling activities has been long-awaited by security professionals.

Security professionals can see the skill gap in what is currently available as in-house resource in many case vs. what is required to realise an organisation’s plans and enabling those plans to be carried through securely.

Click to see enlarged image

Having the budget or resource for an FTE devoted to Information Security for instance, which may be required in order to compete for certain kinds of tenders, may be beyond the capability of some organisations. Hence we see the growth in out-sourcing and buying in expertise in the visual above. Finding a way to compete in those tenders may be key to an organisations growth, but contract partners will only want ton contract with those they see as at least as security aware and prepared as they are. Given that the sharing of sensitive or confidential information may well be necessary, one can easily understand why this key business enabler is now a key focus for many organisations.

www.advent-im.co.uk/mysecuritymanager.aspx