Tag Archives: ISO 27001

safeguard your head office small business

How to secure your data when firing employees

 

What kind of risk are you creating when you fire the IT security officer?

When a company decides to fire a big piece of it’s work force – it’s to reduce costs in anticipation of reduced revenues. Risk management and IT governance runs a distant second and third when it’s a question of survival. The IT department is often in the line of fire, since they’re a service organization. The IT security staff may be the first to get cut since  companies view information security as a luxury, not as a must to run the business.

There is nothing in the information security policy of any organization that I have seen that talks about how to manage risk when 300 employees are being fired in a short period of time in a business unit.

What is your risk appetite?

A key part of formulating and establishing information security   policies for your organization is in deciding how much risk is   acceptable and how to minimize unacceptable risk.

This process initially involves undertaking a formal risk assessment which is a  critical part of any ISMS.  However – it’s a mistake to assume that risk assessment is a static process when the business is a dynamic process.  Risk assessment must be dynamic and continuous, moving at the front line of the business not as an after though or not at all.

The ISO 27000 standards provide some guidance on how this  risk assessment process is to be undertaken.  This guidance is   summarized and annotated below:

  • Use systematic approach to estimate magnitude of risks (risk  analysis)
  • Compare estimated risks against risk criteria to measure the  significance of the risk (risk evaluation)
  • Define the scope of the risk assessment process to improve  effectiveness (risk assessment)
  • Undertake risk assessments periodically to address changes in  assets, risk profiles, threats, safeguards, vulnerabilities and risk  appetite (risk management)
  • Risk measurement should be undertaken in a methodical manner to  produce verifiable results (risk measurement)

The stumbling block to doing continuous risk assessment is both world view (“hire a consultant once every 2 years to check us out”) and technical (“the cost of said consultant”).  We have a great  free ISO 27001 risk assessment software that can automate the process, save you money and help you respond fast to changes in the business. The software is based on the popular PTA (practical threat analysis) Professional risk assessment tool.

Tell your friends and colleagues about us. Thanks!
Share this

Business context for ISO 27001

ISO 27001 is increasingly popular because of compliance regulation and the growing need to reduce the operational risk of information security.

What ISO 27001 is missing though, is the business context – the ability for an SME to determine the cheapest and most effective security countermeasures and their order of implementation.  Since ISO 27001 certification requires compliance with the entire control set, it may be too daunting for an SME to consider.

Any business can perform an ISO 27001-based risk assessment on their operation  with their business assets and their typical business  threats  in just a few minutes using the Software Associates PTA library for ISO 27001.  You can download the free Practical Threat Analysis library for ISO 27001 and our free risk assessment software – and upgrade your security today using ISO 27001, the most important vendor-neutral standard for data security available.

Tell your friends and colleagues about us. Thanks!
Share this

Giving ISO 27001 business context

ISO 27001 is arguably the most comprehensive information security framework available today. Moreover, it is a vendor neutral standard. However – ISO 27001 doesn’t relate to assets or asset value and doesn’t address business context which requires prioritizing security controls and their costs.  This article discusses the benefits of performing an ISO 27001 based risk assessment exercise using techniques of threat modeling.  An organization that follows this methodology will reap the benefits of improved data security and achieving readiness for ISO 27001 certification.

Why is threat analysis beneficial for ISO 27001?

Quantitative threat analysis using the popular PTA (Practical Threat Analysis) modeling tool provides a number of meaningful benefits for ISO 27001 risk assessments:

  • Quantitative: enables business decision makers to state asset values, risk profile and controls in familiar monetary values. This takes security decisions out of the realm of qualitative risk discussion and into the realm of business justification.
  • Robust: enables analysts to preserve data integrity of complex multi-dimensional risk models versus Excel spreadsheets that tend to be unwieldy, unstable and difficult to maintain.
  • Versatile: enables organizations to reuse existing threat libraries in new business situations and perform continuous risk assessment and what-if analysis on control scenarios without jeopardizing the integrity of the data.
  • Effective: helps determine the most effective security countermeasures and their order of implementation, saving you money.

Continue reading

Tell your friends and colleagues about us. Thanks!
Share this

How to assess risk – Part II: Use attack modeling to collect data

In my article – “How to assess risk – Part I: Asking the right questions”, I talked about using attack modeling as a tool to collect data instead of using self-assessment check lists. In this article, I’ll drill down into some of the details and provide some guidelines on how to actually use attack modeling to assess risk.

Read achieving HIPAA compliance using threat modeling for a step-by-step tutorial on how to use the popular PTA (Practical Threat Analysis) Professional software in order to perform  quantitative risk assessment for a data security  and compliance. Software Associates specializes in HIPAA data security and compliance. The concepts and techniques described here can be implemented for any regulatory area of compliance such as PCI DSS 2.0 or security certification such as ISO 27001. You can obtain a free download of the PTA Professional software from the PTA Technologies download page.

The first guideline I will lay down, is to estimate value of risk  in Dollar/Euro/Ruble values – whatever currency you like.

Attack modeling is based on the notion that any system or organization has assets of value worth protecting. These assets have certain vulnerabilities. It is a given that internal and external attacks exist, that may  exploit these vulnerabilities in order to cause damage to the assets. An additional given is that appropriate countermeasures exist that mitigate the damage caused by internal or external attackers.

With attack modeling, you make future risk scenarios vivid, tangible, and measurable in dollar terms, countering the tendency to ignore threats and do nothing. Attack modeling gives you and your employees a practical language of assets, threats, vulnerabilities and countermeasures.

Here are 6 rules for effective attack modeling –

If you’re bought into the traditional approach of consultants looking at your watch and telling you what time it is, then don’t let me stop you, but if you don’t mind considering some new ideas for cracking the risk assessment problem, here are a few ideas inspired by Tom Peters “In pursuit of Luck”:

1. Do something new. Don’t bother with the same old trade shows, talking with the same old security salespeople about the same old stuff. The first time you do attack modeling, it may take several months – and take you into unfamiliar territory of having to valuate assets and anticipate the probability of threat occurrence.

2. Listen to everyone. Ask your senior managers what are your most valued assets – customer lists, product IP, ontime delivery. Ask the CFO how much those assets are worth in dollar terms. Ask your 22 year old customer service agents how they would attack your assets.

3. Try out options. Don’t stop with the annual IT security audit. With attack modeling you can test many mitigation plans, implement countermeasures and measure effectiveness on the fly.

4. Ready, Fire, Aim. (instead of ready, aim, fire). Experiment with new attack models. Test the ramifications of turning off personal anti-viru software or opening a field office with contract technicians. Attack modeling lets you test without threatening the operation.

An ERP systems integrator maintained their own corporate messaging systems. Although they felt that security required them to keep corporate mail inhouse; the costs of content security maintenance were skyrocketing. An attack model showed a reduced dollar level of risk to their digital assets at a lower ongoing security cost; they are now using Google Apps, freeing up valuable internal resources and management attention at the cost of swallowing their pride and admitting that Google can provide better message security then their own internal IT operations team.

5. Make odd friends. Strangers can best help you see new attack scenarios, providing fresh ideas unprejudiced by your corporate judgment. Find advisors through social and professional networks who can help you anticipate the unexpected.

6. Smash functional barriers. Many companies separate IT security, fraud and physical security functions. What difference does it make if a notebook with sensitive M&A data is stolen from an executive’s desk by a competitor posing as a FedEx messenger? Attack modeling is a holistic practice that can help mitigate risk in all areas of your business.

Tell your friends and colleagues about us. Thanks!
Share this

Compliance, security and Wikileaks

This is an essay I wrote in 2004.  There is nothing here that doesn’t still ring true, especially with the latest round of Wikileaks disclosures. I wrote then and I still hold that  compliance and and data security technology cannot protect an organization from a data breach. The best security countermeasures  for protecting a company’s digital assets and individuals’ private information are uncompromising ethics and honest management.

On security and compliance

It’s impossible to ignore the fact that compliance (like it or not) is a driver for companies to invest in improving their software and data security past running a firewalls and anti-virus. While compliance drives companies into taking action, do compliance activities actually result in implementing and sustaining strong data security  management and technology countermeasures?  We will see that the answer is generally no.

There is plethora of compliance regulations. There is regulation for  Privacy(HIPAA/HHS), for Children: (Children’s Online Privacy Protection Act (COPPA) for Credit Card holders: (FCRA), for merchants (PCI DSS), for Public entities (Sarbanes-Oxley), for Insurance (State laws) , for Securities trading (SEC), for Telecom (New York State Public Service Commission rulings) and many many more.

Looking at the wide variety of regulations and standards we can see that compliance really comes in only 3 flavors:

  1. Governance regulation such as HIPAA and SOX.  Government compliance regulation is focussed on customer protection and requires a top down risk analysis process.
  2. Industry compliance regulation such as PCI DSS that focuses on protecting the card association supply chain, doesn’t require risk analysis and mandates a fixed control set (if you think that best-practice security control sets are a good idea, then stop and consider the abysmal failure of the Maginot line in WWII and the Bar Lev line in the Yom Kippur war in 1973).
  3. Vendor-neutral standards such as ISO 27001 that focuses on data and system protection, doesn’t require risk analysis nor consider asset values although it does provide what is arguable the most comprehensive set of controls.

Well-meaning as the regulators may be, there are two fundamental flaws in the security-by-compliance model:

  1. You can comply without being secure and use compliance as a fig-leaf for lack of data security
  2. You can invest in software and data security without being compliant

…We don’t invest in data loss prevention technology because it’s a criminal offense when one of our employee breaches critical filings. We feel the legal deterrent is sufficient.
IT Manager – Securities and Exchange Commission in a Middle East country

Privacy regulation trends in the US and Europe

Government-regulated privacy-protection of information is a natural response rooted in the field of telecommunications, since countries either own the telecom business outright or tightly regulate their industry. This has largely led to a view of electronic privacy as an issue of citizen rights versus state legislation and monopoly.

In the information age, privacy has two dimensions – intrusion and data breach:

  • Protection against intrusion by unwanted information or criminals; similar to the constitutional protection to be secure in one’s home.
  • Protection against data breach by controlling information flows about an individual’s or a business’s activities; for example preventing identify theft or protecting a company’s trade secrets.

Regulation has moved in two major directions–centralized general protection and decentralized ad-hoc protection. The EEC (European Economic Community ) has pursued the former, and passed comprehensive data protection laws with coordination on information collection and data flows. The United States, in contrast, has dealt with issues on a case-by-case basis (health-care, credit cards, corporate governance etc…) resulting in a variety of ad hoc federal and state legislation.

A synthesis of the European and the American approaches is to formulate a set of broad rules for vertical industry. This was the direction taken by the New York Public Service Commission on the issue of telecommunications privacy. However, U.S. privacy legislation remains considerably less strict than European law in the regulation of private databases. Two Representatives in the House Select Committee on Homeland Security are calling for a Privacy Czar. The Privacy Czar would be responsible for privacy policies throughout the federal government as well as ensuring private technology does not erode public privacy.

“Right now, there’s no one at home at the White House when it comes to privacy. There’s no political official in the White House who has privacy in their title or as part of their job description. Congress should take the lead here because this administration has not,” says Peter Swire, an Ohio State University law professor and former chief privacy officer in the Clinton administration in an interview with Wired back in 2006 – and in the Obama administration has anything changed?
(http://www.wired.com/news/privacy/0,1848,63542,00.html )

Horizontal applications

Sarbanes Oxley: enforcing corporate governance

The Sarbanes-Oxley Act (SOX) has had a major impact on US corporate governance SOX was a response to the accounting scandals and senior management excesses at some public companies in recent years. It requires compliance with a comprehensive reform of accounting procedures for public corporations to promote and improve the quality and transparency of financial reporting by both internal and external independent auditors. SOX regulation is enforced by the Public Company Accounting Oversight Board (“the Board”).

SOX Section 404 – “Management Assessment Of Internal Controls ” is indirectly relevant to data breach. It requires an “internal control” report in the annual report which states management responsibility and assesses effectiveness of internal controls. Companies are also required to disclose whether they have adopted a code of ethics for senior financial officers and the contents of that code.

SOX Section 409 – “Real Time Disclosure” implies that a significant data breach event be disclosed on “a rapid and current basis”. SOX also increases the penalties for mail and wire fraud increased from 5 to 10 years and creates a crime for tampering with a record or otherwise impeding any official proceeding.

HSS/HIPAA: enforcing patient privacy

Each time a patient sees a doctor, is admitted to a hospital, goes to a pharmacist or sends a claim to a health plan, a record is made of their confidential health information. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) gave Congress 3 years to pass health privacy legislation. In May 2003 – the HHS (Dept of Health and Human services implemented federal protections for the privacy of individual health information under the Privacy Rule, pursuant to HIPAA. Because of limitations of HIPPA, the rule is far from seamless and will require a lot more work in the US Congress by both parties to ensure privacy of personal health information.

My conclusion on all of this is:

  • SOX has been a strong driver for sales of  IT  products and services, but it’s totally unclear that the billions spent by corporate America on compliance has actually done much to improve customer protection.

Vertical Industries

Securities: Did we leave the cat guarding the cream?

Annette L. Nazareth, market regulation director at the U.S. Securities and Exchange Commission, outlined proposals at a securities industry conference in New York on May 21 calling for stock exchanges, as the Associated Press put it, “to abide by most of the requirements they set for companies they list.”
(http://www.sec.gov./news/speech/spch052104aln.htm )

Wow.

Insurance Industry: Federal versus free market

October 2003, witnesses before the Senate Commerce committee testified regarding insurance industry regulations. The committee analyzed the current US system, which relies on state law, and examined proposals for improving industry regulation. One of the central issues was whether or not the federal government should play a larger role in insurance industry regulation. Also discussed was the need to provide protection for consumers without forcing unnecessary regulations on insurance companies. Some senators expressed concerns about high insurance rates.

Conclusion

If you’re a vendor of IT products and services, it has become increasingly difficult to sell security with rising complexity of attacks and countermeasures and decision makers who find it difficult to understand what works and what doesn’t.

What will happen to the B2C security industry is hard to say. Perhaps the Intel McAfee acquisition is a sign of things to come where security becomes a  B2B  industry  like safety manufacturers for the aerospace and automotive industries.

Until security becomes built-into the cloud, my best suggestion for a business is don’t leave your ethics at home and don’t wait for the government to tell you what you learned from your parents at age 5 – put your toys away and don’t steal from the other kids.

Tell your friends and colleagues about us. Thanks!
Share this