ISO 17799 Information Aggregator

Issue 13

Posted: June 25th, 2006 | Filed under: Issues

ISO27000 Newsletter – Issue 13

Welcome to the latest issue of the ISO 27000 newsletter, designed to provide news and updates regarding the ISO information security standards.

Included in this edition are the following topics:
1) ISO 17799 Becomes ISO 27002
2) Logic Bomb Dangers Highlighted
3) The History of The Information Security Standards
4) Information Ownership Issues
5) More ISO 17799/27001 Frequently Asked Questions
6) Information Security News
7) ISO 27000 Related Definitions and Terms


ISO 17799 Becomes ISO 27002

Following the decision taken by ISO last year, ISO 17799 has finally been renamed to ISO 27002. The change of name is simply that: a change of name. The purpose is to align it more closely to ISO 27001 in terms of perception.

Of course, the name change could be misleading, as some people may erroneously believe that other changes have been applied. They haven’t. We therefore issue two clear recommendations:

1) If you already have a copy of ISO 17799:2005, you do not need to replace it with ISO 27002. The documents are identical except for references to the name.

2) On their website, ISO simply put up ISO 17799:2005, without even a new cover or any changes within. A single sheet accompanied it with the words “Replace ’17799′ with ’27002′”. However, the full replacement, with name changes applied to the document itself, can be obtained from Standards Direct (see left hand panel).

THE ISO 27000 TOOLKIT
To accommodate the change of name, the supporting ‘ISO 17799 Toolkit’ has also been renamed. It has also been updated, notably the policies, the roadmap and the presentation. It is documented on the toolkit website (see left hand panel).

Logic Bomb Dangers Highlighted
The recent case of a former US Government contractor pleading guilty to sabotaging Navy computers highlighted the need for constant vigilance with respect to so-called ‘logic bombs’.

Also known as ‘slag code’ and commonly associated with ‘disgruntled employee syndrome’, a logic bomb is a piece of program code buried within another program, designed to perform some malicious act. Such devices tend to be within the province of technical staff (non-technical staff rarely have the access rights and even more rarely the programming skills required) and operate in two ways:-

1. ‘Triggered Event’ – for example, the program will review the payroll records each day to ensure that the programmer responsible is still employed. If the programmer’s name is suddenly removed (by virtue of having been fired) the Logic Bomb will activate another piece of code to slag (destroy) vital files on the organization’s system. Smarter programmers will build in a suitable delay between these two events (say 2-3 months) so that investigators do not immediately recognize cause and effect.

2. ‘Still Here’ – in these cases the programmer buries coding similar to the Triggered Event type but in this instance the program will run unless it is deactivated by the programmer (effectively telling the program – “I am still here – do not run”) at regular intervals, typically once each quarter. If the programmer’s employment is terminated unexpectedly, the program will not be deactivated and will attack the system at the next due date. This type of Logic Bomb is much more dangerous, since it will run even if the programmer is only temporarily absent (eg through sickness, injury or other unforeseen circumstances) at the deactivation point. The fact that it wasn’t meant to happen just then is of little comfort to an organization with a bombed system.

Logic bombs demonstrate clearly the critical need for audit trails of activity on the system, as well as strict segregation of duties and access rights between those staff who create systems (analysts, developers, programmers) and the operations staff who actually run the system on a day-to-day basis.

The History of The Information Security Standards
Examination of the past often illuminates the present. This is certainly the case in terms of untangling the different acronyms and numbers associated with the information security standards.

The embryo of the security standards was actually a document published by the UK Government’s DTI in 1992. This was the ‘Code of Practice’ for Information Security Management. This was subsequently upgraded by BSI (the British Standards Institute), who published ‘BS 7799-1 – Code of Practice for Information Security’ in 1995. BSI enhanced this document, and also published a second part, BS7799-2, which was a specification for security management, in the late nineties.

In 2000 ISO finally appeared on the scene, adopting BS 7799-1 and renaming it to ISO 17799:2000. However, it wasn’t until 2005 that they eventually adopted BS7799-2, which became ISO 27001:2005. ISO 17799 was re-published in the same year, and as explained above, was renamed to ISO 27002 in July 2007.

Also in 2005 BSI published BS7799-3. This is ‘Guidelines for information security risk management’. Again, the chances are that this will eventually evolve into an ISO standard (possibly ISO 27005).

So we thus have:
ISO 27002:2005 – Code of Practice
ISO 27001:2005 – Specification for an ISMS
BS7799-3 – Risk Management.

It is not actually quite this simple though… because ISO are attempting to ‘normalize’ their entire numbering system. They want all their information security standards to be similarly numbered. That is reasonable of course, but many would argue what is not reasonable is simply to rename documents at a random point in time, rather than on the next upgrade.

Information Ownership Issues
It is essential that the ownership of information systems, data and files is formally established within the organization. This formal assignment invariably brings with it a more serious approach, ‘top down’, to the whole issue of information security.

Historically, all electronic systems and data files were considered to be “owned” by the IT department, but over recent years ownership has correctly moved towards the areas or individuals who actually create the information, or who are ultimately responsible for the data and systems output.

Usually, the person who creates, or initiates the creation or storage of the information, is the designated owner. In an organization, possibly with divisions, departments and sections, the owner becomes the unit itself with the person responsible being the designated ‘head’ of that unit.

The Information owner is normally responsible for ensuring:-

• that an agreed classification hierarchy is put in place and that this is appropriate for the types of information processed for that business / unit;
• that all information is classified and stored into the agreed types, and that an inventory (listing) is created;
• that each document or file within each of the classification categories, has its agreed (confidentiality) classification appended to it;
• that for each classification type, the appropriate level of information security safeguards are available (e.g. the logon controls and access permissions applied by the Information Custodian provide the required levels of confidentiality);
• that periodically there is a check to ensure that information continues to be classified appropriately and that the safeguards remain valid and operative.

If a designated owner of information leaves the organization, it is important to ensure that a new owner or custodian is immediately appointed to protect the approved levels of confidentiality and approve or decline access requests.

Many organizations have seen a demonstrable improvement in the cultural approach to security as a result of ownership clarification. It is a move certainly long overdue for those whose IT departments are still seen as data owners.

More ISO 17799/27001 Frequently Asked Questions

1) Where Do I Start with an ISMS?
The start point most often recommended for the implementation of a formal Information Security Management System (ref: 27001) is a definition of scope. This is in fact pure logic. Unless you define your boundaries you are unlikely to get too far without encountering significant difficulties. The scoping exercise itself is often quite illuminating.

2) How many companies are now certified?
At the last count this was well in excess of 2,000.

3) What is ISO Guide 62?
This guide contains the requirements applicable to an Accreditation Body (which subsequently bestows authority to issue certificates).

Information Security News
1) Sophos reports that malware is increasingly being spread via web pages, rather than via email, with sites in China and Hong Kong accounting for more than half the total. Most affected sites are victims themselves, having been compromised by hackers. In a separate report, Pandalabs report that malware detections increased by over 170% last year. Trojans now represent more than half of such attacks, with Bots on 14 percent and backdoors on 13 percent.

2) A recent survey by Network Box of 250 small businesses demonstrated an alarming indifference to security. 62 per cent had no system in place to protect against phishing, whilst a staggering 99% did not know how often their anti-virus software was updated.

3) The University of Missouri became the latest in a string of universities to suffer a serious security breach when hackers obtained more than 20,000 Social Security numbers (SSNs). Using IP addresses from China and Australia, the hackers made thousands of queries over a span of hours, obtaining one SSN at a time.

4) According to Symantec, Image Spam still accounts for more than 25% of all spam. This is essentially a technique which uses embedded images to bypass phishing filters. Whilst this is down from earlier in the year, the daily rates indicate a high level of variance. Spam itself accounts for 65 percent of all email at the SMTP layer.

5) A video clip was recently posted on YouTube showing union protestors examining trash awaiting collection outside Chase Bank in New York. The video shows loan application forms and other sensitive data being examined by the Service Employees International Union supporters. The clip again illustrates that low tech security issues remain a constant threat.

6) An audit has revealed that the IRS (The US Internal Revenue Service) lost almost 500 PCs in the 3 year period to the middle of 2006. It is believed that the personal information of at least 2,000 taxpayers could have been compromised as a result. The IRS have subsequently stated that they are “taking aggressive steps to further secure government equipment and protect sensitive data to mitigate the risk of potential identity theft or other fraudulent activity.”

ISO 27002 Related Definitions and Terms

In each ISO 27000 Newsletter we include a selection of terms and definitions to unravel and explain some of the jargon and strange language used by IT and Information Security professionals. In this edition, we provide a further selection of terms that all start with the letter ‘F’.

Finagle’s Law
The ‘folk’ version of Murphy’s Law, fully named ‘Finagle’s Law of Dynamic Negatives’ and usually rendered ‘Anything that can go wrong, will.’. One variant favored among hackers is ‘The perversity of the Universe tends towards a maximum.’. The label ‘Finagle’s Law’ was popularized by SF author Larry Niven in several stories depicting a frontier culture of asteroid belt miners. This ‘Belter’ culture professed a religion and/or running joke involving the worship of the dreaded god Finagle and his mad prophet Murphy.

Fit for Purpose
Fit for Purpose is a general expression which can be useful to ensure that Information Security solutions are appropriate for your organization. Vendors will sometimes attempt to ‘fit’ their solution to your problem. Fit for Purpose is an expression which, when used within the solution negotiation context, places an onus of responsibility upon the vendor to ensure that its solution is (indeed) fit for the purpose which their client expects. Example: a well known systems company contracted for the sale of their system. Inclusive in the price was one week of training in the system. During implementation it became apparent that one week for training was totally inadequate. The customer successfully claimed (prior to legal action) that the supplier’s solution was inadequate and hence not fit for purpose. When considering Information Security solutions, it is good practice to remind any potential suppliers in your requirement that the solution must be fit for purpose.

Flag
A message indication, sometimes, but not always, a warning to a user, which appears when a certain event takes place. For example, an inventory monitoring program may well ‘flag’ certain products when stocks fall below a predetermined level, to alert the user to re-order. An alternative use is to warn of an event which will take place in the future, but has not yet occurred, for example, a financial institution aware of large check-based transaction on a customer’s account may ‘flag’ the account to avoid an unauthorized overdraft. Flags may be generated manually or automatically, depending on circumstances. In the case of the stock monitoring this would be automatic, while the check transaction example would be processed manually. Automatic flags serve a useful purpose in drawing users’ attention to situations which otherwise may be overlooked.

Flame
‘Flame’ is abusive communication by E-mail or posting to a newsgroup, which attacks an individual or organization for some real or imagined grievance. The real problem is broader than that of a few rude e-mails: flame represents the anarchistic side of the Internet. The flame may start with only one abusive message, but it is broadcast so widely that large numbers of unconnected browsers join in – often on both sides of the argument. This can lead to ‘Flame Wars’, where the traffic load becomes so high that communications network performance degrades, and E-mail boxes become blocked – as is the case with bottlenecking and mail bombing. Problems for companies may arise if a member of staff has used an organization’s e-mail address to start the flame – another reason to monitor staff activities. Flame has some redeeming features. Deeply unpleasant (or disturbed) individuals who posted lengthy racist (or sexist, or some other -ist) diatribes have found themselves flamed off the Net….

Freeware
Literally, software provided for free – no charge. This is not as uncommon as might be expected. Major software developers often give away old versions of their products to allow users to try them at no charge and, hopefully, succeed in tempting them to purchase the current release. Independent developers may give away small programs to establish a reputation for useful software, which then enables them to charge. Cover disks attached to a computer magazine often contain Freeware. As with Shareware, Freeware should be approached with caution, and staff dissuaded from trying out their new Freeware on organization equipment.


Issue 12

Posted: June 20th, 2006 | Filed under: Issues

ISO17799 and ISO27001 Newsletter – Issue 12

Welcome to the latest issue of the ISO 27001 / ISO 17799 newsletter, designed to provide news and updates regarding the ISO information security standards.

Included in this edition are the following topics:
1) Recruitment and Security Risks
2) BS25999 Published
3) User Acceptance Testing: The Basics
4) Information Security News
5) More Frequently Asked ISO17799/ISO27001 Questions
6) ISO 17799 Related Definitions

RECRUITMENT AND SECURITY RISKS
One obvious potential weak link in your information security profile is the new recruits to your organization. If you do not advise them about your information security requirements and critical information security procedures in a timely fashion, then they may collectively create a significant risk to your information assets.

ALL management and staff are responsible for Information Security, including those new to the organization. It is vital therefore that they are brought ‘up to speed’ as quickly as possible.

Issues to be considered when addressing this include the following:
- Confidential data may be lost, damaged or compromised by staff with insufficient training.
- Data may be lost in error or through negligence because staff do not fully understand the risks involved.
- Data may be lost because Information Security measures have been installed incorrectly and their alarms and messages are misinterpreted.
- Confidential information may be compromised if new staff are not made aware of the scope of the organisation’s Information Security policies.

To overcome this potential exposure, we recommend that you document the critical security issues and procedures in an easy-to-understand booklet and provide formal induction training immediately upon the new recruit’s arrival. The recruits should also be obliged to sign a formal statement confirming that they have read, and understand, this document.

BS 25999 PUBLISHED
The long awaited standard for business continuity planning, which supports ISO17799 and ISO27001, has now been published. As with many international standards, BS 25999 will comprise two distinct parts: a code of practice (as ISO17799) and a specification (as ISO27001).

The first of these was published by BSI in December 2006. The specification will appear later in 2007.

The standard is designed to align with the BCM section within ISO 17799. It covers topics as diverse as strategy and plan maintenance, and even how to embed business continuity management into the organizational culture.

BS 25999 will have a significant impact upon the whole business continuity and disaster recovery landscape. As the first credible standard developed to provide clear and objective metrics, it is not hard to see why predictions regarding positive insurance implications, and market leverage, are so common.

USER ACCEPTANCE TESTING (UAT)
User acceptance testing (UAT) is a critical phase of any systems project and requires significant participation by the ‘End Users’. To be of real benefit, an Acceptance Test Plan (ATP) should be developed in order to plan precisely, and in detail, the means by which ‘Acceptance’ will be achieved. The final part of the UAT can also include a parallel run to prove the system against the current system.

The user acceptance test plan will vary from system to system but in general the testing should be planned in order to provide a realistic exposure of the system to all reasonably expected events/threats. The testing can be based upon the User Requirements Specification to which the system should conform.

As in any system though, problems will arise, and it is important to have determined what should be the expected and required responses from the various parties concerned; including Users; Project Team; Vendors and possibly Consultants / Contractors.

In order to agree what such responses should be, the end users and the project team need to develop and agree a range of ‘severity levels’. These levels will range from (say) 1 to 5 and will represent the relative severity, in terms of business / commercial impact, of a problem with the system, found during testing. Here is an example which has been used successfully – ’1′ is the least severe; and ’5′ has the most impact :-
1. Cosmetic; [e.g. print colors; fonts; etc.]
2. Minor; [Both testing and live operations may progress. This problem should be corrected, but little or no changes to business processes are envisaged.]
3. Major Problem; [Testing can continue but live this feature will cause severe disruption to business processes]
4. Critical Problem; [Testing can continue but the change cannot go into live operation]
5. Show Stopper; [It is impossible to continue with the testing because of the severity of this error / bug.]

The users of the system, in consultation with the executive sponsor of the project, must then agree upon the responsibilities and required actions for each severity of problem.

Even where the severity levels and the responses to each have been agreed by all parties, the allocation of a problem into its appropriate severity level can be a subjective matter. To avoid the risk of protracted exchanges over the categorization of problems, therefore, we strongly advise that a range of examples are agreed in advance to ensure that there are no fundamental areas of disagreement; or, if there are, that these will be known in advance and your organization is forewarned.

INFORMATION SECURITY NEWS
1) A number of Google related vulnerabilities have recently been highlighted, largely focused around Google’s cookies. These have exposed user documents, Gmail emails and search histories. All those so far identified have now been fixed, but this development does illustrate the increasing risks which are likely to occur as Google integrates more and more functionality into its product portfolio.

2) McAfee report that the nature of spam is again changing. Whereas text based spam used to be the norm, image spam is becoming increasingly common. According to their figures this now accounts for around 65% of all spam. Image spam uses images rather than text characters to deliver the usual nonsense. This of course poses different challenges to the anti-virus agencies, but they are adapting quickly.

On a related note, the overall volume of spam continues to increase, with Postini reporting that it now comprises 94% of all email.

3) Two traffic engineers in Los Angeles, California, have been charged with hacking a computer system to: disable traffic lights! It is alleged that this was motivated by an ongoing labor dispute.

4) OpenDNS report that the top five most targeted phishing firms are: PayPal, Barclays, eBay, Fifth Third Bank and Bank of America. Unfortunately, phishing is yet another area of rapid increase in terms of volume, and increased sophistication of attack techniques.

5) The importance of protecting your online identity has been highlighted again by McAfee. They report that online identity theft has increased by 250% since January 2004. The cost to the United States economy alone is believed to be around $40 billion per year.

MORE FREQUENTLY ASKED ISO 17799 / 27001 QUESTIONS
1) What Is ISO 27000 All About?
This is ISO’s projected series of information security related standards. ISO 27001 already exists, and it is proposed that ISO 17799 may be renamed to ISO 27002 later this year.

2) Where Does COBIT Fit Into The Equation?
Issue 11 of this newsletter explained the mapping between ISO17799 and COBIT in detail.

3) Has BS7799 Now Been Replaced?
BS7799-1 evolved into ISO17799, with BS7799-2 evolving into ISO27001. However, BS7799-3 was published late last year. This offers guidelines for information security risk management (ISRM), and it is expected that it too will evolve to become an ISO standard.

4) What is IRCA?
IRCA is the ‘International Register of Certified Auditors’, which offers professional recognition of auditing ‘competence’. It is basically the body which certifies auditors to audit against the ISO security standards.

ISO 17799 / ISO 27001 Related Definitions
In each newsletter we include a selection of definitions to explain some of the jargon used by Information Security professionals. In this edition, we have provided a selection of terms that start with the letter ‘H’.

Handshake
An electronic exchange of signals between items of equipment (fax machines, computers, etc.,) to establish that each has the necessary protocols installed to allow communication between them. An extension of the normal confirmation routine (handshake) is the ‘Challenge Handshake’ that is a demand for proof of identity and authorization.
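The ‘Challenge Handshake’ mentioned above is worth seeing end to end, because the reason it proves identity (where a plain handshake only proves that both sides speak the same protocol) is easy to get wrong in practice. The following is an added example, written for this newsletter archive and not taken from any standard or product: it assumes a pre-shared secret between the two parties, uses HMAC-SHA256 as the proof function and a random nonce as the challenge, and all names (Verifier, Claimant, compute_proof, run_handshake, demo) and secret values are constructed for the illustration.

```python
import hashlib
import hmac
import os
import time

# Pre-shared secret known to both parties (constructed demo value, not a real key).
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"


def compute_proof(secret: bytes, identity: str, nonce: bytes) -> bytes:
    """Proof of possession: HMAC-SHA256 over the claimed identity and the challenge.

    Binding the identity into the MAC means a proof produced for one user
    cannot be presented as proof for a different user.
    """
    return hmac.new(secret, identity.encode("utf-8") + b"|" + nonce, hashlib.sha256).digest()


class Verifier:
    """The side that issues the challenge and demands proof (e.g. a server)."""

    def __init__(self, secret: bytes, ttl_seconds: float = 30.0):
        self._secret = secret
        self._ttl = ttl_seconds
        # nonce -> (identity it was issued for, time it was issued)
        self._outstanding: dict[bytes, tuple[str, float]] = {}

    def issue_challenge(self, identity: str) -> bytes:
        nonce = os.urandom(16)  # fresh, unpredictable challenge for every handshake
        self._outstanding[nonce] = (identity, time.monotonic())
        return nonce

    def check_response(self, identity: str, nonce: bytes, response: bytes) -> bool:
        entry = self._outstanding.pop(nonce, None)  # single use: a replayed nonce is gone
        if entry is None:
            return False
        expected_identity, issued_at = entry
        if expected_identity != identity:
            return False
        if time.monotonic() - issued_at > self._ttl:  # stale challenge
            return False
        expected = compute_proof(self._secret, identity, nonce)
        return hmac.compare_digest(expected, response)  # constant-time comparison


class Claimant:
    """The side that must prove it holds the secret (e.g. a client)."""

    def __init__(self, identity: str, secret: bytes):
        self.identity = identity
        self._secret = secret

    def answer(self, nonce: bytes) -> bytes:
        return compute_proof(self._secret, self.identity, nonce)


def run_handshake(verifier: Verifier, claimant: Claimant) -> bool:
    """Full exchange: identity -> challenge -> response -> accept/reject."""
    nonce = verifier.issue_challenge(claimant.identity)  # verifier -> claimant
    response = claimant.answer(nonce)                     # claimant -> verifier
    return verifier.check_response(claimant.identity, nonce, response)


def demo() -> dict:
    """Runs the handshake under the conditions a verifier must handle correctly."""
    verifier = Verifier(SHARED_SECRET)
    genuine = Claimant("alice", SHARED_SECRET)
    impostor = Claimant("alice", b"guessed-wrong-secret")  # claims alice, lacks the secret

    results = {}
    results["genuine_accepted"] = run_handshake(verifier, genuine)
    results["impostor_rejected"] = not run_handshake(verifier, impostor)

    # Replay: a recorded valid (nonce, response) pair is submitted a second time.
    nonce = verifier.issue_challenge(genuine.identity)
    recorded = genuine.answer(nonce)
    first = verifier.check_response(genuine.identity, nonce, recorded)
    second = verifier.check_response(genuine.identity, nonce, recorded)
    results["replay_rejected"] = first and not second

    # Identity binding: alice's valid proof does not verify as bob's.
    nonce = verifier.issue_challenge("bob")
    foreign_proof = compute_proof(SHARED_SECRET, "alice", nonce)
    results["wrong_identity_rejected"] = not verifier.check_response("bob", nonce, foreign_proof)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The three properties the example checks (the secret never crosses the wire, each challenge is accepted at most once, and the proof is bound to the identity it was issued for) are what separate a challenge handshake that demonstrates identity from one that merely confirms both ends are talking.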

Hose and Close
An off-putting practice of some Support/Help Desk staff. In response to a question from a distressed user, Support responds with a deluge of technobabble which the user doesn’t understand, issues a series of abstruse command instructions, which the user cannot follow, and then hangs up before the user can come back with a request for a simple explanation.

Housekeeping
Routine care of a computer system to ensure that it is kept running in the most efficient manner. Housekeeping will normally include: routines to delete items such as temporary files, remove duplicates of files, check the integrity of the disk records, and generally tidy up the filing system.

Hot Desking
A relatively new approach to working whereby staff do not have their own dedicated facilities, but share them with others. Two scenarios are common:-
1. Call centers and similar functions which run 24 x 7 on shifts. As one staff member logs off and leaves, another takes over, logging on with a new ID and password.
2. ‘Field’ staff such as sales representatives check in to base to complete paperwork, upload/download files, etc. Such staff will use any desk/computer that happens to be free.
In either case password control systems and audit trails are essential to monitor which user is doing what.

Hardware Inventory
Master Hardware Inventory: A detailed list of all hardware owned by the organization, showing, amongst other things:- type, make, model, cost, location, and asset reference number.
Unit Hardware Inventory: A detailed list of hardware in order of user (individual or department). This sheet may be used for Audit checks to confirm that any given user still has the equipment detailed and no unauthorized additions, removals, or modifications have taken place.


Issue 11

Posted: June 20th, 2006 | Filed under: Issues

ISO17799 and ISO27001 Newsletter – Issue 11

Welcome to Issue 11 of the ISO27001/ISO17799 newsletter, designed to provide news and information with respect to the ISO information security standards. The information contained within the newsletter is absolutely free to our subscribers and provides guidance on various practical issues, plus commentary on recent Information Security incidents.

Included in this edition are the following topics:
1) BS7799 Emerges… Again
2) Information Security News
3) ISO 17799 and COBIT
4) ISO17799 Section 14: Terrorist Plot Reveals Continuity Weakness
5) More Frequently Asked ISO17799/ISO27001 Questions
6) Protecting Confidentiality Using An SLA
7) More ISO 17799 Related Terms and Definitions
8) It Couldn’t Happen Here…. Could It?

BS7799 EMERGES… AGAIN!
BS7799-1 became ISO 17799. Then, BS7799-2 emerged, to evolve into ISO 27001. Now: BS7799-3 has been born.

It is titled “Information security management systems – Part 3: Guidelines for information security risk management”, and is intended to provide guidance and support for the implementation of ISO27001. It is mooted that it too will eventually become an ISO standard: ISO 27005.

Risk management of course is part and parcel of information security, and also of the security standards. That BSI should introduce a standard embracing it is therefore no surprise. It can of course be obtained via BSI’s online outlet above.

INFORMATION SECURITY NEWS
1) The creators of the Zotob worm, which disrupted networks at a number of media outlets, have been jailed in Morocco for between one and two years. The worm is estimated to have caused $400 million in damages.

2) AT&T have admitted that the personal information of about 19,000 customers has been accessed by hackers via the company’s online store. The company is working with the law enforcement agencies to track down the perpetrators.

3) Telecom provider Verizon is also in the news, having admitted that an employee accidentally sent an email attachment containing information on about 5,000 customers to 1,800 of its customers.

4) A study of prosecutions by the US Dept of Justice has revealed that corporations attacked by cybercriminals over the last few years lost an average of $3 million per case.

5) A survey of 132 senior executives, conducted by ControlPath (http://www.controlpath.com), has revealed that 72% are not confident that they are complying with applicable regulations.

ISO 17799 AND COBIT
COBIT 4.0 complements the guidance within ISO/IEC 17799:2005, and is proving to be a significant Sarbanes-Oxley Act compliance aid.

Whereas the ISO/IEC 17799:2005 standard covers the wider spectrum of information security requirements, the COBIT guidelines provide in-depth control objectives and supportive management guidelines focusing specifically on information technology issues. The COBIT guidelines (Control Objectives for Information and related Technology) are issued by the Institute for IT Governance (http://www.itgi.org) and the Information Systems Audit and Control Association (http://www.isaca.org), and are fast becoming a key SOX compliance tool, following the recognition that IT controls represent important components in ensuring financial reporting accuracy and disclosure.

The ISO/IEC 17799:2005 standard comprises the following:

Introductory Sections
1 Scope
2 Terms and definitions
3 Structure of the standard

Information Security Guidance Sections
4 Risk assessment and treatment
5 Security policy
6 Organizing information security
7 Asset management
8 Human resource security
9 Physical and environmental security
10 Communications and operations management
11 Access control
12 Information systems acquisition, development and maintenance
13 Information security incident management
14 Business continuity management
15 Compliance

COBIT, however, is organized into 4 domains containing 34 sections as follows:

Domain PO – Plan & Organize
PO1 Define a strategic plan
PO2 Define the information architecture
PO3 Determine technological direction
PO4 Define the IT processes, organization and relationship
PO5 Manage the IT investment
PO6 Communicate management aims and relationships
PO7 Manage IT human resources
PO8 Manage quality
PO9 Assess and manage IT risks
PO10 Manage Projects

Domain AI – Acquire and Implement
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Enable operation and use
AI5 Procure IT resources
AI6 Manage changes
AI7 Install and accredit solutions and changes

Domain DS – Deliver and Support
DS1 Define and manage service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and allocate costs
DS7 Educate and train users
DS8 Manage service desk and incidents
DS9 Manage the configuration
DS10 Manage problems
DS11 Manage data
DS12 Manage the physical environment
DS13 Manage operations

Domain ME – Monitor and Evaluate
ME1 Monitor and evaluate IT performance
ME2 Monitor and evaluate internal control
ME3 Ensure regulatory compliance
ME4 Provide IT governance

COBIT 4.0 (the latest version) maps to ISO/IEC 17799:2005 in the following manner.

ISO 17799 chapter no.        4  5  6  7  8  9  10 11 12 13 14 15
COBIT 4.0 domains
Plan and Organize (PO)       L  H  L  L  H  H  H  H  L  L  M  L
Acquire and Implement (AI)   H  M  M  L  M  H  L  L  L  L  L  L
Deliver and Support (DS)     L  H  M  H  H  L  H  M  M  M  H  M
Monitor and Evaluate (ME)    L  M  L  M  L  L  L  L  L  L  L  L

Key to level of matching between COBIT 4.0 and ISO 17799:2005
H = Reasonably good match
M = Some matching
L = Low level or no matching

The above matrix will hopefully prove to be useful for those also embracing COBIT within their ISO 17799 / ISO 27001 remit.

ISO 17799 SECTION 14: CONTINUITY WEAKNESS EXPOSED BY TERRORIST PLOT
The recently foiled terrorist plot, which averted potential disaster on targeted US airlines flying out of UK airports, has focused attention on the lack of quality in the procedures and processes in place to maintain acceptable levels of airport baggage handling. The government’s handling of the crisis is also being criticized, with British Airways alone rumored to have lost over £50 million.

There was clearly a lack of preparation for this type of emergency at some UK airports. In particular, it has been reported that Ryanair is considering taking action over apparent BAA emergency staffing shortages, which Ryanair considers exacerbated the problem and resulted in additional cancellations.

When preparing business continuity plans for emergencies that can potentially disrupt normal operations, the business continuity planning team will identify “what if” scenarios that examine the potential impact of the failure or removal of one or more critical components within the business or operational processes. It could perhaps be said that it was difficult to predict that permitted carry-on luggage would suddenly be reduced to just travel documents, essential medicines and other emergency items, but this should have been a recognizable scenario identified during the planning process, no matter how low its perceived probability.

Once it has been accepted that this disruptive event could occur, the impact on the operations as a whole must be assessed and the level of ensuing crisis predicted. Assessing probability is an important part of the process, and can provide a yardstick for the financial and other resources you make available to safeguard against the event. But if such a scenario is a real possibility, then you must examine the impact of the event actually occurring, and not dismiss the scenario on the basis of a low probability factor.

After the potentially disruptive scenario has been identified, probabilities assessed, and the business, financial and public impacts predicted, suitable strategies should be formulated for mitigating the impact. Emergency procedures will also be developed to ensure that the impact on the business and the customers is minimized. Responsible management must also consider how they are going to resource these emergency procedures during the crisis and ensure that these emergency resources are always available.

When developing your business continuity plan it is important to ensure that adequate time is allocated to identifying and examining all the potential scenarios that could disrupt your business.

ISO17799 – MORE FREQUENTLY ASKED QUESTIONS
1) What is ISO 27000?
This doesn’t really exist as such. It is essentially a generic name given to standards of the form ISO 27nnn. Currently there is only one: ISO 27001. However, it is envisaged that ultimately ISO 17799 may become ISO 27002, and other information security standards may be numbered similarly within the 27000 series.

2) Where can I find old copies of ISO 17799 / ISO 27001 News?
The archive site is now located here.

3) Can I re-publish articles from this newsletter internally, on our company intranet, or even on our external website?
Yes, subject to a link to the newsletters archive web site above.

4) How do I become an ISO 27001 Lead Auditor?
Certification bodies, such as BSI, conduct a five-day workshop followed by an examination. Thereafter, different certification bodies have different requirements (e.g. number of years of security experience) and different procedures (e.g. on-the-job observation).

5) What is an Accreditation Body?
An accreditation body is an organization which bestows the authority to ‘certify’ (issue certificates) upon another body. Examples include ANAB, UKAS and the SCC.

PROTECTING CONFIDENTIALITY USING AN SLA
The confidentiality of information, data and records can be a particularly critical issue with respect to formal agreements. Within these, the two parties are usually referred to either as the “Client” and the “Supplier” or the “disclosing party” and the “receiving party”.

In a Service Delivery relationship, both the supplier and the client are likely to become aware of proprietary or trade secret information about the other party which should be treated in a confidential manner.

To cover this scenario, within the SLA, a basic wording could be used as follows:

“Both parties agree to keep confidential all information concerning the other party’s business or its ideas, products, customers or services that could be considered to be “confidential information”. “Confidential information” is any information belonging to or in the possession or control of a party that is of a confidential, proprietary or trade secret nature that is furnished or disclosed to the other party. Confidential information will remain the property of the disclosing party and the receiving party will not acquire any rights to that confidential information.”

Should this wording not be suitable for either the supplier or the client, then the two parties should formally agree on an alternative wording.

Important Note: If you haven’t got a formal service level agreement in place for your critical services… you should have!

ISO 17799 RELATED TERMS AND DEFINITIONS
In each ISO 17799 and ISO 27001 Newsletter we will include a selection of terms and definitions to unravel and explain some of the jargon and strange language used by Information Security professionals. In this edition, we have provided a selection of terms that all start with the letter ‘A’.

ACCESS
There are two types of access: physical and logical.

Physical Access. The process of obtaining use of a computer system (for example, by sitting down at a keyboard), or of being able to enter specific area(s) of the organisation where critical information or systems are located.

Logical Access. The process of being able to enter, modify, delete, or inspect records and data held on a computer system by means of providing an ID and password (if required). The view that restricting physical access relieves the need for logical access restrictions is misleading. Any organisation with communications links to the outside world carries the security risk of logical access. Hackers do not, generally, visit the sites they are hacking in person: they do it from a distance!

ACCESS RIGHTS
The powers granted to users to create, change, delete, or simply view data and files within a system, according to a set of rules defined by IT and business management. It is not necessarily true that the more senior a person, the more power is granted. For example, most data capture (essentially creating new files or transactions) is performed at a relatively junior level, and it is not uncommon for senior management to have access rights only to view data, with no power to change it. There are very good Internal Control and Audit reasons for adopting this approach.
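The access rights model just described, as an added illustration that is not part of the newsletter: a role-to-power table in which the most senior role holds only “view”, a default-deny authorisation check, and an audit record of every decision (the kind of log file the “Admissible Evidence” entry below refers to). The roles, users and record names are constructed for the example.

```python
"""Role-based access rights with default deny and an audit trail.

Added example, not from the newsletter. Roles, users and record names are
constructed for illustration; a real system would load them from its
directory and its policy store.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The four powers the definition lists.
ACTIONS = {"create", "change", "delete", "view"}

# Rules "defined by IT and business management": which powers each role holds.
# The most senior role holds only "view", as the definition describes.
ROLE_PERMISSIONS = {
    "data_entry_clerk": {"create", "view"},      # captures new transactions
    "records_supervisor": {"change", "view"},    # corrects, but does not create
    "records_manager": {"delete", "view"},       # authorises disposal only
    "finance_director": {"view"},                # senior: read-only
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": "data_entry_clerk",
    "bob": "records_supervisor",
    "carol": "records_manager",
    "dave": "finance_director",
}


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, user, action, target, allowed):
        # Every decision is logged as a normal part of processing, which is
        # the condition the "Admissible Evidence" entry gives for log files.
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "action": action,
            "target": target,
            "result": "ALLOW" if allowed else "DENY",
        })


def is_authorised(user, action, target, log):
    """Return True only if the user's role explicitly grants the action.

    Unknown users and unknown roles are denied: the default is no power at
    all, and seniority by itself grants nothing.
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    role = USER_ROLES.get(user)
    granted = ROLE_PERMISSIONS.get(role, set())
    allowed = action in granted
    log.record(user, action, target, allowed)
    return allowed


def permissions_for(user):
    """Sorted list of the powers a user holds (empty for unknown users)."""
    return sorted(ROLE_PERMISSIONS.get(USER_ROLES.get(user), set()))


if __name__ == "__main__":
    log = AuditLog()
    # The director can look, but not touch.
    print(is_authorised("dave", "view", "ledger/2006-06", log))     # True
    print(is_authorised("dave", "change", "ledger/2006-06", log))   # False
    # The clerk captures data but cannot delete it.
    print(is_authorised("alice", "create", "ledger/2006-06", log))  # True
    print(is_authorised("alice", "delete", "ledger/2006-06", log))  # False
    for entry in log.entries:
        print(entry)
```

The check consults the role table only; nothing about a user's title or seniority enters the decision, so a director who needs to correct a record must be given the supervisor role explicitly, and that grant is itself a visible change to the rules.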

ADMISSIBLE EVIDENCE
Admissible Evidence is ‘evidence’ that is accepted as legitimate in a court of law. From an Information Security perspective, the types of ‘evidence’ will often involve the production of a system’s log files. The log file will usually identify the fact that a login took place and that certain functions were performed. The issue of whether or not such a log file is legally admissible is not clear cut. However, opinion appears to be that as long as a computer record is generated as a normal part of business processing, and the computer and software were working as designed and expected, then it may be admissible. Advice from a lawyer is always recommended.

AI ARTIFICIAL INTELLIGENCE
The holy grail of IT folk: the concept of a machine thinking for itself. Despite the success of the recent blockbuster film starring Jude Law, don’t hold your breath.

ALPHA GEEK
The most knowledgeable, technically proficient person in an office, work group, or other, usually non-IT, environment. Born ‘fiddlers’ and ‘tinkerers’, they tend to ignore the basic rule of ‘If it ain’t broke, don’t fix it’, preferring to operate on the basis of ‘Fix it until it is broke’. Such people can be a considerable security risk, like ordinary Geeks, Anoraks and Tech-heads, only more so.

ANORAKS
Whimsical term for computer enthusiasts – usually, but not exclusively, young and lacking in social skills. The term derives from the preferred item of apparel for attending computer exhibitions, it being equipped with numerous sizeable pockets ready to be stuffed with all manner of obscure electronic gizmos. Some anoraks tend more to the software side of IT and may graduate to being Hackers. Anoraks certainly have their uses but, in many ways, are a security risk. Such persons are inclined to do things with, and to, an organization’s IT systems simply for the technical and intellectual challenge, rather than for any business benefit to the organization. Also known as Nerds, Geeks, and Tech-heads, the term is acquiring wider usage to describe any enthusiastic follower of obscure sports, hobbies, pastimes, etc.

ARCHIVE
An area of data storage set aside for non-current (old or historical) records, in which the information can be retained under a restricted access regime until no longer required by law or by the organization’s record retention policies. This is a field in which computers have distinct advantages over older paper files, in that computer files can be ‘compressed’ when archived to take up far less space on the storage media. Paper records can only be compressed by using microfilm, microfiche, or, more recently, by scanning into a computer system. Whichever system is chosen, care must be exercised to ensure that the records retained meet legal requirements should it ever be necessary to produce these records in a court of law.
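The archive regime described in this entry, as an added example that is not part of the newsletter: records are compressed when filed, readable only by archive roles, deleted only once their retention date has passed, and checked on retrieval against the digest taken at filing time, so that a record produced later can be shown to be unchanged since it was archived. The record content, roles and retention dates are constructed for the example.

```python
"""Archive store with compression, restricted access, retention and integrity.

Added example, not from the newsletter. The role names, record ids and
retention dates are constructed for illustration.
"""
import gzip
import hashlib
from datetime import date

# The "restricted access regime": only these roles may read archived records.
ARCHIVE_READERS = {"records_manager", "auditor"}


class Archive:
    def __init__(self):
        # record_id -> metadata plus the compressed bytes
        self._store = {}

    def archive(self, record_id, content: bytes, retain_until: str):
        """Compress the record and file it with its digest and retention date
        (retain_until is an ISO date such as "2012-03-31")."""
        if record_id in self._store:
            raise KeyError(f"{record_id} already archived")
        self._store[record_id] = {
            "blob": gzip.compress(content),
            # Digest of the original content, taken at filing time, so a later
            # retrieval can show the record is unchanged since archiving.
            "sha256": hashlib.sha256(content).hexdigest(),
            "retain_until": date.fromisoformat(retain_until),
            "size_raw": len(content),
        }

    def retrieve(self, record_id, role):
        """Return the original bytes. Raises PermissionError if the role may
        not read the archive, ValueError if the stored copy no longer matches
        the digest recorded when it was filed."""
        if role not in ARCHIVE_READERS:
            raise PermissionError(f"role {role!r} may not read the archive")
        entry = self._store[record_id]
        content = gzip.decompress(entry["blob"])
        if hashlib.sha256(content).hexdigest() != entry["sha256"]:
            raise ValueError(f"{record_id}: integrity check failed")
        return content

    def verify(self, record_id):
        """True if the stored copy still matches its filing digest."""
        entry = self._store[record_id]
        content = gzip.decompress(entry["blob"])
        return hashlib.sha256(content).hexdigest() == entry["sha256"]

    def purge_expired(self, today: str):
        """Delete only records whose retention period ended before today;
        return the ids removed, in filing order."""
        cutoff = date.fromisoformat(today)
        expired = [rid for rid, e in self._store.items()
                   if e["retain_until"] < cutoff]
        for rid in expired:
            del self._store[rid]
        return expired

    def compression_ratio(self, record_id):
        """Compressed size divided by original size (smaller is better)."""
        e = self._store[record_id]
        return len(e["blob"]) / e["size_raw"]

    def __contains__(self, record_id):
        return record_id in self._store


if __name__ == "__main__":
    # Constructed, deliberately repetitive ledger record.
    sample = b"2001-03-31 ledger entry 0001 GBP 12.50\n" * 200
    a = Archive()
    a.archive("ledger-2001", sample, "2008-03-31")
    print("ratio", round(a.compression_ratio("ledger-2001"), 3))
    print("intact", a.verify("ledger-2001"))
    print("purged today", a.purge_expired("2006-06-25"))   # [] : still retained
    print("purged 2009", a.purge_expired("2009-01-01"))    # ['ledger-2001']
```

Deletion is driven by the retention date alone, not by storage pressure, and the digest is stored beside the compressed blob rather than recomputed from it, so a corrupted or substituted blob is detected at retrieval rather than silently produced.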

IT COULDN’T HAPPEN HERE… COULD IT?
Every edition of The ISO17799/ISO27001 Newsletter features at least one TRUE story of an information security breach and its consequences:

1) Testing Back-Up Systems: Properly!
A company in Houston regularly tested its back-up generator, then discovered during an actual power failure that the motor required to start the generator was itself connected to the mains! The problem cost the business an estimated US$ 145,000.

The lesson: Make sure you test any back-up system thoroughly and under simulated conditions.

2) Lack of Emergency Procedures
A consultant checking on a New York organisation’s disaster recovery arrangements asked to see their back-up generator and related procedures. He was introduced to George, who had all the answers on how the process worked but could not produce any written procedures. Two weeks later gales tore down power cables and the customer could not get the generators started: George was away on holiday! Fortunately the organisation survived and has now developed WRITTEN emergency procedures.

The lesson: Make sure your emergency procedures are up to date and staff properly trained in their execution.

3) Fire at Chemical Warehouse
Two trainee auditors who worked for an accounting firm were involved in a year-end audit at a chemical warehouse in Sheffield, UK. A fire broke out in the warehouse and toxic fumes quickly spread throughout the facility. The evacuation procedures were known to the permanent staff, who immediately left on cue. The two auditors, who were working alone in one of the basement offices where records were stored, were not briefed on these procedures and their presence on-site was overlooked during the panic. They very nearly got trapped in an area that was gutted by the fire shortly afterwards, and were lucky to escape. They both spent a week off work due to inhaling toxic fumes, but it could easily have been very much worse.

The lesson: Make sure you set up an effective buddy system to cater for such events and make sure you include any temporary staff or third parties who may be visiting or working on the premises.

4) Your Favorite “It Couldn’t Happen Here” Story
Our poll of stories from previous issues revealed the following results:
1. The ‘Perfect’ Business Continuity Plan (Issue 9) 31.1%
2. Answering Machines Have No Loyalty (Issue 7) 26.7%
3. Who Audits the Auditor (Issue 10) 17.8%
4. The Disgruntled Employee Strikes Again (Issue 10) 7.8%
5. The Old Duplication Trick (Issue 5) 5.6%
6. When Disposal is Not Disposal (Issue 8) 3.3%
7. Intellectual Property Rights (Issue 10) 3.3%
8. A Simple One – But A common One (Issue 9) 2.2%
9. Confidential User-Ids (Issue 8) 2.2%


where download a ISO-17799 download toolkit?

Posted: June 7th, 2006 | Author: | Filed under: Uncategorized | 1 Comment »

A toolkit that is not a trial, demo or evaluation; I mean one available without purchase, shop or payment.

Best reply by aerospike:

ISO 17799 is not freely available to download. The IEC holds the copyrights and they do not publish it for free.

The policy by itself costs $209 USD and can be purchased from standardsdirect.com. They have a toolkit for $1295 USD.

Note that the BS ISO/IEC 17799 regulations are being improved by BS ISO/IEC 27001 (Information Security Management). You really must have both.

As far as answering your question, I have been doing ISO 17799 certifications for a few years and I have not found a free toolkit. There is however some piecemeal information on ISO 17799 at the SANS Reading Room, please check it out – located here:

http://www.sans.org/rr/

If you look under “Policies” there is some good information. ISO Certification doesn’t mean that you have to use their policies; it just means that you must have effective, repeatable, enforceable, and understandable policies.

Read the original question on Yahoo! site