ISO 17799 Information Aggregator

Issue 2

Posted: September 5th, 2010 | Filed under: Issues

Welcome to the second edition of the ISO17799 newsletter, designed to keep you abreast of news and developments with respect to 17799 and related information security issues. The newsletter combines original articles with pointers to useful and topical sources on the web.

This edition covers:

  • BSI Offer Discounted Standard
  • Computer Security Begins at Home
  • How the Standard Fits Together
  • Majority of Cyber Crimes are Not Reported
  • ISO17799 Resources
  • Downloading Information from the Internet
  • ISO17799 Positioning or Certification?
  • Less than 1% Reject Cookies
  • Disaster Recovery Focus Post Sept 11 (ISO17799 Section 11)
  • The ISO17799 Newsletter

BSI OFFER DISCOUNTED STANDARD

BSI have bundled both parts of the standard (see below) at a special discounted rate. The bundled Part 1 (which is now ISO17799) and Part 2 (BS7799-2:1999) can be obtained online from the BSI Electronic Shop.

COMPUTER SECURITY BEGINS AT HOME

Whilst everyone is aware of the importance of good information security measures in the office, these are often overlooked when an employee works from home, whether on a permanent or occasional basis. Dangers range from inadequate virus protection on a laptop or home computer, to the risk of confidential data being exposed to unauthorized users, or even a breach of the company’s computer network if accessed remotely.

To counter these risks, there are a number of security measures which should be taken when working from home or off-site. For example:

- Treat company property and/or data as you would in the office, according to company information security procedures
- Do not allow a laptop issued for business purposes to be used by family or friends
- Ensure that laptops are kept secure at all times, and protect access with a strong authentication mechanism
- Do not use the same computer for both business and personal use; or, where this is not possible, store company data on a separate disk with secure access and protection
- Valid licenses must be obtained for any software used at home to avoid a breach of Software Licensing laws
- Ensure that adequate virus protection software is installed on any computers used at home
- Specifically protect all sensitive business documents stored on laptops or home computers
- When connecting remotely to an office network, consider the use of a dial-back facility for added security, and always investigate the reason for failed access (your username may already be in use by an unauthorized person)

This guidance is brought to you courtesy of the RUSecure Interactive Security Manual.

HOW THE STANDARD FITS TOGETHER

The standard effectively comprises two parts:

a) Part 1: ISO/IEC 17799:2000 – this is the set of security controls… the measures and safeguards for potential implementation. It is the main body of the standard itself.

b) Part 2: BS7799-2:1999 – this is a standard ‘specification’ for an Information Security Management System (an ISMS). It is the means managers use to measure, monitor and control their security from a top-down perspective. It essentially explains how to apply ISO17799, and it is this part that can currently be certified against.

Part 2 defines a six-part process, broadly as follows:

1) Define a security policy
2) Define the scope of the ISMS
3) Undertake a risk assessment
4) Manage the risk
5) Select control objectives and controls to be implemented
6) Prepare a statement of applicability

This perhaps indicates to a degree why web sites and this newsletter focus so heavily upon risk analysis and security policies – they are absolutely central to ISO17799.

SECURITY POLICIES: Policies are of course ‘the bottom line’ – the rules which define the baseline requirements for your organization. It is therefore critical that they are top quality (see www.information-security-policies-and-standards.com for more information on security policies).

RISK ANALYSIS: You do not have to implement every control covered by ISO17799 – only those that are applicable and appropriate, the latter largely being determined via risk analysis.

MAJORITY OF CYBER CRIMES NOT REPORTED

A survey of the leading companies in 12 countries, undertaken by accounting firm KPMG, concluded that almost 10% had experienced a cyber-security breach during the past twelve months, but that the majority of these companies did not take any legal action against the offenders. A representative of KPMG was quoted as saying: “What we see in the cases that are reported to us is that companies are far more concerned in recovery of assets and keeping their names out of the newspapers than they would be about prosecutions. If they report their losses to regulators or law enforcers, then the focus of any investigation generally becomes the prosecution of offenders.” He also added: “The majority of frauds are committed by people inside the company. If someone has broad knowledge, they are more capable of bypassing any procedures they might have.” (From an article published on www.zdnetasia.com)

An Information Security incident must be reported to outside authorities whenever this is a requirement for compliance with legal requirements or regulations. By not reporting such an incident where it is legally required that you do so, your organization may be unwittingly aiding or abetting an offence. If you believe a crime has been committed, the following actions are strongly recommended:

- Contact the relevant regulatory body and / or law enforcement agency, as appropriate
- You may wish to take legal advice about the severity of the offence
- Gather evidence to prove malicious intent, especially if the suspects are members of staff; but consider carefully the validity of such evidence before reporting it to a third party
- Consider how best to support the investigative process with the minimum breach to your Information Security. You may wish to use a specialist Information Security organization if you lack in-house expertise.

ISO17799 RESOURCES

The first edition of ISO17799 News prompted a number of questions related to resources to help achieve compliance or certification. The following have therefore been identified as leading players for the various topics:

SECURITY POLICIES (ISO17799 Section 3)
The quality of security policies is of fundamental importance, as is their scope and relationship with ISO17799. The RUsecure Information Security Policies are one of several sets of ‘off the shelf’ policies that can be obtained commercially.

However, they are distinctive not only because of their quality, but because they fully embrace ISO17799. In fact, they optionally cross reference the standard, creating assurance for anyone who seriously wishes to demonstrate compliance.

The policy set is shipped in MS-Word format, enabling full editing to meet individual corporate demands. More information on these policies can be obtained from: RUsecure Information Security Policies

RISK ANALYSIS (ISO17799 – throughout!)
There is little doubt about which risk analysis product is the most closely aligned with ISO17799, and indeed the best known: COBRA. COBRA provides a fully comprehensive risk analysis capability (“risk analysis made easy”) as well as a front-line ISO17799 compliance management function.

Information on risk analysis itself, and COBRA in particular, can be obtained from www.riskworld.net

DISASTER RECOVERY PLANNING (ISO17799 Section 11)
Disaster recovery planning (or business continuity planning) is sometimes not fully embraced because it is seen as difficult or resource intensive. However, the recent trend is towards simplicity – to enable continuity planning to be grasped and implemented readily and easily.

The leading player in this trend is the BCP-Generator. This comprises two components: a template for a plan and an interactive guide to help you populate it. Both are MS-Word driven, enabling full control and flexibility. If you already have a plan, and perhaps wish to audit it or audit your contingency arrangements, The Disaster Recovery Toolkit is of similar ilk.

Both these products are described at: The Disaster Recovery Shop

DOWNLOADING INFORMATION FROM THE INTERNET

There is a wealth of information available today on the Internet, and the powerful search engines at our disposal enable us to access numerous web sites extremely quickly. The fact that this information is so readily available in the familiar environment of home or office often lulls us into a false sense of security when it comes to downloading files or data. Before doing so, we should consider the risks involved, such as a potentially destructive virus or other malicious code infecting our system, or the risk of system overload and subsequent failure.

The following guidelines are recommended when downloading information from the Internet:

- Ensure that you are in compliance with your company’s Information Security Policy before downloading any information
- Always choose the option to “Save this program to disk”, saving it to a temporary folder away from your main network; then run an up-to-date virus and malicious code scan; if clean, re-file in the desired location on your system.
- Be particularly careful with shareware or freeware programs – these are particularly suited to introducing “Trojan horses” and other malicious code to your computer system.
- Do not introduce software via the “back door” of the Internet. Only acquire and install software according to an agreed company procedure.
- Be aware that information on the Internet may not be reliable, and may have even been released with intent to cause damage or to defraud; try to validate the source of any information you wish to use, and check its date – information on the Internet can be several years old and still claim to be “new”.
- Be aware of the risk of overloading your computer system and its subsequent failure by downloading too many large files… this is easier to do than is sometimes realised.
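As an added example (not part of the newsletter, and not code from any product it mentions), the following Python script implements the “save to a temporary folder, scan, then re-file” procedure above as a quarantine directory with an explicit release step. It goes one step beyond the guidance by also comparing the file's SHA-256 digest with a checksum obtained from the vendor before release; the text itself does not mention checksums, so that check, the clamscan invocation, the directory names and the sample payload are all assumptions.

```python
import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Dict, Optional

# Added example: quarantine-then-release workflow for downloaded files.
# Not from the newsletter; clamscan usage and directory names are assumptions.

Scanner = Callable[[Path], Optional[bool]]


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large downloads do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def clamscan_if_available(path: Path) -> Optional[bool]:
    """Scan with clamscan if it is installed.

    Returns True (clean), False (malicious) or None (no scanner found).
    clamscan exits 0 for clean, 1 for infected, 2 on error; an error is
    treated as 'not proven clean'.
    """
    exe = shutil.which("clamscan")
    if exe is None:
        return None
    result = subprocess.run([exe, "--no-summary", str(path)], capture_output=True)
    return result.returncode == 0


def release_from_quarantine(path: Path, expected_sha256: str, dest_dir: Path,
                            scanner: Scanner = clamscan_if_available) -> Path:
    """Move a quarantined download into dest_dir only if every check passes.

    Raises ValueError (and leaves the file in quarantine) on a checksum
    mismatch, a malicious verdict, or when no scanner is available: an
    unscanned file is never released silently.
    """
    actual = sha256_of(path)
    if actual != expected_sha256.lower():
        raise ValueError(f"checksum mismatch for {path.name}: expected {expected_sha256}, got {actual}")
    verdict = scanner(path)
    if verdict is None:
        raise ValueError(f"no malware scanner available; {path.name} stays in quarantine")
    if not verdict:
        raise ValueError(f"scanner flagged {path.name} as malicious; it stays in quarantine")
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / path.name
    shutil.move(str(path), str(dest))
    return dest


def demo() -> Dict[str, bool]:
    """Run the workflow on a constructed file in a temporary directory.

    Uses a stub scanner that always reports 'clean' so the demo runs without
    ClamAV installed; in real use leave the default scanner in place.
    """
    root = Path(tempfile.mkdtemp())
    quarantine, software = root / "quarantine", root / "software"
    quarantine.mkdir()
    download = quarantine / "tool.zip"
    download.write_bytes(b"constructed sample payload, not a real archive")
    published = hashlib.sha256(download.read_bytes()).hexdigest()   # stands in for the vendor's checksum
    clean_stub: Scanner = lambda p: True

    outcome = {"bad_hash_rejected": False, "still_quarantined": False, "released": False}
    try:
        release_from_quarantine(download, "00" * 32, software, scanner=clean_stub)
    except ValueError:
        outcome["bad_hash_rejected"] = True
    outcome["still_quarantined"] = download.exists()

    released = release_from_quarantine(download, published, software, scanner=clean_stub)
    outcome["released"] = released.exists() and not download.exists()
    shutil.rmtree(root)
    return outcome


if __name__ == "__main__":
    print(demo())
```

The point of the structure is that the only way out of the quarantine folder is `release_from_quarantine`, and it refuses to move anything that has not been both verified and scanned; a missing scanner is a failure, not a pass.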

ISO17799 POSITIONING OR CERTIFICATION?

This is still the question that organizations approaching ISO17799 agonize over most, and it is an individual one for each: how far to go along the ISO17799 path. For some, nothing less than full certification will do, for a variety of possible reasons. For many, however, a positioning brief is adequate: reaching a position of compliance and then monitoring the market and industry carefully.

For most, the correct posture will be self evident. However, for those unsure of how far to proceed, the online presentation at The ISO17799 Directory may be helpful. This presents ISO17799 in the context of past, present and possible future.


LESS THAN 1% OF WEB USERS REJECT COOKIES

The results of a recent survey of one billion pages from high-volume Web sites concluded that cookies were rejected only 0.68% of the time. The Chief Privacy Officer at WebSideStory, the U.S. company which carried out the survey, said: “Although some Web surfers may not know how to disable cookies in their browsers, such a minute percentage indicates that cookies are simply not a big concern among most Internet users”. However, the use of cookies has also raised concerns over consumer privacy. For example, a recent lawsuit against the Internet advertising company DoubleClick accused the company of illegal “cookie-frenzy”. Also, Amazon has admitted to using cookies to determine product pricing, and may give first-time visitors to their Web site (or those who disable their cookies) larger discounts than regular visitors. (From an article published on www.theregister.co.uk)

What is a Cookie?

For the unaware, a cookie is a small text file placed on a user’s computer by a Web site which can log information about the user and the number of visits they make to the site. Web site owners claim that cookies are beneficial to the user, allowing faster access and ‘personalization’ of the site for that user. However, the use of cookies also raises a number of security issues.

The following guidelines are appropriate:

- You should be aware that confidential data may be stored by means of a cookie saved on your PC and accessed by a Web site whilst you are browsing – most likely without your knowledge.
- To turn off automatic cookies, select the security function from your browser toolbar and set “receive cookies” to “off”.
- Alternatively, cookies may be monitored by the use of cookie management software.
- Ensure that you disable cookies from sites which might potentially share your details with third parties.
- Where possible, avoid entering confidential data on Web sites or other Internet resources.
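To make the guidance above concrete, here is an added example (written for this page, not code from the newsletter or any browser) of the decisions a browser-side cookie policy has to make: which server is allowed to set a cookie for which domain, which cookies are “third-party” (set by a site other than the one the user visited and therefore rejected, as the list recommends), and which accepted cookies lack the Secure and HttpOnly attributes that keep them off plain HTTP and away from page scripts. The hosts, cookie names and headers are constructed sample data, and the registrable-domain approximation is an assumption noted in the code.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example: a browser-side cookie policy check.
# Not from the newsletter; hosts, cookie names and headers below are constructed.


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str]   # Domain attribute (None = host-only cookie)
    secure: bool            # only sent over HTTPS
    httponly: bool          # not readable by page scripts


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (RFC 6265 syntax, simplified)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    domain: Optional[str] = None
    secure = httponly = False
    for attribute in parts[1:]:
        key, _, val = attribute.partition("=")
        key = key.strip().lower()
        if key == "domain" and val.strip():
            domain = val.strip().lstrip(".").lower()   # a leading dot is ignored
        elif key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
    return Cookie(name.strip(), value.strip(), domain, secure, httponly)


def domain_matches(host: str, domain: str) -> bool:
    """True when host is domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def site_of(host: str) -> str:
    """Approximate the registrable domain by the last two labels.

    A real browser consults the public suffix list (so that 'co.uk' is not
    treated as a site); that refinement is omitted here.
    """
    return ".".join(host.lower().split(".")[-2:])


def evaluate_cookies(page_host: str,
                     responses: List[Tuple[str, List[str]]]) -> Dict[str, List[str]]:
    """Decide which cookies to keep for a page the user visited.

    page_host: the site the user deliberately navigated to.
    responses: (responding host, Set-Cookie header values) for every resource
               the page loaded, including embedded third-party content.
    Returns accepted cookie names, rejected cookies with a reason, and warnings
    for accepted cookies that lack protective attributes.
    """
    result: Dict[str, List[str]] = {"accepted": [], "rejected": [], "warnings": []}
    for host, headers in responses:
        for header in headers:
            c = parse_set_cookie(header)
            # Rule 1: a server may only set cookies for itself or a parent domain.
            if c.domain is not None and not domain_matches(host, c.domain):
                result["rejected"].append(f"{c.name}: Domain={c.domain} does not cover {host}")
                continue
            # Rule 2 (the guidance above): reject cookies set by a site other than the one visited.
            if site_of(host) != site_of(page_host):
                result["rejected"].append(f"{c.name}: third-party cookie set by {host}")
                continue
            result["accepted"].append(c.name)
            if not c.secure:
                result["warnings"].append(f"{c.name}: no Secure attribute, sent over plain HTTP too")
            if not c.httponly:
                result["warnings"].append(f"{c.name}: no HttpOnly attribute, readable by scripts")
    return result


PAGE_HOST = "shop.example.com"
SAMPLE_RESPONSES = [   # constructed sample data
    ("shop.example.com", [
        "session=abc123; Path=/; Secure; HttpOnly",
        "prefs=lang%3Den; Path=/",
    ]),
    ("cdn.example.com", ["cdn_id=7; Domain=example.com; Path=/; Secure; HttpOnly"]),
    ("ads.tracker-network.net",
     ["uid=987654; Domain=.tracker-network.net; Path=/; Max-Age=31536000"]),
    ("shop.example.com", ["poison=1; Domain=tracker-network.net; Path=/"]),
]

if __name__ == "__main__":
    for category, entries in evaluate_cookies(PAGE_HOST, SAMPLE_RESPONSES).items():
        print(category)
        for entry in entries:
            print("  ", entry)
```

On the sample data the session and preference cookies from the visited site are kept, the tracker's cookie is rejected as third-party, the cookie that tries to claim a foreign domain is rejected outright, and the preference cookie is reported for travelling over plain HTTP and being readable by scripts, which is the “confidential data stored in a cookie” risk the first bullet describes.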

MORE FOCUS ON BCP (ISO17799 Section 11) FOLLOWING SEPT 11

“To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.” – ISO17799 Section 11 objective

“A business continuity management process should be implemented to reduce the disruption caused by disaster and security failures (which may be the result of, for example, natural disasters, accidents, equipment failures, and deliberate actions) to an acceptable level through a combination of preventative and recovery controls.” – ISO17799

The tragic events of 11 September 2001 have resulted in a reappraisal of disaster recovery arrangements by many companies. Firms who supply products which assist with contingency planning and crisis management are reporting a significant increase in the number of those seeking advice and guidance.

Terence Hewett, of Glendale Systems, developers of the BCP Generator product, comments, “Companies are recognizing that they need to give greater importance and urgency to preparing for unexpected events that can affect their ability to stay in business. If your disaster recovery plan is in place then you have a reasonable chance of staying afloat if disaster strikes your business. This is obviously in your shareholders’, your customers’ and your employees’ best interests.”


Issue 6

Posted: September 1st, 2010 | Filed under: Issues

ISO17799 News – Issue 6

Welcome to this, the sixth edition of the ISO17799 newsletter, designed to keep you abreast of news and developments with respect to the ISO 17799 information security standard.

The information contained is free to our subscribers and provides guidance on a range of practical issues, plus commentary on recent Information Security incidents.

1) Obtaining ISO17799 Itself
2) Information Classification Criteria
3) ISO17799 – a Worldwide Phenomenon
4) Third Party Cyber Crime Attacks
5) ISO17799 and Software
6) Employee Internet Abuse
7) More Frequently Asked Questions
8) My Favorite Web Sites
9) Continuity Backup and Recovery Strategy (Section 11)
10) More on SLAs (Section 4)
11) Employee Confidentiality Undertakings
12) BSI Certifications
13) It Couldn’t Happen Here…. Could It?

OBTAINING ISO 17799

The standard itself is available from:

http://www.iso17799-made-easy.com

This is the home page for the ISO17799 Toolkit. This package was put together to help those taking the first steps towards addressing ISO17799. It includes both parts of the standard, audit checklists, a roadmap, ISO17799 compliant security policies, and a range of other items.

http://www.iso17799.net

This is the ISO17799/BS7799 Electronic Shop. Essentially it is an online vending site for downloadable copies of the standard.

INFORMATION CLASSIFICATION CRITERIA

An important task for the Information Security Manager (or the person who is assigned these duties) is to establish a system to classify the organization’s information with respect to its level of confidentiality/importance.

It is advisable to restrict the number of classification levels in your organization to a manageable number, as having too many makes maintenance and compliance difficult. For those currently without a structure, we suggest a five point system:

- Top Secret: Highly sensitive internal documents. For example: impending mergers or acquisitions; investment strategies; plans or designs that could seriously damage the organization if lost or made public. Information classified as Top Secret has very restricted distribution and must be protected at all times. Security at this level is the highest possible.

- Highly Confidential: Information that is considered critical to the organization’s on-going operations and could seriously impede them if made public or shared internally. Such information includes business plans, accounting information, the sensitive information of customers of banks, solicitors, or accountants etc.; patients’ medical records, and similar very sensitive data. Such information should not be copied or removed from the organization’s operational control without specific authority. Security should be very high.

- Proprietary: Procedures, operational work routines, project plans, designs and specifications that define the way in which the organization operates. Such information is normally for use by authorized personnel only. Security at this level is high.

- Internal Use Only: Information not approved for general circulation outside the organization where its disclosure would inconvenience the organization or management, but is unlikely to result in financial loss or serious damage to credibility. Examples include: internal memos, minutes of meetings, internal project reports. Security at this level is controlled but normal.

- Public Documents: Information in the public domain: annual reports, press statements etc. which have been approved for public use. Security at this level is minimal.

Care should always be applied regarding a user’s tendency to over-classify their own work. It is sometimes erroneously assumed that the classification level assigned to a user’s work reflects directly on the individual’s own level of importance within the organization.

ISO17799 – A WORLDWIDE PHENOMENON

Our source list for purchases of ISO17799 has proved a popular talking point in previous editions of ISO17799 News, so here is the latest version:

Argentina 1
Argentina 2
Australia 7
Austria 7
Barbados 2
Belgium 9
Bermuda 1
Bosnia and Herzegovina 1
Brazil 6
Brunei 1
Canada 68
Cayman Islands 1
Chile 4
China 3
Colombia 6
Costa Rica 1
Croatia 1
Cyprus 1
Denmark 11
Egypt 4
France 6
Germany 31
Gibraltar 1
Greece 4
Guatemala 1
Hong Kong 9
Hungary 2
India 6
Indonesia 4
Ireland 14
Isle of Man 1
Israel 1
Italy 26
Japan 6
Malaysia 5
Mexico 12
Netherlands 18
New Zealand 3
Norway 12
Panama 1
Portugal 2
Russia 4
Saudi Arabia 2
Singapore 10
Slovak Republic 1
Slovenia 2
South Africa 6
Spain 17
Sultanate of Oman 1
Sweden 8
Switzerland 24
Taiwan 3
Thailand 2
Tunisia 1
Turkey 2
UAE 4
UK 298
USA 326
Venezuela 2

The same health warnings apply as did last time: these are online credit card sales. As a consequence, those cultures that are less familiar with this form of commerce will be under represented in the figures.

THIRD PARTY CYBER CRIME ATTACKS

This critical topic is covered in ISO/IEC 17799 under Section 9.4 “Network Access Controls”.

There is, of course, a high risk of external security breach where network security is inadequate. It is extremely important to have an effective policy statement covering this risk area… for the following reasons:

· Criminals may target your organization’s information systems, resulting in serious financial loss and damage to your business operations and reputation.
· Cyber crime is an ever-increasing area of concern, and suitable training must be given to those persons responsible for network security to minimize such risks.

A suitable high level policy statement covering this could be as follows:

“Security on the network is to be maintained at the highest level. Those responsible for the network and external communications are to receive proper training in risk assessment and how to build secure systems which minimize the threats from cyber crime.”

It is necessary to build adequate defences against such attacks. The following areas are among those that should be considered:

· Verify that the primary safeguards of your network and those of your individual systems are in place.
· Identify the access points of your network layout, and verify that the current safeguards are operational.
· Consider the following network protection facilities, some of which offer multiple features:
- Intrusion detection software that records attempted and successful access to your systems.
- Pattern (usage) analysis, which identifies changes in on-line activity that may indicate a criminal attack.
- Access control lists and facilities, which record certain activities for specific files, such as: read, write, execute, delete.
- System based accounting records.
- Network usage analysis, which identifies application access and reports on user authorization levels.
- Network packet sniffing software to detect attack origins.
- URL blockers (e.g. your firewall) that can prevent connection from specific, untrustworthy web sites and / or other computers.
- Word pattern usage analysis that can help e-mail system administrators track down breaches in e-mail policies.
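The first two facilities in that list, intrusion detection that records attempted and successful access and pattern analysis that spots changes in activity, can be illustrated with a small worked example. It also covers the advice in Issue 2 (Computer Security Begins at Home) to investigate failed access attempts because the account may already be in use by someone else. This is an added example, not code from the newsletter or from any product it names: it runs simple sliding-window detection logic over constructed sshd-style authentication log lines, flagging a source that fails five times within a minute and, separately, a successful login that immediately follows a run of failures. The log format, the thresholds and the assumed year (syslog lines carry none) are all assumptions.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Added example: intrusion-detection logic over sshd-style auth log lines.
# Not from the newsletter or any product it names; log format, thresholds
# and the year are assumptions.

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)
LOG_YEAR = 2001                      # syslog lines carry no year; assumed
FAIL_WINDOW = timedelta(seconds=60)
BRUTE_FORCE_THRESHOLD = 5            # failures from one source inside the window
SUSPECT_SUCCESS_AFTER = 3            # a success after this many recent failures


@dataclass
class Alert:
    kind: str        # "brute-force" or "success-after-failures"
    src: str         # source IP address
    user: str        # account named in the triggering line
    when: datetime


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, outcome, user, source) or None for lines we do not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())            # collapse 'Oct  3' to 'Oct 3'
    when = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return when, m["outcome"], m["user"], m["src"]


def detect(lines: Iterable[str]) -> List[Alert]:
    """One pass over the log with a per-source sliding window of recent failures."""
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged_sources = set()                     # report each brute-forcing source once
    alerts: List[Alert] = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        when, outcome, user, src = event
        window = recent_failures[src]
        while window and when - window[0] > FAIL_WINDOW:   # expire old failures
            window.popleft()
        if outcome == "Failed":
            window.append(when)
            if len(window) >= BRUTE_FORCE_THRESHOLD and src not in flagged_sources:
                flagged_sources.add(src)
                alerts.append(Alert("brute-force", src, user, when))
        elif len(window) >= SUSPECT_SUCCESS_AFTER:
            # An accepted login right after a run of failures: the account may now
            # be in use by someone other than its owner, which is exactly the case
            # the home-working guidance says to investigate.
            alerts.append(Alert("success-after-failures", src, user, when))
    return alerts


SAMPLE_LOG = """\
Oct 12 03:14:01 gw sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Oct 12 03:14:03 gw sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2
Oct 12 03:14:05 gw sshd[2213]: Failed password for root from 203.0.113.7 port 50124 ssh2
Oct 12 03:14:07 gw sshd[2214]: Failed password for alice from 203.0.113.7 port 50125 ssh2
Oct 12 03:14:09 gw sshd[2215]: Failed password for alice from 203.0.113.7 port 50126 ssh2
Oct 12 03:14:15 gw sshd[2216]: Accepted password for alice from 203.0.113.7 port 50130 ssh2
Oct 12 03:20:00 gw sshd[2301]: Failed password for bob from 198.51.100.20 port 41000 ssh2
Oct 12 03:25:00 gw sshd[2302]: Accepted password for bob from 198.51.100.20 port 41001 ssh2
Oct 12 03:26:00 gw sshd[2303]: Accepted publickey for carol from 192.0.2.9 port 39000 ssh2
"""   # constructed sample lines

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a.when:%b %d %H:%M:%S}  {a.kind:<24} {a.src:<15} user={a.user}")
```

On the sample lines the source 203.0.113.7 is reported once for brute force at its fifth failure and again when alice's password is accepted six seconds later; bob's single typo five minutes before a clean login falls outside the window and is ignored, which is the behaviour you want so that the alert queue stays small enough that someone actually investigates it.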

Further advice on this risk area and all others covered within ISO/IEC 17799 can be obtained from the RUSecure Security On-line System at: http://www.yourwindow.to/security-policies/

ISO17799 AND SOFTWARE

We are sometimes asked about the role of software/products with respect to ISO17799, particularly the two most well known offerings, COBRA and The ISO17799 Toolkit. Where do they fit in? Are they competitor products or do they complement each other? How do they help?

The truth is that they fulfill completely different needs:

A) The ISO17799 Toolkit comprises the basic building blocks: the standard itself (both parts), 17799 cross referenced security policies, and so on. It is intended to ‘get you going’ on the right path straight away, by providing some basics, as well as guidance and explanations by way of presentations, a glossary, a roadmap, etc. It can basically be seen as an introduction and starting pack for compliance with the standard.

B) COBRA on the other hand is designed to help you manage that compliance. It takes you through the standard and ultimately measures your compliance level, pointing out where you fall short. Quite apart from this it is one of the most widely used (possibly THE most widely used) risk analysis systems in the world… and bear in mind that risk analysis is integral to the requirements of the standard… references to ‘as determined by risk assessment’ are almost interwoven.

In essence therefore, one product gets you started, the other helps you manage.

SOURCES
For further information on the ISO17799 Toolkit, and to obtain a copy, see: http://www.iso17799-made-easy.com

For COBRA, see: http://www.security-risk-analysis.com

EMPLOYEE INTERNET ABUSE

Although employers are placing increased emphasis on setting up policies covering internet and email abuse, the message is not always getting across to the employees. According to Eric Jacksch, who is president of a leading Canadian IT security firm, employees are continuing to put their employers at risk and also wasting significant levels of corporate resources. These abuses include inappropriate use of email, loss of productivity through slow web access, and the downloading of music, games and pornography.

It is suggested that the first steps to address this are as follows:

- The first step is to ensure that your organization has a clear policy on the acceptable use of the organization’s information resources

- Secondly, ensure that this (and other information security policies) is delivered effectively to the employee either through the PC or workstation/desktop, or through the organization’s intranet. Also, ensure that the employee is made fully aware of the consequences of non-compliance.

- Thirdly, ensure that the employee is made aware of the organization’s right to monitor all email and internet traffic in and out of the organization.

These steps alone should reduce the scale of the problem, but equally importantly, they lay a solid foundation should further action be required. For more policies see the address above.

ISO17799 – MORE FREQUENTLY ASKED QUESTIONS

1) Where can I find back issues of the ISO17799 Newsletter?
All back issues are posted to: http://www.iso17799-web.com

2) Who published ISO 17799? BSI or ISO?
Both… sort of. ISO 17799 is an ISO standard of course. However, there is a Part 2 to cover security management systems. This is published by BSI as BS7799 Part 2.

3) Where can I find a consultant specifically for ISO 17799?
Email iso17799@7safe.com or see The ISO17799 Consultants Directory at: http://www.iso17799world.com

4) Can I discuss ISO17799 with people online?
A new forum has recently been created at: http://groups.yahoo.com/group/iso17799security/.

5) Can I re-publish parts or all of ISO17799 News on our company intranet or via internal communication?
Subject to reference to the source web site (see Question 1) permission is almost always granted.

6) What is the difference between accreditation and certification?
An accreditation body (usually a national one) authorizes certification bodies to issue certificates. It is therefore the certification body that audits an organization and certifies it against the standard; the accreditation body only confers the right to do so on the certification company.

7) What are the 10 sections of ISO17799?
- Security Policy
- Security Organization
- Asset Classification and Control
- Personnel Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Systems Development and Maintenance
- Business Continuity Management
- Compliance

MY FAVORITE WEB SITES

From time to time we will invite a well known information security figure to nominate their favorite IS related web sites. For this issue we present the favorites of Jenni Harrison of the ISO17799 Directory.

a) Your Window To…
This is a little known portal with a wealth of free to access resources. (www.yourwindow.to)

b) BBC…
Not just news, almost an encyclopedia of resources. (www.bbc.com)

c) CCCure…
A rich source of information for CISSP. (www.cccure.org)

SECTION 11: CONTINUITY BACK-UP / RECOVERY STRATEGY

One of the most important aspects of Business Continuity Planning for the majority of organizations is in choosing an appropriate strategy for the back-up and recovery of the IT based systems.

In this section of the planning process, the key business processes are normally matched against the IT systems and an appropriate speed of recovery strategy is chosen. This may require some in-depth research to determine the relevant costs of each strategy. It may also be necessary to prepare a detailed Request for Proposal for vendors to establish the viability and cost of the preferred strategic approach and related support.

Consideration should also be given to the impact of potential severe damage to both premises and communication systems which could have a significant impact on the organization’s IT services and systems.

There are a number of strategic options to be investigated when considering IT systems back up and recovery processes. The two most important factors to be considered are the criticality of the IT systems to the business process itself (the speed of recovery needed), and the amount of money available for IT back up and recovery strategies. The options, in descending order of cost, are as follows:

Fully mirrored recovery site
This strategy entails the maintenance of a fully mirrored duplicate site which would enable instantaneous switching between the live site and the back up site. This is normally the most expensive option.

Switchable hot site
This strategy involves the establishment of a commercial arrangement with a vendor who will guarantee to maintain an identical site with communications to enable you to switch your IT operations to his site within an agreed time period, usually less than one to two hours.

Hot site
This strategy involves the establishment of a commercial arrangement with a vendor who will guarantee to maintain a compatible site to enable you to switch your IT operations to his site within an agreed time period, usually less than six to twelve hours.

Cold site
This strategy involves the setting up of an emergency site once the crisis has occurred and has a standby arrangement with a vendor to deliver the minimum configuration urgently. This option usually enables the organization to be operational within two to three days.

Relocate and restore
This strategy involves the identification of a suitable location, hardware and peripherals and re-installing the systems and backed up software and data after an emergency has occurred. This strategy is often considered to be inadequate for the needs of today’s business.

No effective back-up strategy
This at first glance appears to be the cheapest strategy but it also carries the highest risk as it will often involve no effective off-site back up of systems or data. As you would expect, this strategic option usually ends up with the organization eventually going out of business as they are not prepared for any unexpected emergencies occurring. You would be surprised at the number of businesses that adopt this approach to Business Continuity and Disaster Recovery. It often ends up being the most expensive strategy of all.

Finally, if you do decide to outsource some or all of these IT disaster recovery back-up processes don’t forget to insist that your supplier also has adequate business continuity planning processes in place that are up-to-date and fully tested!

Additional advice and guidance on Business Continuity and Disaster Recovery Planning can be found at: http://www.disaster-recovery-guide.com

MORE ON SERVICE LEVEL AGREEMENTS

Service Level Agreements (SLAs) are covered in Section 4 of ISO/IEC 17799 and it is important that both the Supplier and the Purchaser/User of IT and other services fully understand the implications and responsibilities inherent in such agreements.

An SLA is effectively a proxy contract that the two parties have negotiated and signed, specifying the terms and conditions under which the service delivery is to be effected.

Both parties must clearly understand their respective roles and responsibilities in respect of the delivery of these services, and this information is usually included in the SLA. The Supplier and the Purchaser/User are identified together with a statement of expectations and abilities. The Purchaser/User should also fully understand the cost of receiving these services and the basis for the calculation of those costs. The Supplier is accountable for the quality and performance levels of the services and the service availability.

A comprehensive and interactive electronic guide to simplify the preparation and understanding of SLAs is now available. Further information can be found at: http://www.service-level-agreement.net

EMPLOYEE CONFIDENTIALITY UNDERTAKINGS

It is increasingly important that employees are required to sign confidentiality undertakings to their employers. The following guidance is given for consideration, although organizations are recommended to seek further expert opinion on the suitability of such statements to their own contracts of employment:

‘Confidential Information’ normally means any information which is not generally known in the relevant trade or industry, and belongs to the Organization, or is learned, discovered, developed, conceived, originated or prepared during, as a result of, or in connection with, the Employee’s work, or relates to the Organization’s customers or clients, including but not limited to:
- Information which is unique to the Organization
- Information relating to the existing or contemplated products, services, technology, designs, processes, formulae, computer systems, computer software, algorithms, research or development of the organization;
- Information relating to the business plans, sales or marketing methods, methods of doing business, customer lists, customer requirements or supplier information of the Organization;
- Information relating to proprietary products or services;
- Any proprietary information not generally known to the public;
- Any information which the Organization or their clients or customers may wish to protect by patent or copyright, or by keeping it secret or confidential; and
- Information which may affect the value of the shares in the Organization and (where relevant) any price sensitive information

The Employees should be asked to acknowledge that the Organization:
- Is (inter alia) in the business of providing
- Has and will invest significantly in terms of money and time in developing their business and products;
- Has and will expect to develop confidential proprietary information relating to their business; and
- Operates in a highly competitive commercial arena.

The Employees should acknowledge that during their employment they may have access to, gain knowledge of, be entrusted with and be involved in the creation of Confidential Information, improper disclosure of which could:
- Result in the Organization losing its competitive edge;
- Cause the Organization to suffer financial loss; and
- Be otherwise detrimental to the Organization.

The Employees should undertake that both during employment or thereafter, they will:
- Not disclose, divulge or communicate to any person any Confidential Information, save to those officials of the Organization whose proper province it is to know such information or with the written consent of the Board;
- Do everything reasonably within his power to protect the confidentiality of all Confidential Information;
- Not use any Confidential Information for his/her own benefit or for the benefit of any third party or in a manner which could be detrimental to the Organization;
The Employees should also undertake that on leaving the company they will:
- Deliver up to the Organization all copies and originals of documents, computer disks, tapes, accounts, data, records, papers, designs, specifications, price lists, lists of customers and all other information, whether written or electronically stored, which belongs to the Organization or relates in any way to their business or affairs or the business or affairs of any of their suppliers, agents, distributors or customers, or contains any Confidential Information, and is in the Employee’s possession or under his/her control.
- Upon request supply the Organization with a signed statement confirming that the Employee has complied with this undertaking.
Again, further guidance on this and similar topics is included in the RUSecure Security On-line Support system (http://www.yourwindow.to/security-policies/).
BSI CERTIFICATIONS

We are pleased to add the following to the list produced in Issues 4 and 5, of those who have been certified by BSI with respect to BS7799 Part2 for at least one system in at least one location:

MetroMail Ltd, NTT Communications Corporation, Systems Software Solutions, Solution Business Division (Japan), Miles Smith, Global Security Experts Inc, Marine Systems Associates Co. Ltd (Japan), Broadfern, NEXOR, e-Solutions Create Corporation, IT Frontier Corporation.

A number of organizations are now re-registering their original certificates (which are valid for 3 years). Successful organizations include: Cadweb Limited, Camelot Group Plc and DBI Consulting.

Congratulations to all these organizations.

In the next issue, we will also produce some sample scopes of registration from existing certificates.
IT COULDN’T HAPPEN HERE….COULD IT?

Every issue of The ISO17799 Newsletter features at least one TRUE story of an information security breach and its consequences:

1) The Long Goodbye
After a series of serious disagreements with his fellow directors, a director left the UK branch of an international network services company. As the service was used by a number of international banking groups, he decided to exact revenge.

Some time after his departure, he was still able to access the system… because the company’s termination/departure procedures did not immediately revoke access rights.

The banking groups found to their horror that extremely rude messages began to appear on their terminal links with other banks for no apparent reason. Transfers were delayed and some messages had parts missing.

It took some time to identify the cause. Although the cost was impossible to quantify, there was certainly serious damage in terms of the company’s goodwill and reputation.

2) Don’t Forget The Obvious
Dial-in or remote access can be a real Achilles heel if not properly controlled.

In a recent case, a young hacker gained access to a major corporation’s computer system by using the default password of a system engineer. It had never been changed from installation. This actually gave him considerable scope and powers of access.

To cover for himself, he changed a number of user passwords, semi-disabled the machine log, created several fictitious privileged users and tampered with the dial back system code. Getting more ambitious he established a communication link with another computer and ended up making it crash. All this took place over just two evenings.

Despite the fact that the hacker was not maliciously causing damage or attempting to make financial gain, his actions caused havoc. The installation ultimately had to close down its prime computer and restore from the previous week’s back-up, at considerable cost.


Issue 15

Posted: July 20th, 2007 | Filed under: Issues

ISO27000 Newsletter – Issue 15

Welcome to the latest issue of the ISO 27000 newsletter, designed to provide news and updates regarding the ISO information security standards.

Included in this edition are the following topics:
1) Cell Phone / Mobile Phone Security
2) Trials and Tribulations of an Information Security Officer
3) Using COBIT: The Acquisition Process
4) Information Security News
5) Business Continuity Management: Preparation and Risk
6) ISO 27001 / 2: Common Mistakes Part 1
Cell Phone / Mobile Phone Security
The wide-scale use of cell / mobile phones for business purposes has brought with it a raft of new risks and potential exposures. These devices store not only voice messages but also text messages and, increasingly, complex data, particularly with the advent of internet-browsing smartphones.

It is hardly surprising therefore that there has been a gradual increase in the number of security breaches and consequential losses resulting from phone theft or unauthorized phone access.

These issues are covered in a number of sections within ISO 27002. These include Section 9.2.5 (Security of Equipment Off Premises) and 10.8.1 (Information Exchange Policies and Procedures). However, most focus is applied within section 11.7.1: Mobile Computing and Communication.

The general objective of this section states: “The protection required should be commensurate with the risks these specific ways of working cause. When using mobile computing the risks of working in an unprotected environment should be considered and appropriate protection applied.”

The section offers specific guidance with respect to the physical protection of the device itself, encryption of the data held, backups of the data/information, and of course virus protection (particularly relevant to smartphones).

We would argue that awareness is also a major factor with respect to phone security. This type of device can very easily be taken for granted, and the security aspects overlooked. The following is perhaps a starting point for a list to include in an awareness campaign for your employees:
- Do not openly display a phone: keep it out of sight in a pocket or handbag
- If possible, avoid using it in crowded areas
- Make a note of your phone’s IMEI number
- Properly mark your phone with your zipcode/postcode
- If the phone is lost, report it straight away (police, service provider, security officer)
- Be aware of your surroundings and the people near to you
- Do not leave it unattended: keep it with you at all times
- Always use your phone’s security lock code or PIN

Now is an excellent time to review this section (11.7.1) with respect to the Cell Phones / Mobile Phones within your own organization. Our crystal ball tells us that losses due to security exposure in this area are going to increase significantly over the coming months and years. Hopefully, our subscribers will be sufficiently prepared to avoid being one of the major victims.
Trials and Tribulations of a Part-Time Information Security Officer
Thursday was certainly a challenging day. As the newly appointed part-time Information Security Officer for Whithertech Associates I now have responsibility for trying to hold together the Information Security process. This is naturally in addition to all my normal duties.

On Friday I was a little late and was greeted in the corridor by my Director shouting that our network was down and our website had been hacked and defaced. He said I should get downstairs and help June to sort it out and, by the way, I should make more effort to get to work on time. I mumbled an apology and dashed off to see June, the acting network administrator and webmaster, to try to find out what was happening.

She was looking more than a little flustered when I arrived and said that all hell seemed to be breaking loose. She had only been doing the job for two weeks since our usual network administrator/webmaster Jack had gone off on long-term sick leave, and although she understood most of the technical aspects of the job, a lot of it was still new to her. Jack was good at controlling the network but never wrote anything down, so there were few procedures to follow.

We decided that the network was the priority so we put up a temporary holding page on the website and then got hold of the network logs and started to work through them. It was a lengthy process as Wednesday night included the month-end processing and there were literally thousands of entries. With few written procedures to explain the complexities of the coding it took over an hour to identify a couple of unusual log events affecting the network access. It also took some while to track down the cause, but with some additional technical support, and to cut a long story short, it was eventually identified that an IT operator who left the company last week had “allegedly” left some malicious code in the network control system, which had partially wiped out the network access directories. I went to advise my Director that the network should be back up and running shortly while June called up the back-up access directories and restored them. I left my director fuming, having told me to make sure we collected good admissible evidence to support a possible legal case.

We then got on with sorting out the website problem. We had thought that the website was pretty secure but someone had managed to place some pretty heavy “Triple-X” links onto our “Welcome” page. The first task was to change the passwords and get the website up and running again, which we did from the back-ups that had now arrived from our off-site storage. We then looked at the logs for the FTP server and found that during the night the welcome page had been downloaded, the additional content added, and then re-uploaded to the server. Investigations into all this spurious activity are now ongoing involving some of our auditing staff, but I have my own suspicions that the same disgruntled IT operator may be involved.

Having lost most of Thursday on these incidents I needed to work pretty late that night to catch up on my main job. I was also left wondering if we could have managed the incidents better and got the systems up and running more quickly than we did.

The main lessons I learned that day –
1) In future we must change all our passwords immediately when staff with access permissions leave;
2) We must make sure we have MUCH better written procedures for critical processes;
3) We need to consider purchasing some scanning software to help detect malicious software and prevent it from causing future denial of service incidents;
4) I will have to spend more time learning about my new duties from my security manual; and finally,
5) I must go out and purchase a louder alarm clock before I end up losing my job!
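Two of the checks the story above turns on, written up here as an added example (not part of the newsletter): spotting a page that was downloaded, altered and re-uploaded over FTP outside working hours, and spotting any activity by an account whose owner has already left. The log line format, the account names, the IP addresses and the business-hours window are all constructed for this example.

```python
"""Added example (not from the newsletter): two defender checks over FTP
transfer logs after a defacement like the one described in the story.

Check 1: a file downloaded (RETR) and then re-uploaded (STOR) by the same
         account within a short window, with the upload outside business hours.
Check 2: any command issued by an account belonging to staff who have left
         (the "change passwords immediately when staff leave" lesson).

Constructed log format, one event per line:
    <date> <time> <user> <client-ip> <command> <path>
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2007-07-18 17:55:10 june 192.0.2.20 RETR /www/welcome.html
2007-07-18 17:58:41 june 192.0.2.20 STOR /www/welcome.html
2007-07-19 02:14:03 jack 198.51.100.7 RETR /www/welcome.html
2007-07-19 02:21:37 jack 198.51.100.7 STOR /www/welcome.html
2007-07-19 09:30:00 june 192.0.2.20 RETR /www/about.html
"""

# Accounts whose owners have left the company; constructed for the example.
DEPARTED_ACCOUNTS = {"jack"}

BUSINESS_START, BUSINESS_END = 8, 18      # 08:00-18:00 counts as business hours
MODIFY_WINDOW = timedelta(minutes=30)     # RETR followed by STOR within this window

Event = Tuple[datetime, str, str, str, str]   # (timestamp, user, ip, command, path)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log lines into sorted (timestamp, user, ip, cmd, path) tuples."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, ip, cmd, path = line.split(maxsplit=5)
        events.append((datetime.fromisoformat(f"{date} {time}"), user, ip, cmd, path))
    return sorted(events)


def outside_business_hours(ts: datetime) -> bool:
    return not (BUSINESS_START <= ts.hour < BUSINESS_END)


def find_after_hours_rewrites(events: List[Event]) -> List[dict]:
    """Flag a STOR of a path that the same user RETR'd within MODIFY_WINDOW,
    where the STOR happened outside business hours."""
    last_retr: Dict[Tuple[str, str], datetime] = {}
    findings = []
    for ts, user, ip, cmd, path in events:
        key = (user, path)
        if cmd == "RETR":
            last_retr[key] = ts
        elif cmd == "STOR" and key in last_retr:
            if ts - last_retr[key] <= MODIFY_WINDOW and outside_business_hours(ts):
                findings.append({"user": user, "ip": ip, "path": path,
                                 "downloaded": last_retr[key], "uploaded": ts})
    return findings


def find_departed_account_activity(events: List[Event], departed=DEPARTED_ACCOUNTS) -> List[dict]:
    """Any command issued by an account that should already have been revoked."""
    return [{"user": u, "ip": ip, "command": c, "path": p, "at": ts}
            for ts, u, ip, c, p in events if u in departed]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_after_hours_rewrites(evs):
        print("after-hours rewrite:", f)
    for f in find_departed_account_activity(evs):
        print("departed account still active:", f)
```

June's edit of the same page at 17:55 is not flagged by the first check because it falls inside the business-hours window; only the 02:14 download and 02:21 re-upload by the departed account are reported.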
Using COBIT: The Acquisition Process
ISO 27001/2 are of course the major international standards for information security. However, several wide-spectrum governance frameworks exist which complement these, the best known being COBIT. This widely used framework provides comprehensive controls and guidance covering each key stage of the IT process.

The supporting ‘Control-IT COBIT Toolkit’ (http://citt.privacyresources.org) provides valuable implementation support for the framework and simplifies the implementation process. The following snapshot, which is based on the toolkit guidance, covers the IT SYSTEM ACQUISITION PROCESS.

HIGH LEVEL POLICY FOR IT SYSTEM ACQUISITION
Procurement procedures in respect of the purchase, lease or rental of all technology based products and services need to be developed. Internal control procedures covering these processes are to be developed and approved incorporating these requirements and providing the means to verify that these procurement control policies are being complied with on an ongoing basis.

The Key Performance Indicators are:
• Lower delays in meeting requests for new systems or IT equipment
• Higher percentage of procurement requests met on time
• Higher availability of comprehensive user and operations documentation

The Process Critical Success Factors are:
• Lower number of problems caused through poor acquisition procedures
• Lower cost of maintaining systems
• Lower cost of procuring systems

The IT Key Goal Indicator is:
• Higher level of business system owner satisfaction with systems and equipment

The compliance level measurement criteria are as follows:
• NIL – No procedures exist to manage IT systems acquisition. The only procedures available relate to general purchases of goods and services
• POOR – Although management is aware that IT systems acquisition should be effectively controlled, there is no real implementation of these ideals. There is very little integration or liaison between business activities and systems acquisition
• INADEQUATE – There is recognition that IT systems acquisition controls should be in place and some efforts have been made to identify some basic level rules. The quality of the procedures remains fairly poor
• BASIC – There is a defined process for controlling IT system purchases but use of these procedures is inconsistent. Actual procedural content lacks conformity with agreed standards and these deficiencies are not addressed satisfactorily
• ACCEPTABLE – There is a reasonable degree of compliance with approved IT system acquisition procedures and a defined framework for review and approval. The approach covers all systems and applications. Strategic management of the purchasing processes is evolving and performance measurement and management is being integrated into these processes
• FULL – A formalized and comprehensive process for purchasing new systems and equipment is in place and is followed in all cases. The organization has a high level of technical awareness and can relate system acquisition requirements and system quality criteria to improving business performance levels

Overall, the above outlines a robust, consistent, and proven framework within which to operate a sound system acquisition process. It is a very good example of the COBIT approach, in that it illustrates the provision of measures and indicators, which are outside the scope of ISO 27001/2.
Information Security News
1) Lottery Scams Are Latest Spam Fad
According to Microsoft (http://www.microsoft.com), 50% of spam emails are currently lottery scams (usually inviting the victim to claim their “winnings” or similar). Surprisingly, their poll also revealed that 16% of recipients actually opened them, indicating an almost complete lack of security awareness.

2) University Fined For Security Breach
The University of California has agreed to pay the U.S. DoE a $2.8 million fine as a result of a security breach at its Los Alamos National Laboratory. The fine stems from an incident in which a subcontractor’s employee stole classified documents and stored others on a USB drive in 2006.

3) Anti-botnet Charges
The FBI has announced that it has charged eight men with using internet ‘botnets’ to perform fraud and to launch other malicious attacks. The men are alleged to have profited by lifting sensitive credentials off their victims’ computers, releasing DDoS attacks and leasing ‘zombie computers’ to other parties.

4) Vista Security Fixes
Microsoft has released a detailed list of more than 300 security patches within the upcoming initial service pack (SP1) for its Windows Vista operating system. The complete list of SP1 service pack items is posted on Microsoft’s website.

5) Security Gap
Gap, the clothing retail outlet, has admitted that the unencrypted Social Security numbers of 800,000 job applicants were stolen from a third-party vendor. The vendor contacted law enforcement authorities about the breach.

6) Software Piracy Settlement
Six US-based companies have recently settled claims with the Business Software Alliance (http://www.bsa.org) over use of unlicensed software following self-audits. The total settlement was for almost $700k.
Business Continuity Management: Preparation and Risk
ISO27001 places a great deal of emphasis on the business continuity management regime (in fact it devotes a whole chapter to this topic). The BCM objectives as defined within the standard are “to counteract interruptions to business activities and to protect processes from the effects of major failures of information systems or disasters and to ensure timely resumption”.

Usually, the better prepared you are, the more likely you will be to meet this objective, and the more effective will be your recovery. Unfortunately, many organizations do not properly embrace risk assessment, and often start their business continuity project ill prepared.

PREPARATION
It is important at the outset to have the full commitment of the Board or Governing Body of the organization. Without this, problems downstream are inevitable. An awareness campaign should follow, to ensure that all staff are notified of that commitment.

The business continuity project can then be initiated (central to which is the delivery of a business continuity plan). It is essential, however, that this project is formal and structured.

Initial steps for the project itself will include defining scope, and obtaining copies of all appropriate documents and information. A formal risk assessment exercise must follow.

RISK ASSESSMENT
Initial emphasis on effective risk assessment will enable you to predict different types of incidents with more accuracy. It will help ensure that focus is applied to those areas to which it is most needed.

This aspect of BCM involves analyzing the business processes and identifying vulnerabilities through risk assessment and probability analysis. It includes the establishment of critical business timeframes, including recovery time objectives (RTO) and the maximum tolerable period of disruption (MTPD). The RTO represents the time interval between the incident occurring and the point at which a measurable negative impact on the business results; the MTPD represents the time interval between the incident occurring and the point at which the impact from the incident becomes extremely serious for the business.

Following a detailed risk analysis of the business and its processes, suitable levels of safeguards and controls should be implemented that will protect the business processes and product delivery.

It is important to understand that none of the above tasks can be short-cut. Proper planning and preparation may seem to be a burden, but the payback could well be the survival of the organization itself.
ISO 27001 / ISO 27002: Common Mistakes Part 1
David Watson was one of the earliest exponents of the standards, and is one of the most well known industry figures. In this series of articles for the ISO 27000 Newsletter he outlines some of the most common errors and mistakes he has encountered over recent years:

COMMUNICATIONS AND OPERATIONS MANAGEMENT (Section 10)
There are often no standards and little or no documentation of the Corporate Systems;

Rarely is there an effective and properly implemented change management process. There are sometimes no formal change management processes or records of change meetings available. Change management meetings often have the wrong level of staff attending, have whole business areas that do not/will not get involved, and no minutes for meetings to show changes successfully and unsuccessfully implemented;

There is often no management software for the network, or any form of planning for the IT systems or capacity;

Rarely are Service Level Agreements in place and if they are they are rarely monitored and used effectively. Sometimes the business has unrealistic ideas of IT Service availability and the IT Department cannot meet the requirements without serious investment, which the business may not be willing to provide. This can lead to a breakdown in relationships between business units and IT;

Often the Information Security Manager is not advised of new projects or is so stretched that he cannot make the time to provide assistance;

I often find a backup process that does not provide full backup integrity or recovery capability.

SECURITY POLICY (Section 5)
This can be an enormous can of worms, as policies are:
- Often missing (Some companies do not even have a set of policies!);
- Frequently out of date;
- Often unknown by staff especially third parties and most especially IT Contractors and Consultants;
- Not enforced;

There are often no records to show who has received the policy with supporting training, and there is rarely evidence of policy review.


Issue 14

Posted: June 20th, 2007 | Filed under: Issues

ISO27000 Newsletter – Issue 14

Welcome to the latest issue of the ISO 27000 newsletter, designed to provide news and updates regarding the ISO information security standards.

Included in this edition are the following topics:
1) The Benefits of Adopting ISO 27001 and ISO 27002
2) Covering the Risks from Teleworking
3) Deciding how much Risk is Acceptable
4) More ISO 27001 / 27002 Frequently Asked Questions
5) Information Security News
6) ISO 27000 And BS 25999
7) ISO 27002 Related Definitions and Terms


The Benefits of Adopting ISO 27001/2

There are of course a wide range of benefits and advantages in taking on the standards. These will vary from organization to organization. The following is an extracted starter list of some of the most common advantages reported:

Improved Information Security
Adopting the standards undoubtedly drives the process to improve security, and reduce risk.

Management Assurance
Management and others can be more assured of the quality of a system or other entity if a recognized framework is followed.

Diligence
Compliance with (or certification for) an international standard can be used to demonstrate due diligence.

Benchmarking
The standard is often used as a measure of status within a peer community. Compliance with it can provide a benchmark for both the current position and future progress.

Marketing
Adherence to the standard is often used as a beneficial differentiator in the commercial marketplace.

Inter-operability
Systems from diverse sources are more likely to work correctly together if they follow a common guideline or structure.

Security Awareness
Implementation of the standards normally results in greater security awareness within the organization.

Business Alignment
Because the implementation of ISO 27001 requires the involvement of both business and technical management, greater Information Technology and Business alignment often results.

Where to start?

The obvious starting point is to obtain the standards themselves, or the toolkit. From there, review the contents of these and research externally (with respect to the standard), and internally (with respect to scoping).

With the requisite knowledge you should then be positioned to set out your objectives, define the scope, and create a project plan. The adventure thus begins…
Covering the Risks from Teleworking
In the aftermath of several recent security breaches that exploited teleworking exposures, it is worth reflecting that ISO 27002 provides related guidance/support (see Section 11.7.2).

Teleworking is the use of communications technology to enable remote working from an external location. These activities can represent a high risk area unless adequately protected with applicable controls and follow-up. Before allowing these activities, therefore, organizations should ensure that suitable policies and procedures have been implemented covering the information security aspects of teleworking operations.

In particular the following factors should be taken into consideration:

• Physical security of teleworking site/location
• Suitability of teleworking environment
• Protection of intellectual property rights (IPR)
• Security of communications
• Threat of unauthorized access to information and resources
• Protection of wireless systems
• Compliance with software licensing requirements
• Suitability of anti-virus and firewall arrangements

The bottom line is that teleworking should only be authorized where appropriate security arrangements and controls are demonstrably in place. These safeguards and controls should fully protect against equipment and information theft, unauthorized access to confidential data, and unauthorized remote access to the organization’s internal systems and networks.
Deciding how much Risk is Acceptable
A key part of formulating and establishing information security policies for your organization is in deciding how much risk is acceptable and how to minimize unacceptable risk. This process initially involves undertaking a formal risk assessment which is a critical part of any ISMS.

Fortunately, the ISO 27000 standards provide some guidance on how this risk assessment process is to be undertaken. This guidance is summarized and annotated below:
• Use a systematic approach to estimate the magnitude of risks (risk analysis)
• Compare estimated risks against risk criteria to measure the significance of the risk (risk evaluation)
• Define the scope of the risk assessment process to improve effectiveness (risk assessment)
• Undertake risk assessments periodically to address changes in assets, risk profiles, threats, safeguards, vulnerabilities and risk appetite (risk management)
• Risk measurement should be undertaken in a methodical manner to produce verifiable results (risk measurement)

The risks identified through this process will then need to be “treated”. This will involve looking at existing controls and potential new control upgrades that will be employed to reduce the frequency of incidents and/or reduce the impact from such incidents. It will also be necessary to assess the effectiveness of these safeguards.

From this process the identification of residual risk will result: that is, the risk remaining after the identified risks and vulnerabilities have been “treated”. These residual risks must be reviewed to ensure that the results are both accurate and realistic and also that they represent an acceptable level of risk for the organization. Realistically, this must be done by the Board in close co-operation with the executive management team. If the residual risk levels are considered to be unacceptably high then further treatment will be necessary, involving additional investment in appropriate safeguards and controls.
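The analysis, evaluation, treatment and residual-risk steps described above, carried through on a small risk register as an added example (not from the newsletter or the standards). The 1-5 likelihood and impact scales, the control names and their reduction values, and the risk appetite threshold are all assumptions for the example.

```python
"""Added example (not from the newsletter): the risk assessment and treatment
cycle described in the text, run over a small constructed risk register.

Steps, matching the bullets above:
  risk analysis    -> estimate magnitude as likelihood x impact (1-5 scales, assumed)
  risk evaluation  -> compare the estimate against the organisation's risk criteria
  risk treatment   -> apply controls that reduce likelihood and/or impact
  residual risk    -> re-evaluate; anything still above the acceptable level
                      goes back to the Board for further treatment
Scales, control names, reduction values and the appetite threshold are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # points taken off the 1-5 likelihood score
    impact_reduction: int = 0       # points taken off the 1-5 impact score


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe)
    controls: List[Control] = field(default_factory=list)

    @staticmethod
    def _clamp(score: int) -> int:
        """Keep a treated score on the 1-5 scale; a control never removes a risk entirely."""
        return max(1, min(5, score))

    def inherent(self) -> int:
        """Risk analysis: magnitude before any treatment."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Residual risk after the selected controls have been applied."""
        lik = self._clamp(self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = self._clamp(self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp


# Risk criteria (assumed): residual scores at or below this are acceptable to the Board.
RISK_APPETITE = 6


def evaluate(register: List[Risk], appetite: int = RISK_APPETITE) -> Dict[str, List[Risk]]:
    """Risk evaluation: split the register into risks whose residual level is
    acceptable and those that need further treatment (more investment in controls)."""
    accepted: List[Risk] = []
    further_treatment: List[Risk] = []
    for r in register:
        (accepted if r.residual() <= appetite else further_treatment).append(r)
    return {"accepted": accepted, "further_treatment": further_treatment}


# Constructed register for the example.
REGISTER = [
    Risk("Customer database", "Theft of backup media", likelihood=3, impact=5,
         controls=[Control("Encrypt backups", impact_reduction=3),
                   Control("Locked transport cases", likelihood_reduction=1)]),
    Risk("Web server", "Defacement via a leaver's credentials", likelihood=4, impact=3,
         controls=[Control("Revoke access on departure", likelihood_reduction=2)]),
    Risk("Mobile phones", "Loss or theft in public", likelihood=4, impact=4,
         controls=[Control("PIN lock", impact_reduction=1)]),
]

if __name__ == "__main__":
    outcome = evaluate(REGISTER)
    for r in REGISTER:
        print(f"{r.asset:18} inherent={r.inherent():2} residual={r.residual():2}")
    print("needs further treatment:", [r.asset for r in outcome["further_treatment"]])
```

With these assumed values the phone-loss risk (residual 12) stays above the appetite of 6 and is the one item returned for further treatment; the other two fall to 4 and 6 after their controls.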

Future editions of this newsletter will consider risk in much more detail, and will outline future likely developments with respect to international standardization in this field.
More ISO 27001 / 27002 Frequently Asked Questions

1) How does the ISO 27001 certification process work?
The process is much the same as for other ISO standards, such as ISO 9001. The clearest representation of this we have seen on the internet is in the ISO 27001 section of 27000.org

2) Is there actually a specific ISO 27000 standard?
No. Although one is proposed, ISO 27000 is currently just the generic name covering the standards within the series.

3) Are all the controls in ISO 27002 mandatory?
No. The concept is that they should be selected based upon risk assessment and the guidelines offered in ISO 27001.

4) Does BS 7799 still exist?
BS 7799 was the original standard upon which ISO 17799 (now ISO 27002) was based. When the latter was published a different BS 7799 standard was developed, known as BS 7799-2. This eventually evolved to become ISO 27001. Last year a third 7799 standard was produced: BS 7799-3. This is a standard covering risk analysis: “Guidelines for information security risk management”. This too may eventually evolve into an ISO standard.
Information Security News
1) This year’s annual survey by the Computer Security Institute (gocsi.com) shows that the average annual loss for a US-based business is now $350,424. This is more than double last year’s figure. It also showed that for the first time financial fraud losses were greater than losses caused by virus attacks.

2) The US DOJ has announced that a 23-year-old man has pleaded guilty to stealing credit card, bank account and Social Security numbers via spam and phishing emails sent to AOL users. Working with other unidentified individuals, between 2002 and 2006 he used malicious software to collect AOL account names from chat rooms. He then sent electronic greeting cards purporting to be from Hallmark, which when opened downloaded a Trojan preventing account access unless personal information was entered.

3) The Chinese ‘People’s Liberation Army’ has been accused of attacking both US and UK government computer systems. The Financial Times (London) reports that US government figures believe the Chinese military was behind a major Pentagon military computer network hack in June, which resulted in more than 1,500 computers going offline. The Guardian newspaper reports that the Foreign Office and other UK government departments also came under attack by Chinese hackers.

4) 20% of image spam emails captured last month contained a scam PDF document, according to research by messaging security vendor MessageLabs (messagelabs.com). A number of messaging security vendors are also reporting that Excel attachments are increasingly being used for spam.

In another report, Sophos (sophos.com) reveals that 80% of newly infected web pages are on legitimate websites which have been compromised by malware.

5) The UN’s website was hacked last month and defaced with anti-American slogans. A page intended to display statements from the UN Secretary General was attacked using SQL injection, which is a common method for this type of hack. Having restored the page, the UN are investigating, and have stated that they will be implementing a number of changes to prevent a repetition.
ISO 27000 And BS 25999
Business continuity management (BCM) is a core aspect of information security, and thus, appropriately, has an entire section of ISO 27002 dedicated to it (see Section 14). This documents potential controls to identify and reduce risks, and “limit the consequences of damaging incidents, and ensure that information required for business processes is readily available”. It is one of the most important sections of the standard from a business perspective.

However, the overall scope of business continuity management exceeds this remit. It embraces the role of anybody who has responsibility for delivery of any operation (IT or non-IT), and thus the continuity of that operation.

For this reason BSI have published a specific standard for Business Continuity Management (BCM), known as BS 25999. This establishes the processes, principles and terminology for BCM, and provides a defined system based upon BCM good practice. It is intended for use for all levels of the organization, and for organizations of all shapes and sizes.

BS 25999 defines a lifecycle approach, documenting the following elements: Business continuity programme management; Strategy Determination; Understanding the organization; Developing a business continuity response; Exercise, maintenance and review; Embedding into the organizational culture. In due course a certification scheme for the standard will be introduced.

The standard of course was developed with ISO 27001/2 in mind, and thus complements these, with appropriate cross references. It is likely to emerge as one of the most important standards in the information security arena.
ISO 27002 Related Definitions and Terms
Vendor Support
Vendor support can be a major source of information security risk. Although a system may meet functional requirements, if the vendor does not have adequate support arrangements serious consequences may result in certain scenarios. Vendors will always play down this aspect, for they wish to make the sale. However, your system and information may be at risk if you are unable to obtain adequate support within a reasonable time frame.

Virtual Private Network (VPN)
A Virtual Private Network is a network which emulates a private network, although running over public network lines and infrastructure. Using specialist hardware/software, a VPN may also be established running over the Internet. The use of encryption and a ‘tunneling protocol’ maintains privacy.

Virus
A virus is a form of malicious code and as such it is potentially disruptive. It may also be transferred unknowingly from one computer to another. The term Virus includes all sorts of variations on a theme, including the nastier variants of macro-viruses, Trojans, and Worms, but, for convenience, all such programs are classed simply as ‘viruses’. Viruses are a very real problem for both organizations and individual computer users and are normally dealt with through the installation of firewalls and virus checkers.

Visitor
An individual who is not a regular user of the system and has no registered or recognized identifier or password.

Visitor Password
A visitor password is a generic password, with extremely limited access rights, to be used by visitors. Use of such passwords should be rigorously controlled.

Volume Testing
Volume Testing, as its name implies, is testing that purposely subjects a system (both hardware and software) to a series of tests where the volume of data being processed is the subject of the test. Such systems can be transaction processing systems capturing real time sales, or could be database updates and/or data retrieval. Volume testing will seek to verify the physical and logical limits to a system’s capacity and establish whether such limits are acceptable to meet the projected capacity of the organization’s business processing.


Issue 13

Posted: June 25th, 2006 | Author: | Filed under: Issues | No Comments »

ISO27000 Newsletter – Issue 13

Welcome to the latest issue of the ISO 27000 newsletter, designed to provide news and updates regarding the ISO information security standards.

Included in this edition are the following topics:
1) ISO 17799 Becomes ISO 27002
2) Logic Bomb Dangers Highlighted
3) The History of The Information Security Standards
4) Information Ownership Issues
5) More ISO 17799/27001 Frequently Asked Questions
6) Information Security News
7) ISO 27000 Related Definitions and Terms


ISO 17799 Becomes ISO 27002

Following the decision taken by ISO last year, ISO 17799 has finally been renamed to ISO 27002. The change of name is simply that: a change of name. The purpose is to align it more closely to ISO 27001 in terms of perception.

Of course, the name change could be misleading, as some people may erroneously believe that other changes have been applied. They haven’t. We therefore issue two clear recommendations:

1) If you already have a copy of ISO 17799:2005, you do not need to replace it with ISO 27002. The documents are identical except for references to the name.

2) On their website, ISO simply put up ISO 17799:2005, without even a new cover or any changes within. A single sheet accompanied it with the words “Replace ‘17799’ with ‘27002’”. However, the full replacement, with name changes applied to the document itself, can be obtained from Standards Direct (see left hand panel).

THE ISO 27000 TOOLKIT
To accommodate the change of name, the supporting ‘ISO 17799 Toolkit’ has also been renamed. It has also been updated, notably the policies, the roadmap and the presentation. It is documented on the toolkit website (see left hand panel).
Logic Bomb Dangers Highlighted
The recent case of a former US Government contractor pleading guilty to sabotaging Navy computers highlighted the need for constant vigilance with respect to so-called ‘logic bombs’.

Also known as ‘slag code’ and commonly associated with ‘disgruntled employee syndrome’, a logic bomb is a piece of program code buried within another program, designed to perform some malicious act. Such devices tend to be within the province of technical staff (non-technical staff rarely have the access rights and even more rarely the programming skills required) and operate in two ways:-

1. ‘Triggered Event’ – for example, the program will review the payroll records each day to ensure that the programmer responsible is still employed. If the programmer’s name is suddenly removed (by virtue of having been fired) the Logic Bomb will activate another piece of code to slag (destroy) vital files on the organization’s system. Smarter programmers will build in a suitable delay between these two events (say 2-3 months) so that investigators do not immediately recognize cause and effect.

2. ‘Still Here’ – in these cases the programmer buries coding similar to the Triggered Event type but in this instance the program will run unless it is deactivated by the programmer (effectively telling the program – “I am still here – do not run”) at regular intervals, typically once each quarter. If the programmer’s employment is terminated unexpectedly, the program will not be deactivated and will attack the system at the next due date. This type of Logic Bomb is much more dangerous, since it will run even if the programmer is only temporarily absent (eg through sickness, injury or other unforeseen circumstances) at the deactivation point. The fact that it wasn’t meant to happen just then is of little comfort to an organization with a bombed system.

Logic bombs demonstrate clearly the critical need for audit trails of activity on the system, as well as strict segregation of duties and access rights between those staff who create systems (analysts, developers, programmers) and the operations staff who actually run the system on a day-to-day basis.
The History of The Information Security Standards
Examination of the past often illuminates the present. This is certainly the case in terms of untangling the different acronyms and numbers associated with the information security standards.

The embryo of the security standards was actually a document published by the UK Government’s DTI in 1992. This was the ‘Code of Practice for Information Security Management’. This was subsequently upgraded by BSI (the British Standards Institute) who published ‘BS 7799-1 – Code of Practice for Information Security’ in 1995. BSI enhanced this document, and also published a second part: BS7799-2, which was a specification for security management, in the late nineties.

In 2000 ISO finally appeared on the scene, adopting BS 7799-1 and renaming it to ISO 17799:2000. However, it wasn’t until 2005 that they eventually adopted BS7799-2, which became ISO 27001:2005. ISO 17799 was re-published in the same year, and as explained above, was renamed to ISO 27002 in July 2007.

Also in 2005 BSI published BS7799-3. This is ‘Guidelines for information security risk management’. Again, the chances are that this will eventually evolve into an ISO standard (possibly ISO 27005).

So we thus have:
ISO 27002:2005 – Code of Practice
ISO 27001:2005 – Specification for an ISMS
BS7799-3 – Risk Management.

It is not actually quite this simple though… because ISO are attempting to ‘normalize’ their entire numbering system. They want all their information security standards to be similarly numbered. That is reasonable of course, but many would argue what is not reasonable is simply to rename documents at a random point in time, rather than on the next upgrade.
Information Ownership Issues
It is essential that the ownership of information systems, data and files is formally established within the organization. This formal assignment invariably brings with it a more serious approach, ‘top down’, to the whole issue of information security.

Historically, all electronic systems and data files were considered to be “owned” by the IT department, but over recent years ownership has correctly moved towards the areas or individuals who actually create the information, or who are ultimately responsible for the data and systems output.

Usually, the person who creates, or initiates the creation or storage of the information, is the designated owner. In an organization, possibly with divisions, departments and sections, the owner becomes the unit itself with the person responsible being the designated ‘head’ of that unit.

The Information owner is normally responsible for ensuring:-

• that an agreed classification hierarchy is put in place and that this is appropriate for the types of information processed for that business / unit;
• that all information is classified and stored into the agreed types, and that an inventory (listing) is created;
• that each document or file within each of the classification categories, has its agreed (confidentiality) classification appended to it;
• that for each classification type, the appropriate level of information security safeguards are available (e.g. the logon controls and access permissions applied by the Information Custodian provide the required levels of confidentiality);
• that periodically there is a check to ensure that information continues to be classified appropriately and that the safeguards remain valid and operative.

If a designated owner of information leaves the organization, it is important to ensure that a new owner or custodian is immediately appointed to protect the approved levels of confidentiality and approve or decline access requests.

Many organizations have seen a demonstrable improvement in the cultural approach to security as a result of ownership clarification. It is a move certainly long overdue for those whose IT departments are still seen as data owners.
More ISO 17799/27001 Frequently Asked Questions

1) Where Do I Start with an ISMS?
The start point most often recommended for the implementation of a formal Information Security Management System (ref: 27001) is a definition of scope. This is in fact pure logic. Unless you define your boundaries you are unlikely to get too far without encountering significant difficulties. The scoping exercise itself is often quite illuminating.

2) How many companies are now certified?
At the last count this was well in excess of 2,000.

3) What is ISO Guide 62?
This guide contains the requirements applicable to an Accreditation Body (which subsequently bestows authority to issue certificates).
Information Security News
1) Sophos reports that malware is increasingly being spread via web pages, rather than via email, with sites in China and Hong Kong accounting for more than half the total. Most affected sites are victims themselves, having been compromised by hackers. In a separate report, Pandalabs report that malware detections increased by over 170% last year. Trojans now represent more than half of such attacks, with Bots at 14 percent and backdoors at 13 percent.

2) A recent survey by Network Box of 250 small businesses demonstrated an alarming indifference to security. 62 per cent had no system in place to protect against phishing, whilst a staggering 99% did not know how often their anti-virus software was updated.

3) The University of Missouri became the latest in a string of universities to suffer a serious security breach when hackers obtained more than 20,000 Social Security numbers (SSNs). Using IP addresses from China and Australia, the hackers made thousands of queries over a span of hours, obtaining one SSN at a time.

4) According to Symantec, Image Spam still accounts for more than 25% of all spam. This is essentially a technique which uses embedded images to bypass phishing filters. Whilst this is down from earlier in the year, the daily rates indicate a high level of variance. Spam itself accounts for 65 percent of all email at the SMTP layer.

5) A video clip was recently posted on YouTube showing union protestors examining trash awaiting collection outside Chase Bank in New York. The video shows loan application forms and other sensitive data being examined by the Service Employees International Union supporters. The clip again illustrates that low tech security issues remain a constant threat.

6) An audit has revealed that the IRS (the US Internal Revenue Service) lost almost 500 PCs in the 3 year period to the middle of 2006. It is believed that the personal information of at least 2,000 taxpayers could have been compromised as a result. The IRS have subsequently stated that they are “taking aggressive steps to further secure government equipment and protect sensitive data to mitigate the risk of potential identity theft or other fraudulent activity.”
ISO 27002 Related Definitions and Terms

In each ISO 27000 Newsletter we include a selection of terms and definitions to unravel and explain some of the jargon and strange language used by IT and Information Security professionals. In this edition, we provide a further selection of terms that all start with the letter ‘F’.

Finagle’s Law
The ‘folk’ version of Murphy’s Law, fully named ‘Finagle’s Law of Dynamic Negatives’ and usually rendered ‘Anything that can go wrong, will.’ One variant favored among hackers is ‘The perversity of the Universe tends towards a maximum.’ The label ‘Finagle’s Law’ was popularized by SF author Larry Niven in several stories depicting a frontier culture of asteroid belt miners. This ‘Belter’ culture professed a religion and/or running joke involving the worship of the dreaded god Finagle and his mad prophet Murphy.

Fit for Purpose
Fit for Purpose is a general expression which can be useful to ensure that Information Security solutions are appropriate for your organization. Vendors will sometimes attempt to ‘fit’ their solution to your problem. Fit for Purpose is an expression which, when used within the solution negotiation context, places an onus of responsibility upon the vendor to ensure that its solution is (indeed) fit for the purpose which their client expects. Example: a well known systems company contracted for the sale of their system. Included in the price was one week of training in the system. During implementation it became apparent that one week of training was totally inadequate. The customer successfully claimed (prior to legal action) that the supplier’s solution was inadequate and hence not fit for purpose. When considering Information Security solutions, it is good practice to remind any potential suppliers in your requirements that the solution must be fit for purpose.

Flag
A message indication, sometimes, but not always, a warning to a user, which appears when a certain event takes place. For example, an inventory monitoring program may well ‘flag’ certain products when stocks fall below a predetermined level, to alert the user to re-order. An alternative use is to warn of an event which will take place in the future, but has not yet occurred; for example, a financial institution aware of a large check-based transaction on a customer’s account may ‘flag’ the account to avoid an unauthorized overdraft. Flags may be generated manually or automatically, depending on circumstances. In the case of the stock monitoring this would be automatic, while the check transaction example would be processed manually. Automatic flags serve a useful purpose in drawing users’ attention to situations which otherwise may be overlooked.

Flame
‘Flame’ is abusive communication by E-mail or posting to a newsgroup, which attacks an individual or organization for some real or imagined grievance. The real problem is broader than that of a few rude e-mails: flame represents the anarchistic side of the Internet. The flame may start with only one abusive message, but it is broadcast so widely that large numbers of unconnected browsers join in – often on both sides of the argument. This can lead to ‘Flame Wars’, where the traffic load becomes so high that communications network performance degrades, and E-mail boxes become blocked – as is the case with bottlenecking and mail bombing. Problems for companies may arise if a member of staff has used an organization’s e-mail address to start the flame – another reason to monitor staff activities. Flame has some redeeming features. Deeply unpleasant (or disturbed) individuals who posted lengthy racist (or sexist, or some other -ist) diatribes have found themselves flamed off the Net….

Freeware
Literally, software provided for free – no charge. This is not as uncommon as might be expected. Major software developers often give away old versions of their products to allow users to try them at no charge and, hopefully, succeed in tempting them to purchase the current release. Independent developers may give away small programs to establish a reputation for useful software, which then enables them to charge. Cover disks attached to a computer magazine often contain Freeware. As with Shareware, Freeware should be approached with caution, and staff dissuaded from trying out their new Freeware on organization equipment.


Issue 12

Posted: June 20th, 2006 | Author: | Filed under: Issues | No Comments »

ISO17799 and ISO27001 Newsletter – Issue 12

Welcome to the latest issue of the ISO 27001 / ISO 17799 newsletter, designed to provide news and updates regarding the ISO information security standards.

Included in this edition are the following topics:
1) Recruitment and Security Risks
2) BS25999 Published
3) User Acceptance Testing: The Basics
4) Information Security News
5) More Frequently Asked ISO17799/ISO27001 Questions
6) ISO 17799 Related Definitions

RECRUITMENT AND SECURITY RISKS
New recruits to your organization are one obvious potential weak link in your information security profile. If you do not advise them about your information security requirements and critical information security procedures in a timely fashion, then they may collectively create a significant risk to your information assets.

ALL management and staff are responsible for Information Security, including those new to the organization. It is vital therefore that they are brought ‘up to speed’ as quickly as possible.

Issues to be considered when addressing this include the following:
- Confidential data may be lost, damaged or compromised by staff with insufficient training.
- Data may be lost in error or through negligence because staff do not fully understand the risks involved.
- Data may be lost because Information Security measures have been installed incorrectly and their alarms and messages are misinterpreted.
- Confidential information may be compromised if new staff are not made aware of the scope of the organization’s Information Security policies.

To overcome this potential exposure, we recommend that you document the critical security issues and procedures in an easy-to-understand booklet and provide formal induction training immediately upon the new recruit’s arrival. The recruits should also be obliged to sign a formal statement confirming that they have read, and understand, this document.

BS 25999 PUBLISHED
The long awaited standard for business continuity planning, which supports ISO17799 and ISO27001, has now been published. As with many international standards, BS 25999 will comprise two distinct parts: a code of practice (as ISO17799) and a specification (as ISO27001).

The first of these was published by BSI in December 2006. The specification will appear later in 2007.

The standard is designed to align with the BCM section within ISO 17799. It covers topics as diverse as strategy and plan maintenance, and even how to embed business continuity management into the organizational culture.

BS 25999 will have a significant impact upon the whole business continuity and disaster recovery landscape. As the first credible standard developed to provide clear and objective metrics, it is not hard to see why predictions regarding positive insurance implications, and market leverage, are so common.

USER ACCEPTANCE TESTING (UAT)
User acceptance testing (UAT) is a critical phase of any systems project and requires significant participation by the ‘End Users’. To be of real benefit, an Acceptance Test Plan (ATP) should be developed in order to plan precisely, and in detail, the means by which ‘Acceptance’ will be achieved. The final part of the UAT can also include a parallel run to prove the system against the current system.

The user acceptance test plan will vary from system to system but in general the testing should be planned in order to provide a realistic exposure of the system to all reasonably expected events/threats. The testing can be based upon the User Requirements Specification to which the system should conform.

As in any system though, problems will arise, and it is important to have determined what should be the expected and required responses from the various parties concerned; including Users; Project Team; Vendors and possibly Consultants / Contractors.

In order to agree what such responses should be, the end users and the project team need to develop and agree a range of ‘severity levels’. These levels will range from (say) 1 to 5 and will represent the relative severity, in terms of business / commercial impact, of a problem with the system, found during testing. Here is an example which has been used successfully – ‘1’ is the least severe; and ‘5’ has the most impact :-
1. Cosmetic; [e.g. print colors; fonts; etc.]
2. Minor; [Both testing and live operations may progress. This problem should be corrected, but little or no changes to business processes are envisaged.]
3. Major Problem; [Testing can continue but live this feature will cause severe disruption to business processes]
4. Critical Problem; [Testing can continue but the change cannot go into live operation]
5. Show Stopper; [It is impossible to continue with the testing because of the severity of this error / bug.]

The users of the system, in consultation with the executive sponsor of the project, must then agree upon the responsibilities and required actions for each severity of problem.

Even where the severity levels and the responses to each have been agreed by all parties, the allocation of a problem into its appropriate severity level can be a subjective matter. To avoid the risk of protracted exchanges over the categorization of problems, therefore, we strongly advise that a range of examples are agreed in advance to ensure that there are no fundamental areas of disagreement; or, if there are, that these will be known in advance and your organization is forewarned.

INFORMATION SECURITY NEWS
1) A number of Google related vulnerabilities have recently been highlighted, largely focused around Google’s cookies. These have exposed user documents, Gmail emails and search histories. All those so far identified have now been fixed, but this development does illustrate the increasing risks which are likely to occur as Google integrates more and more functionality into its product portfolio.

2) McAfee report that the nature of spam is again changing. Whereas text based spam used to be the norm, image spam is becoming increasingly common. According to their figures this now accounts for around 65% of all spam. Image spam uses images rather than text characters to deliver the usual nonsense. This of course poses different challenges to the anti-virus agencies, but they are adapting quickly.

On a related note, the overall volume of spam continues to increase, with Postini reporting that it now comprises 94% of all email.

3) Two traffic engineers in Los Angeles, California, have been charged with hacking a computer system to: disable traffic lights! It is alleged that this was motivated by an ongoing labor dispute.

4) OpenDNS report that the top five most targeted phishing firms are: PayPal, Barclays, eBay, Fifth Third Bank and Bank of America. Unfortunately, phishing is yet another area of rapid increase in terms of volume, and increased sophistication of attack techniques.

5) The importance of protecting your online identity has been highlighted again by McAfee. They report that online identity theft has increased by 250% since January 2004. The cost to the United States economy alone is believed to be around $40 billion per year.

MORE FREQUENTLY ASKED ISO 17799 / 27001 QUESTIONS
1) What Is ISO 27000 All About?
This is ISO’s projected series of information security related standards. ISO 27001 already exists, and it is proposed that ISO 17799 may be renamed to ISO 27002 later this year.

2) Where Does COBIT Fit Into The Equation?
Issue 11 of this newsletter explained the mapping between ISO17799 and COBIT in detail.

3) Has BS7799 Now Been Replaced?
BS7799-1 evolved into ISO17799, with BS7799-2 evolving into ISO27001. However, BS7799-3 was published late last year. This offers guidelines for information security risk management (ISRM), and it is expected that it too will evolve to become an ISO standard.

4) What is IRCA?
IRCA is the ‘International Register of Certified Auditors’, which offers professional recognition of auditing ‘competence’. It is basically the body which certifies auditors to audit against the ISO security standards.

ISO 17799 / ISO 27001 Related Definitions
In each newsletter we include a selection of definitions to explain some of the jargon used by Information Security professionals. In this edition, we have provided a selection of terms that start with the letter ‘H’.

Handshake
An electronic exchange of signals between items of equipment (fax machines, computers, etc.,) to establish that each has the necessary protocols installed to allow communication between them. An extension of the normal confirmation routine (handshake) is the ‘Challenge Handshake’ that is a demand for proof of identity and authorization.
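The ‘Challenge Handshake’ mentioned above, worked through as an added example (not part of the original newsletter): a verifier issues a fresh random challenge, the prover answers with an HMAC keyed by a pre-registered shared secret, and the verifier checks it. The peer identifier and the shared secret are constructed demo values; the point is that the secret never crosses the wire and that a captured response cannot be replayed against a later challenge.

```python
import hashlib
import hmac
import secrets


class Verifier:
    """The side that issues the challenge and demands proof (e.g. a server).

    secrets_by_id maps a peer identifier to its pre-registered shared secret.
    The secret itself is never transmitted; only the challenge and the keyed
    response cross the wire.
    """

    def __init__(self, secrets_by_id):
        self._secrets = dict(secrets_by_id)
        self._pending = {}   # peer_id -> challenge currently outstanding
        self._used = set()   # challenges already consumed (replay guard)

    def challenge(self, peer_id):
        # A fresh random nonce per exchange: a captured response is useless
        # for any later exchange because the challenge will differ.
        nonce = secrets.token_bytes(16)
        self._pending[peer_id] = nonce
        return nonce

    def verify(self, peer_id, nonce, response):
        outstanding = self._pending.pop(peer_id, None)
        if outstanding is None or nonce != outstanding or nonce in self._used:
            return False
        self._used.add(nonce)
        secret = self._secrets.get(peer_id)
        if secret is None:
            return False
        expected = _keyed_response(secret, peer_id, nonce)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


class Prover:
    """The side proving it holds the shared secret (e.g. a client)."""

    def __init__(self, peer_id, secret):
        self.peer_id = peer_id
        self._secret = secret

    def respond(self, nonce):
        return _keyed_response(self._secret, self.peer_id, nonce)


def _keyed_response(secret, peer_id, nonce):
    # Binding the peer id into the MAC input stops a response computed for
    # one identity being presented under another.
    return hmac.new(secret, peer_id.encode() + nonce, hashlib.sha256).digest()


def run_handshake(verifier, prover):
    """One full exchange; returns (accepted, transcript of both sides' messages)."""
    transcript = []
    nonce = verifier.challenge(prover.peer_id)
    transcript.append(("verifier->prover", "challenge", nonce.hex()))
    response = prover.respond(nonce)
    transcript.append(("prover->verifier", "response", response.hex()))
    accepted = verifier.verify(prover.peer_id, nonce, response)
    transcript.append(("verifier", "result", "accepted" if accepted else "rejected"))
    return accepted, transcript


def replay_captured_response(verifier, prover):
    """Replaying a captured (challenge, response) pair must be rejected."""
    nonce = verifier.challenge(prover.peer_id)
    response = prover.respond(nonce)
    first = verifier.verify(prover.peer_id, nonce, response)
    verifier.challenge(prover.peer_id)                          # a new exchange begins
    second = verifier.verify(prover.peer_id, nonce, response)   # stale pair presented again
    return first, second


if __name__ == "__main__":
    # Constructed demo secret; real deployments provision these out of band.
    registry = {"laptop-42": b"constructed-demo-secret"}
    v = Verifier(registry)
    ok, log = run_handshake(v, Prover("laptop-42", b"constructed-demo-secret"))
    for entry in log:
        print(*entry)
    bad, _ = run_handshake(v, Prover("laptop-42", b"wrong-secret"))
    print("wrong secret accepted?", bad)
    print("replay accepted?", replay_captured_response(v, Prover("laptop-42", b"constructed-demo-secret")))
```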

Hose and Close
An off-putting practice of some Support/Help Desk staff. In response to a question from a distressed user, Support responds with a deluge of technobabble which the user doesn’t understand, issues a series of abstruse command instructions, which the user cannot follow, and then hangs up before the user can come back with a request for a simple explanation.

Housekeeping
Routine care of a computer system to ensure that it is kept running in the most efficient manner. Housekeeping will normally include: routines to delete items such as temporary files, remove duplicates of files, check the integrity of the disk records, and generally tidy up the filing system.

Hot Desking
A relatively new approach to working whereby staff do not have their own dedicated facilities, but share them with others. Two scenarios are common :-
1. Call centers and similar functions which run 24 x 7 on shifts. As one staff member logs off and leaves, another takes over, logging on with a new ID and password.
2. ‘Field’ staff such as sales representatives check in to base to complete paperwork, upload/download files, etc. Such staff will use any desk/computer that happens to be free.
In either case password control systems and audit trails are essential to monitor which user is doing what.

Hardware Inventory
Master Hardware Inventory: A detailed list of all hardware owned by the organization, showing, amongst other things:- type, make, model, cost, location, and asset reference number. Unit Hardware Inventory: A detailed list of hardware in order of user (individual or department). This sheet may be used for Audit checks to confirm that any given user still has the equipment detailed and no unauthorized additions, removals, or modifications have taken place.


Issue 11

Posted: June 20th, 2006 | Author: | Filed under: Issues | No Comments »

ISO17799 and ISO27001 Newsletter – Issue 11

Welcome to Issue 11 of the ISO27001/ISO17799 newsletter, designed to provide news and information with respect to the ISO information security standards. The information contained within the newsletter is absolutely free to our subscribers and provides guidance on various practical issues, plus commentary on recent Information Security incidents.

Included in this edition are the following topics:
1) BS7799 Emerges… Again
2) Information Security News
3) ISO 17799 and COBIT
4) ISO17799 Section 14: Terrorist Plot Reveals Continuity Weakness
5) More Frequently Asked ISO17799/ISO27001 Questions
6) Protecting Confidentiality Using An SLA
7) More ISO 17799 Related Terms and Definitions
8) It Couldn’t Happen Here…. Could It?

BS7799 EMERGES… AGAIN!
BS7799-1 became ISO 17799. Then, BS7799-2 emerged, to evolve into ISO 27001. Now: BS7799-3 has been born.

It is titled “Information security management systems – Part 3: Guidelines for information security risk management”, and is intended to provide guidance and support for the implementation of ISO27001. It is mooted that it too will eventually become an ISO standard: ISO 27005.

Risk management of course is part and parcel of information security, and also of the security standards. That BSI should introduce a standard embracing it is therefore no surprise. It can of course be obtained via BSI’s online outlet above.

INFORMATION SECURITY NEWS
1) The creators of the Zotob worm, which disrupted networks at a number of media outlets, have been jailed in Morocco for between one and two years. The worm is estimated to have caused $400 million in damages.

2) AT&T have admitted that the personal information of about 19,000 customers has been accessed by hackers via the company’s online store. The company is working with the law enforcement agencies to track down the perpetrators.

3) Telecom provider Verizon is also in the news, having admitted that an employee accidentally sent an email attachment containing information on about 5,000 customers to 1,800 of its customers.

4) A study of prosecutions by the US Dept of Justice has revealed that corporations attacked by cybercriminals over the last few years lost an average of $3 million per case.

5) A survey of 132 senior executives, conducted by ControlPath (http://www.controlpath.com), has revealed that 72% are not confident that they are complying with applicable regulations.

ISO 17799 AND COBIT
COBIT 4.0 complements the guidance within ISO/IEC 17799:2005, and is proving to be a significant Sarbanes-Oxley Act compliance aid.

Whereas the ISO/IEC 17799:2005 standard covers the wider spectrum of information security requirements, the COBIT guidelines provide in-depth control objectives and supportive management guidelines focusing specifically on information technology issues. The COBIT guidelines (Control Objectives for Information and related Technology) are issued by the Institute for IT Governance (http://www.itgi.org) and the Information Systems Audit and Control Association (http://www.isaca.org), and are fast becoming a key SOX compliance tool, following the recognition that IT controls represent important components in ensuring financial reporting accuracy and disclosure.

The ISO/IEC 17799:2005 standard comprises the following:

Introductory Sections
1 Scope
2 Terms and definitions
3 Structure of the standard

Information Security Guidance Sections
4 Risk assessment and treatment
5 Security policy
6 Organizing information security
7 Asset management
8 Human resource security
9 Physical and environmental security
10 Communications and operations management
11 Access control
12 Information systems acquisition, development and maintenance
13 Information security incident management
14 Business continuity management
15 Compliance

COBIT 4.0, however, is organized into 4 domains containing 34 IT processes, as follows:

Domain PO – Plan & Organize
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine technological direction
PO4 Define the IT processes, organization and relationships
PO5 Manage the IT investment
PO6 Communicate management aims and direction
PO7 Manage IT human resources
PO8 Manage quality
PO9 Assess and manage IT risks
PO10 Manage projects

Domain AI – Acquire and Implement
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Enable operation and use
AI5 Procure IT resources
AI6 Manage changes
AI7 Install and accredit solutions and changes

Domain DS – Deliver and Support
DS1 Define and manage service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and allocate costs
DS7 Educate and train users
DS8 Manage service desk and incidents
DS9 Manage the configuration
DS10 Manage problems
DS11 Manage data
DS12 Manage the physical environment
DS13 Manage operations

Domain ME – Monitor and Evaluate
ME1 Monitor and evaluate IT performance
ME2 Monitor and evaluate internal control
ME3 Ensure regulatory compliance
ME4 Provide IT governance

COBIT 4.0 (the latest version) maps to ISO/IEC 17799:2005 in the following manner.

                                 ISO 17799:2005 chapter
COBIT 4.0 domain               4   5   6   7   8   9  10  11  12  13  14  15
Plan and Organize (PO)         L   H   L   L   H   H   H   H   L   L   M   L
Acquire and Implement (AI)     H   M   M   L   M   H   L   L   L   L   L   L
Deliver and Support (DS)       L   H   M   H   H   L   H   M   M   M   H   M
Monitor and Evaluate (ME)      L   M   L   M   L   L   L   L   L   L   L   L

Key to level of matching between COBIT 4.0 and ISO 17799:2005:
H = Reasonably good match
M = Some matching
L = Low level or no matching

The above matrix will hopefully prove to be useful for those also embracing COBIT within their ISO 17799 / ISO 27001 remit.

ISO 17799 SECTION 14: CONTINUITY WEAKNESS EXPOSED BY TERRORIST PLOT
The recently foiled terrorist plot, which averted potential disaster on targeted US airlines flying out of UK airports, has focused attention on the lack of quality in the procedures and processes in place to maintain acceptable levels of airport baggage handling. The government's handling of the crisis is also being criticized, with British Airways alone rumored to have lost over £50 million.

There was clearly a lack of preparation for this type of emergency at some UK airports. In particular, it has been reported that Ryanair is considering taking action over apparent BAA emergency staffing shortages, which Ryanair considers exacerbated the problem and resulted in additional cancellations.

When preparing business continuity plans for emergencies that can potentially disrupt normal operations, the business continuity planning team will identify "what if" scenarios that examine the potential impact of the failure or removal of one or more critical components within the business or operational processes. It could perhaps be argued that it was difficult to predict that permitted carry-on luggage would suddenly be reduced to just travel documents, essential medicines and other emergency items, but this should have been a recognizable scenario identified during the planning process, no matter how low the perceived probability of it actually happening was.

Once the possibility that this disruptive event could occur has been accepted, the impact on the operations as a whole must be assessed and the level of the ensuing crisis predicted. Assessing probability is an important part of the process, and can provide a yardstick for the financial and other resources you make available to safeguard against the event; but if such a scenario is a real possibility then you must examine the impact of it actually occurring, and not dismiss the scenario on the basis of a low probability factor.

After the potentially disruptive scenario has been identified, probabilities assessed, and the business, financial and public impacts predicted, suitable strategies should be formulated for mitigating the impact. Emergency procedures will also be developed to ensure that the impact on the business and the customers is minimized. Responsible management must also consider how they are going to resource these emergency procedures during the crisis and ensure that these emergency resources are always available.

When developing your business continuity plan it is important to ensure that adequate time is allocated to identifying and examining all the potential scenarios that could disrupt your business.

ISO17799 – MORE FREQUENTLY ASKED QUESTIONS
1) What is ISO 27000?
This doesn’t really exist as such. It is essentially a generic name given to standards of the form ISO 27nnn. Currently there is only one: ISO 27001. However, it is envisaged that ultimately ISO 17799 may become ISO 27002, and other information security standards may be numbered similarly within the 27000 series.

2) Where can I find old copies of ISO 17799 / ISO 27001 News?
The archive site is now located here.

3) Can I re-publish articles from this newsletter internally, on our company intranet, or even on our external website?
Yes, subject to a link to the newsletters archive web site above.

4) How do I become an ISO 27001 Lead Auditor?
Certification bodies, such as BSI, conduct a five day workshop followed by an examination. Thereafter, different certification bodies have different requirements (eg: number of years security experience) and different procedures (eg: on the job observation).

5) What is an Accreditation Body?
An accreditation body is an organization which bestows the authority to ‘certify’ (issue certificates) upon another body. Examples include ANAB, UKAS and the SCC.

PROTECTING CONFIDENTIALITY USING AN SLA
The confidentiality of information, data and records can be a particularly critical issue with respect to formal agreements. Within these, the two parties are usually referred to either as the “Client” and the “Supplier” or the “disclosing party” and the “receiving party”.

In a Service Delivery relationship, both the supplier and the client are likely to become aware of proprietary or trade secret information about the other party which should be treated in a confidential manner.

To cover this scenario, within the SLA, a basic wording could be used as follows:

“Both parties agree to keep confidential all information concerning the other party’s business or its ideas, products, customers or services that could be considered to be “confidential information”. “Confidential information” is any information belonging to or in the possession or control of a party that is of a confidential, proprietary or trade secret nature that is furnished or disclosed to the other party. Confidential information will remain the property of the disclosing party and the receiving party will not acquire any rights to that confidential information.”

Should this wording not be suitable for either the supplier or the client, then the two parties should formally agree on an alternative wording.

Important Note: If you haven’t got a formal service level agreement in place for your critical services… you should have!

ISO 17799 RELATED TERMS AND DEFINITIONS
In each ISO 17799 and ISO 27001 Newsletter we will include a selection of terms and definitions to unravel and explain some of the jargon and strange language used by Information Security professionals. In this edition, we have provided a selection of terms that all start with the letter ‘A’.

ACCESS
Two types of access – Physical and Logical.

Physical Access. The process of obtaining use of a computer system (for example by sitting down at a keyboard), or of being able to enter specific area(s) of the organisation where critical information or systems are located.

Logical Access. The process of being able to enter, modify, delete, or inspect records and data held on a computer system, normally by providing an ID and password (if required). The view that restricting physical access removes the need for logical access restrictions is misleading. Any organisation with communications links to the outside world is exposed to the risk of unauthorised logical access. Hackers do not, generally, visit the sites they are hacking in person: they do it from a distance!

ACCESS RIGHTS
The powers granted to users to create, change, delete, or simply view data and files within a system, according to a set of rules defined by IT and business management. It is not necessarily true that the more senior a person, the more power is granted. For example, most data capture – essentially creating new files or transactions, is performed at relatively junior level, and it is not uncommon for senior management to have access rights only to view data with no power to change it. There are very good Internal Control and Audit reasons for adopting this approach.

ADMISSIBLE EVIDENCE
Admissible Evidence is 'evidence' that is accepted as legitimate in a court of law. From an Information Security perspective, the types of 'evidence' will often involve the production of a system's log files. The log file will usually identify the fact that a login took place and that certain functions were performed. Whether or not such a log file is legally admissible is not clear cut. However, opinion appears to be that as long as a computer record is generated as a normal part of business processing, and the computer and software were working as designed and expected, then it may be admissible. Advice from a lawyer is always recommended.

AI ARTIFICIAL INTELLIGENCE
The holy grail of IT folk: the concept of a machine thinking for itself. Despite the success of the recent blockbuster film starring Jude Law, don't hold your breath.

ALPHA GEEK
The most knowledgeable, technically proficient person in an office, work group, or other, usually non-IT, environment. Born 'fiddlers' and 'tinkerers', they tend to ignore the basic rule of 'If it ain't broke don't fix it', preferring to operate on the basis of 'Fix it, until it is broke'. Such people can be a considerable security risk, like ordinary Geeks, Anoraks, and Tech-heads, only more so.

ANORAKS
Whimsical term for computer enthusiasts, usually, but not exclusively, young and lacking in social skills. The term derives from the preferred item of apparel for attending computer exhibitions, it being equipped with numerous sizeable pockets ready to be stuffed with all manner of obscure electronic gizmos. Some anoraks tend more to the software side of IT and may graduate to being Hackers. Anoraks certainly have their uses but, in many ways, are a security risk. Such persons are inclined to do things with, and to, the organization's IT systems simply for the technical and intellectual challenge, rather than for any business benefit to the organization. Also known as Nerds, Geeks, and Tech-heads, the term is acquiring wider usage to describe any enthusiastic follower of obscure sports, hobbies, pastimes, etc.

ARCHIVE
An area of data storage set aside for non-current (old or historical) records in which the information can be retained under a restricted access regime until no longer required by law or organization record retention policies. This is a field in which computers have distinct advantages over older paper files, in that computer files can be ‘compressed’ when archived to take up far less space on the storage media. Paper records can only be compressed by using microfilm, microfiche, or, more recently, by scanning into a computer system. Whichever system is chosen, care must be exercised to ensure that the records retained meet legal requirements should it ever be necessary to produce these records in a court of law.
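The Admissible Evidence and Archive entries above both turn on the same practical question: can you show that a stored record is the record that was originally written, and not something altered, inserted or removed since? The following is an added example, not code from the newsletter or from the standard, of one common way to make a log or archive tamper-evident. Each entry carries the SHA-256 digest of the entry before it, so editing, deleting or reordering any entry after the fact breaks the chain. The sample events, the function names and the record layout are this example's own constructions.

```python
"""Tamper-evident (hash-chained) log, as an illustration of log integrity.

Added example; not from the ISO 17799 newsletter.  Record layout, function
names and sample events are all assumptions made for this illustration.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # marker used as the 'previous hash' of the first entry


def _digest(prev_hash, record):
    """Hash the previous entry's hash together with a canonical form of the record.

    sort_keys and compact separators give a canonical JSON encoding, so the
    same record always produces the same digest regardless of key order.
    """
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def append(chain, record):
    """Append a record, binding it to the hash of the entry before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "prev": prev, "hash": _digest(prev, record)}
    chain.append(entry)
    return entry


def verify(chain, anchor=None):
    """Walk the chain from the first entry and re-derive every link.

    Returns (True, None) if every entry checks out, otherwise (False, i) where
    i is the index of the first entry that fails.  If `anchor` is supplied (the
    most recent hash, recorded somewhere outside the log), the final hash must
    equal it; that is what catches silent truncation of the tail, which an
    unanchored chain cannot detect because a shortened chain is still internally
    consistent.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if anchor is not None and prev != anchor:
        return False, len(chain)
    return True, None


# Constructed sample events for the demonstration (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2004-09-19T08:01:12Z", "user": "jsmith", "event": "login", "result": "ok"},
    {"ts": "2004-09-19T08:02:40Z", "user": "jsmith", "event": "open", "object": "ledger.xls"},
    {"ts": "2004-09-19T08:05:03Z", "user": "jsmith", "event": "modify", "object": "ledger.xls"},
    {"ts": "2004-09-19T08:06:10Z", "user": "jsmith", "event": "logout", "result": "ok"},
]


def build_sample_chain():
    chain = []
    for event in SAMPLE_EVENTS:
        append(chain, event)
    return chain


# Three ways an after-the-fact edit might try to change the story the log tells.
def tamper_modify(chain):
    """Rewrite 'modify' to 'view' in entry 2 without recomputing its hash."""
    t = copy.deepcopy(chain)
    t[2]["record"]["event"] = "view"
    return t


def tamper_delete(chain):
    """Remove entry 1 so the file-open event disappears."""
    t = copy.deepcopy(chain)
    del t[1]
    return t


def tamper_truncate(chain):
    """Drop the most recent entry; only detectable against an external anchor."""
    return copy.deepcopy(chain[:-1])


if __name__ == "__main__":
    chain = build_sample_chain()
    anchor = chain[-1]["hash"]  # would be stored outside the log in practice
    print("intact:            ", verify(chain, anchor))
    print("modified entry:    ", verify(tamper_modify(chain), anchor))
    print("deleted entry:     ", verify(tamper_delete(chain), anchor))
    print("truncated, no anchor:", verify(tamper_truncate(chain)))
    print("truncated, anchored: ", verify(tamper_truncate(chain), anchor))
```

The point of the `anchor` argument is the caveat a practitioner should take from this: a hash chain proves that nothing in the middle was touched, but it says nothing about entries cut off the end unless the latest hash is periodically recorded somewhere the log's custodian cannot quietly rewrite (a separate system, a printed register, a third-party timestamp). The same applies to compressed archives: keep a manifest of digests outside the archive and check it after every restore. None of this replaces the legal advice the entry above recommends; it is the technical footing that lets you state, credibly, that the records produced are the records that were written.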

IT COULDN’T HAPPEN HERE….COULD IT?
Every edition of The ISO17799/ISO27001 Newsletter features at least one TRUE story of an information security breach and its consequences:

1) Testing Back-Up Systems: Properly!
A company in Houston regularly tested its back-up generator, but discovered during an actual power failure that the motor required to start the generator was itself connected to the mains! The problem cost the business an estimated US$ 145,000.

The lesson: Make sure you test any back-up system thoroughly and under simulated conditions.

2) Lack of Emergency Procedures
A consultant checking on a New York organisation's disaster recovery arrangements asked to see their back-up generator and related procedures. He was introduced to George, who had all the answers on how the process worked but could not produce any written procedures. Two weeks later gales tore down power cables and the organisation could not get the generators started: George was away on holiday! Fortunately the organisation survived and has now developed WRITTEN emergency procedures.

The lesson: Make sure your emergency procedures are up to date and staff are properly trained in their execution.

3) Fire at Chemical Warehouse
Two trainee auditors who work for an accounting firm were involved in a year-end audit at a chemical warehouse in Sheffield, UK. A fire broke out in the warehouse and toxic fumes quickly spread throughout the facility. The evacuation procedures were known to the permanent staff, who immediately left on cue. The two auditors, who were working alone in one of the basement offices where records were stored, had not been briefed on these procedures and their presence on-site was overlooked during the panic. They very nearly got trapped in an area that was gutted by the fire shortly afterwards, and were lucky to escape. Both spent a week off work after inhaling toxic fumes, but it could easily have been very much worse.

The lesson: Make sure you set up an effective buddy system to cater for such events and make sure you include any temporary staff or third parties who may be visiting or working on the premises.

4) Your Favorite “It Couldn’t Happen Here” Story
Our poll of stories from previous issues revealed the following results:
1. The ‘Perfect’ Business Continuity Plan (Issue 9) 31.1%
2. Answering Machines Have No Loyalty (Issue 7) 26.7%
3. Who Audits the Auditor (issue 10) 17.8%
4. The Disgruntled Employee Strikes Again (Issue 10) 7.8%
5. The Old Duplication Trick (Issue 5) 5.6%
6. When Disposal is Not Disposal (Issue 8) 3.3%
7. Intellectual Property Rights (Issue 10) 3.3%
8. A Simple One – But A common One (Issue 9) 2.2%
9. Confidential User-Ids (Issue 8) 2.2%


Issue 10

Posted: September 19th, 2004 | Author: | Filed under: Issues | No Comments »

ISO 17799 News – Issue Ten

Welcome to the tenth issue of ISO17799 News, designed to keep you abreast of developments and news with respect to ISO 17799 and information security. The information within the newsletter is totally free to subscribers and provides guidance on various practical issues, as well as commentary on recent Information Security incidents.

Included in this edition are the following topics:

1) Implementing ISO17799 in Your Organization
2) Security Awareness: ISO17799 Section 4
3) Recent Certifications
4) Introducing an Effective Email Security Policy
5) Hacked Websites
6) ISO17799: a World Wide Phenomenon
7) Introducing a Disaster Recovery Team Into Your Organization
8) A short history of ISO 17799
9) Security Update
10) The FAQ: More Frequently Asked ISO17799 Questions
11) Preparing for an Information Security Audit
12) ISO17799 Section 12: The Sarbanes-Oxley Act 2002
13) It Couldn’t Happen Here…. Could It?
IMPLEMENTING THE STANDARD IN YOUR ORGANIZATION

It is becoming increasingly critical that information security is given the attention and level of importance it deserves. Most organizations are now absolutely dependent upon their information and business systems, so much so that serious disruption can mean disaster or critical loss.

ISO17799 is the only internationally accepted worldwide standard/code dealing comprehensively with these issues. Purchasing the standard is a good first step, but as it is by necessity a comprehensive, and therefore reasonably complex, document, guidance is often necessary to help organizations decide where to start and what priorities should be applied to the implementation process.

The ISO 17799 Toolkit was of course introduced to solve many of these issues in one step. As well as containing both parts of the standard, it also includes a full set of compliant policies ready for implementation, a road map for potential certification of the organization, an audit kit for network based systems, a business impact analysis questionnaire together with many other supportive items (eg: a disaster recovery kit, a management presentation and an IS glossary). This toolkit represents extremely good value as it can enable organizations to commence work with the introduction of vital security aids without reference to expensive external consulting resources.

However, even armed with a support kit such as this, it is important to understand that the key to the standard is PROCESS… the creation and maintenance of a robust ISMS. This is occasionally overlooked, as some organizations simply adopt a tick list from the first part of the standard (ISO17799). This is certainly a good stride forward, but is by no means the end of the journey.

When first considering the standard, therefore, it should be understood that the path forward will certainly include enhancement and improvement of security, but it will largely be driven via the creation and maintenance of information security management systems and supporting procedures.

SECURITY AWARENESS: SECTION 4

Most security breaches occur at ground floor level, through employees making errors or inadvertently revealing information. It is ironic therefore that so many organizations do not have a comprehensive awareness program in place… perhaps missing the obvious and focusing upon the rather more stimulating high-tech threat instead.

Security should ideally be part and parcel of the organization’s culture. To meet this objective however requires support from the top, determination, and a properly planned and comprehensive awareness plan and program.

This program should include a range of different aspects. To assist, we list some of the most common below:

- A Security Newsletter. This is an important vehicle and can include both news and information in a topical context. Please feel free to extract from this newsletter for inclusion.
- A ‘Roadshow’. Security personnel regularly give presentations to senior management and staff on current threats and issues.
- Hijacking Training. If your organization produces internal courses for staff on other topics, make sure that the security angle is covered.
- Video/DVD. If you have the budget, produce and distribute.
- The Screen Saver. Why not use it for security related messages?
- Posters. Use them and replace them often.
- Cheap gifts. Pens, key fobs, and coffee mugs bearing a security message may seem tacky, but they work.
- Competitions. Security crosswords, puzzles and problems, with a suitable prize for the winner.

Some of these may well be seen as mundane. But in the final analysis, threats are usually far more likely to materialize through lack of awareness than through complex cyber crime.
CERTIFICATIONS

Congratulations to all the following who we have recently added to our list of firms which have been certified with respect to BS7799 Part2 for at least one system in at least one location: Symantec Security Services, Banco Matone (Brazil), Communisis Security Products, Federal Reserve Bank of New York, Royal Bank of Scotland, SWA Ltd, Yorkshire Water Information Technology, Télefoníca Data Argentina, Eastern Petrochemical Company (Saudi Arabia), GTECH Ireland Corporation, Supermask Co Ltd, Progeon Ltd (India), Consul Risk Management, Kingdom Fine Metal Ltd (China), IM Systems Group Inc.

More certifications will be listed in future issues.

Note: A new ‘Register of Certifications’ for the standard has been created at www.certificationregister.org. The backlog is apparently being added on a daily basis.
INTRODUCING AN EFFECTIVE EMAIL SECURITY POLICY

Email security breaches are becoming an increasingly significant threat to organizations around the world. To counter this, most organizations will already have a firewall and anti-virus software in place. Hopefully, as new viruses are found daily, they have also made sure that their virus protection is updated on a daily basis.

Viruses, of course, can pass straight through the firewall by hiding within emails, which the firewall is configured to let in. Once opened, the virus can spread and cause significant damage to internal systems. The virus may not always be serious enough to cause permanent damage but, even with relatively harmless viruses, the disruption may well take time and money to rectify.

Despite these risks, there is no escaping the fact that e-mail is rapidly becoming the principal means of business communication. Draconian restrictions on use are therefore not tenable. However, rigid application of stringent security policy certainly is.

The following high level best practice statements should be adhered to as a basic minimum (extracted from http://www.information-security-policies.com):

- Personnel should understand the rights granted to them by the organization in respect of privacy in personal e-mail transmitted across the organization’s systems and networks. Human Resources Department should incorporate a suitable wording into employee contracts to ensure that this privacy issue is fully understood.

- Personnel should not open emails or attached files without ensuring that the content appears to be genuine. If you are not expecting to receive the message or are not absolutely certain about its source, do not open it.

- Confidential and sensitive information should not be transmitted by e-mail – unless it is secured through encryption or other secure means.

- Personnel should be familiar with general e-mail good practice e.g. the need to save, store and file e-mail with business content in a similar manner to the storage of letters and other traditional mail. E-mails of little or no organizational value should on the other hand be regularly purged or deleted from your system.

From these, it is recommended that more specific corporate requirements are produced and implemented.
HACKED AND DEFACED WEBSITES

Fact: Every day of every week dozens of corporate websites are hacked and defaced. This statement may surprise some people, but it does illustrate that this problem is extremely large scale and the threat is very significant. Even on the very day this item is being written, well known sites owned by Lycos and the European Union have been defaced.

A future edition of this newsletter will therefore investigate this issue in some depth. We will explore some of the more high profile attacks, and offer advice on what to do to minimize risks… and recover should you become a victim.

In the meantime, if you ever wondered what drives these guys, Zone-H (www.zone-h.org) reports the following (from a substantial sample):

Heh…just for fun! 35%
No reason specified 19.2%
I just want to be the best defacer 12.5%
As a challenge 11.7%
Patriotism 10.5%
Political reasons 9.2%
Revenge against that website 1.9%

They also report that over half of successful hacks exploit either configuration errors, or unpatched systems: which are very basic security issues!
ISO17799: THE WORLD WIDE PHENOMENON

The source list for the most recent purchases of the ISO17799 is always popular:

Argentina 3
Australia 18
Austria 9
Barbados 2
Bahrain 1
Belgium 14
Bermuda 3
Bosnia and Herzegovina 1
Brazil 11
Brunei 1
Canada 101
Cayman Islands 1
Chile 7
China 5
Colombia 6
Costa Rica 1
Croatia 2
Cyprus 3
Denmark 16
Egypt 5
Estonia 1
Faroe Isle 1
France 19
Germany 55
Gibraltar 1
Greece 5
Guatemala 1
Hong Kong 12
Hungary 4
Iceland 1
India 12
Indonesia 5
Ireland 27
Israel 2
Italy 36
Jamaica 2
Japan 10
Jordan 2
Korea 1
Lebanon 2
Luxembourg 2
Malaysia 8
Malta 1
México 22
Netherlands 39
New Zealand 5
Norway 19
Panama 1
Peru 1
Philippines 2
Poland 3
Portugal 6
R.O.C. 3
ROMANIA 2
Russia 4
Saudi Arabia 9
Singapore 15
Slovak Republic 1
Slovenia 3
South Africa 11
Spain 23
Sultanate of Oman 1
Sweden 11
Switzerland 48
Taiwan 5
Thailand 2
Tunisia 1
Turkey 3
United Arab Emirates 5
UK 379
USA 588
Venezuela 2
The same warnings apply as normal: these are online credit card sales only, from one source. Those cultures that are less familiar with this form of commerce will be under-represented.
INTRODUCING A DISASTER RECOVERY TEAM

Even for small enterprises, it is often necessary to establish a Disaster Recovery Team to handle the initial stages of an emergency situation. Certainly, it is vital for larger corporations.

The DRT should be made up of a group of specialists who have previously been nominated as being able to assist in dealing with the initial emergency situation. These will not necessarily be the same persons who are members of the Business Recovery Team (BRT). Although the configuration of the DRT will depend upon the type and severity of the emergency, and the nature of the organization itself, the following personnel may need to be involved according to circumstance:

• Key members of Senior Management
• Premises Maintenance Staff
• IT technicians
• Communication technicians
• Security staff
• Personnel Manager
• Premises or Facilities Manager
• Fire and Safety Officer
• Information Security Officer

The DRT is responsible for working with the emergency services to clear the initial emergency crisis situation, in order that the Business Recovery Team is able to start their activities. The DRT itself will only be able to start their own recovery activities once the emergency services have given permission for these duties to commence. During the initial emergency, the DRT will normally make themselves available to provide assistance to the emergency services, as appropriate.

Nominated members from the DRT should actually be on-standby or available at all times, and should ensure that their contact details are known. All members of the DRT should maintain an up-to-date copy of the BCP in a secure location off-site, and each member should also be issued with special equipment such as torches, hard hats, gloves, overalls, hand held dictaphones and mobile phones to use in such emergencies.

These initial preparations can make all the difference to the outcome of the disaster situation, and at the very least, will create a sound platform for the Business Recovery Team.
AN ABRIDGED HISTORY OF ISO 17799

Where did it come from? When? Who produced it? Why? Perhaps most of these questions can be answered via an abridged history of the standard:

ISO 17799 actually began life as the DTI Code of Practice (CoP) for Information Security, the ‘DTI’ being the UK Government’s Department of Trade and Industry. This was published in the early nineties. Even in these early years, however, BSI was involved, and indeed, the CoP was re-badged and re-published as BS7799-1 in 1995.

This certainly had its supporters, but it was not widely embraced, for a variety of reasons. This situation was to change in the late nineties.

In 1999 a major revision of the standard was published. This significantly strengthened the standard in many respects. Accreditation and certification schemes were also launched, and these helped increase the momentum.

Within a year or so, the standard had been fast-tracked through ISO, and it became ISO 17799 in December 2000. This stimulated worldwide interest further. In 2002 BSI published a revised BS7799-2, the second part of the standard, which covered the ISMS and helped bridge the gap with ISO 9000. The ISO17799 Toolkit was released around the same time.

Since then, the standard has gone from strength to strength, and as the sales data in this newsletter illustrates, it is now very much a worldwide phenomenon.

FIRSTS:
- First certified organization: Business Link City Partners.
- First ISO 17799 domain name: www.iso17799.com (owned not surprisingly by BSI)
- First qualified certified BS7799 c:cure Auditor: David Lilburn Watson
- First populated dedicated ISO17799 website: http://www.iso17799software.com
- First certification bodies: LRQA and BSI
- First ISO17799 related product: COBRA
- First regular dedicated publication: This one!
This list was compiled following our own research. If you know of any organization/website/etc that existed prior to these, please let us know!

An interview with David Watson will appear in a future edition of ISO 17799 News.
SECURITY UPDATE

- Security Focus (www.securityfocus.net) reports that charges have been filed against a Florida man known as ‘The-Rev’, for his alleged role in the high profile ‘Deceptive Duo’ hacking team. The ‘Deceptive Duo’ are responsible for defacing a significant number of government and corporate websites.

- At time of publication a security alert has been issued regarding a new fast spreading worm, the ‘Sasser’ worm. This already has several variants and threatens to achieve similar notoriety to previous attacks last year (eg: Blaster). Now seems a pretty good time to update those anti-virus definition files. More information: www.symantec.com

- Currently, of course, we have ISO 17799 and BS7799-2. However, efforts are on-going to convert BS7799-2 to an ISO document as well (ISO 17799-2). We hope to provide an update on this in the next issue.
ISO17799 FAQ: YET MORE FREQUENTLY ASKED QUESTIONS

1) Are there any forums or message boards on which I can discuss ISO 17799 topics or issues with other people? Yes. The two biggest are:
- The ISO 17799 Community: www.17799.com
- The Yahoo ISO 17799 Group: http://groups.yahoo.com/group/iso17799security/

2) How should security REQUIREMENTS be established? ISO 17799 identifies three main sources:
- “The first source is derived from assessing risks to the organization. Through risk assessment threats to assets are identified, vulnerability to and likelihood of occurrence is evaluated and potential impact is estimated”
- “The second source is the legal, statutory, regulatory and contractual requirements that an organization, its trading partners, contractors and service providers have to satisfy”
- “The third source is the particular set of principles, objectives and requirements for information processing that an organization has developed to support its operations”.
3) What is the PDCA Model?
This is the “Plan-Do-Check-Act” model and is used in BS 7799-2. It is intended to be used as the basis for creating, implementing, monitoring and maintaining an information security management system. This is more fully documented at ‘Induction to BS7799′ (www.induction.to/bs7799/).

4) Where can I find a consultant to help?
A directory of ISO17799 and BS7799 Consultants can be found at: www.iso17799world.com

5) What is accreditation and certification?
An accreditation body is an organization (usually a national one) which grants third parties the authority to issue ‘certificates’ (to certify) against standards. This third party is the certification company, which actually certifies against the standard. Examples include: BSI, JACO IS, KEMA, KPMG, SFS-Sertifiointi Oy, SGS, STQC, SAI Global Limited, UIMCert GmbH.
PREPARING FOR AN INFORMATION SECURITY AUDIT

For an Information Security audit to be effective it must be planned and have adequate preparation. A common purpose of conducting the audit is to enable the Information Security Officer (or the person who is responsible for the security of information) to measure the level of compliance with the organization’s Information Security Policies and associated procedures.

At the highest level, the Information Security Officer should initially prepare an audit program which ensures that all key risk areas are audited and reviewed on a regular basis. The greater the threats, and the higher the risk or probability of an Information Security incident, the more often the audit should be conducted.

Once the risk area to be audited has been selected, the Information Security Officer should prepare a list of the INFORMATION that needs to be collected to carry out the audit.

As an example, if the audit chosen is regarding the Portable Computing Facilities, the documents to be considered for review are: Insurance documents, Network Profile, Issue form, General terms of use, Hardware register, Software register, User Profile, Removal of equipment authorization.

The Information Security Officer will also decide on which PERSONNEL need to be audited and arrange an interview schedule. In the same example, the following personnel would be audited: a sample of the user population who use portable computers, the issuers of portable computers, and ancillary staff.

As with many tasks, pre-planning is sometimes seen as a necessary evil, and there is a temptation to short-cut. However, in most cases, there is little doubt that the quality of the planning is likely to go a long way in determining the quality of the audit itself.

Note: This information extracted from the Interactive Security Manual and used with permission: www.security-manual.com
SECTION 12: THE SARBANES-OXLEY ACT

The Sarbanes-Oxley Act was signed into law on 30th July 2002, on the back of the Enron scandal, and introduced highly significant legislative changes to financial practice and corporate governance regulation. It introduced stringent new rules with the stated objective: “to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws”.

These legislative changes in the US are also of particular interest to users of ISO 17799 generally, as they deal with the requirement to monitor internal controls, including information security procedures. In addition, of course, ISO17799 itself embraces legislative compliance within Section 12.

For these reasons, each issue of the ISO17799 Newsletter covers a different aspect of this legislation. The topic covered in this issue is “Corporate Responsibility for Financial Reports”

Periodic statutory financial reports issued by public companies must include certifications that:
- The signing officers have reviewed the report
- The signing officers are responsible for internal controls, have evaluated those controls within the previous ninety days and have reported on their findings
- All deficiencies in the internal controls have been listed, together with information on any fraud that involves employees who are involved with internal activities
- The report does not contain any materially untrue statement or material omission and is not misleading
- The financial statements and related information fairly present the financial condition and the results in all material respects
- Any significant changes in internal controls or related factors that could have a negative impact on the internal controls have been disclosed

Importantly, it is also specified that organizations may not attempt to avoid these requirements by reincorporating their activities or transferring their activities outside of the United States.

With compliance deadlines for the Sarbanes-Oxley Act fast approaching, focus on the legislation, and indeed its security implications, is increasing. For more information on this legislation, the Sarbanes-Oxley Community (http://www.sarbanes-oxley-forum.com) provides a public forum and FAQ.
ISO 17799 / BS7799 RELATED DEFINITIONS AND TERMS

In each newsletter we include a selection of definitions and terms to explain some of the jargon and language used by information security and IT professionals. In this issue, the selected terms all start with the letter D:

DATASCOPE
An electronic device that is capable of detecting and reading the bit-patterns of data passing down a communications line and interpreting/translating these patterns into readable alphanumeric characters. Some devices are capable of detecting/reading the electromagnetic radiation emitted directly by computers without the need to ‘tap’ a communications line.

DUAL CONTROL
Dual Control is one of the foundations of Information Security. It is based upon the premise that, for a breach to be committed, both parties would need to be in collusion; and because the pairs of people should always be alternated, a much greater level of corruption would be required in order to breach dual control procedures, especially if such procedures require nested dual control access, such that (say) 2 pairs of people are required to enable access.
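The entry above describes the mechanism in words; the following is an added example (not from the newsletter or any standard's text) that checks whether a set of approvals satisfies dual control, including the nested two-pair case and the rule that pairs must alternate between occasions. The data model is an assumption: each approval is recorded as (person, pair_id), and the previous occasion's pairs are supplied as a history.

```python
"""Added example: evaluating dual-control approvals.

Assumed model (not the newsletter's): an approval is (person, pair_id);
a pair is complete when two distinct people approve under one pair_id;
`pairs_required` is 1 for plain dual control and 2 for nested control;
`previous_pairs` lists the pairs used last time, which must not be reused.
"""


def check_dual_control(approvals, pairs_required=1, previous_pairs=()):
    """Return (ok, reason) for a proposed privileged action."""
    members = {}
    for person, pair_id in approvals:
        # A set per pair: the same person approving twice under one
        # pair_id counts once, so self-approval never completes a pair.
        members.setdefault(pair_id, set()).add(person)

    for pair_id, people in members.items():
        if len(people) > 2:
            return False, "pair %s has more than two members" % pair_id

    complete = {pid: frozenset(p) for pid, p in members.items() if len(p) == 2}
    if len(complete) < pairs_required:
        return False, "%d complete pair(s), %d required" % (len(complete), pairs_required)

    # Nested control only adds protection if no one sits in two pairs;
    # otherwise a single person is again the point of collusion.
    seen = set()
    for people in complete.values():
        if people & seen:
            return False, "same person appears in more than one pair"
        seen |= people

    # The 'always alternate the pairs' rule: a pair that acted last time
    # may not act again on the next occasion.
    history = set(previous_pairs)
    reused = [sorted(p) for p in complete.values() if p in history]
    if reused:
        names = ", ".join("+".join(p) for p in sorted(reused))
        return False, "pair reused from previous occasion: " + names

    return True, "dual control satisfied"


if __name__ == "__main__":
    print(check_dual_control([("ann", "A"), ("ben", "A")]))
    print(check_dual_control([("ann", "A"), ("ben", "A"),
                              ("cy", "B"), ("di", "B")], pairs_required=2))
```

The pair history is the part most often left out of real implementations: without it, the same two colleagues can approve each other's actions indefinitely, which is exactly the collusion risk the entry warns about.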

DES
The Data Encryption Standard (DES) is a data encryption standard for the scrambling of data to protect its confidentiality. It was developed by IBM in co-operation with the American National Security Agency and published in 1974. It has become extremely popular and, because it used to be so difficult to break, with 72,000,000,000,000,000 possible key variations, was banned from export from the United States. However, restrictions by the US Government on the export of encryption technology were lifted in 2000 to the countries of the EU and a number of other countries.

DONGLE
A mechanical device used by software developers to prevent unlicensed use of their product. Typically, a Dongle is a small connector plug, supplied with the original software package, which fits into a socket on a PC – usually a parallel port, also known generally as the LPT1 Printer port. Without the Dongle present, the software will not run. Some older Dongles act as a terminator, effectively blocking the port for any other use, but later versions have a pass-through function, allowing a printer to be connected at the same time. Even though the PC can still communicate with the printer, there have been problems with more recent printers which use active two-way communications with the PC to notify printing status, ink levels, etc.

DIGITAL WATERMARK
A unique identifier that becomes part of a digital document and cannot be removed. The watermark is invisible to the human eye but a computer can analyze the document and extract the hidden data. Digital watermarks are being used for Classified/Top Secret documents – usually Military/Governmental – and highly confidential commercial material. The primary use of such marks is to allow different marks to be used when the document is copied to different persons and thereby establish an Audit Trail should there be any leakage of information.
IT COULDN’T HAPPEN HERE….COULD IT?

Every issue of The ISO17799 Newsletter features at least one TRUE story of an information security breach and its consequences:

1) The Disgruntled Employee Strikes Back

An organization in the US fired an employee who had been known to be less than happy in his work and had been causing problems for management through a variety of activities. Unbeknownst to the organization, this employee had made a copy of the main client database for himself and therefore had access to sensitive information.

Shortly after the employee was dismissed, major customers started receiving offensive material purportedly being sent by the organization itself. The ex-employee used a simple open SMTP server to simulate the organization’s email addresses. Customers immediately started to move away from the organization and even when they were informed that this material had been maliciously sent to them by a previous employee, they remained unimpressed with a company that had so little security in place.

The organization quickly went out of business, paying a heavy price for not having sufficient control over employee access to sensitive information.

2) But Who Audits the Auditor?

A large financial company thought they had security in the bag. Their security department was active, and involved in most activities of the Group. It had a reputation for being on top of new technology, and had an aggressive audit schedule, with all sensitive applications and projects being regularly audited.

What a pity they got a fundamental principle so badly wrong! As the Group’s security area they had full access to security settings, and administered access control for key applications. As auditors they audited the same. That was the crunch.

The same individuals who set security levels and granted access to information resources, also audited them. A classic case of insufficient segregation of duties.

In one sense they were lucky. The incident which brought this to light was petty. The individual in question could not resist the temptation to adjust his overtime figures on the payment database. He inflated the figures by several hundred dollars, each month, for several months. He was caught because someone else on his team spotted his payslip (which he had left inside his briefcase, which he left open!) and knew instinctively that he had not been working long hours in recent weeks and therefore that the salary figure was far too high.

It could, however, just as easily have been an accounting database he adjusted, or a number of financial databases, and the company could have been facing a substantial and embarrassing loss.

The golden rule of course is that auditors usually need only read access to audit, and not update.
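A check for the failure described in this story, as an added example that is not part of the newsletter: it takes an access-rights register and an audit schedule and reports every auditor who holds update or administrative rights on a system they audit, plus auditors who lack the read access they need. The register, schedule and names are constructed sample data; the rule being tested is the one stated above.

```python
"""Added example: segregation-of-duties check for auditors.

The sample register and schedule are constructed for illustration.
"""

UPDATE_RIGHTS = {"write", "admin"}   # rights an auditor must not hold

# Constructed access-rights register: (user, system, permission)
ACCESS_REGISTER = [
    ("alice", "payroll", "admin"),
    ("alice", "payroll", "read"),
    ("bob",   "payroll", "read"),
    ("carol", "ledger",  "write"),
    ("dave",  "ledger",  "read"),
]

# Constructed audit schedule: auditor -> systems that auditor reviews
AUDIT_SCHEDULE = {
    "alice": ["payroll"],   # administers and audits the same system
    "bob":   ["ledger"],    # audits ledger but holds no access to it
    "dave":  ["ledger"],    # read-only, as an auditor should be
}


def sod_findings(access_register, audit_schedule):
    """Return (violations, missing_read), both sorted.

    violations:   (auditor, system, permission) where the auditor can
                  change the very data they audit
    missing_read: (auditor, system) where the auditor has no read access
                  and so cannot audit the system independently
    """
    rights = {}
    for user, system, perm in access_register:
        rights.setdefault((user, system), set()).add(perm)

    violations, missing_read = [], []
    for auditor, systems in audit_schedule.items():
        for system in systems:
            perms = rights.get((auditor, system), set())
            for perm in sorted(perms & UPDATE_RIGHTS):
                violations.append((auditor, system, perm))
            if "read" not in perms:
                missing_read.append((auditor, system))
    return sorted(violations), sorted(missing_read)


if __name__ == "__main__":
    found, gaps = sod_findings(ACCESS_REGISTER, AUDIT_SCHEDULE)
    for auditor, system, perm in found:
        print("VIOLATION: %s audits %s but holds %s" % (auditor, system, perm))
    for auditor, system in gaps:
        print("GAP: %s audits %s without read access" % (auditor, system))
```

Run against a real export of group memberships and the audit programme, this is a cheap recurring control: the story's team would have appeared on the first line of output.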

3) Intellectual Property Rights (IPR)

A company in London developed a range of new products mainly by utilizing the services of one of its employees who was particularly skilled at these activities. Once these products had been developed, they were successfully marketed by the firm and a good revenue stream emanated from this new business area.

Unfortunately, the firm had not considered protecting the intellectual property rights of work undertaken during the employee’s time with them and it was subsequently successfully sued by the employee who had authored the products, and who then claimed ownership over the intellectual property rights contained within them.

The lesson to be learned here is that employees’ contracts should clearly state the ownership of any work developed for the company during his/her employment. This agreement should be signed by the employee to signify acceptance of these terms and conditions prior to undertaking this type of work.


Issue 9

Posted: August 19th, 2004 | Author: | Filed under: Issues | No Comments »

ISO17799 News – Issue Nine

Welcome to the ninth issue of ISO 17799 News, designed to keep you abreast of developments and news with respect to ISO17799 and information security.

The newsletter is absolutely free to our subscribers and provides guidance on various practical issues, plus commentary on recent Information Security incidents.

Included in this edition are the following topics:

1) Creating Information Classification Criteria
2) What is Information Security?
3) Standard Certifications
4) Disposal of Old and Obsolete Equipment
5) Section 11 – Getting Ready for BCP
6) ISO17799: a World Wide Phenomenon
7) ISO17799 Section 12: The Sarbanes-Oxley Act 2002
8) BCP Top Down
9) The FAQ: More Frequently Asked ISO17799 Questions
10) Controlling Changes to the Service Level Agreement
11) More ISO 17799 and Security Related Terms and Definitions
12) It Couldn’t Happen Here…. Or Could It?
ESTABLISHING INFORMATION CLASSIFICATION CRITERIA

It is essential to classify information according to its actual value and level of sensitivity in order to deploy the appropriate level of security. A system of classification should ideally be:
- simple to understand and to administer
- effective in order to determine the level of protection the information is given.
- applied uniformly throughout the whole organization (note: when in any doubt, the higher, more secure classification should be employed).

With the exception of information that is already in the public domain, information should not be divulged to anyone who is not authorized to access it or is not specifically authorized by the information owner. Violations of the Information Classification Policy should result in disciplinary proceedings against the individual.

It is also sensible to restrict the number of information classification levels in your organization to a manageable number as having too many makes maintenance and compliance difficult. The following five levels of classification cover most eventualities:

Top Secret:
Highly sensitive internal documents and data. For example, impending mergers or acquisitions, investment strategies, plans or designs that could seriously damage the organization if lost or made public. Information classified as Top Secret has very restricted distribution indeed, and must be protected at all times. Security at this level is the highest possible.

Highly Confidential:
Information which is considered critical to the organization’s ongoing operations and could seriously impede or disrupt them if shared internally or made public. Such information includes accounting information, business plans, sensitive information of customers of banks (etc), patients’ medical records, and similar highly sensitive data. Such information should not be copied or removed from the organization’s operational control without specific authority. Security should be very high.

Proprietary:
Procedures, project plans, operational work routines, designs and specifications that define the way in which the organization operates. Such information is usually for proprietary use by authorized personnel only. Security at this level is high.

Internal Use Only:
Information not approved for general circulation outside the organization, where its disclosure would inconvenience the organization or management, but is unlikely to result in financial loss or serious damage to credibility/reputation. Examples include: internal memos, internal project reports, minutes of meetings. Security at this level is controlled but normal.

Public Documents:
Information in the public domain: press statements, annual reports, etc. which have been approved for public use or distribution. Security at this level is minimal.

Care should always be applied regarding a user’s possible tendency to over classify their own work. It can sometimes be erroneously surmised that the classification level can reflect directly on the individual’s own level of importance.

Asset classification is covered by Section 5 of the ISO17799 standard.
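The five levels above form an ordered scale, and two of the rules in this section can be enforced mechanically: "when in any doubt, the higher classification should be employed" and "not divulged to anyone who is not authorized ... or not specifically authorized by the information owner". The following is an added example (not from the newsletter) that encodes the scale, resolves conflicting labels upwards, decides read access, and flags authors whose labelling pattern suggests the over-classification tendency noted in the last paragraph. The level names are the newsletter's; the functions, threshold and sample data are assumptions.

```python
"""Added example: the newsletter's five-level classification scale as code.

Level names follow the article; the helpers and sample data are constructed.
"""
from enum import IntEnum


class Level(IntEnum):
    """Ordered from least to most sensitive, so comparisons mean dominance."""
    PUBLIC = 0
    INTERNAL_USE_ONLY = 1
    PROPRIETARY = 2
    HIGHLY_CONFIDENTIAL = 3
    TOP_SECRET = 4


def classify(proposed_levels):
    """Resolve reviewers' proposals into one label.

    'When in any doubt, use the higher classification': the label is the
    maximum of every proposal. No proposal at all is treated as doubt and
    resolves to TOP_SECRET until the information owner labels it.
    """
    if not proposed_levels:
        return Level.TOP_SECRET
    return max(Level(lvl) for lvl in proposed_levels)


def may_read(clearance, document_level, owner_authorized=False):
    """Read access: clearance must dominate the label, unless the
    information owner has specifically authorized this disclosure."""
    if Level(document_level) == Level.PUBLIC:
        return True
    return Level(clearance) >= Level(document_level) or owner_authorized


HIGH = {Level.TOP_SECRET, Level.HIGHLY_CONFIDENTIAL}


def overclassification_suspects(labels_by_author, ratio=2.0):
    """Flag authors whose share of high labels exceeds `ratio` times the
    organisation-wide share. A review prompt, not a verdict: some roles
    legitimately produce mostly sensitive material."""
    total = sum(len(v) for v in labels_by_author.values())
    total_high = sum(1 for v in labels_by_author.values() for l in v if Level(l) in HIGH)
    if total == 0 or total_high == 0:
        return []
    org_share = total_high / total
    suspects = []
    for author, labels in labels_by_author.items():
        if not labels:
            continue
        share = sum(1 for l in labels if Level(l) in HIGH) / len(labels)
        if share > ratio * org_share:
            suspects.append(author)
    return sorted(suspects)


# Constructed sample: labels each author assigned to their own documents
SAMPLE_LABELS = {
    "alice": [Level.TOP_SECRET, Level.TOP_SECRET, Level.TOP_SECRET, Level.HIGHLY_CONFIDENTIAL],
    "bob":   [Level.INTERNAL_USE_ONLY, Level.PUBLIC, Level.PROPRIETARY, Level.INTERNAL_USE_ONLY],
    "carol": [Level.INTERNAL_USE_ONLY, Level.PROPRIETARY, Level.PROPRIETARY, Level.PUBLIC],
}

if __name__ == "__main__":
    print(classify([Level.INTERNAL_USE_ONLY, Level.PROPRIETARY]).name)
    print(may_read(Level.PROPRIETARY, Level.HIGHLY_CONFIDENTIAL))
    print(overclassification_suspects(SAMPLE_LABELS))
```

Keeping the levels in an `IntEnum` means the "higher wins" and "clearance dominates" rules are ordinary comparisons, which is also what makes the scheme simple to administer, as the section asks.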

WHAT IS INFORMATION SECURITY?

We are sometimes asked the most basic information security question of all: “What is information security?”. This can actually be surprisingly difficult to define. However, the introduction to the standard itself characterizes information security as the preservation of what is often known as CIA:

Confidentiality
Ensuring that information is accessible only to those authorized to have access

Integrity
Safeguarding the accuracy and completeness of information and processing methods

Availability
Ensuring that authorized users have access to information and associated assets when required.

It further explains that “information security is achieved by implementing a suitable set of controls”, and that these need to be “established to ensure that the specific security objectives of the organization are met”.
CERTIFICATIONS

Congratulations to all the following who we have recently added to our list of firms which have been certified with respect to BS7799 Part 2 for at least one system in at least one location: A3 Security Consulting; Atos Origin; Baltimore Technologies (Ireland); Mashreq Bank (UAE); Cable & Wireless; Hitachi; HMGCC; HM Land Registry; Misys International Banking; Mitsue (Japan); Modulo Security (Brazil); Samsung; Fujitsu; Swiss Post; Total Network Solutions; Wipro Technologies (India)

More certifications will be listed in future issues.
DISPOSAL OF OLD OR OBSOLETE EQUIPMENT

“Equipment owned and/or used by the organization should only be disposed of in accordance with approved procedures including independent verification that the relevant security risks have been mitigated”.

This policy addresses the issues that should be considered when disposing of old computer hardware, whether for recycling/scrap or for use by others. An example of the security risk involved is a hard disk inside a unit that has not been completely or properly wiped. A practical case is old EPOS equipment: old credit card information is saved onto the hard disk and, if not erased properly prior to disposal, could easily be accessed. In this scenario, a retailer with an EPOS system has a legal and ethical duty to its consumers to protect their data from fraudulent use.

When implementing a policy on the disposal of old computer equipment, a wide variety of issues and scenarios need to be considered, such as:
- Legacy data from old systems can still remain accessible and thus compromise the confidentiality of information.
- Inadequate planning for the disposal and upgrade of entire systems can threaten business continuity and result in severe loss.
- Equipment used periodically but infrequently may be disposed of accidentally.
- The disposal of old equipment can prevent the restoration of its associated data files on which you may be relying.
- Breaches of health and safety requirements threaten the well-being of your staff and render you liable to prosecution.
- During the legitimate disposal of unwanted equipment other items can be ‘lost’ or stolen.

If any of these issues sound far-fetched, think again. Our incident archive is packed with examples of serious problems resulting from uncontrolled disposal.

This topic is dealt with in various sections of ISO17799, including 7 and 8.
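The policy quoted at the start of this section asks for "independent verification that the relevant security risks have been mitigated". For a disk, that verification is a read-back: the following added example (not from the newsletter) scans a disk image chunk by chunk and classifies each chunk as a uniform fill (a zero or 0xFF overwrite), random (a random-pattern overwrite) or residual data, and lists printable strings found in residual chunks so the verifier can see what survived. The entropy threshold and the sample image with an embedded receipt record are constructed assumptions.

```python
"""Added example: read-back verification that a disk image was wiped.

Assumptions: 64 KiB chunks; a chunk with Shannon entropy >= 7.9 bits/byte
is taken as a random overwrite; the sample image is constructed here.
"""
import io
import math
import random
import re
from collections import Counter

CHUNK_SIZE = 64 * 1024
RANDOM_ENTROPY_FLOOR = 7.9            # bits per byte (assumed threshold)
STRING_RE = re.compile(rb"[\x20-\x7e]{8,}")   # printable runs of 8+ bytes


def chunk_entropy(data):
    """Shannon entropy of a byte string, in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_chunk(chunk):
    """'fill' (every byte identical), 'random' (near-maximal entropy)
    or 'data' (anything else, i.e. structure that a wipe should have removed)."""
    if chunk.count(chunk[0]) == len(chunk):
        return "fill"
    if chunk_entropy(chunk) >= RANDOM_ENTROPY_FLOOR:
        return "random"
    return "data"


def verify_wiped(stream, chunk_size=CHUNK_SIZE, max_strings=10):
    """Scan a binary stream (an image file or block device opened 'rb').

    Returns a report dict; report['wiped'] is True only when every chunk
    is fill or random and at least one byte was read.
    """
    report = {"bytes": 0, "fill": 0, "random": 0, "data": 0,
              "first_dirty_offset": None, "strings": []}
    offset = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        kind = classify_chunk(chunk)
        report[kind] += 1
        if kind == "data":
            if report["first_dirty_offset"] is None:
                report["first_dirty_offset"] = offset
            for m in STRING_RE.finditer(chunk):
                if len(report["strings"]) >= max_strings:
                    break
                report["strings"].append(m.group().decode("ascii"))
        offset += len(chunk)
    report["bytes"] = offset
    report["wiped"] = offset > 0 and report["data"] == 0
    return report


def verify_wiped_bytes(data):
    """Convenience wrapper for in-memory images."""
    return verify_wiped(io.BytesIO(data))


def build_sample_image():
    """Constructed image: a zero-filled chunk, a random-filled chunk, and
    a chunk that was 'wiped' except for one leftover sales record."""
    rng = random.Random(1234)
    zeros = bytes(CHUNK_SIZE)
    rand = bytes(rng.getrandbits(8) for _ in range(CHUNK_SIZE))
    residue = bytearray(CHUNK_SIZE)
    record = b"RECEIPT 0001 CUSTOMER J SMITH TOTAL 42.50"   # constructed
    residue[1000:1000 + len(record)] = record
    return zeros + rand + bytes(residue)


if __name__ == "__main__":
    print(verify_wiped_bytes(build_sample_image()))
    print(verify_wiped_bytes(bytes(2 * CHUNK_SIZE))["wiped"])
```

On a real device the stream would be the raw block device, and the scan must cover the whole capacity rather than the partitions that were visible to the operating system, since residue often sits outside them.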
ISO17799 SECTION 11: PREPARING FOR THE BUSINESS CONTINUITY PROCESS

For a business continuity plan to be successful, it is important that all members of staff have been trained properly and understand the business recovery process. In order for people to understand what will be required of them, it is important that the training itself is planned and delivered to the people on a structured basis. It is less likely that people will misunderstand their roles and responsibilities if they are able to digest the information given to them in advance.

Certainly, for larger organizations a formal training plan should exist. This plan should outline the scope, objectives and activities and should be assessed to make sure it is relevant for the procedures involved.

An example of a training objective could be “To train all staff in the particular procedures to be followed during the business recovery process”. An example of the scope for the training might be “The training must be carried out in a comprehensive and exhaustive manner so that staff become familiar with all aspects of the recovery process. The training will cover all aspects of the Business Recovery activities section of the BCP including IT systems recovery”.

Not too sure where to start? A template approach such as that used by The BCP Generator (http://www.bcpgenerator.com) can actually help you to generate your company’s business continuity plan from start to finish.
ISO 17799: THE WORLD WIDE PHENOMENON

The source list for the most recent purchases of the ISO17799 is always popular:

Argentina 2
Australia 14
Austria 8
Bahrain 1
Barbados 2
Belgium 11
Bermuda 2
Bosnia and Herzegovina 1
Brazil 7
Brunei 1
Canada 92
Cayman Islands 1
Chile 6
China 3
Colombia 6
Costa Rica 1
Croatia 2
Cyprus 2
Denmark 13
Egypt 4
Estonia 1
Faroe Islands 1
France 11
Germany 44
Gibraltar 1
Greece 4
Guatemala 1
Hong Kong 9
Hungary 4
Iceland 1
India 8
Indonesia 5
Ireland 20
Isle of Man 1
Israel 2
Italy 30
Jamaica 2
Japan 8
Jordan 2
Korea 1
Lebanon 2
Luxembourg 1
Malaysia 6
Malta 1
México 16
Netherlands 27
New Zealand 5
Norway 15
Panama 1
Peru 1
Philippines 1
Poland 3
Portugal 5
R.O.C. 3
Romania 2
Russia 4
Saudi Arabia 6
Singapore 12
Slovak Republic 1
Slovenia 3
South Africa 7
Spain 19
Sultanate of Oman 1
Sweden 9
Switzerland 40
Taiwan 5
Thailand 2
Tunisia 1
Turkey 3
UK 327
United Arab Emirates 5
USA 481
Venezuela 2

The same warnings apply as normal: these are online credit card sales only, from one source. Those cultures that are less familiar with this form of commerce will be under-represented.
ISO17799 SECTION 12: SARBANES-OXLEY ACT

The Sarbanes-Oxley Act was signed into law in the United States on July 30th 2002, and introduced highly significant regulatory changes to financial practice and corporate governance. It introduced stringent new rules with the stated objective: “to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws”.

Because this act is internationally significant as well, each future edition of ISO 17799 News will feature an area of the Sarbanes-Oxley Act that focuses on a particular topic of interest. This issue covers Investigations and Disciplinary Proceedings.

The Executive Management and Board of Directors are required to establish procedures for the investigations and disciplining of registered public accounting firms, or any person associated with that firm, where they may be considered to have been in violation of the Act. The Board may:
- Request sight of all relevant audit work papers and associated documentation
- Request a written explanation from the registered firm on the matters being investigated
- Request written testimony from any clients of the registered firm that may have been involved in matters being under investigation, including issuing of subpoenas

In the event of non-cooperation with the inspection, the Board may carry out sanctions, including suspension or revocation of registration.

The Board is required to notify the Commission of impending investigations in order that the Commission’s Division of Enforcement may be involved as appropriate.

The Board is to take care that all relevant information and documents are kept appropriately confidential in case such evidence is required in a state or federal court as part of criminal or civil legal due process. Such information may be made available to various government agencies provided these bodies maintain such information as confidential and privileged.

Employees of the Board involved in investigations are immune from any civil liability to the same extent as federal government employees.

This section also contains detailed information on the disciplinary process and the civil penalties that may be imposed, including suspension of a public accounting firm and barring association during this suspension with organizations regulated by the SEC. The Board is required to inform the Commission and any appropriate regulatory bodies and the public (after any stay has been lifted) on the application of sanctions.

More information on the SOA can be found at: http://www.sarbanes-oxley-forum.com
BCP/DRP IS NOT JUST AN ACADEMIC EXERCISE

The recent disastrous events in the United Kingdom and the United States, when the electricity supply was interrupted without warning, have emphasized the urgency of the need for all organizations to prepare a Disaster Recovery Plan. Disaster Recovery Planning (DRP) is essential for the continuation of key business services in the event of an unexpected occurrence that seriously disrupts the business process.

One information security issue when initiating the plan is that there may well be a lack of commitment from the Board or top management to formalize the development of the BCP/DRP; if this is the case, it is likely to result in an inadequate process. For the DRP project to be effective, it is advised that a structured process is followed when initiating the plan, that the Board or Governing Body itself formally approves the project initiation, and that it ensures there will be adequate resources available to manage the project.

The importance of this level of commitment from the very top cannot be over emphasized.

A risk assessment should then be carried out to analyze the DRP security threat: the nature of such unexpected occurrences, the potential impact they may cause, and the likelihood of these occurrences becoming serious incidents.
ISO17799 FAQ: MORE FREQUENTLY ASKED QUESTIONS

1) What controls are considered by the standard to be essential to an organization from a legal viewpoint?
Many sections embrace and cover legislative issues, but the following 3 areas are specifically highlighted: data protection and privacy of personal information; intellectual property rights; safeguarding of organizational records

2) And what about from a common best practice viewpoint?
The following areas are highlighted: security policy document; assignment of security responsibilities; business continuity management; security education and training; reporting of security incidents

3) Who actually wrote the security standard?
Originally a BSI/DISC committee, which included representatives from a wide section of commerce and industry. It was subsequently reviewed by an International Standards Organization committee and emerged through the ISO publication process.

4) Can I republish articles from the ISO17799 Newsletter internally, or even on our external internet site?
Yes, subject to a link to this website.

5) Where can I discuss ISO 17799 with other people online (eg: a message board)?
ISO17799 forums exist at: http://www.17799.com and http://groups.yahoo.com/group/iso17799security/
CONTROLLING CHANGES TO THE SERVICE LEVEL AGREEMENT

From time to time, it may be necessary for either the Supplier or the Client to require changes to the services being delivered or to other aspects of the service level agreement. These changes need to be carefully controlled and should be covered by an approved and detailed procedure. It is recommended that change requests are formalized and agreed between the parties. If the changes to the services are reasonably simple then only minor changes to service listings need to be agreed. If, however, the changes to the Services are fundamental or complex, they may also require changes to be made to broader aspects of the agreement itself.

Changes to the Agreement should be handled under agreed change control procedures. It is normally recommended, however, that the Client organization establishes some form of specific Steering Committee which will be responsible for controlling and monitoring the SLA and changes to the Services, service measurement criteria or the Agreement itself. The following process is fairly common:
- The nominated Client Representative should submit a Services Change Request (SCR) on behalf of the user department to the Supplier for consideration, review and costing.
- The Supplier should review the feasibility of the Services Change Request and provide an estimate of the time and work effort
- The Client Representative and the Supplier should jointly present the Services Change Request to the SLA Steering Committee
- The Steering Committee should consider the impact on contracts and agreements between the two parties and the budgetary issues
- The Steering Committee approves or rejects the Services Change Request.
- The Service Change Request, if approved, is then incorporated into the Service Level Agreement.

For a service level agreement template and pre-defined process covering SLAs see: http://www.service-level-agreement.net

NOTE: If you haven’t got a formal service level agreement in place for your critical services… you should have!
ISO 17799 / BS7799 RELATED DEFINITIONS AND TERMS

In each newsletter we include a selection of definitions and terms to explain some of the jargon and language used by information security and IT professionals. In this issue, we have provided a selection of terms that all start with the letter ‘P’:

Pickling
Archiving a working model of obsolete computer technology so that a machine will be available to read old archive records which were created and stored using that machine’s system. Reportedly, Apple Computer has pickled a shrink-wrapped Apple II machine so that it can read Apple II software (if necessary) in the future.

Polymorphic
Term used to describe a virus which changes itself each time it replicates in an attempt to hide from Anti-virus software.

Polling
Checking the status of an input line, sensor, or memory location to see if a particular external event has been registered. Typically used on fax machines to retrieve information from a remote source – the user will dial from one fax machine to another, then press the polling button to get information from the remote fax machine.

Proto-hacker
Individual who has risen above the tinkering Anorak level with aspirations to be a Hacker – but does not yet have the necessary skills to crack a major system. Can cause much damage by clumsy entry Hacking and blundering around the system corrupting files – albeit unintentionally. Proto-hackers may have marginally more technical skills than Anoraks but still display immaturity by leaving calling cards, messages, graphics, etc. As a result most of them are identified and caught before they graduate to being full Hackers.

Protocol
A set of formal rules describing how to transmit data, especially across a network. Low level protocols define the electrical and physical standards to be observed, bit- and byte-ordering and the transmission and error detection and correction of the bit stream. High level protocols deal with the data formatting, including the syntax of messages, the terminal to computer dialogue, character sets, sequencing of messages etc. Some examples of protocols are: TCP/IP, the protocol used on the internet to send and receive information (HTTP is a subset of TCP/IP).
IT COULDN’T HAPPEN HERE….COULD IT?

Every issue of The ISO17799 Newsletter features at least one TRUE story of an information security breach and its consequences:

1) The ‘Perfect’ Business Continuity Plan

Yes, we have published this one previously – but it is our favorite true story!

A major financial institution took pride in its business continuity planning, and had in place what it considered to be a comprehensive plan of the highest quality. Indeed, the plan itself had been fully tested only days prior to the fateful incident.

On a quiet Sunday afternoon, the tranquility was disturbed by a large explosion in their main office block in the center of a large city. It was not a bomb or terrorist incident, but a serious gas explosion.

The company confidently swung the BCP into full effect, almost as quickly as the media hit town, only to immediately discover something that the plan, as good as it was, had overlooked! The streets were full of paper from the office containing a wide variety of confidential customer information. Sensitive data was lying around for any passer-by or observer to simply pick up and read.

For all the planning and testing, a single security lapse had cost them dearly, as this aspect of the incident was reported again and again.

The moral of the story is of course that the office clean desk policy, and secure filing of confidential data policy, can actually prove to be extremely important!

2) A Simple One – But A Common One

This one worked for years. The problem is that it still does!

A mainframe programmer in a large organization thought it would be a hoot to collect the passwords of his colleagues and explore what they actually had filed under their own userids.

To achieve this, he wrote a very simple script to emulate the exact look of the standard welcome screen for logon. The script didn’t log on, of course; instead it provided a duplicate of the user-id/password screen, and then filed the input provided by the user to a common area. Instead of then logging the user onto the system, it presented the ‘System is not available’ message. The user invariably got up and walked away at this point, enabling him to quickly retrieve the gathered authentication details.

Unfortunately, armed with a growing number of access details, he just could not resist going further than being nosey. He began to actively seek more information, first on himself, then on others. Realizing that he could do so apparently anonymously, he was soon changing information. Quickly, he was out of control and was accessing and changing files almost every day.

He was only caught when someone spotted that the ‘last logon’ date for their account was clearly incorrect (they had only just returned from holiday). Their report was taken seriously, and observation and investigation initiated.

Hardly surprisingly, his excuse that he was “only having fun” was not enough to save him.


Issue 8

Posted: April 19th, 2004 | Author: | Filed under: Issues | No Comments »

ISO17799 News – Issue 8

Welcome to the eighth issue of the ISO17799 newsletter, designed to keep you abreast of news and developments with respect to ISO17799 and information security.

The information contained in this newsletter is absolutely free to our subscribers and provides guidance on various practical issues, plus commentary on recent Information Security incidents. In view of recent events, this issue focuses particularly upon business continuity and disaster recovery.

Included in this issue are the following topics:

1) Obtaining ISO17799

2) Recent Internet Attacks

3) ISO17799 CSFs (Critical Success Factors)

4) Main Control Types

5) ISO17799 Section 11 – The North American Blackout

6) ISO17799: a World Wide Phenomenon

7) Potential Emergency Types for BCP

8) Back-Up and Recovery Strategy

9) More Frequently Asked ISO17799 Questions

10) Service Availability and the SLA

11) ISO 17799 Related Definitions

12) It Couldn’t Happen Here…. Could It?
