September 27th, 2006, 01:00 PM
ISO 17799 and ISO 27001
Just a heads up that the latest edition of the 17799/27001 newsletter is out today. It is produced in full below (permission for reproduction granted):
THE ISO 27001 and ISO 17799 NEWSLETTER - EDITION 12
Welcome to the Issue 12 of the ISO27001/ISO17799 newsletter, designed to provide news and information with respect to the ISO information security standards. The information contained within newsletter is absolutely free to our subscribers and provides guidance on various practical issues, plus commentary on recent Information Security incidents.
Covered in this edition are the following topics:
1) Obtaining the Standards
2) BS7799 Emerges... Again
3) Information Security News
4) ISO 17799 and COBIT
5) A World Wide Phenomenon
6) ISO17799 Section 14: Terrorist Plot Reveals Continuity Weakness
7) More Frequently Asked ISO17799/ISO27001 Questions
8) Protecting Confidentiality Using An SLA
9) More ISO 17799 Related Terms and Definitions
10) It Couldn't Happen Here.... Could It?
OBTAINING ISO 17799 AND ISO 27001
The first question we often field is "Where can I obtain a copy of the standard?" The standard itself is available from:
This is the web site for the ISO 17799 and ISO 27001 Toolkit. This downloadable package was created to help those taking the first steps towards addressing the standards. It includes both parts of the standard, audit checklists, a roadmap, a set of ISO compliant security policies, and a range of other items and materials.
This is the BSI Online Shop, a vending site for downloadable copies of the standards.
BS7799 EMERGES... AGAIN!
BS7799-1 became ISO 17799. Then, BS7799-2 emerged, to evolve into ISO 27001. Now: BS7799-3 has been born.
It is titled "Information security management systems - Part 3: Guidelines for information security risk management", and is intended to provide guidance and support for the implementation of ISO27001. It is mooted that it too will eventually become an ISO standard: ISO 27005.
Risk management of course is part and parcel of information security, and also of the security standards. That BSI should introduce a standard embracing it is therefore no surprise. It can of course be obtained via BSI's online outlet, Standards Direct: http://17799.standardsdirect.org/bs7799.htm
INFORMATION SECURITY NEWS
1) The creators of the Zotob worm, which disrupted networks at a number of media outlets, have been jailed in Morocco for between one and two years. The worm is estimated to have caused $400 million in damages.
2) AT&T have admitted that the personal information of about 19,000 customers has been accessed by hackers via the company's online store. The company is working with the law enforcement agencies to track down the perpetrators.
3) Telecom provider Verizon is also in the news, having admitted that an employee accidentally sent an email attachment containing information on about 5,000 customers to 1,800 of its customers.
4) A study of prosecutions by the US Dept of Justice has revealed that corporations attacked by cybercriminals over the last few years lost an average of $3 million per case.
5) A survey of 132 senior executives, conducted by ControlPath (http://www.controlpath.com), has revealed that 72% are not confident that they are complying with applicable regulations.
ISO 17799 AND COBIT
COBIT 4.0 complements the guidance within ISO/IEC 17799:2005, and is proving to be a significant Sarbanes-Oxley Act compliance aid.
Whereas the ISO/IEC 17799:2005 standard covers the wider spectrum of information security requirements, the COBIT guidelines provide in-depth control objectives and supportive management guidelines focusing specifically on information technology issues. The COBIT guidelines (Control Objectives for Information and related Technology) are issued by the Institute for IT Governance (http://www.itgi.org) and the Information Systems Audit and Control Association (http://www.isaca.org), and are fast becoming a key SOX compliance tool, following the recognition that IT controls represent important components in ensuring financial reporting accuracy and disclosure.
The ISO/IEC 17799:2005 standard comprises the following:
2 Terms and definitions
3 Structure of the standard
Information Security Guidance Sections
4 Risk assessment and treatment
5 Security policy
6 Organizing information security
7 Asset management
8 Human resource security
9 Physical and environmental security
10 Communications and operations management
11 Access control
12 Information systems acquisition, development and maintenance
13 Information security incident management
14 Business continuity management
COBIT, however, is organized into 4 domains containing 34 sections as follows:
Domain PO - Plan & Organize
PO1 Define a strategic plan
PO2 Define the information architecture
PO3 Determine technological direction
PO4 Define the IT processes, organization and relationship
PO5 Manage the IT investment
PO6 Communicate management aims and relationships
PO7 Manage IT human resources
PO8 Manage quality
PO9 Assess and manage IT risks
PO10 Manage Projects
Domain AI – Acquire and Implement
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Enable operation and use
AI5 Procure IT resources
AI6 Manage changes
AI7 Install and accredit solutions and changes
Domain DS – Deliver and Support
DS1 Define and manage service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and allocate costs
DS7 Educate and train users
DS8 Manage service desk and incidents
DS9 Manage the configuration
DS10 Manage problems
DS11 Manage data
DS12 Manage the physical environment
DS13 Manage operations
Domain ME – Monitor and Evaluate
ME1 Monitor and evaluate IT performance
ME2 Monitor and evaluate internal control
ME3 Ensure regulatory compliance
ME4 Provide IT governance
COBIT 4.0 (the latest version) maps to ISO/IEC 17799:2005 in the following manner.
ISO 17799 Chapter No. 4 5 6 7 8 9 10 11 12 13 14 15
COBIT 4.0 DOMAINS
Plan and Organize (PO) L H L L H H H H L L M L
Acquire and implement (AI) H M M L M H L L L L L L
Deliver and support (DS) L H M H H L H M M M H M
Monitor and evaluate (ME) L M L M L L L L L L L L
Key to level of matching between COBIT 4.0 and ISO 17799:2005
H = Reasonably good match
M = Some matching
L = Low level or no matching
The above matrix will hopefully prove to be useful for those also embracing COBIT within their ISO 17799 / ISO 27001 remit. Reference: http://www.controlit.org (The COBIT User Group).
ISO17799: THE WORLD WIDE PHENOMENON
Our source list for recent purchases of the standard always proves to be a popular talking point. The most recent thousand or so is as follows:
Bosnia and Herzegovina 2
Cayman Islands 1
Costa Rica 1
Hong Kong 11
New Zealand 7
Saudi Arabia 7
Slovak Republic 1
South Africa 11
Sultanate of Oman 1
United Arab Emirates 7
The same health warnings as usual apply: these are online credit card sales. Consequently, those cultures that are less familiar with this form of ecommerce will be under represented.
ISO 17799 SECTION 14: CONTINUITY WEAKNESS EXPOSED BY TERRORIST PLOT
The recently foiled terrorist plot, that averted potential disaster on targeted US airlines flying out of UK airports, has focused attention on the lack of quality in the procedures and processes in place to maintain acceptable levels of airport baggage handling. The governments handling of the crisis is also being criticized with British Airways alone rumored to have lost over £50 million.
There was clearly a lack of preparation for this type of emergency at some UK airports. In particular it has been reported that Ryan Air are considering taking action over apparent BAA emergency staffing shortages, which Ryan Air considers exacerbated the problem and resulted in additional cancellations.
When preparing business continuity plans for emergencies that can potentially disrupt normal operations, the business continuity planning team will identify “what if” scenarios that examine the potential impact of a failure, or removal of one or more critical components within the business or operational processes. Perhaps it could be said that it was difficult to predict that permitted carry-on luggage could be suddenly be reduced to just travel documents, essential medicines and other emergency items, but this should have been a recognizable scenario identified during the planning process, no matter how low the perceived probability of it actually happening was.
Once the possibility that this disruptive event could occur has been accepted, the impact on the operations as a whole must be assessed and the level of ensuing crisis predicted. Although assessing probability is an important part of the process, and can provide a yardstick for the financial and other resources you make available to safeguard against this event, if the chances of such a scenario occurring is a real possibility then you must examine the impact of the event actually occurring, and not dismiss the scenario based on a low probability factor.
After the potentially disruptive scenario has been identified, probabilities assessed, and the business, financial and public impacts predicted, suitable strategies should be formulated for mitigating the impact. Emergency procedures will also be developed to ensure that the impact on the business and the customers is minimized. Responsible management must also consider how they are going to resource these emergency procedures during the crisis and ensure that these emergency resources are always available.
When developing your business continuity plan it is important to ensure that adequate time is allocated to identifying and examining all the potential scenarios that could disrupt your business. More information is available from: http://www.disasterrecoveryforum.com and http://www.baa.co.uk
ISO17799 - MORE FREQUENTLY ASKED QUESTIONS
1) What is ISO 27000?
This doesn't really exist as such. It is essentially a generic name given to standards of the form ISO 27nnn. Currently there is only one: ISO 27001. However, it is envisaged that ultimately ISO 17799 may become ISO 27002, and other information security standards may be numbered similarly within the 27000 series. More information: http://www.27000.org
2) Where can I find old copies of ISO 17799 / ISO 27001 News?
The archive site is now located at: http://www.molemag.net
3) Can I re-publish articles from this newsletter internally, on our company intranet, or even on our external website?
Yes, subject to a link to the newsletters archive web site above.
4) What is the ISO 17799 Wiki?
This is an 'open access' website, dedicated to ISO 17799 and ISO 27001. The idea is that members of the public can freely contribute, to build a substantial resource documenting both standards. It is located here: http://iso-17799.safemode.org
5) How do I become an ISO 27001 Lead Auditor?
Certification bodies, such as BSI, conduct a five day workshop followed by an examination. Thereafter, different certification bodies have different requirements (eg: number of years security experience) and different procedures (eg: on the job observation).
6) What is an Accreditation Body?
An accreditation body is an organization which bestows the authority to 'certify' (issue certificates) upon another body. Examples include ANAB (http://www.anab.org), UKAS (http://www.ukas.com) and the SCC (http://www.scc.ca).
PROTECTING CONFIDENTIALITY USING AN SLA
The confidentiality of information, data and records can be a particularly critical issue with respect to formal agreements. Within these, the two parties are usually referred to either as the “Client” and the “Supplier” or the “disclosing party” and the “receiving party”.
In a Service Delivery relationship, both the supplier and the client are likely to become aware of proprietary or trade secret information about the other party which should be treated in a confidential manner.
To cover this scenario, within the SLA, a basic wording could be used as follows:
“Both parties agree to keep confidential all information concerning the other party’s business or its ideas, products, customers or services that could be considered to be “confidential information”. “Confidential information” is any information belonging to or in the possession or control of a party that is of a confidential, proprietary or trade secret nature that is furnished or disclosed to the other party. Confidential information will remain the property of the disclosing party and the receiving party will not acquire any rights to that confidential information.”
Should this wording not be suitable for either the supplier or the client, then the two parties should formally agree on an alternative wording. Source: The SLA Toolkit (http://www.service-level-agreement.net).
Important Note: If you haven't got a formal service level agreement in place for your critical services... you should have!
ISO 17799 RELATED TERMS AND DEFINITIONS
In each ISO 17799 and ISO 27001 Newsletter we will include a selection of terms and definitions to unravel and explain some of the jargon and strange language used by Information Security professionals. In this edition, we have provided a selection of terms that all start with the letter ‘A’.
Two types of access – Physical and Logical.
Physical Access. The process of obtaining use of a computer system, - for example by sitting down at a keyboard, - or of being able to enter specific area(s) of the organization where critical information or systems are located.
Logical Access. The process of being able to enter, modify, delete, or inspect, records and data held on a computer system by means of providing an ID and password (if required). The view that restricting physical access relieves the need for logical access restrictions is misleading. Any organization with communications links to the outside world has a security risk of logical access. Hackers do not, generally, visit the sites they are hacking in person.- they do it from a distance!
The powers granted to users to create, change, delete, or simply view data and files within a system, according to a set of rules defined by IT and business management. It is not necessarily true that the more senior a person, the more power is granted. For example, most data capture - essentially creating new files or transactions, is performed at relatively junior level, and it is not uncommon for senior management to have access rights only to view data with no power to change it. There are very good Internal Control and Audit reasons for adopting this approach.
Admissible Evidence is ‘evidence’ that is accepted as legitimate in a court of law. From an Information Security perspective, the types of ‘evidence’ will often involve the production of a system’s log files. The log file will usually identify the fact that a login took place; and certain functions were performed. The issue as to whether or not such a log file is legally admissible, is not clear cut. However, opinion appears to be that as long as a computer record is generated as a normal part of business processing, and the computer and software were working as designed and expected, then it may be admissible. Advice from a lawyer is always recommended.
AI ARTIFICIAL INTELLIGENCE
The holy grail of IT folk, the concept of a machine thinking for itself. Despite the success of the recent blockbuster film starring Jute Law - don’t hold your breath.
The most knowledgeable, technically proficient, person in an office, work group, or other, usually non-IT, environment. Born ‘fiddlers’ and ‘tinkerers’, they tend to ignore the basic rule of ‘If it ain’t broke don’t fix it’ preferring to operate on the basis of ‘Fix it, until it is broke’. Such people can be a considerable security risk - like ordinary Geeks, Anoraks, and Tech-heads, - only more so.
Whimsical term for computer enthusiasts - usually, but not exclusively, young and lacking in social skills. The term derives from the preferred item of apparel for attending computer exhibitions, it being equipped with numerous sizeable pockets ready to be stuffed with all manner of obscure electronic gizmos.
Some anoraks tend more to the software side of IT and may graduate to being Hackers. Anoraks certainly have their uses but, in many ways, are a security risk. Such persons are inclined to do things with, and to, organization IT systems simply for the technical and intellectual challenge, rather than for any business benefit to the organization. Also known as Nerds, Geeks, and Tech-heads, the term is acquiring wider usage to describe any enthusiastic follower of obscure sports, hobbies, pastimes, etc.
An area of data storage set aside for non-current (old or historical) records in which the information can be retained under a restricted access regime until no longer required by law or organization record retention policies. This is a field in which computers have distinct advantages over older paper files, in that computer files can be ‘compressed’ when archived to take up far less space on the storage media. Paper records can only be compressed by using microfilm, microfiche, or, more recently, by scanning into a computer system. Whichever system is chosen, care must be exercised to ensure that the records retained meet legal requirements should it ever be necessary to produce these records in a court of law.
IT COULDN'T HAPPEN HERE....COULD IT?
Every edition of The ISO17799/ISO27001 Newsletter features at least one TRUE story of an information security breach and its consequences:
1) Testing Back-Up Systems: Properly!
A company in Houston regularly tested its back-up generator then discovered during an actual power failure that the motor required to start the generator was actually connected to the mains! The problem cost the business an estimated US$ 145,000.
The lesson: Make sure you test any back-up system thoroughly and under simulated conditions.
2) Lack of Emergency Procedures
A consultant checking on a New York organization's disaster recovery arrangements asked to see their back-up generator and related procedures. He was introduced to George who had all the answers on how the process worked but could not produce any written procedures. Two weeks later gales tore down power cables and the customers could not get the generators started – George was away on holiday! Fortunately the organization survived and have now developed WRITTEN emergency procedures.
The lesson: Make sure your emergency procedures are up to date and staff properly trained in their execution..
3) Fire at Chemical Warehouse
Two trainee auditors who work for an accounting firm were involved in a year-end audit at a chemical warehouse in Sheffield UK. A fire broke out in the warehouse and toxic fumes quickly spread throughout the facility. The evacuation procedures were known to the permanent staff who immediately left on cue. The two auditors who were working alone in one of the basement offices where records where stored were not briefed on these procedures and their presence on-site was overlooked during the panic. They very nearly got trapped in an area that was gutted by the fire shortly afterwards, and were lucky to escape. They both spent a week off work due to inhaling toxic fumes but it could easily have been very much worse.
The lesson: Make sure you set up an effective buddy system to cater for such events and make sure you include any temporary staff or third parties who may be visiting or working on the premises.
4) Your Favorite "It Couldn't Happen Here" Story
Our poll of stories from previous issues revealed the following results:
1. The 'Perfect' Business Continuity Plan (Issue 9) 31.1%
2. Answering Machines Have No Loyalty (Issue 7) 26.7%
3. Who Audits the Auditor (issue 10) 17.8%
4. The Disgruntled Employee Strikes Again (Issue 10) 7.8%
5. The Old Duplication Trick (Issue 5) 5.6%
6. When is Disposal is Not Disposal (Issue 8) 3.3%
7. Intellectual Property Rights (Issue 10) 3.3%
8. A Simple One - But A common One (Issue 9) 2.2%
9. Confidential User-Ids (Issue 8) 2.2%
Copyright Molemag.Net 2006