ISO 17799 and ISO 27001 Newsletter

The David L Watson Interview

The following questions were presented:

What are the most common mistakes you have encountered?

There are a number of commonly repeated failures or mistakes that I find over and over again. Sometimes I think that the organisation must be secretly hoping for a blind, deaf and dumb Auditor that won’t pick these up, but almost all CB auditors I have met have been switched on, knew what they were looking for, knew when they had found it and knew what to do with it when they had found it.

For ease of reference I have put the failings under the familiar clauses that we know from BS 7799:

- Document control – often missing, not up to date or inconsistent. It always amazes me how many people do not understand how to use templates and styles in word processing packages;

- Securing the boundaries of the scope and performing the risk assessment on the assets defined in the scope. Organisations often fail to look at the risks at the boundary of the scope if they have offered a reduced scope (i.e. not the whole organisation, or stopping the scope at a boundary where a partner may share a resource etc.);

- Traceability of the controls in the SoA to the Risk Assessment and Treatment Process and back to the SoA;

- Risk Assessments often just look at technical risks and forget that the organisation is a business and is run as a business with business risks;

- Rarely do I see any formal acceptance of residual risk;

- Defining the SoA, or making it easy to use, is often a problem. Typically this is one of the main documents that the CB Auditor will work with during the audit and it has to be clear, link to the appropriate places or documents and be understandable;

- Demonstrating management commitment. Only too often do I hear that the barest minimum of staff have been put on the project and these are not ring fenced, so the project suffers resource leakage;

- Sometimes the organisation has no idea of how or what to expect. I recently had a case of someone asking for a quote to roll out BS 7799. I said I would ‘spec’ it out for them after visiting them, understanding their business and providing a full proposal. They stated that they already had two proposals and just needed a third for completeness. I asked if the others had visited and they said no, they were local computer shops and had each quoted 5 days work and some hardware to implement BS 7799 on a scope of 200 self employed associates, all using their own equipment with a common server and network resources. The best thing about it was that it was to connect to a UK government network. When I told them the Gap Analysis could take that long, they said they were hoping for a fast implementation and a half day seminar to implement BS 7799 was suggested. As some (well actually most) of the associates could not attend the half day – would that matter? I kid you not. I also guess that they paid for their 5 days and that the IT Manager stated they were compliant just so they could get connected.

Information Security Policy Document

- Often missing (many companies do not have one);

- Frequently out of date;

- Often unknown by staff, especially third parties and most especially IT Contractors and Consultants;

- Not enforced;

- No records to show who has received the policy with supporting training;

- Rarely evidence of review.

Security Organisation

- No one tasked with the job of monitoring security regularly. This is often a part-time job for someone in IT who gets pulled off to do project work elsewhere;

- No security awareness or training undertaken for staff or third parties working for the organisation. HR generally will not touch anything to do with Consultants, Contractors or other third parties; in my experience audit is left to local line managers;

- Too often the Information Security Manager is an IT person who reports to the IT Department with no ability to go direct to the board. In effect, they are reporting on the people they are reporting to. The chances of serious issues getting escalated in this setup are slim, to say the least, unless it is so catastrophic it cannot be hidden;

- Outsource the problem – often with disastrous consequences. There are numerous scare stories in the press about outsourcing, but few organisations either monitor or manage outsourced contracts appropriately. There are some good contractual and outsourcing controls in A.4.2.2 and A.4.3.1 – even if I say so myself – these were carried forward from the 1999 version;

- Little outside contact with similar minded professionals or exchange of views with other security professionals;

- Ineffectual Information Security Forum that either rarely meets, has the wrong level of staff attending, has whole business areas that do not/will not get involved, does not have the authority to alert the Board and has no minutes for meetings to show issues carried forward and resolved.

Asset Classification and Control

- There is often little or no concept of data or information ownership, or of asset classification;

- There is often little control over movement of equipment;

- Security (if implemented) is not based on this process (or associated risk management processes);

- Little, if any, personal accountability by anyone, especially owners (whether they are aware of their role or not);

- Owners rarely review their information from a security viewpoint or to see who has access to it;

- Information (of any sort) is rarely classified consistently and handled according to the requirements of that classification.

Personnel Security

- There are rarely up to date job descriptions. If they do exist, they rarely have any information security requirements in them for all staff;

- Little advice exists on reporting security incidents;

- Little security based training or awareness is available;

- Rarely are references checked – especially for ‘sensitive’ positions;

- I have yet to see a Contractor’s or a Consultant’s references checked, or proof that they hold the qualifications claimed. This can allow all sorts of charlatans and criminals into your organisation. Lying on your CV in the UK is a criminal offence (remember Shrewsbury and Telford Hospitals NHS Trust – he is facing up to 5 years in jail for ‘Pecuniary Advantage by Deception’. S16 of the Theft Act 1968 defines this as ‘Being given an opportunity to earn remuneration or greater remuneration in an office or employment, e.g. where D lies about his qualifications and secures a job as a result, the job is the pecuniary advantage obtained by deception’);

- Contractors – who are they? There is usually no process for HR checking of Third Parties or Contractors;

- Contracts often do not afford adequate protection for the organisation;

- Confidentiality agreements are rarely used by the organisation or centrally recorded so they can be relied on in case of need. Staff signing Confidentiality Agreements or Non Disclosure Agreements (NDAs) often do not understand what they are signing or to what they can commit the organisation.

Physical & Environmental Security

- Supposedly secure buildings can easily have their physical security breached by a variety of means (e.g. Social Engineering, Piggybacking, Fire Doors left open etc.);

- Power supplies are often unprotected against unauthorised access;

- Critical equipment is not always protected by UPS;

- Generators and UPS are often not regularly tested with test results available;

- Equipment maintenance is not always carried out in accordance with the manufacturer’s instructions – possibly invalidating the manufacturer’s warranty;

- Off premises security of equipment is often overlooked by the organisation;

- Secure disposal / removal of equipment is often not recorded or carried out securely, leading to unauthorised disclosure of information;

- Clear desk / screen processes are often not carried out, especially in the IT Department for both. Usually, but not always, IT forces other users to have clear screens, but often there is no clear desk process in place and no lockable cabinets to store securely anything that needs to be locked away due to its classification. This can be exacerbated if there is no information classification process in place and used across the organisation, or if there are no handling procedures based on the information classifications.

Communications and Operations Management

- There are often no standards and little or no documentation of the Corporate Systems;

- Rarely is there an effective and implemented change management process. There are often no formal change management processes or records of change meetings available. Change management meetings often have the wrong level of staff attending, have whole business areas that do not/will not get involved, and no minutes for meetings to show successfully and unsuccessfully implemented changes;

- Often no management software for the network, or any form of planning for the IT systems or capacity planning;

- Rarely are Service Level Agreements in place, and if they are they are rarely monitored and used effectively. Often the business has unrealistic ideas of IT Service availability and the IT Department cannot meet the requirements without serious investment, which the business may not be willing to provide. This can lead to a breakdown in relationships between business units and IT;

- No standards for development or security being embedded into any new project or upgrade. Usually the Information Security Manager is not advised of new projects or is so stretched that they cannot make the time to provide assistance;

- A backup process that does not provide full backup integrity or recovery capability.

Access Control

- Few records are kept of total account histories;

- Rarely is there a documented access control policy, and if it is present it is rarely up to date;

- Few standard set ups or templates are used for accounts;

- Few, if any, monitoring or reporting tools are available for reviewing, managing or monitoring accounts;

- Poor password management can be implemented and not noticed;

- Rarely are there added security measures for portable PCs, so corporate information is easily accessed, disclosed, modified or erased if the portable device is stolen. If an MI6 agent can lose a laptop by getting ‘blind drunk’ in a London Tapas Bar then what chance have we mere mortals got of keeping our laptops secure? Oh yes, and we all believed that it only contained out of date training materials and that the disk was encrypted!

- A general lack of understanding of threats posed by inappropriate access control on office based or portable devices.

System Development and Maintenance

- There is often claimed to be no development or maintenance – but on researching this it is often found not to be correct;

- Few standards are available for development or change management, or are implemented;

- Testing is often omitted – there is a ‘fix on fail’ mentality as someone in Marketing has promised the delivery without consulting the Development Team. Some cynics would say that this is why Microsoft has a beta testing program, but I could not possibly comment;

- Source code is often accessible on live systems;

- No segregation of duties or of development/testing/production environments;

- Often ‘real’ data is used that could divulge either recent corporate data or personal data in breach of the Data Protection legislation. This is often not properly protected during use or at disposal. Typically access control is less well implemented on development or test systems than it is on ‘live’ or ‘production’ systems;

- Poor project management, over-runs or scrapping the project;

- Little documentation, or it is out of date and none of the current staff were present when the project started, so it is impossible to determine how security was to be addressed in the project – if at all.

Business Continuity Management

- Often I have found a plan that was untested, out of date, incomplete and was not maintained;

- There is often no Business Impact Analysis (BIA) carried out, or if they are carried out they are out of date;

- There is often a heavy reliance on complacence and make do ‘if it happens’;

- Lack of management support;

- Often an IT driven Disaster Recovery Plan with little business input or knowledge within the business as to how they would work in the case of a disaster;

- Failure to test and maintain the plan.

- Often no compliance/conformance monitoring;

- External audits rarely at appropriate depth;

- Often knee jerk reactions to issues;

- Lack of understanding of requirements or penalties (personal and corporate ones);

- Lack of training.

**The Newsletter**

The ISO 17799 and ISO 27001 Newsletter is published periodically. It provides news and background for those interested in information security generally, and ISO17799 / ISO27001 specifically. In addition, we provide occasional 'breaking news' bulletins covering any major event related to the standards.


© Copyright 2005/2006.