Servicing ICT – Merging Security and Service Management

A broad range of ISO/IEC (International Organization for Standardization / International Electrotechnical Commission) standards address key issues faced by the world’s fast-growing information and communications technology (ICT) industry. These include preventing cyber attacks, ensuring information security and maintaining business continuity.

A common business tool in most organizations, ICT serves many business purposes and is used in a wide range of business applications and processes. Its use requires associated services provided within an organization, for example through an internal ICT services department, or through a third party.

Up and running

Over recent years, cloud computing has become a fashionable term for the delivery of services such as applications as a service, software as a service and infrastructure as a service.

An example is data storage on a third-party cloud server. This can reduce an organization’s costs, as it does not need to manage and maintain its own server. There is a possible downside too: can the cloud provider manage the ICT and data storage service efficiently, securely and effectively?

This raises issues of how to provide effective ICT service management and information security. For example, if the cloud service provider is in one country and the provider of personal data is in another, how does the cloud provider protect its customers? In addition, how does the cloud provider conform to national laws when its clients are geographically dispersed around the world?

ICT service management also has a key role in the delivery of ICT services. If it is implemented properly, it can increase efficiency and cost-effectiveness, increase flexibility in the use of ICT resources and applications, reduce response times and improve quality of service. To achieve these benefits, information security plays a key role in ensuring effective service delivery.

In the case of critical national infrastructure, service provision needs to be carefully considered. Appropriate solutions and controls are necessary for ICT service management, ICT readiness and preparedness for dealing with disasters and continuity issues, incident handling and information security.

To guarantee delivery, critical infrastructure requires many services to be able to work together. Examples include medical, food, energy, utility and emergency services. Most of these rely on ICT-based systems to keep services up and running.

In cyber attacks or other disasters, it is essential to be able to recover ICT systems to restore services quickly. Before an incident occurs, it is also necessary to have effective early warning, detection and monitoring systems in place.

Best practice guidelines

The delivery of effective ICT service management is being addressed by the ISO/IEC 20000 (Information technology – Service management) family of standards; and information security issues are being addressed by the ISO/IEC 27000 (Information technology – Security techniques) family of standards.

There are also sector and application specific information security standards such as ISO/IEC 27011 for telecom services; ISO/IEC 27017 and ISO/IEC 27018 for cloud computing; and a standard for integrating information security with ICT service management, ISO/IEC 27013.

One area covered by ISO/IEC 20000 is service availability and continuity management. This addresses key questions such as:

What level of customer service does the service level agreement guarantee?

What does the service provider need to do to deliver this level of service?

What does the service provider need to do to withstand an online denial-of-service attack?

What if the service provider experiences a malware attack on its systems?

Does the service provider have the information security controls in place to deal with these cyber attacks and maintain its services?

ISO/IEC 20000 features several processes to maintain service availability while tackling problems such as cyber attacks and system failures. These processes include service continuity and availability monitoring and testing, incident handling and problem management, capacity management and information security management.

In the case of information security, ISO/IEC 20000 is linked with the information security management system standard ISO/IEC 27001, which provides a full range of solutions to assist service providers with protecting their systems.

One of the important aspects of system protection is to understand the risks the service provider faces. As a risk-based process, ISO/IEC 27001 requires the service provider to undertake a risk assessment to help it decide which information security controls should be implemented to ensure service availability and continuity.

ISO/IEC 27005 provides guidance on risk management for service providers that implement ISO/IEC 27001.

Given the importance of information security to the provision of ICT services, ISO/IEC 27013 is being developed to consider the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000.

The “other” business options

Additional standards in the ISO/IEC 27000 series provide guidance and service and application specific controls to support service providers. For example, ISO/IEC 27031 applies to any organization developing its ICT readiness to deal with incidents or threats, therefore ensuring business continuity.

ISO/IEC 27035 provides organizations with guidance on information security incident management. This standard describes a basic set of documents, processes and routines. It also gives guidance to external organizations supplying information security incident management services.

ISO/IEC 24762 gives guidelines on the provision of ICT disaster recovery (ICT DR) services as part of business continuity management. This applies to both in-house and outsourced ICT DR service providers of physical facilities and services.

In cloud computing, ISO/IEC JTC 1/SC 27, IT Security techniques, is developing two new standards: ISO/IEC 27017 covers cloud-specific information security controls; and ISO/IEC 27018 considers controls for personal data. Both of these standards are being designed and developed to work alongside ISO/IEC 27001.

This article was originally published in ISO Focus by Edward Humphreys.

Make Your Organization’s Security Program Relevant in 2012

By: Chris Hinkley, from SecurityWeek.com

Today more than ever, organizations are examining existing security programs. Those that don’t have a formal security plan in place are thinking about, if not scrambling, to make one. Great security means first identifying your needs and then making a resolution to revamp or create your company’s plan for the New Year. Here are some tips to help lay the groundwork.

  • Assess your technology. While technology should be a major (but not the only) focus of your security program, chances are your software might not be totally up to date, or in some cases even relevant to your company anymore, depending on how the business has grown. Revamping or creating a security program is a great time to look at all of the technology you have in place, from servers to software, and see what needs an upgrade, a patch, or a replacement. A small missed patch can mean a large breach. And a solution you passed on a year ago may have a better feature set and fit better with your organization now than what you currently have in place. If you’re working with regulatory compliance mandates, there are likely new protocols that you need to follow and become current on, because compliance standards and regulations change quite frequently, sometimes too quickly for us to keep up with. Remember, though, that compliance follows security and not the other way around. Don’t mistake following a compliance mandate for sufficient security.
  • Define Your Company’s Security DNA. There is no one-size-fits-all approach to security. Every organization has a different structure, both physically and logically. This translates to unique risks and vulnerabilities. Don’t overlook the physical facilities such as the office building and backup facilities. No matter what size of business you have, if you’re dealing with sensitive and critical customer data, then the easiest way for a thief to access that data is to walk into your building and take it. Do you have a security system? Do you need security cameras or new lighting around the building? Is your business big enough that it makes sense to move into a building with a security guard, or to hire a few of your own?

    Next is your hardware.

    Few employees sit at their office desk 9-5, Monday through Friday. How is information protected on laptops that go to work in coffee shops, home offices, airports, and trade shows? This measure mostly involves training for the people who carry the devices. There are policies you should develop and enforce on those devices and with your personnel as an added layer of protection. You can also invest in specific software (back to my earlier point) that will lock up mobile devices and programs automatically on a scheduled basis when they’re not in use.

    Also, be logical about who in the organization has access to certain physical areas and information. Not everyone should be allowed in the server room. Not everyone, even certain management, should have access to back-end systems, financial software, and any other data where a leak would be devastating. Make sure you have checks and balances in place so that the risk of fraud is minimized and the possibility of any kind of internal threat is reduced. Be sure to establish a policy that when employees quit or are let go, their administrative rights are revoked immediately, before they can take data with them.

  • Make Security Part of the Culture. Just like anything else in leadership, it has to come from the top down to work. Start by getting the whole C-suite engaged with the program. Impress upon them that widespread adoption throughout the company is critical to keeping the company safe from both internal and external threats. If you sense that the leadership is just nodding their heads but doesn’t understand the level of importance, share with them use cases of other companies that have experienced attacks in the last year and the consequences that were suffered because of these actions. Without management and executive approval, you are essentially dead in the water. Share the plan with the entire company. In the best case, add a budget for company-wide training into your plan. Corporate training and engagement can greatly boost the likelihood that employees will learn and retain what they need to know to do their part. It also sends a message about the importance of the security plan.

    If formal training isn’t an option, then create content that will explain the program in a simple way, using relatable scenarios that make sense to everyone from IT to marketing. Training doesn’t have to happen in a formal setting; sometimes training is even more effective through informal avenues. Think of a company screensaver that is constantly cycling through updates, announcements, and security news. Intranet landing pages and Yammer posts (if you use a social system like this internally) are also a good place to disseminate information.

    Finally, don’t make security education a one-time thing. Your organization’s employees can either be the biggest vulnerability or the biggest security asset. They won’t know what a suspicious email that contains a virus looks like unless you teach them. Continual participation and education on how to create a safe, secure business is ultimately what will make it a success. Send out quarterly reminders, put posters up in the break room, whatever you have to do to make it visible. Above all else, make sure the IT team and entire leadership of the company lead by example.
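The leaver check called for under “Define Your Company’s Security DNA” (revoking administrative rights immediately when someone leaves) is only as good as the verification behind it. The script below is an added example, not code from the article or its author: it reconciles a constructed HR leaver feed against a constructed directory export and reports every departed employee’s account that is still enabled or still a member of an administrative group. The group names, user names, employee IDs and dates are all made up, and the report date is fixed so the run is repeatable.

```python
"""Leaver / privileged-access reconciliation (added example).

Inputs are constructed stand-ins for an HR leaver feed and a directory
export; in practice they would come from the HR system and the directory
service. The check is deliberately two-sided: an account can be disabled
yet still sit in an admin group, which matters the day it is re-enabled.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical administrative groups (constructed).
ADMIN_GROUPS = {"Domain Admins", "Finance-App-Admins", "Backend-Root"}

# Constructed HR leaver feed: who left, and when.
HR_LEAVERS = [
    {"employee_id": "E1001", "left_on": date(2012, 1, 9)},
    {"employee_id": "E1002", "left_on": date(2012, 1, 16)},
]

# Constructed directory export: one row per account.
DIRECTORY_ACCOUNTS = [
    {"sam": "jdoe", "employee_id": "E1001", "enabled": True,
     "groups": {"Domain Admins", "Staff"}},
    {"sam": "jdoe-svc", "employee_id": "E1001", "enabled": True,
     "groups": {"Backend-Root"}},
    {"sam": "asmith", "employee_id": "E1002", "enabled": False,
     "groups": {"Finance-App-Admins"}},
    {"sam": "bwong", "employee_id": "E1003", "enabled": True,
     "groups": {"Domain Admins"}},
]

# Fixed report date so the example is deterministic (constructed).
TODAY = date(2012, 1, 20)


@dataclass(frozen=True)
class Finding:
    account: str
    employee_id: str
    reason: str
    days_since_leaving: int


def reconcile(leavers, accounts, admin_groups, today):
    """Return one Finding per problem on accounts owned by departed staff."""
    left_on = {row["employee_id"]: row["left_on"] for row in leavers}
    findings = []
    for acct in accounts:
        when = left_on.get(acct["employee_id"])
        if when is None or when > today:
            continue  # current employee, or a leaver whose last day is ahead
        age = (today - when).days
        if acct["enabled"]:
            findings.append(Finding(acct["sam"], acct["employee_id"],
                                    "account still enabled", age))
        admin_hits = sorted(acct["groups"] & admin_groups)
        if admin_hits:
            findings.append(Finding(acct["sam"], acct["employee_id"],
                                    "still in " + ", ".join(admin_hits), age))
    return findings


def overdue(findings, grace_days=0):
    """Findings older than the allowed grace period (0 = immediately)."""
    return [f for f in findings if f.days_since_leaving > grace_days]


def run_report():
    """Run the reconciliation on the constructed data and return the findings."""
    findings = reconcile(HR_LEAVERS, DIRECTORY_ACCOUNTS, ADMIN_GROUPS, TODAY)
    for f in findings:
        print(f"{f.account:10} {f.employee_id:6} {f.days_since_leaving:3}d  {f.reason}")
    return findings


if __name__ == "__main__":
    run_report()
```

With the constructed data the run reports five problems across three accounts: both of E1001’s accounts are still enabled and still privileged eleven days after leaving, and E1002’s account, although disabled, is still a member of an admin group. A zero-day grace period matches the article’s “immediately”; anything reported by `overdue` is a policy breach to escalate, not a to-do item.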

Philippine firms view compliance as complicated maze

MANILA – While the global market, thanks to the Internet, has undoubtedly been a boon to the Philippine outsourcing industry, ensuring compliance with various regulations is proving to be a headache for local companies in the borderless business era.

With reports of security breaches and data leaks making headlines around the world, the Philippines is in the midst of implementing a host of measures that can benefit, or constrict, local businesses.

Recently, in the Senate deliberations for the proposed Data Privacy Act, a top-ranking senator cautioned the chamber against enacting an excessively strict law that could hamper the ease of access that companies need to operate efficiently.

IT companies, such as software maker ECCI Group, also have to consider the data privacy policies in the markets they target. “Each country has a different Data Protection Act that we need to be in compliance to,” said Chenthil Kumar, sales director of the ECCI. “The other thing that needs to be considered is how we are protecting critical customer transactions.”

Local companies have acknowledged that compliance is a necessary task, but also agree that applying numerous regulations remains an enormous challenge to most.

Source: ZDNet Asia.

Security Techniques

ISO/IEC 27001 is the formal set of specifications against which organizations may seek independent certification of their Information Security Management System (ISMS).

ISO/IEC 27001 specifies requirements for the establishment, implementation, monitoring and review, maintenance, and improvement of a management system – an overall management and control framework – for managing an organization’s information security risks. It does not mandate specific information security controls but stops at the level of the management system.

The standard covers all types of organizations (e.g. commercial enterprises, government agencies, and nonprofit organizations) and all sizes from micro-businesses to huge multinationals. This is clearly a very wide brief.

Bringing information security under management control is a prerequisite for sustainable, directed, and continuous improvement. An ISO/IEC 27001 ISMS therefore incorporates several Plan-Do-Check-Act (PDCA) cycles: for example, information security controls are not merely specified and implemented as a one-off activity but are continually reviewed and adjusted to take account of changes in the security threats, vulnerabilities, and impacts of information security failures, using review and improvement activities specified within the management system.

According to JTC 1/SC 27, the ISO/IEC committee responsible for ISO/IEC 27000 and related standards, ISO/IEC 27001 “is intended for different types of use.”

The information security controls from ISO/IEC 27002 are listed in an appendix (annex) to ISO/IEC 27001, rather like a menu. Organizations adopting ISO/IEC 27001 are free to choose whichever specific information security controls are applicable to their particular information security situations, drawing on those listed in the menu and potentially supplementing them with other à la carte options (sometimes known as extended control sets). As with ISO/IEC 27002, the key to selecting applicable controls is to undertake a comprehensive assessment of the organization’s information security risks, which is one vital part of the ISMS.

HISTORY OF ISO/IEC 27001

ISO/IEC 27001 was born as BS 7799 Part 2 in 1999. It was revised by the British Standards Institution (BSI) in 2002, explicitly incorporating Deming’s Plan-Do-Check-Act cycle, and was adopted by ISO/IEC in 2005.

Since ISO/IEC 27001 is an active certification standard, major or structural changes are likely to be difficult, and even minor changes will have to be justified in order to retain “backwards compatibility” with the existing standard wherever possible. Nevertheless, there is pressure to realign 27001 with 27000, 27002, 27003, and 27005, reducing duplication and potential conflict, and to realign it with other ISO management system standards such as ISO 9000 and ISO 14000. Hopefully, confusion around the meaning and purpose of “Statement of Applicability,” “ISMS Policy,” and “Information Security Policy” will be resolved.

Oracle and other companies ‘punkd’ in hacking contest | BusinessWorld Online Edition

LAS VEGAS — A weekend contest at the world’s largest hacking convention in Las Vegas showed one reason why big corporations seem to be such easy prey for cyber criminals: their workers are poorly trained in security.

Amid a spate of high-profile cyber assaults on targets ranging from Sony Corp. to the International Monetary Fund, one would think that many companies would be paying special attention to security these days.

But hackers taking part in the competition on Friday and Saturday found it ridiculously easy in some cases to trick employees at some of the largest US companies into revealing information that can be used in planning cyber attacks against them.


Secure Information = Secure Business

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.

It is important for us to understand that there is no such thing as a “fully secured information system”. We live in a world of vulnerability, be it information or human life.

Security risks are increasing by the day as enterprises become externally focused and open. Hackers are increasingly turning fraudulent and criminal, and centralized assets are becoming distributed assets, increasing the vulnerability. New viruses are on the prowl and applications are thrown open to the Internet.

Today, enterprises live in a world where security attacks can bring a business to its knees. This has become a part of everyday life. It is important for enterprises to take cognizance of the fact that security threats are real. They need a structured program to protect their information from external and internal threats.

These programs need to include concepts, techniques, technical and administrative measures used to protect information assets from:

  • Deliberate or inadvertent unauthorized acquisition
  • Damage
  • Disclosure
  • Manipulation
  • Modification
  • Loss
  • Misuse

Information resides everywhere in our organization – in printed sheets, files, computers, laptops, CD-ROMs, BlackBerries, iPhones, data centers and backup tapes stored in a remote location – and all of these are vulnerable to misuse. The damage can be significant if information is not managed securely.

How to secure data and information will be articulated in the next article.

- Raja Kumar, Senior Consultant, ECCI

APEX Global successfully holds 3 public trainings on week of May 30 – June 3

Last week, APEX Global successfully conducted 3 trainings at the New World Hotel, Makati City. Forty-five professionals and executives from various firms attended the Business Continuity Management Practitioner, Sustainability Reporting Practitioner and Combined Lead Auditor trainings.

On May 30-31, the Business Continuity Management Practitioner training was held to help professionals learn the best practices of BCM implementation using the BS 25999 standard. Business continuity is a key factor in an organization’s ability to maintain its critical operations during and following a disruption, and in the speed at which it can re-establish full functionality. RCBC, Smart Communications, Allied Bank and Jollibee Foods Corporation are some of the companies that sent representatives to learn from this course.

Simultaneously, the Sustainability Reporting Practitioner workshop was conducted, focusing on the principles and best practices of structuring, designing and developing a successful corporate sustainability report. Tips from the GRI (Global Reporting Initiative) G3 Guidelines, AA1000 (AccountAbility) and ISO 26000 (Guidelines for Corporate Social Responsibility) were shared with participants from Ayala Corporation, Development Bank of the Philippines, Bangko Sentral ng Pilipinas and Globe Telecom.

The Combined Lead Auditor Training was also conducted from May 30 to June 3. The training course is the first of its kind in the Philippines, combining ISO 27001 (Information Security Management System) and ISO 9000 (Quality Management System). Whereas conventional training programs would require 10 days for the two standards, APEX Global delivered the program in only 5 days. Participants came from companies such as UnionBank, BlastAsia, Toshiba Information Equipment, SPI CRM, Zuellig Pharma, HP and Fujitsu.