Spencer Green
Chairman, GDS International

25 May 2011

Information Security: Innovation or Necessity?


Modern businesses face many challenges and opportunities. Competitive advantage and sustained profitability are essential for survival and development in the marketplace. Standards and performance in the private and public sector are also under constant and ever closer scrutiny.

The Nationwide Building Society was fined nearly £1m in 2006 by the FSA for failing to have effective systems and controls in place to manage information security risks. These failings came to light following the theft of a laptop from the home of one of its employees. The FSA found that the building society's procedures were not adequate and exposed its customers to an increased risk of financial crime. The failings included not being aware that the laptop held confidential customer data and not starting an investigation until three weeks after the theft. The FSA stated: "Firms' internal controls are fundamental in ensuring customers' details remain as secure as they can be".

A critical area that is too often overlooked is information security. The Nationwide case shows that if information security is not managed properly, the risks increase not only within your own organisation but also for your suppliers and, worse still, your customers.

Information in this context needs to be defined as ‘an important asset which is essential to an organization’s business needs. Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by using electronic means, shown on films, or spoken in conversation’.

The process of Information Security must be embedded within an organisation from the top down, underpinned by a culture of support and cooperation. When it is done correctly, tangible business benefits can be realised, including increased efficiency, greater clarity and visibility of business processes, awareness of critical assets, risk reduction, and ultimately a direct improvement on the bottom line. Your customers can also be assured that information security is taken seriously, including such key aspects as data protection and freedom of information.

The challenge for business leaders is to understand the extent to which information security management already exists within their organisation and to mobilise market leading information security management services to provide the specialist support that will guarantee compliance with industry best practice and national and international standards.

Managing Information Security in practice (Case Study)

The solution for managing information security risks within an organisation is to implement an Information Security Management System (ISMS), since it covers all the aspects relevant to the business. An ISMS helps to identify and reduce critical security risks by focusing your information security efforts on protecting your information.

The outsourcing group within a major IT systems and services provider needed a flexible approach to implementing information security. A core grouping of functions and staff was clustered in a few geographically close sites, but the full organisation was distributed more widely over the UK. A pragmatic decision was taken to implement the ISMS in the core cluster first, to ensure that the common policies and controls were firmly established and so that the organisation could learn how best to use the ISMS before extending it.

The initial implementation followed the steps outlined in the ISO 27001 standard on information security management. The first task was to scope the system in terms of its physical and logical boundaries and the data to be protected. A thorough and detailed risk assessment was then carried out by identifying the critical IT assets and listing the key threats and vulnerabilities for each asset. All of this was documented in a risk register, and each entry was evaluated by considering the combination of threats, vulnerabilities and existing security controls. This clearly identified the risks that needed new or stronger controls to bring them below the tolerance threshold set by the organisation's management team.

The ISMS then went live with staff training and awareness, publication of the security policy and procedures, and documentation of the final set of security controls that had been selected. After a period of live operation and monitoring, the effectiveness of the system was reviewed; in particular, feedback from internal audits and security incident records was used to identify opportunities for improvement. These related to missing confidentiality agreements, a lack of planning for business continuity tests, and ensuring that supplier contracts included security requirements.

Benefits

Since then the ISMS has been rolled out from the original three sites to cover eight locations and encompasses a highly leveraged delivery model using both internal and external suppliers and infrastructure. It has proven pleasantly resilient in coping with this organisational and technical complexity.

When the organisation reviewed the performance of the management system it was able to highlight several benefits:

  • Reduction in security breaches
  • Improved understanding of business operations and related critical assets
  • Ensuring compliance with regulatory and legislative requirements
  • Reduced risk to reputation in the market sector
  • Increased protection of key IT assets and related data
  • Enforcing a systematic approach to identifying and handling security incidents
  • Providing confidence to external financial auditors that security controls are in place and effective

Future

One thing is clear: information security is here to stay. The pervasiveness of IT systems in all business sectors and the explosive growth of connectivity mean that security risks will continue to increase. We can expect security threats to grow in aggressiveness and impact, whether through hacking or malicious software. Recent security breaches such as those at Nationwide and TK Maxx suggest that databases will be key targets, with particular focus on opportunities for identity theft. Regulatory requirements to report such losses already exist in the USA, and the same can be expected in the European arena.

The compliance regime will undoubtedly tighten, especially where high-profile breaches indicate weaknesses either in the regulations or in their implementation. The Privacy and Electronics Communications Act of 2003 focuses on the B2P channel, but further review of regulations can be expected as new technologies and initiatives such as RFID, biometrics and the ID Cards Bill proceed. Key sectors such as government, healthcare and finance are raising the bar with requirements for effective information security, and with an expectation that information security management systems are a key means of meeting those requirements.

One specific technical issue for CIOs to cope with is the increasing impact of the 'zero day' exploit. The need is to prevent security breaches occurring in the gap between a new vulnerability being published and the patch that fixes it being applied. Rolling out patches takes time, so we can expect more stringent controls to be applied during this threat window.

Weaknesses

Implementing an effective ISMS is not necessarily complex or difficult, but some weaknesses do recur across the wide range of systems that have been assessed under formal certification conditions. This list can be read as the common pitfalls to avoid as you get your ISMS under way:

  1. Security of backup data
  2. Staff training and awareness
  3. Limited use of metrics to characterise security performance
  4. Lack of effective testing of business continuity arrangements
  5. Poor software licensing controls

DNV

As a renowned certification body for ISO 9001, ISO 14001, OHSAS 18001 and ISO 27001, DNV also provides services in the fields of Climate Change, Corporate Responsibility and Training.

If you would like to know more about any of our services, please contact us at:
T: 020 7716 6543
E: certificationuk@dnv.com
