Wednesday, Jan 18, 2012

What's going on in your IT infrastructure?

When anything happens in your network infrastructure it can be logged. Servers have log files, firewalls have log files, routers and switches have log files, every single PC has a log file. That's a lot of log files! In fact, that's so many log files with such a vast amount of logged information that it becomes a complete, unintelligible, amorphous mass of data. In fact most organisations probably turn logging off because it's too hard and too time consuming to evaluate.

But what can these logs tell you? Actually, the question is probably better "what can't these logs tell you?". There is a vast amount of very useful information that can help direct your IT services in solving technical issues, access issues, security issues and generally the health of the systems being monitored.

We've been working with one of our clients to implement a SIEM (Security Information and Event Management, although possibly substituting System for Security may be quite appropriate) pilot across their estate of well over one hundred servers. It's early days but the amount of interesting information coming through already is quite staggering. Identified attacks on the infrastructure from China, Germany, Taiwan and a few other places, a SQL service failing but not spotted elsewhere, potential vulnerabilities uncovered are all in a day's work for the SIEM.

This information helps direct the IT team to priority areas to look at as there is now a constant visual display (dashboard) of what is happening throughout their infrastructure. How are the servers and services coping? What happens at the start of the day when everyone logs in? Checking changes that have taken place to servers to ensure that they comply with change management control.

It's a tough job ensuring compliance against company policies, proving to the auditors that you know exactly what has been happening in your infrastructure, pro-actively closing off potential vulnerabilities in your security and checking to see what the users have been up to. Being able to display, in real-time, the state of play within the network to board members is a real bonus. It's a very difficult call to request spending on anything that is deemed non-productive and security is usually deemed as such. However, with the information now being correlated and displayed for all to see, the task gets a great deal easier.

We've been working with AlienVault on this pilot and are extremely pleased to see the kind of information being presented to our customer. There's a lot to do, but at last there is some real intelligence to make sense of the vast amount of data that is being collected. Intelligence that will improve the day-to-day operations of this customer, help to secure the system from outside and inside attacks and help prevent any loss of intellectual property. SC just posted an article here.

http://www.vioptim.co.uk

 

Wednesday, Nov 09, 2011

The drive towards implementing an information security standard

ISO27000 and the Need for a Standards Approach

It’s been interesting to note that in recent weeks, several customers have expressed the need to incorporate some information security standards within their organisation. The reason behind this has been the requirement from their customers to have certain minimum qualifications in place in order to bid for business.

Not untypical of supply chain management, it’s often the crucial missing ingredient that gives certain standards a push. Although there are a number of standards around, perhaps the most widely used is the ISO 27000 family. Derived from a British Standard (BS7799), it has been adopted – with a few adjustments – by ISO. In the retail sector, businesses using credit cards have been forced into adopting and complying with PCI DSS (Payment Card Industry Data Security Standard) in order to continue offering them as a form of payment.

True of most standards, their impact is often felt years after the initial adopters have bought into them by the supply chain. Also true, standards are often not taken aboard as a “must have” until there is either supplier, customer or regulatory pressure applied. It’s an understandable situation as there is a cost involved in achieving a standard’s accreditation and the benefit of so doing may not be altogether obvious. With Information Security, there are, perhaps, some compelling reasons for incorporating best practices into the organisation and formalising the approach, starting at the board and working down through the layers of the business.

Computer Weekly reports that cyber attacks on the UK have reached "disturbing" levels, according to Iain Lobban, director of communications intelligence agency GCHQ. The attacks are targeting sensitive data on government computers and defence, technology and engineering firms' designs, he said in The Times. According to Lobban, "Such intellectual property theft doesn't just cost the companies concerned; it represents an attack on the UK's continued economic wellbeing."

Speaking at the London Conference on Cyberspace earlier this month, William Hague stated that “it will become harder to protect users and prevent defences from being swamped as the scope for malignant activity widens alongside advantages.” Putting this in perspective, more than six million unique types of new malware were detected by industry in the first three months of 2011 alone, according to Hague.

Heavy stuff. Scary too, especially if you haven’t got your corporate defences in good shape, which is quite likely given current cost, time and understanding constraints. Worst of all, it’s the good old IT department’s neck on the block. But if you look at how information security standards, like ISO27000, are shaped, it’s actually a business problem that is - or at least should be - owned by the CEO and their heads of departments. It’s not the IT that’s at risk: it’s the business. Too many organisations are too slow in getting this message through to their senior management.

By taking a high level look at what ISO27000 and other information security standards are aiming to achieve, senior management should start to get the picture, taking a great deal of pressure away from the IT department as well as making budgetary funds available to implement mitigation strategies and solutions.

Vioptim is positioned to help promote this high level view and engage with the necessary consultancies to move towards standards compliance and accreditation.

 http://www.vioptim.co.uk

 

Friday, Oct 21, 2011

Dotting the i's and crossing the PC's

The recently published figures for Apple make for some eye-watering reading. The quarter to 24th September 2011 resulted in a total of 17 million iPhones and, get this, 11 million iPads sold. Wow! The Guardian produced an interesting article on 22/9/11 which showed the actual and forecast growth in tablets compared to the PC market:

 

Whilst there's a good deal of speculation about where the figures are going in the future, one thing is for sure and that is that the tablet market, which is forecast to be 50% Apple iPads, is going to shake up the entire industry as we know it today. But, so what?

The increase in the use of mobile technologies, which includes smartphones as well as tablets/pads, is going to have a fundamental impact on:

  • corporate access, data loss prevention & confidentiality
  • use of wireless and roaming
  • what is company owned v. what is privately owned
  • lifestyle

From a technology point of view, the first two points are incredibly important. I was interested in an article by Joanie Wexler entitled "iCloud to Test Wi-Fi Performance Mettle" (you may need to register with Webtorials to see this) in which she asks the question whether the existing Wi-Fi infrastructure is going to be able to cope with all of the automatic synchronisation of devices, citing Apple's new iCloud as the primary example. If you add to that the cost of using 3G, whilst roaming when no Wi-Fi is available, it's food for thought.

Aligned with the increase in mobility solutions comes the protection of information either on the device or being accessed by the device especially in corporate environments. Make no mistake, these mobile devices are going to have a significant impact in the corporate environment. There is absolutely no way that the IT department is going to fend off the use of corporate provided and privately owned devices from accessing corporate information. There will be delaying tactics, no doubt, but like King Canute and the sea, the tide is coming in and you're going to get wet!

So it's time to get serious with the issues surrounding the use of mobile devices in the corporate environment. In fact, it's time to rethink the corporate IT strategy to take account of the development of mobility, the use of the cloud (public and private) and all of the security issues surrounding this change in direction.

We're already doing our bit at Vioptim

 

Friday, Oct 14, 2011

email signatures - a legal reminder

Most organisations are already aware of the legislation associated with appending information automatically to emails, but I thought it worthwhile just providing a reminder here in the blog.

The following is courtesy of Pinsent Masons' Out-Law.com, the full text of which can be found at http://www.out-law.com/page-5536. In short, if your business is a private or public limited company or a Limited Liability Partnership, the Companies Act 1985 requires all of your business emails (and your letterhead and order forms) to include the following details in legible characters:

  • Your company's registered name (e.g. XYZ Ltd);
  • Your company registration number;
  • Your place of registration (e.g. Scotland or England & Wales); and
  • Your registered office address

So, if you're not already doing so, update your signature files straight away. If you're using a service that sends emails on your behalf then go and check their standard templates and/or automatic service for adding this information. Chances are, you're in for a shock.

Vioptim is a SaaS security specialist, providing information security services and solutions in the UK www.vioptim.co.uk

 

Friday, Sep 16, 2011

Meta Compliance - taking the heat of compliance

According to my sources, if it comes to a court case involving employees' misuse or abuse of corporate Internet facilities and confidential information, it's very hard to prove that the relevant policies were communicated, understood and signed off. This came as a bit of a surprise given that much is made of Acceptable Use Policies, company confidentiality, data loss prevention, customer information and the like. Surely organisations are ensuring that they communicate this information properly and manage the sign-offs by staff?

Nope, more often than not, this information is there, possibly published on the Intranet but with little ability to ensure that it is read, that it is understood and that it is signed. That means it's pretty much unenforceable in a court of law.

With our collaboration partners, Bridgeway Security, we're offering a very effective means of managing compliance, ensuring that policies are known, are read and are accepted. Furthermore, that they are updated and re-circulated in an appropriate way to ensure that everyone is up-to-date. This really does take the heat out of the problem faced by a majority of organisations that need to keep track of this type of activity.

Here's what MetaCompliance can do:

Features (table columns: Enterprise, Advantage):

  • Automate policy communication
  • Intelligent desktop delivery to ensure self-certification
  • Enforcement capabilities
  • Policy lifecycle management
  • Policy adoption reporting
  • Integration to E-learning/intranet, email and file launch
  • Intelligent scheduling
  • Unique targeting capabilities via Active Directory
  • Non Electronic module (additional costing)
  • Vendor/Partner Risk Management
  • User/Employee Compliance self-management
  • AD Replication for multi level targeting
  • Dynamic Intercept/Situational Awareness
  • Governance Lifecycle for Joiners & Leavers
  • Policy awareness & understanding assessment
  • Policy Exchange
  • Information Governance Approvals Workflow
  • Automation of Information Governance Maturity Model
  • Extensive Risk Assessment capabilities
  • User behaviour improvement reporting
  • Information Assurance Headline Reporting
  • Extensive Governance & Compliance Reporting
  • E-learning Connections

There's a lot more to information security than securing your perimeter; it's very much a top-down approach to resolving some of the difficult issues through modern means. We all use computers to do our day-to-day tasks but MetaCompliance can ensure that everyone that needs to know about policies is informed and the audit trail managed.

Not all organisations feel that they must be watertight in this regard and that's fine, but those that do, really do need to investigate how best to make the process work.