I have been playing around with ISO/IEC 27001/2 and the Department of Health's Information Governance Toolkit (IGTK) over the last few days, and it's reminded me of something I noticed years ago. Basically, when it comes to auditing against anything, an auditor tends to always ask the same sort of questions. The IGTK and 27001/2, despite their initially obvious differences (e.g. the emphasis on pseudonymisation in the IGTK, and the assumption that continuous improvement is normal in 27002), have these same questions at heart. So here goes.
If you are going to do anything (information security, quality, business continuity etc), pick a topic in it (say password management) and ask yourself the following questions:
1) Is it happening?
2) Is it documented?
3) Does what's happening actually match documentation?
4) Does what you have documented meet requirements?
5) Is compliance between activities, documentation and requirements reviewed/monitored?
6) Are required changes/improvements identified and implemented as required?
7) Is someone formally responsible for all the items above?
8) Is the whole thing approved and supported by top management?
9) How can you prove that any items in the above list are true (assuming that they are)?
If you can get through the above - especially Question 9 - successfully, then you are in a pretty good position with regard to the questions an auditor may ask.
Sunday, 3 November 2013
Tuesday, 24 September 2013
Why build in information security from the start?
Think of a project to build a bridge across a massive river. Right at the beginning, you decide what the height should be. At that stage, it's just a line on the drawing. Easy to change.
Now roll on a year; you have scheduled all the steel deliveries, hired the workers, and the planning permissions, legal work and contracts are done. The foundations have been laid, and the project is on schedule. Then you realise that a supertanker travels down that river every week. The design is too low to let it under.
The cost of changing things now is horrendous. Many recriminations, emergency meetings, and discussions of temporary solutions ensue.
You have to pick a feasible option: the best is to make the bridge open and close. So when the supertanker goes through, the traffic on the bridge has to stop. The changes also result in the project being significantly over time and budget.
If you had known about the supertanker at the design stage, you could have made the bridge higher, to let it under without disrupting traffic.
This is exactly equivalent to the situation with information security. Designing it in from the start is cheaper, more feasible, and prevents infinite pain down the line. Requirements gathering needs to include information security.
Saturday, 14 September 2013
27002: the supermarket of controls
OK, welcome to what will hopefully be a vaguely interesting and not entirely infrequent series of posts on various aspects of information security. Your host for this set of trips into the slightly known is one Bridget Kenyon, information security enthusiast.
For my first foray, join me, gentle reader, as we peer under the hood of 27002, the "supermarket of controls", as a very wise friend of mine calls it.
It's the good buddy of 27001, the set of things which make up an Information Security Management System, or ISMS, for those who like their acronyms.
If 27001 is "what you should end up with", then 27002 is a whole catalogue of security measures (controls) you can use to get you there. Stuff like physical perimeters, cryptography, user training, passwords ("secret authentication data" - don't ask) and so on. It's about 81 pages long, and a great bedtime read.
So why a supermarket? Well, in the ideal world, shopping for groceries is done by deciding what you need, writing a list, and then going to the supermarket and picking up what you need. While you're there, you may notice something you forgot to put on your list, and add it to your shopping cart. Good.
In the real world, you either: a) turn up at the supermarket hungry, with no list, and go home with twenty doughnuts, a bar of chocolate, and a sieve; or b) turn up with a list, get sidetracked, and end up with twice as much as you needed, and missing something vital (like washing up liquid). Not so good. NB: I am Shopper Type a)...
It's the same for 27002. In the ideal world, you do a risk assessment, decide what controls you need to apply to satisfy contractual obligations, the law, and make it possible for you to sleep at night. Then you write them down (your shopping list), and visit 27002 to check them off. While you're there, you can add anything vital (like passwords) you should have included originally, but forgot.
In the real world, people tend to treat 27002 itself as a shopping list. No. Please don't! You wouldn't go into a supermarket and buy everything, would you? Nor should you go into it with a vague intent, and pick out everything which looks about right. You will end up getting home and finding you now have fifty eggs and no toilet paper (metaphorically speaking).
To spend your money and time wisely, don't let 27002 cozen you into picking the wrong things, or more than you need. Remember your shopping list.