NEWSLETTER - EDITION 10
Welcome to the
tenth issue of ISO 17799 News, designed to keep you abreast of developments
and news with respect to ISO17799 and information security. The information
within the newsletter is absolutely free to our subscribers and provides
guidance on various practical issues, plus commentary on recent Information
Security incidents. Included in this edition are the following topics:
Implementing ISO17799 in Your Organization
Security Awareness: ISO17799 Section 4
Introducing an Effective Email Security Policy
ISO17799: a World Wide Phenomenon
Introducing a Disaster Recovery Team Into
12) Preparing for
an Information Security Audit
15) It Couldn't
Happen Here.... Could It?
It is becoming
increasingly critical that information security is given the attention and
level of importance it deserves. Most organizations are now totally dependent
upon their information and business systems, so much so that serious
disruption to those systems and the business information they contain can mean
disaster or critical loss.
ISO17799 is the
only internationally accepted worldwide standard/code dealing comprehensively
with these issues. Purchasing
this standard is a good first step, but as the standard is by necessity a
comprehensive and therefore a fairly complex document, guidance is often
necessary to help organizations decide where to start and what priorities
should be applied to the implementation process.
Toolkit was of course introduced to solve many of these issues in one step.
As well as containing both parts of the standard, it also includes a
full set of compliant policies ready for implementation, a road map for
potential certification of the organization, an audit kit for network based
systems, a business impact analysis questionnaire together with many other
supportive items (eg: a disaster recovery kit, a
management presentation and an IS glossary).
This toolkit represents extremely good value as it can enable
organizations to commence work with the introduction of vital security aids
without reference to expensive external consulting resources.
armed with a support kit like this, it is important to understand that the key
to the standard is PROCESS... the creation and maintenance of
a robust ISMS. This is occasionally overlooked, as some organizations
simply adopt a tick list from the first part of the standard (ISO 17799). This
is certainly a good stride forward, but is by no means the end of the journey.
considering the standard, therefore, it should be understood that the path
forward will certainly include enhancement and improvement of security, but it
will largely be driven via the creation and maintenance of information
security management systems and supporting procedures.
AWARENESS: ISO17799 SECTION 4
breaches occur at ground level, through employees making mistakes or
inadvertently revealing information. It is ironic therefore that so many
organizations do not have a comprehensive awareness program in place, perhaps
missing the obvious and focusing upon the more stimulating high-tech threat
ideally be part and parcel of company culture. To meet this objective however
requires determination, support from the top, and a properly planned and
comprehensive awareness program.
should include a range of different aspects. To assist, we list some of the
most common below:
- A Security
Newsletter. This is an important vehicle and can include both news and
information in a topical context. Please feel free to extract from this
newsletter for inclusion.
- A 'Roadshow'.
Security personnel regularly give presentations to senior management and staff
on current threats and issues.
- The Screen
Saver. Why not use it for security related messages?
- Posters. Use
them and replace them often.
Training. If your organization produces internal courses for staff on other
topics, make sure that the security angle is covered.
- Video/DVD. If
you have the budget, produce and distribute.
- Cheap gifts.
Pens, key fobs, and coffee mugs bearing a security message may seem tacky, but
- Competitions. Security
crosswords, puzzles and problems, with a suitable prize for the winner.
Some of these may
well be seen as mundane. But in the final analysis, threats are usually far
more likely to materialize through lack of awareness than through complex
EFFECTIVE EMAIL SECURITY POLICY
breach is becoming an increasingly significant threat to organizations around
the world. To counter this, most organizations will already have a firewall
and anti-virus software in place. Hopefully, as new viruses are found daily,
they have made sure that their virus protection is also updated on a daily
course, can sometimes penetrate the firewall by hiding within emails. Once
opened, the virus can spread and cause significant damage to internal systems.
The virus may not always be serious enough to cause permanent damage but, even
with moribund viruses, the disruption may well take time and money to rectify.
risks, there is no escaping the fact that e-mail is rapidly becoming the
principal means of business communication. Draconian restrictions on use are
therefore not tenable. However, rigid application of stringent security policy
high level best practice statements should be adhered to as a basic minimum
should understand the rights granted to them by the organization in respect of
privacy in personal e-mail transmitted across the organization’s systems and
networks. Human Resources Department should incorporate a suitable wording
into employee contracts to ensure that this privacy issue is fully understood.
and sensitive information should not be transmitted by e-mail - unless it is
secured through encryption or other secure means.
should not open emails or attached files without ensuring that the content
appears to be genuine. If you are not expecting to receive the message or are
not absolutely certain about its source, do not open it.
should be familiar with general e-mail good practice e.g. the need to save,
store and file e-mail with business content in a similar manner to the storage
of letters and other traditional mail. E-mails of little or no organizational
value should on the other hand be regularly purged or deleted from your
From these, it is
recommended that more specific corporate requirements are produced and
Fact: Every day
of every week dozens of corporate websites are hacked and defaced. This
statement may surprise some people, but it does illustrate that this problem
is extremely large scale and the threat is very significant. Even on the very
day this item is being written, well known sites owned by Lycos and the
European Union have been defaced.
A future edition
of this newsletter will therefore investigate this issue in some depth. We
will explore some of the more high profile attacks, and offer advice on what
to do to minimize risks... and recover should you become a victim.
In the meantime,
if you ever wondered what drives these people, Zone-H reports the following (from a substantial sample):
for fun! 35%
I just want to be
the best defacer 12.5%
As a challenge
that website 1.9%
They also report
that over half of successful hacks exploit either configuration errors, or
un-patched systems: which are very basic security issues!
Focus reports that charges have been filed against
man known as 'The-Rev', for his alleged role in the high profile 'Deceptive
Duo' hacking team. The 'Deceptive Duo' are
responsible for defacing a significant number of government and corporate
- Currently, of
course, we have ISO17799 and BS7799-2. However, efforts are currently on-going
to convert BS7799-2 to an ISO document as well (ISO17799-2). We hope to
provide an update on this in the next issue.
- At time of
publication a security alert has been issued regarding a new fast spreading
worm, the 'Sasser' worm. This already has several
variants and threatens to achieve similar notoriety to previous attacks last
year (eg: Blaster). Now seems a pretty good time
to update those anti-virus definition files.
WORLD WIDE PHENOMINON
Our source list
for recent purchases of the ISO17799 standard always proves to be a popular
talking point. The up to date version of the most recent thousand or so is as
Isle of Man
United Arab Emirates
The same health
warnings apply as usual: these are online credit card sales from a single
source. As a consequence, those cultures that are less familiar with this form
of commerce will be under represented.
DISASTER RECOVERY TEAM
Even for small
enterprises, it is often necessary to establish a Disaster Recovery Team to
handle the initial stages of an emergency situation. Certainly, it is
essential for larger corporations.
Recovery Team should be made up of a group of specialists who have previously
been nominated as being able to assist in dealing with the initial emergency.
These will not necessarily be the same persons who are members of the
Business Recovery Team. Although
the configuration of the DRT will depend upon the type and severity level of
the emergency, and the nature of the organization itself, the following
personnel may need to be involved depending upon the circumstances:
Key members of Senior Management
Premises of Facilities Manager
Fire and Safety Officer
Premises Maintenance Staff
Information Security Officer
Recovery Team (DRT) is responsible for working with the emergency services to
clear the initial emergency crisis situation, in order that the Business
Recovery Team is able to start their activities.
The DRT itself will only be able to start their own recovery activities
once the emergency services have given permission for these duties to
commence. During the initial
emergency, the DRT will normally make themselves available to provide
assistance to the emergency services, as appropriate.
from the DRT should actually be ‘on-call’ or available at all times, and
should ensure that their contact details are known. All members of the DRT
should maintain an up-to-date copy of the BCP in a secure location off-site,
and each member should also be issued with special equipment such as torches,
hard hats, gloves, overalls, hand held dicta-phones and mobile phones to use
in such emergencies.
preparations can of course make all the difference to the outcome of the
disaster situation, and at the very least, will create a sound platform for
the Business Recovery Team.
PREPARING FOR AN
INFORMATION SECURITY AUDIT
Information Security audit to be effective it must be planned and have
adequate preparation. A common purpose of conducting the audit is to enable
the Information Security Officer (or the person who is responsible for the
security of information) to measure the level of compliance with the
organization’s Information Security Policies and associated procedures.
At the highest
level, the Information Security Officer should initially prepare an audit
program which ensures that all key risk areas are audited and reviewed on a
regular basis. The greater the threats, and the higher the risk or probability
of an Information Security incident, the more often the audit should be
Once the risk
area to be audited has been selected, the Information Security Officer should
prepare a list of the INFORMATION that needs to be collected to carry out the
As an example, if
the audit chosen is regarding the Portable Computing Facilities, the documents
to be considered for review are:
• Hardware register.
• Software register.
• User Profile.
• Issue form.
• General terms
• Removal of
Security Officer will also decide on which PERSONNEL need to be audited and
arrange an interview schedule. In the same example, the following personnel
would be audited:
• The issuers
of portable computers.
• A sample of
the user population who use portable computers.
As with many
tasks, pre-planning is sometimes seen as a necessary evil, and there is
temptation to shortcut. However, in most cases, there is little doubt that the
quality of the planning is likely to go a long way in determining the quality
of the audit.
HAPPEN HERE....OR COULD IT?
Every issue of
The ISO17799 Newsletter features at least one TRUE story of an information
security breach and its consequences. This issue considers genuine cases
illustrating different threats from WITHIN the organization:
fired an employee who had been known to be less than happy in his work and had
been causing problems for management through a variety of activities. Unbeknown
to the organization, this employee had made a copy of the main client database
for himself and therefore had access to sensitive information.
Shortly after the
employee was dismissed, major customers started receiving offensive material
purportedly being sent by the organization itself. The ex-employee used a
simple open SMTP server to simulate the organization's email addresses.
Customers immediately started to move away from the organization and even when
they were informed that this material had been maliciously sent to them by a
previous employee, they remained unimpressed with a company that had so little
security in place.
quickly went out of business, paying a heavy price for not having sufficient
control over employee access to sensitive information.
A firm in
developed a range of new products mainly by utilizing the services of one of
its employees who was particularly skilled at these activities.
Once these products had been developed, they were successfully marketed
by the firm and a good revenue stream emanated from this new business area.
the firm had not considered protecting the intellectual property rights of
work undertaken during the employee’s time with them and it was subsequently
successfully sued by the employee who had authored the products, and who then
claimed ownership over the intellectual property rights contained within them.
The lesson to be
learned here is that employees' contracts should clearly state the ownership
of any work developed for the company during his/her employment.
This agreement should be signed by the employee to signify acceptance
of these terms and conditions prior to undertaking this type of work.
3) Who Audits the
A large financial
company thought they had security in the bag. Their security department was
active, and involved in most activities of the Group. It had a reputation for
being on top of new technology, and had an aggressive audit schedule, with all
sensitive applications and projects being regularly audited.
What a pity they
got a fundamental principle so badly wrong! As the Group's security area they
had full access to security settings, and administered access control for key
applications. As auditors they audited the same. That was the crunch.
The same individuals
who set security levels and granted access to information resources, also
audited them. A classic case of insufficient segregation
In one sense they
were lucky. The incident which brought this to light was petty. The individual
in question could not resist the temptation to adjust his overtime figures on
the payment database. He inflated the figures by several hundred dollars, each
month, for several months. He was caught because someone else on his team
spotted his payslip (which he had left inside his
briefcase, which he left open!) and knew instinctively that he had not been
working long hours in recent weeks and therefore that the salary figure was
far too high.
however, just as easily been an accounting database he adjusted, or a number
of financial databases, and the company could have been facing a substantial
and embarrassing loss.
The golden rule
of course is that auditors usually need only read access to audit, and not