Chapter 6: Security and Data Privacy – Fundamentals of Information Risk Management Auditing: An introduction for managers and auditors



There is increasing awareness in the media and elsewhere of cyber terrorism and cyber crime. These are very real risks. Less publicised are the internal risks of data loss – through deliberate action or simple carelessness/lack of understanding of the risks. I like ISACA’s definition of information security. It defines information security as something that:


“Ensures that within the enterprise, information is protected against disclosure to unauthorised users (confidentiality), improper modification (integrity) and non-access when required (availability).”

This definition clearly makes it the responsibility of the organisation to protect its information, in the same way as it would any other asset and clearly defines loss in this context.

The area of IT/information security is one where much has been written and it is not my intention to give a full or technically detailed account. What I can do is to give you the basics so that you can conduct an audit or review. For example, you may need to know the distinction between information security and IT security, as these two terms are often confused. Information security looks at all information whether processed manually or on IT systems, whilst IT security addresses the specific technology controls required to support information security.

Many IRM specialists specialise in this single field – why? Because it represents the main area people think of in information risk. There are so many media articles about hacking cases, threats from governments or terrorist organisations, etc. There are also data privacy regulations and cyber security initiatives to consider. The IRM audit specialist needs a basic understanding of the concepts of IT and information security and often sits as an interpreter or go-between, bringing the deeper security specialists together with the rest of the business. Whilst the technical aspects can be very involved, IT security is not just about ticking checklists – it’s about changing behaviours and culture so that users are aware of the potential for phishing/social engineering and the need to act as the first line of defence against potential threats and vulnerabilities.

Like all areas of information risk, it should start with a consideration of risks and controls and then develop into how we approach our audit.


A review of IT security often starts at the technical level. In my opinion it is better to start at the business level. Why do we want to keep our information confidential?

•   Risk of financial loss if transactions are intercepted (direct and indirect risk).

•   Embarrassment and loss of reputation (including future business prospects) if data is revealed.

•   Fines or other sanctions from non-compliance with data privacy legislation or regulations.

Each organisation will have different threats and vulnerabilities. This will partly depend upon their choice of technologies, their profile (some business areas are higher risk than others) and culture/security awareness. It is hence necessary to conduct a specific risk assessment for each organisation.


The main types of control are summarised below:

Security principles and policies

These set out the organisation’s risk appetite for loss of information and are expressed in business rather than technical language. The policies will vary between organisations but will generally include data classification, information security, data protection/privacy, acceptable use, data retention and incident management.


Governance and management processes

These provide the tools and processes to enact the policy. The UK Government’s Cyber Essentials scheme identifies five key controls that all organisations should have as a minimum:

1.  Boundary firewalls and Internet gateways – can effectively restrict access to or from networks if properly configured and maintained.

2.  Secure configuration – ensuring systems are configured in a secure way. Examples include use of single sign-on and development of specific user profiles restricted to the user’s legitimate need. This could, for example, include the lockdown of PCs to prevent use of USB drives or other media that could be used to copy and remove data from the organisation’s network.

3.  Access control – to ensure only authorised users have access and then only to the data specified for their use by the security configuration.

4.  Malware protection – ensuring that virus and malware protection is deployed, installed and used.

5.  Patch management – ensuring that software used is the latest supported versions with up-to-date security patches provided by the vendor.


Culture, ethics and behaviour

Tools and processes alone are not enough. If the culture does not drive correct behaviours, users will quickly find dangerous workarounds that will leave systems vulnerable to attack. There are some very effective ideas for communicating the expected culture and behaviours – including screensavers, life-size cardboard statues and stickers for laptops.

Examples of IT security controls

Some examples of basic IT security controls are as follows:

•   Access controls – approval (processes to ensure that users are approved to access information resources), authorisation (ensuring access permissions are defined and that systems are configured to provide the right level of access, with least privilege, need to know and segregation of duties (SoD) being considered), authentication (ensuring that when users access an information resource we can authenticate that they are indeed that person through user ID and password controls, biometrics, certificates, etc.).

•   Network controls – firewalls, routers, etc. (secure configuration for boundary and internal network protection), network design (segregation of networks, use of DMZs, remote access methods), wireless network security (ensuring wireless devices are configured securely and that rogue wireless networks are detected and removed).

•   Application and system development – ensuring that security is built into the development lifecycle and design of any software (e.g. input validation and output controls, protection of web-based applications (see OWASP), secure coding), ensuring systems are tested before being implemented, ensuring code is safely stored (e.g. in escrow or backed up), segregating development and live environments.

•   Vulnerability management – ensuring antivirus and malware protection is installed on all hosts and end point devices, preventing unauthorised mobile code from running, such as ActiveX or Java, ensuring systems are securely configured to approved standards (e.g. NIST, CIS, etc.), ensuring patch management is regularly performed and that software versions are kept current.

•   Physical security – ensuring that physical access (secure facility, cameras, etc.) and environmental controls (fire and flood prevention, UPS, etc.) are in place at hosted or internal computer room sites.

•   Communications security – use of encryption, at rest or in transit, where the information classification requires it; protection of outbound and inbound email; restrictions on or protection over Internet usage.

•   Monitoring controls – logging and review of security events, monitoring network device activity (IDS/IPS), regular monitoring of users and associated access permissions, monitoring of email usage, log-in banners which inform users that monitoring may be performed.

•   Incident management – defining how incidents will be identified, recorded, handled and escalated, linkage into IT service continuity processes.

•   IT availability and service continuity – understanding recovery times for systems and ensuring that systems are built with redundancy and resilience, reducing single points of failure, backup facilities, hot sites and failover solutions, defining disaster recovery plans and testing them, integration of DR plans into BCPs.
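The access controls bullet (least privilege, need to know and SoD) and the monitoring controls bullet (review of security events and of users and their permissions) are the two that an auditor most often has to turn into a concrete check. The following is an added example, not code from the book or from any of the standards it cites: a small user access review in Python that runs over a constructed export of user-to-role assignments and a constructed authentication log. It flags users holding a forbidden combination of roles, accounts that still hold permissions but have not logged in for 90 days, and bursts of failed log-ins. The role names, the SoD matrix, the log format, the review date and the thresholds are all hypothetical.

```python
"""Added example: a user access review over constructed data.
Role names, SoD pairs, log format and thresholds are hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export of user -> roles (hypothetical role names).
USER_ROLES = {
    "alice": {"payment_create", "payment_approve"},   # holds both halves of a payment: SoD conflict
    "bob":   {"payment_create"},
    "carol": {"payment_approve"},
    "dave":  {"report_read"},                         # has not logged in for months, see log
    "erin":  {"sysadmin"},
}

# Constructed SoD matrix: pairs of roles one person must never hold together.
SOD_CONFLICTS = {
    frozenset({"payment_create", "payment_approve"}),
    frozenset({"sysadmin", "payment_approve"}),
}

# Constructed authentication log (hypothetical format: time outcome user src).
AUTH_LOG = """\
2024-03-01T08:55:12 LOGIN_OK   user=alice src=10.0.0.12
2024-03-01T09:01:44 LOGIN_OK   user=bob   src=10.0.0.15
2024-03-01T09:03:10 LOGIN_FAIL user=carol src=10.0.0.20
2024-03-01T09:03:15 LOGIN_FAIL user=carol src=10.0.0.20
2024-03-01T09:03:19 LOGIN_FAIL user=carol src=10.0.0.20
2024-03-01T09:03:24 LOGIN_FAIL user=carol src=10.0.0.20
2024-03-01T09:03:30 LOGIN_FAIL user=carol src=10.0.0.20
2024-03-01T09:04:02 LOGIN_OK   user=carol src=10.0.0.20
2023-10-20T17:12:09 LOGIN_OK   user=dave  src=10.0.0.31
2024-03-01T10:30:00 LOGIN_OK   user=erin  src=10.0.0.40
"""

REVIEW_DATE = datetime(2024, 3, 4)   # fixed "today" so the review is reproducible
DORMANT_AFTER = timedelta(days=90)   # hypothetical policy threshold
FAIL_THRESHOLD = 5                   # failures ...
FAIL_WINDOW = timedelta(minutes=5)   # ... within this window are flagged


def parse_log(text):
    """Turn log lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, outcome, user_f, src_f = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "ok": outcome == "LOGIN_OK",
            "user": user_f.split("=", 1)[1],
            "src": src_f.split("=", 1)[1],
        })
    return events


def sod_conflicts(user_roles=USER_ROLES, matrix=SOD_CONFLICTS):
    """Users whose role set contains a forbidden pair -> {user: [pairs]}."""
    findings = {}
    for user, roles in user_roles.items():
        hits = [tuple(sorted(pair)) for pair in matrix if pair <= roles]
        if hits:
            findings[user] = sorted(hits)
    return findings


def dormant_accounts(user_roles=USER_ROLES, log=AUTH_LOG,
                     today=REVIEW_DATE, limit=DORMANT_AFTER):
    """Accounts that still hold roles but have no successful log-in within
    `limit` (an account with no successful log-in at all is also dormant)."""
    last_ok = {}
    for ev in parse_log(log):
        if ev["ok"]:
            last_ok[ev["user"]] = max(last_ok.get(ev["user"], ev["time"]), ev["time"])
    return sorted(u for u, roles in user_roles.items()
                  if roles and (u not in last_ok or today - last_ok[u] > limit))


def failed_login_bursts(log=AUTH_LOG, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Users with at least `threshold` failures inside a sliding window -> {user: count}."""
    fails = defaultdict(list)
    for ev in parse_log(log):
        if not ev["ok"]:
            fails[ev["user"]].append(ev["time"])
    flagged = {}
    for user, times in fails.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                flagged[user] = n
                break
    return flagged


def run_review():
    """Collect all three findings in one report dict."""
    return {"sod": sod_conflicts(),
            "dormant": dormant_accounts(),
            "failed_bursts": failed_login_bursts()}


if __name__ == "__main__":
    for section, finding in run_review().items():
        print(f"{section}: {finding}")
```

In a real review the two inputs would be exports from the identity system and the authentication logs for the review period; the value of the script is that the SoD matrix and the thresholds are written down, so the auditor can show which policy rule each finding breaches and re-run the same check at the next review.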


The ISO27001 series consists of:


ISO/IEC 27001:2013

Information technology – Security techniques – Information security management systems – Requirements


ISO/IEC 27002:2013

Information technology – Security techniques – Code of practice for information security controls


ISO/IEC 27003:2010

Information technology – Security techniques – Information security management system implementation guidance


ISO/IEC 27004:2009

Information technology – Security techniques – Information security management – Measurement

The main standard, 27001, covers:

•   Organisational context

•   Leadership

•   Planning

•   Support

•   Operation

•   Performance evaluation

•   Improvement.

The standard is highly popular and widely used. Organisations can obtain certification to the standard. Some information risk managers obtain qualification and provide audit of 27001.

Case study examples

Help (yourself) desk

At one organisation I phoned the helpdesk with an issue and was asked to provide my access ID and password – I refused. This request was in contravention of the organisation’s security policy.

Who would have guessed it?

In the days before passwords were encrypted, I was helping to implement a new system and decided to check the password file. I found the passwords were ‘Newt’, ‘Frog’, ‘Toad’ and ‘Tadpole’. There was obviously some disclosure amongst the four members of staff in this team and so I made them change the passwords and checked a week later. I found the passwords were now ‘Robin’, ‘Thrush’, ‘Blackbird’ and ‘Sparrow’. Easily guessable passwords are as worthless as if they were written down.
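The lesson of the case study is that a password rule has to reject dictionary words, not just enforce a change. The following is an added example, not from the book: a Python password-acceptability check of the kind a password-change process or a policy audit script applies before a new password is accepted. It rejects short passwords, passwords built on a dictionary word even after common mangling (appended digits or symbols, letter-for-digit substitutions), passwords containing the user name, and passwords with almost no character variety. The word list is a tiny constructed stand-in for a real dictionary, and the minimum length is a hypothetical policy value.

```python
"""Added example: password-acceptability check against a constructed word list.
The word list, minimum length and test inputs are all hypothetical."""
import re

# Constructed mini-dictionary; a real check would load a large word list.
WORD_LIST = {
    "newt", "frog", "toad", "tadpole", "robin", "thrush", "blackbird", "sparrow",
    "password", "welcome", "summer", "winter",
}

# Common letter-for-digit/symbol substitutions, undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12   # hypothetical policy minimum


def normalise(candidate):
    """Reduce a candidate to the word it is probably built on:
    'Sparrow1!' and 'Sp4rr0w2024' both reduce to 'sparrow'."""
    core = re.sub(r"[\d\W_]+$", "", candidate)   # drop trailing digits/punctuation
    core = re.sub(r"^[\d\W_]+", "", core)        # and leading ones
    return core.translate(LEET).lower()


def check_password(candidate, username=None, word_list=WORD_LIST, min_length=MIN_LENGTH):
    """Return a list of policy failures; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    core = normalise(candidate)
    if core in word_list:
        problems.append(f"based on dictionary word '{core}'")
    if username and username.lower() in candidate.lower():
        problems.append(f"contains the user name '{username}'")
    if candidate and len(set(candidate.lower())) <= 2:
        problems.append("too few distinct characters")
    return problems


def audit_candidates(candidates):
    """Run the check over {user: proposed password} and return only the failures."""
    return {user: probs for user, pw in candidates.items()
            if (probs := check_password(pw, username=user))}


if __name__ == "__main__":
    # Constructed proposals, including the bird names from the case study.
    proposals = {"ann": "Robin1!", "ben": "Sp4rr0w2024", "cat": "ben-cat-2024x",
                 "dan": "correct horse battery staple"}
    for user, probs in audit_candidates(proposals).items():
        print(user, "->", "; ".join(probs))
```

The normalisation step is what makes the check more than a string comparison: a rule that only compared the raw password with the word list would have accepted ‘Sparrow1’, which is exactly the kind of change users make when told their password is too obvious.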

Documenting, assessing and testing security and confidentiality controls

•   Review the risk assessment for IT security to ensure that it is up to date for current threats facing the organisation.

•   Review policies and principles to ensure they cover all of the identified security risk areas and are up to date and approved. It is also worth checking that they have been circulated and that staff are aware of them. Most organisations now require a formal sign-off of acceptance from all new members of staff and higher risk organisations also require an annual renewal of this acceptance.

•   Identify the tools and processes in place, including for the five major cyber security controls. Review arrangements for ensuring that these are up to date and deployed and operating effectively.

If all of the above show that controls are generally adequate, I may then consider requesting a more detailed specific IT security audit from an appropriate specialist – for example penetration testing, firewall security, etc.


IT security is a highly specialised area. However, there are a number of checks that any IRM auditor can perform to assess whether their organisation has the basic starting components to address risk.