CogniBlog

Software for product document control and customer web portals

Cyber Essentials: Why your organisation should ‘Get Badged’! – Part II

December 19, 2014

Does Cyber Essentials involve any form of Risk Assessment?

A question that I posed to BIS and GCHQ at the ISO27001 User Group in August this year. The short answer was: “We’re doing that bit for you”.

The slightly longer but no less controversial answer would appear to be: “Risk management is the fundamental starting point for organisations to take action to protect their information. However, given the nature of the threat, Government believes that action should begin with a core set of security controls which all organisations – large and small – should implement. Cyber Essentials defines what these controls are.”  [from the Cyber Essentials Scheme, Summary, June 2014, Addressing the Threat, page 3].

So, no requirement for a risk assessment. But is that good news?

Should we care that Government is stepping in to define what ‘core security’ should be like in your organisation (assuming that you do some business with Government and want to continue doing so in the future)?

And is the ‘cyber threat’ serious enough to justify a Government Scheme?

Leaving aside the Media hype, I would recommend that you read Sir Iain Lobban, then Director GCHQ, who contributed a thought-provoking article entitled “Countering the cyber threat to business” to the Spring 2013 edition of the Institute of Directors Big Picture policy journal. Sir Iain outlines for a business audience in non-technical terms the nature and scale of the threat to businesses from cyberspace, why cyber security should be at the top of boards’ agendas and the role GCHQ is playing in helping counter the threats. You can read the full article in the Spring 2013 back issue of Big Picture. Just follow the link on the IoD’s website:

http://www.iod.com/influencing/big-picture/big-picture-archive/big-picture-spring-2013

In my view, the Cyber Essentials is long overdue. It’s only likely to be a voluntary undertaking for most organisations unless they fall within the categories listed in Annex A of the Policy document (see above); hence, it is unlikely to be taken as seriously as it should be by the Boards of the UK’s smaller enterprises, many of whom assume that they are too small to attract the interest of professional cyber criminals. They miss the point that they can be a gateway to confidential data held on their clients’ computer systems. And also, that a great deal of today’s automated hacking software randomly identifies system vulnerabilities by attempting an intrusion via the Internet and then exploiting IT security weaknesses. The fact that few people have spotted your physical office address or that your company website attracts low numbers of does not make you safe.

Rather, the opposite is generally true, because your sense of security is completely false; therefore: your cyber risk assessment processes and mitigation measures are likely to be equally unrealistic when it comes to understanding the nature of the threats posed to data on your systems.

Why do we need Cyber Essentials if ISO27001 is an option?

In simple terms: not enough organisations are ISO27001 certified, and, theoretically, the management system framework – however valuable – allows organisations to opt out of controls specified in Cyber Essentials.

In practice, few if any organisations adopting ISO27001 are likely to choose a control set that doesn’t cover the fundamental technical issues; however, that’s a story for another day. Cyber Essentials is here to stay.

The UK Government clearly believes that ISO27001 is simply too big and unwieldy a Standard for most organisations to invest in accredited certification. In my experience, the fear factor regarding ISO27001 adoption, especially when it comes to the risk assessment aspect and the selection of suitable information security controls, is not justified when the right expert help is available. However, the basic technical control set defined in the Cyber Essentials Scheme does fill an important ‘gap in the market'; enabling organisations, particularly SMEs, to understand and properly address the most important technical aspects of cyber security protection. It also fits nicely into IASME’s wider governance approach to information assurance for smaller organisations. About which, more later.

Even then of course, small organisations under 50 employees (including single employee businesses), and even some medium-sized organisations, may need to obtain further guidance and support to ensure the technical controls presented in these requirements can be implemented adequately.

What types of cyber threat does Cyber Essentials hope to combat?

Cyber Essentials focuses on basic cyber hygiene. The theory is: your organisation will be better protected from the most common cyber threats if you have a set of controls which, when properly implemented, comply with the scheme’s requirements. These controls will provide organisations with protection from the most prevalent threats coming from the Internet. In particular, those resulting from malware and hacking strategies which require low levels of attacker skill, and which are widely available online.

The Scheme has two progressive levels: “Cyber Essentials” is an independently validated self-assessment submission, whilst “Cyber Essentials Plus” additionally requires a comprehensive, independent technical assessment to validate that the selected security controls have been implemented effectively.

Cyber Essentials is FREE to download and any organisation can use the guidance to implement the five essential security controls, but some may want or need to gain independent assurance that they have fully deployed the controls. Organisations that have been successfully independently assessed or tested through the scheme’s assurance framework will attain a Cyber Essentials certification badge. This will help you demonstrate to customers, partners or clients that your company takes cyber security seriously – boosting reputations and providing a competitive selling point.

Therefore, to sum up this introduction to the Cyber Essentials Scheme:

Cyber Essentials is relatively inexpensive compared to implementing ISO27001:2013 and does have significant attractive features for SMEs. The most obvious being that not all of your competitors in a particular market sector will be certified Cyber Essentials compliant and displaying the distinctive badge. Those who do are saying that they are good at protecting client data at least at a basic level – make that a selling point.

Cyber Essentials offers a sound foundation of basic hygiene measures that all types of organisations in the UK can implement and potentially build upon. Government believes that implementing these measures can significantly reduce an organisation’s vulnerability. However, it does not offer a silver bullet to remove all cyber security risk; for example, it is not designed to address the more advanced, targeted attacks and hence organisations facing these threats will need to implement additional measures as part of their security strategy. What Cyber Essentials does do is define a focused set of controls which will provide cost-effective, basic cyber security for organisations of all sizes. As such, it has value.

If you would like more information and guidance about Cyber Essentials requirements, including how to prepare for and answer the questions in your self-assessment questionnaire and what to expect from the results of a Cyber Essentials penetration test, I will be writing about this subject in 2015 – so let me know that you are interested by posting a comment!

Next time: Cyber Essentials: Part III: How to address the detailed Technical Requirements of the Cyber Essentials Scheme with a look at all five Controls and the steps that you will need to take to gain certification.


 

This guest post was written by Michael Shuff. You can email him here. Find out more about Cognidox Document Management solutions for ISO standards-compliance by downloading our Information Security white paper at http://www.cognidox.com/cognidox/view/VI-403566-TM

Cyber Essentials: Why your organisation should ‘Get Badged’!

December 16, 2014

What is the Cyber Essentials Scheme – and will Business buy in?

The Jury is assembling. What will businesses make of the UK Government’s ideas on cyber security controls, and is Cyber Essentials worth the cost?

The UK Government’s Cyber Essentials Scheme announced in April 2014 aims to drive awareness of the risks posed by cyber crime, and help smaller enterprises delivering products or services to the UK public sector to defend their IT systems, networks and customers’ data from attacks.

Government is widely encouraging its adoption and is making it mandatory for Central Government contracts advertised after 1 October 2014 which feature characteristics involving handling of personal information and provision of certain ICT products and services. Details are set out in Annex A of the HMG Procurement Policy Note – Use of Cyber Essentials Scheme certification. Action Note 09/14 25 September 2014

How does the scheme operate? Is it a ‘Standards framework’?

Well, no. In a nutshell: The Cyber Essentials scheme has been developed by Government and industry to provide a clear statement of the basic technical controls that all organisations should implement to mitigate the risk from common internet based threats. However, and despite words to the effect that it would be a “kite-marked” standard, Cyber Essentials is being described as a Scheme and definitely not a British Standard (BS).

The scheme’s requirements have been developed within the context of the Government’s 10 Steps to Cyber Security. The documentation so far produced by BIS maps the five Cyber Essentials controls to controls in the ISO27001, ISAME and ISF Standards. The British Standards Institution (BSI) have collaborated on the project (at least in the early stages), as has CREST, who (in their own words) “…were engaged by CESG, the Information Security arm of GCHQ, to develop an assessment framework to support the scheme, which forms a key deliverable of this strategy”. Hence, on the basis of the credibility of the various partner organisations, we can assume that the Assurance Framework will offer, as BIS suggests: “a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions”.

What’s the Government’s purpose in fostering Cyber Essentials?

To begin, more or less, at the beginning. In 2011, the UK Government launched The UK Cyber Security Strategy – ‘Protecting and promoting the UK in a digital world’. The strategy stated the Government’s declared aim to improve the information available to people buying security products by encouraging the development of [sic erat scriptum] security ‘kitemarks’.

BIS was tasked to work with domestic, European and global and commercial standards organisations to stimulate the development of industry-led standards and guidance. This would help customers to navigate the market and differentiate companies with appropriate levels of protection and good cyber security products. Action 24 stated the aim:

Action 24: Encourage industry-led standards and guidance that are readily used and understood, and that help companies who are good at security make that a selling point.

Fast forward three years: then Universities and Science Minister, David Willetts, said at the launch of the Cyber Essentials Scheme in June 2014:

“Cyber Essentials is an easy to use cost effective way to help businesses and the public sector protect themselves against the risks of operating online. … Organisations will now be able to easily demonstrate they are cyber safe – reassuring their clients, boosting confidence and profitability. I encourage all organisations to adopt it.”

However, by the time of the launch hosted by the ICAEW IT Faculty at Chartered Accountants’ Hall in the City of London, Cyber Essentials was less of a ‘standards framework’ in the sense of ISO27001, and more an MOT test for cyber security hygiene. Gone was any reference to the “kite-marked” cyber security standards concept heralded in the 2011 Strategy.

What remained was the idea that the cyber security control requirements would be ‘readily used and understood’ and that they would be a selling point for organisations that are good at putting in place effective security.

This is the Cyber Essentials Scheme; aptly named since the mandated controls are essential to secure any IT system connected to the Internet.

Why is the UK Government promoting ‘cyber security assurance’?

The Government ICT Strategy also sets out how Government is working to make its own critical data and systems secure and resilient from cyber threat. This is important in understanding what is, I would suggest, the primary motivation for introducing the Cyber Essentials Scheme and why it is important for the organisations supplying government to take notice.

Government is working with industry to develop rigorous cyber security and IA standards for ICT products and services supplied to Government and its Public Services Network. In particular they are in the process of raising the standard of cyber security that Government can expect from suppliers for sensitive defence equipment. Just as they already have in place certain requirements on contractors’ physical security, the growth of services supplied to Government that use the internet now means that it makes sense for them to look again at their cyber security requirements.

It’s worth bearing in mind here that, these days, some of the companies providing services to Government are frankly tiny compared say to the Big Four professional services firms or the likes of Capita, Serco and G4S. They include organisations that qualify for membership of the Federation of Small Businesses, classified in the business size categories of micro: 0-9 employees, small: 10-49 employees, and medium: 50-249 employees.

And then there’s the issue of the patchy uptake of ISO27001 and other information security standards by large organisations that would already be expected to have some knowledge or experience of cyber security. Just like their smaller counterparts, and despite the risks that they run, many it seems have only a limited capability to implement the full range of controls necessary to achieve robust cyber protection. The Cyber Security Strategy talks about modelling best practice on cyber security in reference to Government’s own ICT systems, in an effort to set strong standards among suppliers to government to ensure they “raise the bar”.

So what’s wrong with ISO27001 when setting higher standards?

ISO27001 is currently being viewed as too complicated and costly for smaller organisations and, judging by the level of uptake, resisted by too many large organisations to be a realistic alternative to Cyber Essentials. The simple piece of evidence for this assumption is that there were only 1,923 accredited certificates issued to ISO27001 in the UK in 2013 from a total of 22,293 worldwide. However, at the start of 2014, there were 5.2 million businesses in the UK with small firms accounting for 99.3 per cent of all private sector businesses. ISO27001 has been around for 10 years and its predecessor, BS 7799 was published by BSI Group back in 1995. From a politician’s viewpoint, this standard doesn’t appear to be popular with the majority of organisations – certainly when compared to ISO9001 with a respectable 44,985 certificates in the UK, and 1,129,446 globally.

Some would argue that ISO9001 has been around a lot longer, hence the number of certificates issued to date is markedly higher than ISO27001.

ISO 9000 was first published in 1987. It was based on the BS 5750 series of standards, once again, from BSI, that were proposed to ISO in 1979. Even so, if annual growth rates for ISO27001 stick around the 14% mark as was the case in 2013, it will be 20+ years before ISO27001 achieves a third of the certificates issued to the ISO9001 Standard on a global basis. Cyber criminals are not going to wait around while this process continues.

As far as basic hygiene goes, I agree with the Government and GCHQ: businesses need a steer in terms of IT controls and penetration testing – and they need it now, before the damage done by cyber threats worsens.

With Cyber Essentials, any fears over certification costs are not justified. For example, ISAME Consortium is offering a self-assessment route to certification against the Cyber Essentials Scheme costing only £300 +VAT.

The price is right for smaller organisations with limited budgets for cyber security – assuming they are serious about bidding for Government work.

Of course, meeting the scheme’s requirements may cost them a lot more. But then so would a data breach resulting from inadequate cyber security!

Next time: Cyber Essentials: Part II: Does the Scheme involve any form of Risk Assessment and how does this aspect compare with ISO27001?


This guest post was written by Michael Shuff. You can email him here.Find out more about Cognidox Document Management solutions for ISO standards-compliance by downloading our Information Security white paper at http://www.cognidox.com/cognidox/view/VI-403566-TM

ISO27001:2013: What has changed from 2005? – Part III

December 9, 2014

Documentation Requirements set out in ISO/IEC 27001:2013

For those of you who are currently ‘transitioning’ to the 2013 version of ISO27001, and who want to keep any additional workload down to a bare minimum, let’s start with the optimistic news: No changes should be required to your existing documented procedures concerning control of documentation. However, as for the documents themselves, a lot will depend on the approach that you take to the transitioning process itself.

Here’s why. A transition strategy might be one of the following options:

  1. A straightforward “make-over”, taking the minimum necessary changes to the existing ISMS processes and existing documentation; or
  2. Take a completely fresh look at the ISMS, using the revised standard to make improvements, which might be quite significant for some organisations.

There are some really good reasons to go for option 2 that merit several more future blog posts, but for the time being, I shall assume that you simply want to make updates to your existing ISMS documentation in time for the assessor’s next visit. Also, because you are human, you’ve left this rather late and don’t want to look as if you haven’t prepared as well as you should before the fateful day dawns. As always with ISO compliance, the main thing to remember before you make a start is that you need to attend to the Requirements of the Standard first, however tempting it may be to reorganise your Controls; especially given the fact that by now you have probably had the time to peruse for yourself the 114 Control objectives and Controls in the 2013 version of Annex A and realise that they have, to quote an authority on ISO27001 “got mixed up quite a bit”.

At this point, it’s also worth delivering a timely reminder of the fact that no two organisations are identical in terms of their documentation needs – something that a DMS software developer like CogniDox is fully aware of.

A Note in Clause 7.5 of ISO27001:2013 says: “The extent of Documented Information can differ from one organisation to another due to:

  1. the size of organization and its type of activities, processes, products and services
  2. the complexity of processes and their interactions; and
  3. the competence of persons.

As was the case with the 2005 version, the best advice is not to make life complicated for yourself and your organisation by generating too many documents or going for the ‘fine-grained’ detail – no matter how tempting!

Identify first what Documented Information is required by the Standard.

Which documents and records are required by ISO27001:2013?

The requirements for documented information are spread throughout the standard. Here’s a document checklist and the relevant clause numbers.

Required Documents ISO 27001:2013 clause number
Scope of the ISMS 4.3
Information security policy 5.2
(Information on the)
Information security risk assessment process
6.1.2
(Information on the)
Information security risk treatment process
6.1.3
Statement of Applicability 6.1.3 d)
Information security objectives (and Planning to achieve them) 6.2
Evidence of Competence 7.2 d)
Documented information determined by the organisation as being necessary for the effectiveness of the ISMS 7.5.1 b)
Documented Information of External Origin (necessary for the planning and operation of the ISMS) 7.5.3
Operation planning and control (Information necessary to have confidence that processes are being carried out as planned) 8.1
Results of the information security risk assessments 8.2
Results of information security risk treatment plan 8.3
Evidence of the monitoring and measuring of results 9.1
Evidence of the audit programme(s) and the audit results 9.2 g)
Evidence of the results of the management reviews 9.3
Evidence of the nature of non-conformities 10.1 f)
Evidence of the results of corrective action 10.1 g)
Annex A Control Objectives and Controls – Document RequirementsIn addition to the Requirements, there are a number of Controls listed in the Annex A that require documented information; see the Table below.
Inventory of Assets A.8.1.1 (formerly A.7.1.1)
Acceptable use of assets A.8.1.3 (formerly A.7.1.3)
Access Control Policy A.9.1.1 (formerly A.11.1.1)
Documented Operating Procedures A.12.1.1
Confidentiality or non-disclosure agreements A.13.2.4 (formerly A.6.1.5)
Secure systems engineering principles A.14.2.5
Information security policy for supplier relationships A.15.1.1
Response to information security incidents A.16.1.5
Implementing  information security continuity A.17.1.2 (formerly A.14.1.3)
Relevant legislative, statutory and contractual requirements A.18.1.1 (formerly A.15.1.1)

Cautionary note:– The standard allows other documents to be added to improve the level of information security; therefore, what you see above is by no means a definitive list of documents and records that can be used during the ISO 27001 implementation. For example, organisations often include in their information security management system non-mandatory policy, procedure and control documents such as the ones shown below:

Documents ISO 27001:2013 clause number
Procedure for document control 7.5
Controls for managing records 7.5
Procedure for internal audit 9.2
Procedure for corrective action 10.1
Bring your own device (BYOD) policy A.6.2.1
Mobile device and teleworking policy A.6.2.1
Information classification policy A.8.2.1, A.8.2.2, A.8.2.3
Password policy A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.3
Disposal and destruction policy A.8.3.2, A.11.2.7
Procedures for working in secure areas A.11.1.5
Clear desk and clear screen policy A.11.2.9
Change management policy A.12.1.2, A.14.2.4
Backup policy A.12.3.1
Information transfer policy A.13.2.1, A.13.2.2, A.13.2.3
Business impact analysis A.17.1.1
Exercising and testing plan A.17.1.3
Maintenance and review plan A.17.1.3
Business continuity strategy A.17.2.1

 

After you have determined the boundaries and applicability of the ISMS to establish its scope, it is then necessary to make the scope available, both within the organisation and to interested parties. The 2013 wording says:

“the scope shall be made available as documented information (4.3), and this term is used in other clauses; for example, from Clause 5.2 Policy:

The information security policy shall:

e) be available as documented information;

f) be communicated within the organization; and

g) be available to interested parties, as appropriate.

Documented Information that defines the chosen Risk Assessment Process and Risk Treatment Process required by ISO27001:2013

Documented Information in ISO27001:2013 includes the definition of the risk assessment process that establishes and maintains risk acceptance criteria and criteria for performing risk assessments. The documented results of the risk assessment should identify security risks associated with loss of Confidentiality, Integrity and Availability and the Risk Owners.

These risks are then analyzed in terms of their potential consequences, the realistic likelihood of occurrence is determined, and the levels of risk. It is necessary to define and apply an information security risk treatment process to; select treatment options,

  • Determine controls “from any source”
  • Compare controls with Annex A
  • Produce a Statement of Applicability
  • Formulate a treatment plan
  • Obtain owners approval of treatments and residual risks

And…

  • Retain documented information.

At this point, it is worth a moment to reflect that ISO27001:2013 aligns with the principles and generic guidelines provided by ISO31000, a family of standards in which risk management principles, policy, framework and process documentation, the risk culture of the organisation, and the risk recording and sharing system, are all touched upon in the documentation.

If you would like more information and guidance about ISO27001:2013 Requirements, including Risk Assessment Process options and selecting Control objectives and Controls, I will be writing about this subject in a later post – let me know that you are interested by posting a comment!

Next time: Cyber Essentials: what’s all the fuss about another self-assessment process and what is this rumour about penetration testing?

Read the rest of this entry »

ISO27001:2013: What has changed? – Part II

December 1, 2014

Information Security Risk Assessments in ISO/IEC 27001:2013

ISO/IEC 27001:2013 aligns with the principles and guidance given in ISO 31000 (risk management). Therefore, organisations with integrated management systems can apply the same risk assessment methodology across several disciplines. But what are the likely differences between this approach and the risk assessments conducted as part of ISO27001:2005?

Let’s remind ourselves of what an ‘asset-based risk assessment’ is about.

ISO27001:2005 and ‘asset-based risk assessment’ methodology

The first step in a risk assessment was the identification of all information assets in the organisation. That is to say, all the assets which may affect the security of information in the organisation. A value was assigned to each asset in terms of the worst-case impact that the loss of Confidentiality, Integrity or Availability (C-I-A) may have on the organisation. In essence, this was intended as an asset prioritisation mechanism. The higher value assets went through to the next stage, namely identification of the threats and vulnerabilities associated with the higher value assets.

Assets could be associated with several threats. And every threat could be associated with several vulnerabilities. With the battlefield now laid out in this way, i.e. with all the organisations assets assigned an appropriate value and the potential impacts in worst-case scenario determined – the probability of threats exploiting the vulnerabilities was then assessed, along with the impact should this occur, assuming that no controls were in place. A pre-control (or inherent) risk score was then calculated. Risks that scored medium to high were then taken to the next step in the process.

Existing controls or mitigating factors which reduce the impact or probability of each risk were identified. Impact and probability scores were then reassessed to reflect the impact of these controls. Risks with scores that were deemed ‘unacceptable’ (i.e. above the acceptable risk threshold) were then raised on the Information Security Risk Register, were mitigating actions were tracked by the Information Security team, and reported and escalated.

The end game of this process was to design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that were deemed unacceptable.

So what does ISO27001:2013 expect you to do differently to assess Information Risk? Let’s start with Clause 6, which is headed Planning.

6.1 Actions to address risks and opportunities

When planning for the information security management system, ISO27001:2013 says that the organisation “shall consider the issues referred to in 4.1 [Understanding the organisation and its context]”. This means determining external and internal issues that are relevant to its purpose. Skip to 5.3 Organisational roles, responsibilities and authorities, and we find that it is the role of “top management” to ensure that the responsibility and authority for roles relevant to information security and assigned and communication. Specifically, they shall assign responsibility for ensuring that the information security management system (ISMS) conforms to the requirements of the International Standard, and, that the performance of the ISO27001:2013-compliant ISMS is reported to top management. Note as well that in 6.1.1, actions to address risks and opportunities include in 6.1.1(c) achieving “…continual improvement’.

Top-level Information security policy in ISO 27001:2013 does not need to establish criteria against which risks will be evaluated – this was the requirement of ISO 27001:2005 4.2.1 b); however, you will still need to define the risk assessment criteria, but not as part of the top-level policy.

In ISO 27001:2013 you need to identify risk owners for each risk.

The 2013 revision does not require a so-called asset-based risk assessment, as outlined above, i.e. which would identify the risks based on assets, threats and vulnerabilities. Rather, in ISO27001:2013, your organisation can identify risks using some other (perhaps one more familiar to risk managers?) risk methodology. Significantly, in ISO 27001:2013 ‘asset owners’ are replaced by ‘risk owners’ [See Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013 [PDF], published by BSI UK, page 4.]

What exactly is a ‘risk owner’? ISO 27000:2014 defines the risk owner as a “person or entity with the accountability and authority to manage a risk”. It is worth remembering that the ‘asset owners’ as defined in ISO/IEC 27001:2005 very often did not have the authority to resolve potential information security risks. The 2013 version addresses this problem by requiring that risk owners approve the information security risk treatment plan and accept of the residual information security risks. Risk owners are also responsible for monitoring risks assigned to them.

Clause 6.1.2, Information security risk assessment, specifically concerns the assessment of information security risk. In aligning with the principles and guidance given in ISO 31000, this clause removes the identification of assets, threats and vulnerabilities as a prerequisite to risk identification. This widens the choice of risk assessment methods that an organisation may use and still conform to the standard. The clause also refers to ‘risk assessment acceptance criteria’, which allows criteria other than just a single level of risk. Risk acceptance criteria can now be expressed in terms other than levels, for example, the types of control used to treat risk. This is the clause that refers to ‘risk owners’ rather than ‘asset owners’ and later (in Clause 6.1.3 f)) requires their approval of the risk treatment plan and residual risks.

Selection of controls from Annex A is no longer a requirement?

Clause 6.1.3 describes how an organisation can respond to risks with a risk treatment plan; an important part of this is choosing appropriate controls. It is similar to its counterpart in ISO/IEC 27001:2005, however, it refers to the ‘determination’ of necessary controls rather than selecting controls from Annex A.

The 114 controls in the 14 groups listed in Annex A are now used to determine whether any necessary controls have been omitted (see Clause 6.1.3 c)). Annex A has effectively become a reference source against which you can cross-check the controls determined in 6.1.3 b) with “a comprehensive list of control objectives and controls”, in order to ensure that “…no necessary controls are overlooked”. – A significant change.

Statement of Applicability (SOA) – is it required and what format?

In keeping with ISO 27001:2005, organisations are still required to produce a Statement of Applicability (SOA). The format of an ISO/IEC 27002:2013 conformant SOA doesn’t need to be different from the previous standard. However, be aware that the control set is different.

Organisations transitioning to ISO/IEC 27001:2013 will be required to update their SOAs. When doing so, you will need to ensure that control implementation strictly conforms to the new wording given in Annex A.

Next time: In ISO/IEC 27001:2013 the requirements for documented information are no longer summarised in a clause of their own, as they are in the ISO/IEC 27001:2005 Standard; instead, they are spread throughout the standard, presented in the clause to that they refer to.

I will list these clauses and what Documented Information you need.

Read the rest of this entry »

ISO 27001:2013 – What has changed from the 2005 version?

November 20, 2014

The short answer is ‘A lot more than many professionals currently think’.

To start, though, the basic facts: ISO/IEC 27001:2013 is the first revision of ISO/IEC 27001. ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) for any organization, regardless of type or size. Some organizations choose to implement the standard in order to benefit from the best practice it contains while others decide they also want to get certified to reassure customers and clients that its recommendations have been followed. ISO/IEC 27001:2013 is not obligatory in most jurisdictions, but the standard does provide much-needed market assurance. An ISO 27001:2013-certified Information Security Management System (ISMS) gives the market confidence in an organization’s ability to look after information securely. Confidence that it will maintain the ‘confidentiality, integrity and availability’ of customer information and as a result, protect its own and its partners’ reputation.

keyboard lock icon What is the underlying purpose of the ISO27001:2013 Standard?

Put simply, the ISO 27000 family of standards helps organizations keep information assets secure. They help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.

ISO/IEC 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS).

Whereas in the past, government and large organisations required their suppliers to be ISO 9001-compliant, now those who provide lucrative contracts are also looking for assurances from their suppliers with regards to ISO/IEC 27001.

Large-scale enterprises have a duty of due care to preserve the security of the information in their custody – increasing founded on legal requirements for Data Protection. If that information is shared with a supplier, then the company would be failing in its duty of care if the supplier’s handling of that information was inherently insecure for lack of adequately defined policies, procedures and controls that form a management system. Whether the company chooses to do this for reasons of governance or market assurance, the pressure is mounting to do the right thing even if the cost of standards compliance seems high. Therefore, increasing numbers of organisations are choosing to adopt ISO27001:2013.

Is your Information Security Management System (ISMS) ISO 27001:2013 compliant?

It will need to be if you are to achieve UKAS-accredited ISO27001:2013 certification in the year to come.

One year after publication of ISO/IEC 27001:2013, the IAF has issued a resolution stating that “…all new accredited certifications issued shall be to ISO/IEC 27001:2013″. [See: Transition to ISO/IEC 27001: 2013 – Updated June 2014, UKAS]. This means that UKAS-Accredited Certification Bodies CBs have not been issuing any new accredited certificates to ISO/IEC 27001: 2005 since September 2014. Organizations that previously complied with the requirements of ISO27001:2005 are required to transition promptly to the 2013 version of the standard, and transition audits will be carried out at the next scheduled visit to each certified client. It is time to embrace the changes in ISO/IEC 27001:2013.

So what can you expect from ISO27001:2013 that is different? Two basic changes need to be understood straight away; they are:

  1. Move to the Annex SL structure

The ISO has determined that all new and revised management system standards must conform to the high level structure and identical core text defined in Annex SL to Part 1 of the ISO/IEC Directives. Conformance will mean that management system requirements that are not discipline-specific will be identically worded in all management system standards. This change will also apply to the much-anticipated revision of ISO 9001 Quality Management System standard when it is published in late 2015.

  1. Alignment with ISO 31000 Guidance for Risk Management

The ISO also decided to align ISO/IEC 27001 with the principles and guidance given in ISO 31000 (risk management). This is good news for integrated management systems as now an organization may apply the same risk assessment methodology across several disciplines, including information security risk. The asset-based risk assessment in the 2005 version of the standard required the identification of asset owners both during the risk assessment process and as control A.7.1.2 in Annex A.

The 2013 revision doesn’t have this requirement and only references asset ownership as control A.8.1.2 in Annex A – about which, more later. Although the A.8.1.2 Ownership of Assets control says that “Assets maintained in the inventory shall be owned”, ISO27001:2013 allows organisations to choose the risk assessment methodology most appropriate for their needs.  The identification of assets, threats and vulnerabilities as a prerequisite to the identification of information security risks is no more!

The 2013 version says that the organization shall define and apply an information security risk assessment process that:

a) establishes and maintains information security risk criteria that include:

  1. the risk acceptance criteria; and
  2. criteria for performing information security risk assessments;

The information security risk assessment should produce “…consistent, valid and comparable results”; identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the ISMS; and, importantly in consideration of the changes, “identify risk owners”. Analysis and evaluation of information security risks are also required, including determining the realistic likelihood of a risk occurring and the levels of risk posed. You are required to compare the results of risk analysis with the risk criteria established in 6.1.2 a) and prioritize the analysed risks for risk treatment.

In Part II of this post, I will look at the following considerations:

How to apply the CIA requirements mentioned in the standard at business objectives level. In particular, at how to conduct a Risk Assessment on business objectives at a high level that will drill down to the actual risk present at the information level, taking account of the InfoSec objectives that are fundamental to the control of specific vulnerabilities and threats.


This guest post was written by Michael Shuff. You can email him here.

Find out more about Cognidox Document Management solutions for ISO standards-compliance by downloading our Information Security white paper at http://www.cognidox.com/cognidox/view/VI-403566-TM

New release of OfficeToPDF server-based PDF conversion tool

August 26, 2014

We’ve made a new release (1.4) of our OfficeToPDF open source project and pushed the code to its usual home on CodePlex (http://officetopdf.codeplex.com/releases/view/129209).

Apart from a general improvement on stability and exception-handling, the latest version can now support PDF conversion of additional file types:

  • Microsoft Project mpp files (requires MS Project >= 2010)
  • Microsoft Visio vsdx, vsdm files (requires MS Visio >= 2013)
  • Comma-separated values (CSV) files
  • OpenDocument odt, odc, odp files
  • Microsoft PowerPoint Template pot, potm, potx files

It also added new flags such as /markup to allow document markup in the PDF when converting Word documents or /pdfa which creates PDF/A files in supported applications (Powerpoint, Word, Visio & Publisher).

If you measure popularity as a function of number of downloads and user reviews, it’s true that OfficeToPDF isn’t the most popular of our various open source projects. But it addresses a very specific need and user feedback gives us the impression that it’s considered very useful.

We started OfficeToPDF back in the day when fewer applications could save as PDF and we wanted a tool that converted documents via a command line utility on the server rather than on individual desktop / laptop clients. We had an integration then with a leading third party PDF conversion and assembly tool. The USP for that tool was that it could convert from a very large number of document types, and it could be linked to ECM products.

But, the majority of the types supported were never actually encountered by our users, and we were primarily interested in integration with our CogniDox tool. The company seemed to go through a business model change and the most obvious impact of that was a hike in prices. The cost per server now started in the $20K to $24K range, and the annual support was considered high as a result. Most of our users stopped using it and switched to OfficeToPDF instead.

Our house rule is that if any of our CogniDox technologies can stand alone and serve a purpose independent of the CogniDox application, then we open source it. As a conservative estimate, we’re ‘giving away’ at least $10K of value in this software. We still get the occasional request from people to buy a license, and they seem a little confused when we send them the download link and tell them it’s free.

The fact that other developers can freely integrate this code into their process tools and adapt the code to their needs is just as important as zero cost.

Maintaining open source projects when you are busy working “to keep the lights on” isn’t always easy, and it takes a well-funded project to build up a sizeable developer (as opposed to user) community that can help. It still feels good to do it, in the pure spirit of open source development.

Do You Trust Your Ex-Employees?

August 20, 2014

It’s one thing to ask whether companies truly trust their employees with company information, but I think most would agree that trusting their ex-employees is definitely not desirable.

I was thinking about this while closing down the logins of a recent leaver on our various SaaS accounts. The internal systems were relatively straightforward – it’s all controlled via a directory service so one inactivation command disabled all logins to our tools.

1f6525ad-b838-48ed-afff-f83fc9e44d8d.jpegBut, like many companies out there we’ve signed up to various ‘must have’ SaaS applications running on the public cloud. I’m talking about sales tracking tools, sites for desktop screen-sharing, and of course social media sites. The social networking sites are arguably the worst because they accept credentials from consumer-facing sites (e.g. Twitter, Google, Facebook, Hotmail) and therefore blur the distinction between your personal sites and company / enterprise usage. If you sign up to a work-related account using your personal email address, it can bring problems for you as an employee. With things like Microsoft accounts, where you can associate multiple email addresses with a single account, an employee who has joined a work email address with a personal address runs the risk of their former employer locking them out of their personal account by using their former email address to gain access.

Add to this the security problems caused when an ex-employee’s devices are hacked or stolen – along with the linked work accounts. An employee might alert the company to the problem, but would an ex-employee do the same?

Going back to my task-in-hand, there was no fear in this case of a ‘bad leaver’. It was just a chore trying to remember all the places we’d shared or granted access to accounts. We were so quick to sign up when we found a good application, but we kept no records because ever shutting down these accounts seemed a remote possibility.

It would seem from some survey stats out recently that many companies don’t even bother to try closing accounts. One survey found that 89% of ex-employees could still access very confidential information using their ‘old’ logins. This data is on sites such as Salesforce, Facebook, Google Apps, etc. It also found that 45% of these ex-employees did login at least once. That’s close to another stat I’ve seen where 51% of companies found that ex-employees tried to access company data.

IT departments would argue that part of the problem here is that nobody (apart from the users of course) knows these applications are in use. Staff create workspaces on the file sharing sites because it serves a pragmatic need during one busy period or another. The same solution is then re-used to store files that might be needed when access to the company network isn’t possible or convenient. That’s why a huge 68% admit to storing work information in their personal file-sharing cloud.

Another real possibility is that passwords for these applications are shared. There are various reasons for this, but chief among them is avoiding cost and maximizing simplicity. So, say five people have access and one leaves the company. The other four still need to carry on using the tool. Do they remember to change the password? Probably not.

It’s in the interests of SaaS vendors to make the sign-up process as easy as possible. But while I was struggling with the chore of closing down those accounts, my allegiance was definitely with those who warn us about the lack of security that this can bring.

Like many things, a little planning and record-keeping will help in the long run. Here are some suggestions to bear in mind:

  • Keep a list of services you’re using – help IT by sharing the list with them
  • When signing up for a site, spend some time finding out how to manage accounts for the day you need to disable / remove an account. Keep a record of the process somewhere central
  • As part of your social media policy explain to employees that mixing personal email addresses with work accounts is not a good idea
  • As part of the employee exit process include a task that encourages them to remove their former work email from any personal accounts

Virus-infected Office Macro threats and self-signed SSL certificates

July 9, 2014

I saw an article today whose headline (“Remember macro viruses? Infected Word and Excel files? They’re back…”) drew my eye. It also got coverage on The Register in their usual style :-).

The gist is that virus-infected Macros fell out of fashion due to security changes in Office, but now the target is the User rather than Office. The aim is to persuade the User that the document is more secure because the macro is present and to just click to enable the content.

The article (and the comments that follow) are mostly about random documents sent to you from somewhere out there on the Internet. Clicking to open those (let alone to enable macros) is rarely a good idea.

Inside an Enterprise, macros are used more frequently than the article needs to acknowledge. They’re used to add extra automation functionality to Word and Excel. In this case, the macro-enabled document is often from a known colleague and the enterprise web domain from whence it came is a trusted zone.

Typically, a layered security model would be used inside an enterprise to defend against this threat.

The first perimeter layer should be mail scanning – do you really need macro-enabled documents coming in? If not, block them from inbound mail.

The next layer should be that all the client PCs are up-to-date with anti-virus signatures. Check that your enterprise anti-virus solution is scanning Office documents. This catches cases where a document has come in from a USB stick or a file sharing service like DropBox.

Application level filtering such as setting the macro security to “Disable all macros except digitally signed macros” provides a final layer, but it has the disadvantage that signing isn’t well understood.

A way to improve security (not mentioned in the article) for behind-the-firewall macro-enabled usage is to generate and use a self-signed SSL security certificate. These are not so suitable for public websites, but are useful for internal sites and applications such as code signing (to confirm the software author and guarantee the code has not been altered). This is especially true if the organisation is large and there’s a chance the colleague sending the file is not known to the recipient.

Self-signed certificates can be created for free using a tool such as the OpenSSL toolkit, which can be used to generate an RSA Private Key and CSR (Certificate Signing Request) for Linux/Apache environments. In a Windows based environment, you can use a tool such as SelfCert.exe, or generate a code signing certificate using Microsoft Certificate Services.

In some implementations the end-user will still get a warning and have to accept the certificate. Some argue this can promote bad habits if end-users become blasé about accepting SSL certificates because “they were told to”. However, in the internal enterprise model we are addressing, the way around this is to pre-install the SSL certificate on every machine. That way, the trust question is never asked. A means to achieve this is for IT departments to push the certificate out as a trusted publisher to client PCs using group policies. Read this Microsoft technet article for more detail.

Improve Email Management with CogniDox DMS Integration

June 17, 2014

Sorry to state the obvious, but you receive a lot of emails and your number of unread messages only ever seems to go up.

It’s not just you. The statistics1 say you are one of around >3 billion worldwide active email accounts, and you are in line to receive your share of around 150 billion total worldwide emails per day. On average, corporate users send or receive around 120 emails a day – roughly 80 received and 40 sent. Other studies suggest that the average knowledge worker spends 14.5 hours per week reading and answering emails.

You can tweet and update your social media statuses as much as you like, but your email inbox will still contain the same number of messages. And, that will likely increase by around 5% in the next 12 months.

There is a lot of criticism of email along the lines that it shreds our attention for other tasks and kills our productivity and time management. Yet, the email client continues to be our business “command and control centre” where work is received and tasks are delegated.

Perhaps the better strategy is to improve email, not replace it.

Researchers identified the problems that people experience with task management in email as far back as 20032, but the changes required to solve these are only slowly appearing in email clients. For example:

  • Most email clients support threading of messages via Find Related or Open Message in Conversation.
  • Most email clients allow you to establish rules that sort email into different folders as it arrives.
  • It is usually possible to create a to-do list from the email message.
  • Tools such as Google Priority Inbox or SaneBox use machine learning to decide which emails appear in your ‘important’ list and which get moved to a folder for later reading.
  • A number of email client add-on / plug-in tools combine social information about contacts with emails from/to those contacts.

But some problems with email should probably not be solved in the email client.

Email is at its best as a notification engine, and email used as file storage is not playing to its strengths (ask any Exchange Server administrator :-)). Other business applications are better at managing content. For example, using email attachments to forward documents for review is not a good idea. If anything changes that requires a new version of the document, the reviewers have to sort and search their email messages to make sure they respond to the correct version. Links in email messages to a document repository are a much better idea. Generating those email notifications as part of a document review workflow in the document control system is even better.

Another example is receiving emails (with or without attachments) from external sources that need to be shared with a wider team. An example might be a bid / tender process where the Sales Account Manager receives a set of documents that require a response or completion. Rather than forward these in email, better to store them directly in the document repository where they can be version controlled, reviewed, and edited until the content is final and approved.

To follow on from that with another example, at some point the approved documents need to be sent back to the sender. It is much better if that can be done by directly referencing the document in the repository (rather than the one saved to a hard drive or sent as an email attachment). It removes the opportunity for error.

One ‘problem’ for achieving this is that we use so many different email client applications to read our emails. At present, around 50% is done from Mobile devices; the rest from Desktop and Webmail (around 30% and 20% respectively). But in the business office environment the typical usage is desktop-based, with Microsoft Outlook as the most widely used email client.

This is very similar to the fact that the majority of documents that end up in a document repository are produced using the Microsoft Office desktop tools – Word, PowerPoint, and Excel. In a previous software release we dealt with that by providing an add-in for those applications. The aim was to encourage good practice (storing documents in a controlled manner) without having to leave the tools in which they were created.

The solution for better email management therefore is to extend our Microsoft Office Add-in to include support for Outlook.

There was an important shift with the introduction of Outlook 2007 which brought in a new UI and event interface. It’s different enough to make us decide not to support Outlook 2000, 2003 or Express. The Outlook add-in is compatible with Outlook 2007, 2010 and 2013 running under Microsoft Windows XP, Vista, 7 and 8.

We also had a constraint that our internal CogniDox API had to be extended to support email integration. We made the required changes in CogniDox 8.8.0, and so using that version (or later) is mandatory to make use of the latest Add-in version.

What the new Add-in provides for Outlook are features such as:

  • Save an Outlook .msg file as a document in CogniDox (can include attachments)
  • Save one or more attachments from email message as individual documents in CogniDox
  • Attach a CogniDox document as a link to email during composition (for internal recipients)
  • Attach a CogniDox document as a file to email during composition (for external recipients)

The Outlook Add-in appears as a sidebar in the same style as the Word, Excel and PowerPoint add-ins. One extra feature is support for drag and drop: for example select a message in Outlook and drag it onto either a category or a document title in the Browse View. It will then either create a new document or version, either as a draft or issue.

The new Add-in and User Guide are available as follows:

You will need a user account to access the support site. The software is free to download for existing customers.

Notes:

1 Based on various reports from The Radicati Group Email Statistics Reports http://www.radicati.com/

2 Bellotti, V., Ducheneaut, N., Howard, M., Smith, I., Taking Email to Task: The Design and Evaluation of a Task Management Centred Email Tool, 2003 [PDF]

The Technology Behind LinkedIn Publish

June 11, 2014

LinkedIn has opened its publishing platform called LinkedIn Publish to the rest of us that are not “Influencers”. You know you have this feature if there is a pencil icon in the “Share an update” field on your LinkedIn homepage. If you don’t, you can ask for access here: http://specialedition.linkedin.com/publishing/.

It’s been promoted as a way to publish “long form posts” (as opposed to the limited character length status update). Not exactly clear why this isn’t called a blog, but maybe it’s to avoid comparison with the other blogging platforms.

The social media commentators have been active in discussing it, and their advice on whether to use it seems to be: Why not? It’s another way to get engagement. And, it’s a more focussed and targeted audience then other platforms.

But it isn’t a ‘silver bullet’. You need a large number of connections or followers to be effective and your content needs to be read, liked, and shared to be promoted. There’s also the assumption that your connections are interested in what you have to say – many of us have a mixed bag when it comes to LinkedIn connections. When I joined (in 2004, according to my Account info) the main rationale was to stay in touch with former work colleagues. They are now doing all manner of things, and not necessarily interested in what I am doing today.

I have no insights into whether this or Facebook, Google+, or something else is the future of social media. So I did the obvious geeky thing and looked instead at the technology. The rich text editor they’re using is TinyMCE (the main alternative is CKEditor). It’s been themed in the LinkedIn style but otherwise looks like an ‘out of the box’ TinyMCE toolbar. You can do the expected things like embed images and other media, but you can’t use embedded HTML. That still means you can (for example) embed a video sharing code, so it may not be all that important to you. But you can use HTML in WordPress.

If you follow the advice I’ve seen on the web and use Microsoft Word to edit the post then directly copy/paste into TinyMCE, I think you will encounter formatting issues sooner rather than later.

One major difference / deficiency compared to WordPress is the lack of categories / tags that you can assign to a post. That will severely hamper search for your future readers when you’ve amassed a decent number of posts. If I understand correctly, tagging your content to suitable channels is something that LinkedIn Publish does by algorithm. You can’t control it.

Also, WordPress is more transparent when it comes to where your posts are stored. It’s my guess this post will be stored at one of the two LinkedIn data centres in either Virginia or Texas. But it’s under their control, not mine.

It raises two thoughts for me. The first is that I’d prefer to have my content stored in a document control repository (for version control, review, approval) and then upload it automatically to the LinkedIn Publish site. The second is that marketing folk will want to publish content to many sites (content syndication) and it might be a good feature for us to consider adding LinkedIn Publish to our existing WordPress publishing plug-in. One for the roadmap.


Blog