IT security demystified

Updated 10.12.11

IT as a profession when compared to other professions is relatively new. As such even 10-15 years ago, many ‘control measures’ used within the profession currently either did not exist or were not used by many organisations. I will use the word ‘control measures’ to describe all the standards, laws, frameworks and best practice guidelines as a collective for the purpose of this blog post. As the profession has matured, a plethora of ‘control measures’ have continued to emerge and organisations have adopted these ‘control measures’ as their IT has matured. The purpose of today’s blog post is to clarify these ‘control measures’ to aid further adoption where required. All these ‘control measures’ arrive with a caveat however. Organisations need to find an acceptable level of ‘control measures’ that ensure that the organisation is adept at dealing with security threats and any prevailing laws that affect it, locally or globally. If organisations are not careful, they could spend unnecessary amounts of time implementing different but complementary ‘control measures.’ The best is to find happy mediums that will allow the organisation to meet its business objectives without spending too much time on ‘control measures.’

This is a topic for another day but I have seen many organisations’ spend enormous amounts of time on preparing the ‘perfect’ business case consisting of 100’s of pages and not enough time on planning to ‘fit business requirements’ or actually actioning the project (too much planning, not enough action). The same is true for ‘control measures’, even with ‘control measures’ such as Sarbanes Oxley and Basel II, the banks still managed to crash the world economy (averted only by global governments leading ‘control measures’). Let’s also not forget that no system is completely 100% secure either! I will cover as much as I can today and hope that if I miss anything, my readers can engage as usual and assist in not only filling in the blanks but making it a truly interactive discussion.

According to the Symantec 2010 state of enterprise security study (Click here for 2011 study)  You Tube 2010 (Click here for You Tube 2011), 75 % of organisations are losing on average $2 million annually ($2.8 million for the largest ones).The study found that 42 percent of organisations rate security their top issue. This isn’t a surprise, considering that 75 percent of organisations experienced cyber attacks in the past 12 months. These attacks cost enterprise businesses an average of $2 million per year. Organisations reported that enterprise security is becoming more difficult due to understaffing, new IT initiatives that intensify security issues and IT compliance issues. The study is based on surveys of 2,100 enterprise CIOs, CISOs and IT managers from 27 countries in January 2010.’ Symantec’s study found that organisations are exploring approximately 19 different standards or frameworks and are using 8 of them. I am predominantly covering these 8 and a few others.

Firstly, let me quickly define the four ‘control measures’ that I will be using (Courtesy of Dictionary.com):

1. Standards:

Something considered by an authority or by general consent as a basis of comparison; an approved model.

2. Frameworks or Best practice guidelines:

I. Frameworks – A set of assumptions, concepts, values, and practices that constitute a way of viewing reality.

II. Best Practice – A technique or methodology that, through experience and research, has reliably led to a desired or optimum      result. For example, a manual documenting best practices in the industry.

My research shows that these two terms are used inter changeably, so to avoid further confusion, I will be bundling them together.

3. Law:

Any written or positive rule or collection of rules prescribed under the authority of the state or nation, as by the people in its constitution. For example, statute law.

There is a good article in this week’s Computing regarding IT security that mentions a book by Alan Calder ‘IT Governance: a manager’s guide to information security and BS7799/ISO17799.’ The book is on my ‘to read’ list now and is the selected text for Open University’s Information Security Management Course, according to the reviews.

1. Standards:

I. ISO 27001 consists of two parts. ISO/IEC 27001:2005 (formerly BS 7799-2:2002) that specifies Information Security Management  and ISO/IEC 27002:2005 (previously named ISO/IEC 17799:2005) that specifies the code of practice for Information Security Management. An important aspect to remember regarding this standard is that it replaces and incorporates the old BS 7799 standard. In my opinion, this standard should be adopted by most organisations, especially global players.

II. ISO/IEC 20000 defines the requirements for a service provider to deliver managed services. ITIL provides good practice guidelines, advice and options that can be selectively adopted and adapted. ISO/IEC 20000 is a standard in two parts. Part 1, ISO/IEC 20000-1 is the distillation of the “must do” practices of service management. Part 2, ISO/IEC 20000-2 is a code of practice giving advice. Achieving ISO/IEC 20000 is undertaken when organisations want to test and prove they have adopted ITIL advice.

III. Basel II is the second of the Basel Accords that are recommendations on banking laws and regulations issued by the Basel Committee on Banking Supervision (BIS). The purpose of Basel II, is to create an international standard that banking regulators can use when creating regulations about how much capital banks need to put aside to guard against the types of financial and operational risks banks face. Basel II holds financial institutions accountable for the economic consequences of high operational risk (e.g., the neglect of data security) and helps reap the economic rewards of lowering operational risk (e.g., the deployment of data security measures). Within its three “pillars” of thought—(1) Minimum Capital Requirements; (2) Supervisory Review; and (3) Market Discipline—Basel II addresses several key security requirements.

IV. PCI DSS – The Payment Card Industry Data Security Standard . The Payment Card Industry (PCI) data security framework was created by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International. Prior to 2004, each of the associations had a proprietary set of information security requirements which were often burdensome and repetitive for participants in multiple brand networks. The associations subsequently created a uniform set of information security requirements for all national card brands. These requirements became known as the PCI Data Security Standard (PCI DSS), governing all the payment channels: Retail, mail orders, telephone orders and e-commerce. The PCI DSS framework is divided into 12 security requirements.

V. The Standard of Good Practice for Information Security is compiled by the Information security forum with 300 member organisations globally. According to its website:

‘Included in the Standard are topics that are extremely important to many organisations including:

  • Controls aimed at complying with legal and regulatory requirements, such as Sarbanes-Oxley Act 2002, the Payment Card Industry (PCI) Data Security Standard, Basel II 1998, and the EU Directive on Data Protection.
  • Coverage of all the main security controls in other major information security-related standards, such as ISO/IEC 27002 (17799) and COBIT.
  • ‘hot topics’ in information security, such as Threat Horizon, Digital Rights Management, Eurosox and Virtualisation (e.g. reflecting the output from ISF Briefings and ‘Future Watch’ projects).’

2. Frameworks or Best practice guidelines

I. ITIL (UK) – The Information Technology Infrastructure Library (ITIL) is a set of concepts and practices for managing Information Technology (IT) services (ITSM) that includes security management. It describes the organisation of IT resources to deliver business value, documents processes, functions and roles in IT Service Management (ITSM). ITIL introduced the concept of service desks intended to provide a Single Point of Contact and a common database to meet the communication needs between the users and IT providers. The original version of ITIL was developed at the same time as, and in alignment with BS 15000, the former UK standard for IT Service Management. BS15000 was fast-tracked in 2005 to become ISO/IEC 20000, the first international standard in ITSM.

II. COBIT (USA) – The Control Objectives for Information and related Technology is a set of best practices (framework) for information technology (IT) management and is complementary to ITIL. It is an open standard published by the IT Governance Institute and the Information Systems Audit and Control Association. To read how ITIL, COBIT and ISO 17799 can be aligned, Click here. ISACA have recently made available mapping ITIL V3 to CoBit 4.1, click here for more details.

III. CIS – (The centre for Internet security) provides benchmarks for best practice standards for security configurations. When the Payment Card Industry Data Security Standard (PCI DSS) published its requirements it cited CIS Benchmarks.

3. Law (for more information, please refer to my previous blog post International and UK Law and how it relates to IT and Computers):

I. HIPAA (USA)The Health Insurance Portability and Accountability Act (HIPAA) of 1996 (enacted by US congress in 1996).  It protects health insurance coverage for workers and their families when they change or lose their jobs. The Security Rule is a key part of HIPAA. The primary objective of the Security Rule is to protect the confidentiality, integrity, and availability of EPHI when it is stored, maintained, or transmitted.

II. Sarbanes Oxley (USA)The bill was enacted as a result of major corporate accounting scandals including Enron and WorldCom. According to Mark Rasch, ‘IT security is important under SOX only to the extent that it enhances the reliability and integrity of that reporting. Because of SOX’s reliance on controls, the Committee of Sponsoring Organizations of the Treadway Commission (headed by former SEC member James Treadway) developed a series of controls for financial processes which are now known as the COSO guidelines. COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting. For IT auditors, the relevant guidelines are COBIT (Control Objectives for Information and Related Technologies) which is an open standard published by the IT Governance Institute and the Information Systems Audit and Control Association. (In the UK, there is the IT Infrastructure Library, published by the Office of Government Commerce in Great Britain which compliments COBIT.) These are a series of IT controls which should be in place in order to make such a SOX certification with respect to IT.’

III. Data Protection Act (UK) 1998 – Defines UK law on the processing of data on identifiable living people (extended the scope of data protection beyond automatically processed data). It was enacted to bring UK law into line with the European Directive of 1995 that required Member States to protect people’s fundamental rights and freedom, in particular their right to privacy with respect to the processing of personal data. In practice it provides a way for individuals to control information about themselves. In terms of IT security the data needs to be Secured against accidental loss, destruction or damage and against unauthorised or unlawful processing – this applies even if the business uses a third party to process personal information.

In summary, Symantec’s study found that organisations are exploring approximately 19 different standards or frameworks and are using 8 of them. This is without taking into account specific areas and industries. Any organisation’s IT security strategy should take into account these three areas of standards, Frameworks or Best practice guidelines and law and ensure that it selects appropriately from within these three areas. On going developments such as the recent health care reform bill (USA) will continue to have their own implications on IT security.

Advertisements

International and UK Law and how it relates to IT and Computers

Even when I was in university, I used to be both fascinated and confused by law. It was just as well that I had to contend with just one module of law as I made a conscientious decision that when I embarked on my career, I would leave the law and related computer crime etc to lawyers. As most of my regular readers know by now, I am usually sat around subconsciously searching for a topic. I don’t usually have a list of topics lying around and usually during the week something happens that leads to an article being posted. Well, it’s either that or on the weekend, I have a sudden panic attack that leads to me writing or babbling on about something. A few days ago, something similar happened that has led all of us to this post.

While researching, I came across an intriguing paper by Warren B. Chik, titled Challenges to Criminal Law Making in the New Global Information Society: A Critical Comparative Study of the Adequacies of Computer-Related Criminal Legislation in the United States, the United Kingdom and Singapore. This led me to find another interesting paper released by the UK home office on The police recording of computer crime that seeked to contribute to the Home Office and law enforcement efforts in tackling the lack of visibility of computer crime offending, a situation that was hampering efforts to assess and tackle the problem.

Let me clarify a few things first before we go international. British law is based on common law. The underlying principle of common law is the principle that it is unfair to treat similar facts differently on different occasions. IT and computers are not likely to be governed by common law, unless there is a case precedent.

The next one is Tort law concerns civil wrong doings and is used as a civil action by one citizen against another. Tort law may be used in some cases of IT/Computers, for example under the Tort of negligence and copyright infringement.

The last one that I want to discuss is statutory law. This is the law that has been passed by parliament. ‘Statute’ is generic and collective, while ‘act’ is specific and singular. An act is thus a statute, and the acts generated by a legislative body are collectively referred to as satutes, but ‘act’ is normally used in the formal title of a statute. You could thus talk about ‘the statute on rural land use planning’ or ‘the statutes regarding rural land use planning’, but the title(s) of the actual statute(s) would be something such as ‘Rural Land Use Planning Act’.

As the UK is part of the European Union, the UK is subject to the Law of the European Union. That means that EU law has direct affect within the member states and overrules any other existent law.

In addition to the measures above, internationally, many governments assist each other through Extradition treaties. This is the official process whereby one nation or state surrenders a suspected or convicted criminal. In the UK, the Extradition Act 2003 underpins the high profile case of Gary McKinnon.

As I said in a previous post, the ugly side of social media, UK’s national law is adequate for dealing with national social media abuse but there are no international agreements/treaties in place where a cross border offence happens, for example, significant online abuse is concerned involving two individuals in two different countries. The encouraging factor I found during the investigation of that post was that even countries such as Pakistan have produced legislation to combat electronic crimes. The main act to combat computer crime within the UK is the Computer misuse act 1990

The scope of Computer law is to protect individuals and liberty, so these are the current laws applicable within the UK:

Human Rights

  • Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms 1950 (not enforced in UK until November 2000)
  • UK Human Rights Act 1998
  • Consumer protection act 1987

Freedom of Information

  • UK Freedom of Information Act 2000

Data Protection

  • Data Protection Act 1998 (extended the scope of data protection beyond automatically processed data)
  • The Privacy and Electronic Communications Regulations 2003 – EC Directive

Health and safety

  • UK Health and Safety at Work Act 1974, supplemented by
  • UK Health and Safety (Display Screen Equipment) Regulations 1992

Rights of disabled  people

  • Disability Discrimination Act 1995 and 2004

Intellectual property rights

  • Registered Designs Act 1949
  • Design Rights (Semiconductor) Regulations 1989
  • Patents Act 1977
  • Trade Marks Act 1994
  • Copyright, Designs and Patents Act 1988 amended by:
  • Copyright (Computer Programmes) Regulations 1992
  • Copyright and Rights in Databases Regulations 1997
  • EC Directive  on  the  Harmonisation  of  certain  aspects  of  copyright  and  related  rights  in  the  information  society  2001 (should  have  been  implemented  in  EC  countries  in  2002;  is  proving  controversial  and  has  not  yet  been  implemented  in  UK  law)

Contracts  for  computer  systems  and  software

  • Supply of Goods and Services Act 1982 (Software)
  • Sale of Goods Act 1979 (Hardware)
  • Misrepresentation Act 1967 (Hardware)
  • Unfair contract terms act 1977

Electronic  commerce  and  contracting

  • Consumer protection – Distance Selling Regulations 2000

Torts

  • Civil liability may attach to a person independently of the existence of a contract; I.e. negligence, defamation, malicious falsehood and nuisance
  • Computer  Misuse  Act  1990  is  now  in  urgent  need  of  reform,  but
  • Computer  Misuse  (Amendment)  Bill  2002  was  not  passed  by  parliament

Unlawful  data  use  and  data  publication, Obscenity  and  pornography

  • Obscene  Publications  Act  1959
  • Protection  of  Children  Act  1978
  • Criminal  Justice  Act  1988 e.g.  Harassment
  • Telecommunications  Act  1984
  • Protection  from  Harassment  Act  1997