I am often approached by owners of small businesses who ask me how can they be assured that they have taken the basic steps to protect their information assets. These companies often do not have any internal IT or information securty expertise and rely on external vendors or contractors to secure their systems. What these owners want is a list of questions that they can ask themselves and their IT/Information Security experts to ensure they have taken the appropriate steps. The following is what I recommend they check on and if they have any incomplete or negative responses then these areas need to be addressed;
Does a director, or equivalent, have responsibility for information security?
Have all members of staff given written acknowledgement that they have read, understood and accepted the information security policy?
Do all users on your computer systems receive regular training on their security responsibilities and how to identify and deal with various security threats?
Do staff members with specific security responsibilities receive proper and regular training to support their role?
Computer security policy
Have you a documented security policy, with associated operating procedures, signed off and fully supported by senior management?
Does senior management authorise third party access to confidential and/or commercially sensitive information pending completion of appropriate confidentiality forms?
Are critical systems such as firewalls and routers regularly tested for vulnerabilities and are computers checked to ensure no copies of illegal software are present?
Incident Planning and response
Are documented and frequently tested plans in place, with clearly defined roles and responsibilities, to ensure the company can respond to any security breaches such as a virus attack, fraud or natural disasters such as fire?
Are all default passwords on all systems reset from the default vendor installed passwords? Are users forced to use complex and hard to guess passwords?
Is there a mechanism to ensure that critical security patches are deployed to systems in a timely and audited fashion?
Are systems and databases that store personal data secured properly to ensure compliance with regulatory and legal requirements such as the Data Protection Act?
External Network Security
Are external connections, such as to the Internet, authorised by senior management, properly documented and secured using Firewalls?
Are all computer systems protected with the most up to date anti-virus software? Are users educated on how to identify and deal with suspect files that may contain computer viruses?
Do you properly monitor the content of emails and Internet browsing activity to protect your company from computer viruses, SPAM, or litigation due to the nature of the content?
Are the log files of important security devices actively monitored to detect potential security breaches?
Are critical IT resources, such as file servers, located in a secured area that is protected from unauthorised access?
If you have any ideas on how to improve the above list please let me know via the comments.
Courtesy of Brian Krebbs from the Washington Post it appears that the largest ever breach of credit card data may have occurred. It appears that a payment processor company in the United States, Heartland Payment Systems, discovered malware on their network that may have captured the credit and debit card details of over 100 million credit cards. The data captured include names, credit and debit card numbers and expiration dates.
There are no details yet as to how the malware got onto their network or indeed what type malware it is or the type of systems infected. Often when I do security assessment for clients I see strong malware controls on desktops and servers but often the network is one area that is overlooked. Routers, switches and other network components are often never looked at once they have been installed. These devices invariably are not included in any vulnerability or patch management strategies and will probably not have been upgraded, reviewed or tested since they were installed. This leaves a gaping hole in your security infrastructure as once an attacker controls a router or switch they have access to all the data that passes through it.
Another item to consider is what monitoring was in place to detect any suspicious behaviour. Again this is often something I find clients overlook as part of their information security infrastructure. The article does explain that Heartland found the malware as the result of an investigation so to be fair it is possible that their monitoring systems alerted them to some suspicious behaviour. However, until more details are available we can only rely on speculation at the moment.
No doubt questions will be asked as to whether or not Heartland was PCI compliant. To me this is a non-issue. If you have implemented a strong information security infrastructure then PCI compliance, or indeed any compliance, will practically be a side benefit. As always I will repeat the mantra, just because you are compliant does NOT mean you are secure.
I await more details on this breach with interest. As always we should use all of these breaches as an opportunity for ourselves to learn how better to protect our own networks and data.
One of the biggest projects I worked on last year was writing my first book. The book is called “Implementing ISO 27001 in a Windows Environment“. I wrote this book in response to the many questions clients have asked me on how best to put in place the various controls and goals outlined in the ISO 27001 Informration Security Standard (formerly BS 7799).
Very often these people were IT Managers who were mandated by their senior management to implement the standard in order to provide the business that they were using recognised best practises to secure their information assets.
However these managers suddenly faced a number of major challenges.;
They had to first become familiar with the ISO 27001 Information Security Standard and understand how it works.
Identify what controls were applicable to their organisation based on their risk assessment and resultant required controls.
How to ensure that the controls that required technical configurations were being properly implement
Last but not least how to do all the above in the most effective and cost efficient manner possible.
As someone who has a lot of experience with implementing the standard, and also a strong technical background, I decided to write this book to help address those issues. I also decided to focus on how to leverage some of the existing Microsoft technology, such as Microsoft Windows Server 2008, Microsoft Windows Vista and various other Microsoft secruity tools, that most organisations have employed.
So last summer my journey as an author began. It is been a long and at times challenging journey but I am happy to say that it is coming to an end.
My book “Implementing ISO 27001 In a Windows Environment” will be published on February the 3rd 2009 and is now available for pre-order at the IT Governance website. If you are considering rolling out ISO 27001 in your organisation, I would recommend that you purchase the book as it may save you a lot of time, money and frustration.
I am regularly asked by clients, training course attendees and contacts in non-Irish companies looking to expaned into Ireland what is the most relevant legislation relating to information security for organisations in Ireland. So here is my top list of legislation that you should be concerned about regarding information security and your business in Ireland; I hasten to point out that I am no legal expert and that the information below is purely for guidance and should be verified with your own legal team. If anyone else I have forgotten any items then please let me know ;
Article 40.3.2 of the Irish Constitution regarding defamation.
Approved EU directives.
Third party litigation
The ones of concern to most companies would be The Data Protection Act, 1988 & Data Protection (Amendment) Act 2003. Under the above an organisation is obliged to ensure the confidentiality of personal information of customers and staff. This means ensuring that information is available only to those who need it and only for the purposes gathered.
So for example if you buy something of a shop and they ask for your mobile number to facilitate delivery this is all they are allowed to use that data for. If you then get a SMS message from them advertising new services they are in breach of the Data Protection Act and could face fines of up to €3,000 per message.
Similarly if your organisation was to misuse personal information in a similar manner you could face the same fines. You can also face fines for not securing the information properly. The Data Protection Commissioner have a good video on their site outlining the obligations
Under the above everyone has the right to privacy in all their communications. This means that a company cannot read employee’s emails or monitor their phone calls or their Internet usage. In order to do so you need to make staff aware of this in an Acceptable Usage Policy so that in effect waive this right.
The Employment Equality Act 1998 obliges you to provide a safe working environment for all without fear of discrimination. An area that could be of issue is if a member of staff feels they are being sexually harassed due to the content other members’ of staff view on their computer. It is important that all staff are aware of what they are allowed and not allowed to do when using organisational resources such as computers and what type behaviour is acceptable. This would be outlined in an Acceptable usage Policy. Ideally this should then be managed and monitored to ensure people are not breaching the policy and disciplinary action taken where appropriate.
Under this act any copyrighted material found on your systems could result in a prosecution against the directors of the company and NOT the individual who violated the agreement. So if a member of staff copies the latest Spiderman movie onto their PC it is the board of directors that could face prosecution and not the individual.
Finally you are also obliged to protect credit card data in accordance with the PCI DSS Credit Card standard. This is a standard produced by the credit card companies to ensure retailers secure credit card information belonging to customers. If you are found to be in violation of this standard which resulted in credit card information being compromised the organisation will face increased credit card charges, possible fines and will have sanctions such as annual third party audits enforced on the organisation.
Knowlege Ireland recently published an article I wrote discussing how the ISO 27001 standard can be used as a foundation to help companies ensure they meet their compliance requirements, be that SOX, Basel II, PCI or the Data Protection Act. The premise that I put forward is that having a certified Information Security Management System in place provides you with a strong basis which you can use to meet your compliance requirements.