Business Assurance in the 21st Century

As you may recall from my “Outlook is Cloudy” post, I am the Chief Operations Officer for the Common Assurance Maturity Model (CAMM).  I have been involved with CAMM for nearly two years and it has been a pleasure to work with some brilliant minds and excellent people on the project.  Earlier this week the “Business Assurance in the 21st Century” whitepaper (PDF file) was released.

This whitepaper was developed by a number of key organisations, such as The Shared Assessments Program; the Information Security Forum (ISF); the Cloud Security Alliance (CSA); the Payment Card Industry (PCI); the Common Assurance Maturity Model (CAMM); and ISACA.  The whitepaper outlines the plans of the above organisations to create a global repository of assessments for assurance of the IT supply chain (including cloud services).  In addition, this “initiative and repository should be independent and ‘not for profit’ in order to ensure its focus, provide transparency and secure wider endorsement”.

The full whitepaper can be downloaded from the CAMM website.

Keep an eye out for more exciting announcements from CAMM over the coming weeks.

NIST Publications

The US National Institute of Standards and Technology, NIST, have released a number of publications that are well worth reading:

The above publications are well worth taking the time to download and review.

Irish Ways and Irish Laws

I am regularly asked by clients, training course attendees and contacts in non-Irish companies looking to expand into Ireland what the most relevant legislation relating to information security is for organisations in Ireland.  So here is my top list of legislation that you should be concerned about regarding information security and your business in Ireland; I hasten to point out that I am no legal expert and that the information below is purely for guidance and should be verified with your own legal team.  If I have forgotten any items then please let me know.

The ones of concern to most companies would be the Data Protection Act, 1988 and the Data Protection (Amendment) Act 2003.  Under these acts an organisation is obliged to ensure the confidentiality of personal information of customers and staff. This means ensuring that information is available only to those who need it and only for the purposes for which it was gathered.

So for example, if you buy something from a shop and they ask for your mobile number to facilitate delivery, this is all they are allowed to use that data for. If you then get an SMS message from them advertising new services, they are in breach of the Data Protection Act and could face fines of up to €3,000 per message.

Similarly, if your organisation were to misuse personal information in a similar manner you could face the same fines. You can also face fines for not securing the information properly. The Data Protection Commissioner has a good video on their site outlining the obligations.

You also need to be aware of the European Convention on Human Rights.

Under the above everyone has the right to privacy in all their communications.  This means that a company cannot read employees’ emails or monitor their phone calls or their Internet usage.  In order to do so you need to make staff aware of this in an Acceptable Usage Policy so that they in effect waive this right.

The Employment Equality Act 1998 obliges you to provide a safe working environment for all without fear of discrimination. An area that could be of issue is if a member of staff feels they are being sexually harassed due to the content other members of staff view on their computers. It is important that all staff are aware of what they are allowed and not allowed to do when using organisational resources such as computers and what type of behaviour is acceptable. This would be outlined in an Acceptable Usage Policy. Ideally this should then be managed and monitored to ensure people are not breaching the policy, with disciplinary action taken where appropriate.

The Copyright and Related Rights Act 2000.

Under this act any copyrighted material found on your systems could result in a prosecution against the directors of the company and NOT the individual who violated the agreement. So if a member of staff copies the latest Spiderman movie onto their PC, it is the board of directors that could face prosecution and not the individual.

Finally, you are also obliged to protect credit card data in accordance with the PCI DSS credit card standard. This is a standard produced by the credit card companies to ensure retailers secure credit card information belonging to customers. If you are found to be in violation of this standard and that violation resulted in credit card information being compromised, the organisation will face increased credit card charges, possible fines and sanctions such as annual third-party audits enforced on the organisation.

UPDATE – 22/05/08
For those of you based in the United States the following post on “10 ways you might be breaking the law with your computer” may be of interest.

NIST Issues Draft Guidance for Securing Servers

NIST, the US National Institute of Standards and Technology, have released a draft version of their Special Publication 800-123 “Guide to General Server Security” for comment.  The document provides guidance to those wishing to ensure their servers are secure.

NIST provide an invaluable range of guidance documents to help you secure your network infrastructure and information systems.  I would recommend you have a look at their site and review their guidelines.  The Center for Internet Security is also a great resource.

It is a draft standard, so feel free to submit your comments and feedback to NIST if you feel there are areas that need improvement.