
Tuesday, 23 September 2008

A Directors' brief on ISO27001 Information Security Management

It is generally accepted that information is the greatest asset any organisation has under its control. Managing Directors are aware that the supply of complete and accurate information is vital to the survival of their organisations.

Today more and more organisations are realising that information security is a critical business function. It is not just an IT function but covers:

  1. Governance;
  2. Risk Management;
  3. Physical Security;
  4. Business Continuity;
  5. Regulatory and Legislative Compliance.

Information Security

Business has been transformed by the use of IT systems, indeed it has become central to delivering business efficiently. The use of bespoke packages, databases and email have allowed businesses to grow while encouraging remote communication and innovation.

Most businesses rely heavily on IT, but critical information extends well beyond computer systems. It encompasses knowledge retained by people and paper documents, as well as traditional records held in a variety of media. A common mistake when introducing an information security management system is to ignore these elements and concentrate only on the IT issues.

Information security is a whole-organisation matter that crosses departmental boundaries. It is more than just keeping a small amount of information secret; your very success increasingly depends on the availability and integrity of critical information to ensure smooth operation and improved competitiveness.

  1. Confidentiality
  2. Integrity
  3. Availability

These three properties are the requirements that any ISMS must protect.

Managing Directors' Perspective

Your vision is central to organisational development; driving improvements in all areas of the business to create value. With information technology being key to so many change programmes, effective information security management systems are a prerequisite to ensuring that systems deliver on their business objectives. Your leadership can help create the appropriate security culture to protect your business.

Organisations are increasingly being asked questions about ISO 27001, particularly by national and local government, professional bodies and the financial sector. This is being driven by their adoption of the standard as part of their legal and regulatory obligations. In some areas it is becoming a tender requirement.

Others are seeing a competitive advantage in leading their sector and using certification in information security management to develop customer/ client confidence and win new business. With public concern over security issues at an all time high, there is a real need to build effective marketing mechanisms to show how your business can be trusted.

You will certainly be aware of your responsibilities for effective governance, and be answerable for damaging incidents that can affect organisational value. The risk assessment, which is the foundation of the standard, is designed to give you a clear picture of where your risks are and to facilitate effective decision making. This translates into risk management, not simply risk reduction, and so replaces the feeling of risk ignorance that many directors have in this area. It will help you understand the potential risks involved in deploying the latest information technologies and will enable you to balance the potential downside against the more obvious benefits.

Whether driven by compliance obligations (such as those required by professional bodies, Sarbanes-Oxley or the Data Protection Act) or simply by effective governance, information security is a key component of operational risk management. It enables effective risk analysis and measurement, combined with transparent reporting of ongoing security incidents to refine risk decisions.

Putting a value on the impact that security incidents can have on your business is vital. Analysing where you are vulnerable allows you to estimate the probability that you will be hit by security incidents with direct financial consequences.

An added benefit of the risk assessment process is that it gives you a thorough analysis of your information assets, how they can be impacted by attacks on their confidentiality, integrity and availability, and a measure of their real value to your business.

Although the detail within the risk assessment process can be complex, it is also possible to translate this into clear priorities and risk profiles that the Board can make sense of, leading to more effective financial decision making.
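As an added illustration of how the detailed risk assessment described above can be reduced to a Board-level profile (example code, not from the original brief or from ISO 27001 itself), the following Python scores each asset/threat pair by asset value, CIA impact and annual probability, then ranks assets by expected annual loss. The register, figures and rating thresholds are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    cia: str            # which of Confidentiality, Integrity, Availability is hit
    asset_value: float  # value of the asset to the business, GBP (assumed figure)
    impact: float       # share of that value lost if the incident occurs, 0..1
    probability: float  # estimated chance the incident occurs in a year, 0..1

    def annual_loss(self) -> float:
        """Expected loss per year: asset value x impact x probability."""
        return self.asset_value * self.impact * self.probability

# Constructed register; the assets, threats and figures are illustrative only.
RISK_REGISTER = [
    Risk("customer database", "theft of backup tapes", "Confidentiality", 500_000, 0.6, 0.05),
    Risk("customer database", "corruption by faulty import", "Integrity", 500_000, 0.3, 0.20),
    Risk("order system", "server room flood", "Availability", 800_000, 0.5, 0.02),
    Risk("paper contracts", "office fire", "Availability", 200_000, 1.0, 0.01),
    Risk("staff know-how", "key engineer leaves", "Availability", 300_000, 0.4, 0.25),
]

def band(annual_loss: float) -> str:
    """Board-level rating; the thresholds are assumptions a Board would set itself."""
    if annual_loss >= 20_000:
        return "High"
    if annual_loss >= 5_000:
        return "Medium"
    return "Low"

def risk_profile(register):
    """Expected annual loss per asset, highest first, with its Board rating."""
    totals = {}
    for r in register:
        totals[r.asset] = totals.get(r.asset, 0.0) + r.annual_loss()
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(asset, round(loss, 2), band(loss)) for asset, loss in ranked]

def top_risks(register, n=3):
    """The individual asset/threat pairs that deserve the Board's attention first."""
    return sorted(register, key=Risk.annual_loss, reverse=True)[:n]

if __name__ == "__main__":
    for asset, loss, rating in risk_profile(RISK_REGISTER):
        print(f"{asset:20s} {loss:>10,.2f} GBP/yr  {rating}")
```

Note that a non-IT asset (staff know-how) ranks second, which is the point the brief makes about information extending beyond computer systems.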

Business Continuity

How well would you cope if a disaster affected your business?

The disaster could have a natural cause such as flood or storm, or worse, could result from fire, terrorism or other civil unrest. The areas not often considered are sickness, failure of utilities and technology breakdown.

Business continuity planning in advance of a disaster can mean the difference between the survival and the extinction of the business.

Many of the businesses affected by the Buncefield fuel depot disaster never recovered. Those with an effective business continuity plan have emerged like the phoenix from the ashes.

Many businesses claim to have a plan, but if the plan is untested or ill prepared then it is bound to fail.

ISO27001 states that a fully planned and tested BCP should be in place, so that the business is prepared for, and able to deal with, such an emergency.

ISO 27001 Sections

  • Security policy - This provides management direction and support for information security.
  • Organisation of assets and resources - To help manage information security within the organisation.
  • Asset classification and control - To help identify assets and protect them appropriately.
  • Human resources security - To reduce the risks of human error, theft, fraud or misuse of facilities.
  • Physical and environmental security - To prevent unauthorised access, damage and interference to business premises and information.
  • Communications and operations management - To ensure the correct and secure operation of information processing facilities.
  • Access control - To control access to information.
  • Information systems acquisition, development and maintenance - To ensure that security is built into information systems.
  • Information security incident management - To deal effectively with any identified security incident.
  • Business continuity management - To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.
  • Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirement.

Monday, 8 September 2008

Security and Banks

I have just been through a most frustrating time with my bank. It all started when my landlord increased the rent and service charges for our offices in Tolleshunt Major; I went online, accessed my account and tried to amend the standing order to take account of the increased charges; a message told me that I couldn't do this online but to contact the help desk.

I rang the help desk and was asked the usual security questions, and one answer was rejected. I reiterated that my answer was correct and the lady re-entered it, only to have it rejected again. She had obviously entered it incorrectly, as I had entered the same information to get online in the first place. I said that she must have entered the information incorrectly as I was online. The next thing she said was that the system had locked me out and she would have to pass me through to the online team. I expected the online team to unlock my account, but no; they would send me a form which I could complete and return to them, and I would get an activation code to get me going again.

A week later the form arrived and I signed the appropriate part and sent it back. Four days later I received a letter telling me that they had had some technical problems with my login and here was a temporary activation code which would be OK for a few weeks, but they would need to change my customer number and supply me with a new activation code for that new number. The activation code did not work, so I telephoned again only to be told that they should not have sent the temporary activation code and had cancelled it before it arrived.

I asked when I could expect the new information and activation code; a few days was the response. A few days later the new customer number arrived and then the following day a new activation code.

With much trepidation I entered the new customer number and activation code; so far so good. I was then asked for a 4-digit PIN and a complex password. The password was accepted but the PIN was rejected. I telephoned yet again, only to be told that any PIN cannot have a repeated number in it nor consecutive numbers. My PIN did have two numbers the same in the sequence, but not sequential. I had used the same PIN for some time but changed my password frequently. This was not good enough for NatWest. I was told either I used all their security requirements or I couldn't use their online system at all. I protested, saying that my security was OK two weeks ago before they messed up my access, but not now. I asked if the Bank's security was more important than customer service. The sheer indifference shown by the chap on the other end of the phone left me in no doubt that I could do what I liked but they would not move at all.

This was the final straw in a saga that goes back months and included wrongly debiting my account with amounts that bore no relation to the printed cheques that my Sage system had prepared, deducting income tax from the interest paid on our business deposit account and then taking three months to repay it.

My branch bank manager keeps apologising but cannot do anything with the bureaucracy that is the bank.

Apparently I am an ideal customer, never pestering the bank staff, never exceeding my overdraft, never complaining about the charges levied. I prepare few cheques and carry out most of my banking online, so there is little for the bank to administer. Our deposit account has a reasonable balance in it and my Gold Business card, used for business expenses, is never over the agreed limit. So why treat me so badly? Perhaps it is a sign of the times where Banks have a virtual stranglehold on their customers, make an obscene amount of money and employ morons in call centres.

I am actively seeking another bank to handle my business banking; will I be able to find a good bank? I don't know, but surely customer service cannot be as bad as that which I have been subjected to.

It is also strange that Quality Matters sets up secure systems including ISO27001, and we always advocate good security, but we recognise, as do most institutions, that security is a trade-off between total security, where nothing gets done, and lax security, where systems are at severe risk. We know that there is a compromise point where good security also allows users to get on with their business. The balance seems to be lost on my bank.

Security gone mad.
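As an added illustration of the trade-off the post describes (example code, not the post's own and not the bank's actual policy logic), this Python applies the PIN composition rule exactly as the post reports it and counts how much of the 4-digit PIN space the rule leaves a customer. It assumes "consecutive" means two adjacent digits one apart in either direction, which the post does not spell out.

```python
from itertools import product

def pin_allowed(pin: str) -> bool:
    """Apply the rule as reported: no repeated digit anywhere, no consecutive digits."""
    if len(pin) != 4 or not pin.isdigit():
        return False
    digits = [int(c) for c in pin]
    if len(set(digits)) != 4:          # a digit repeated anywhere, adjacent or not (the post's case)
        return False
    for a, b in zip(digits, digits[1:]):
        if abs(a - b) == 1:            # assumption: adjacent digits one apart, rising or falling
            return False
    return True

def keyspace_size(rule, length: int = 4) -> int:
    """Count how many PINs of the given length the rule leaves available to choose from."""
    return sum(1 for combo in product("0123456789", repeat=length) if rule("".join(combo)))

def keyspace_fraction(rule, length: int = 4) -> float:
    """Share of all possible PINs of that length that the rule permits."""
    return keyspace_size(rule, length) / 10 ** length

if __name__ == "__main__":
    print(pin_allowed("1315"))   # repeated digit, not adjacent: rejected, as in the post
    print(keyspace_size(pin_allowed), keyspace_fraction(pin_allowed))
```

Under that reading only 2,450 of the 10,000 possible PINs remain, so the rule costs usability while also shrinking the space it is meant to protect; judging whether that is the right balance is exactly the compromise point the post says its bank has lost sight of.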
