FEATURE
Is ISO 27001 worth it?

Cath Everett, freelance journalist

Computer Fraud & Security, January 2011

Even though the internationally recognised ISO 27001 information security management system standard has been around in various guises for the past decade, uptake is not as widespread as might be expected. According to the International Register of ISMS Certificates, out of a total of 6,942 organisations accredited worldwide, the UK comes fourth in the rankings with only 454 under its belt, while the US languishes in eighth place with a mere 96. The biggest advocate of ISO 27001 by far is Japan, accounting for more than half of the total at 3,657, trailed by India and China at 509 and 495 respectively. As Mike Gillespie, director at information security consultancy Advent-IM, says: “For the last 10 years, I’ve been saying that this will be a big year for ISO 27001, but it’s only really this year that I’ve started seeing significant adoption.”

So what is going on? And given an apparent widespread respect for the standard, why have adoption levels remained so low? Giri Sivanesan, senior manager for policy, risk and compliance at risk management consultancy Pentura, attributes the poor showing in the US at least partially to a nationwide preference for SAS 70 (Statement on Auditing Standards Number 70). This situation stems from the fact that SAS 70 includes fewer formal security requirements than its more focused ISO cousin and enables organisations to pick and choose the areas in which they wish to be audited. But another more general explanation for the low uptake in most countries – including the UK, where the standard was originally developed by the government’s then Department of Trade and Industry – is that conformance is perceived to require huge amounts of time, effort and money.
Alignment rather than accreditation

Nonetheless, the numbers can be deceptive, Sivanesan argues. While only a small number of UK organisations may have gone down the full accreditation route, he estimates that 20-40% of large to medium-sized businesses in the UK have at least reached a level that he describes as “aligned” or working towards it.
“The issue is that it can take anything from a few months to a few years to become fully compliant,” says Sivanesan. “You have to have the proper policies, procedures and controls in place, but to be audited, they have to be enforced through the entire company and for large organisations, that takes time.”

One repercussion of this scenario is that it can be tricky simply to convince budget holders of the value/business and operational benefits of such a move or to push it high enough up the senior management agenda to have it taken seriously. But cost-benefit analyses can help here. Such activity involves working out how much it would cost an organisation both financially and in terms of time to undertake a compliance initiative. This is weighed against the potential economic impact of not doing so in terms of damage to reputation, fines or even the inability of the business to function following an information security incident. Ideally, it should also include evidence of more active benefits, such as enabling the company to reduce overheads or introduce new products and services.

While making satisfactory cost arguments is always going to be challenging in a difficult economic climate characterised by a number of priorities competing for limited resources, decisions about whether to act are likely to rest on the risk appetite of the organisation as well as whether it has suffered a serious security breach in the past. That can help to focus minds.
Who is doing what and why?

The sectors that have been the most forthcoming in terms of compliance are financial services, defence, energy and telecoms. But the retail industry has also started to move since the Payment Card Industry’s Data Security Standard (PCI DSS) became obligatory. This is because the gap between the two standards is relatively small, and the need to focus on protecting payment card data often raises awareness that other sensitive data requires safeguarding too.

Although compliance has been mandated for central – but not local – government departments in the UK for some time, conformance is still patchy, with ‘alignment’ or lip-service being the general order of the day. Interestingly though, such compulsion has had spin-off effects on the private sector. While not all public authorities are fully compliant or accredited to ISO 27001 – and some aren’t even close – central government bodies in particular often include accreditation as a requirement in their tenders these days.
Charles Hughes, partner and head of the IT practice at management consultancy AT Kearney, which recently became accredited, explains: “ISO standards are becoming increasingly significant in terms of scoring for public sector tenders. Compliance enhances your chances of winning and we’ve seen the requirement emerge more in some central government department tenders lately, although it’s not consistent across the board. It depends on the tendering authority.”

Although the firm’s compliance initiative was only one element of a wider quality assurance programme, which also included work on other standards such as ISO 14000 for environmental management, it was deemed an important one given the amount of sensitive client data that it holds. “For us it was important because it ensures that we’re watertight when dealing with a lot of client data and our own – it’s a reputational thing,” Hughes says.
Market forces

Public authorities are not the only ones to increasingly demand compliance. Large private sector companies – again, regardless of whether they are themselves compliant – are likewise jumping on the bandwagon, or at least encouraging suppliers and partners to consider taking action. Sometimes this insistence is for no other reason than to bring some standardisation to bidding and procurement processes – for example, to avoid repeatedly having to fill in detailed questionnaires, each of which is worded slightly differently, on what they are doing to comply with the standard’s 133 controls.

Advent-IM’s Gillespie says: “It was the same with quality management in the 1980s where telcos, utilities and the like demanded compliance even though they weren’t compliant themselves. But a situation like that snowballs and eventually leads to more widespread adoption due to market forces.”

Although the need for conformance today will undoubtedly depend on each organisation’s business model and the sectors that they operate in, for some it will definitely be worth it now, while others are likely to find that they require it in the future.
For those organisations that do decide compliance is of imminent value, however, one of the most important considerations is understanding information risk. Despite the fact that too few companies today have directors responsible or accountable for this issue at board level, and well-trained and experienced risk managers are notoriously hard to come by, establishing what the business risks are and working out how to mitigate them to an acceptable level and cost is crucial. Just as critical, however, is obtaining buy-in at board level, because without that high-level sponsorship, any initiative will be doomed to failure. The big issue here is that, although most organisations perceive information security to be an IT problem, it is, in fact, a business governance matter and, as such, has to be dealt with via the management of processes, policies and people.
Identifying gaps

As a result, information security professionals tasked with implementing the standard should, in an ideal world, report to the board, the corporate governance or quality management function. However, if this is impossible, they should at the very least try to ensure that information risk is added to the corporate risk register, which today tends to include only business operational, financial and health and safety risks. As Gillespie points out: “While 60-70% of the 133 controls in ISO 27001 are IT-oriented, which means that they tend to be put in the hands of the IT director, you could actually be accredited to the standard without having a single computer in the business.”

AT Kearney’s Hughes agrees. The most useful element of the compliance programme, he found, was undertaking a thorough risk assessment, as it helped the organisation identify gaps in its processes. “It really helped us tighten up there and ensure that things were fully and consistently documented and kept up to date. So it’s also about the rigour that you’ve got to apply and the thinking about what needs to change,” he explains.
Another frequently misunderstood point, however, is that it is not necessary to adhere slavishly to the standard or, worse still, adopt a tick-box approach to implementing controls. As long as there are good documented reasons for justifying decisions made and actions taken, or not taken, based on the company’s risk profile and appetite, auditors will be happy.

“You can approach this at various levels. Some people put in as little effort as possible, while others go in so deeply that it becomes a mammoth effort,” Hughes says. “But we approached it very pragmatically. We looked at what worked for the business in order to protect our own and our clients’ data as part of an overall quality improvement programme and we were certified first time around.”
And all in all, he believes that the couple of months of concerted effort required to achieve accreditation was worth it. “It was a valuable learning exercise and helped us to identify gaps so we feel now that our processes are more robust and resilient as a result of bringing in best practice,” says Hughes. “It’s not that onerous and it does provide a base standard, which assures our clients that our data and theirs is protected and managed properly.”
About the author

Cath Everett is a freelance journalist who has been writing about business and technology issues since 1992. Her special areas of focus include information security, HR/management and skills issues, marketing and high-end software.
Towards near-real-time detection of insider trading behaviour through social networks

Sumit Gupta, Liaquat Hossain, University of Sydney

The monitoring of capital frauds and malicious trading behaviours, and implementing changes to correct traders’ and firms’ behaviour, is increasingly seen as a priority in today’s financial markets. Many governments and financial institutions are investing capital and resources to maintain the integrity of their markets and promote fair-trade practices. Of all the capital scams, insider trading is one of the hardest to detect and therefore the most difficult to prove in a court of law. There has not been a great deal of empirical research conducted or published on the detection of insider trading. The traders’ self-learning and self-adaptive capabilities make it almost impossible to detect such acts in time and to therefore undertake corrective actions to eliminate the practice. Further, inconsistencies in the legal definition of the term ‘insider trading’ between nations make it even more difficult to apprehend the perpetrators.

To address these challenges, we propose an approach combining social network analysis, behavioural theory and co-ordination theory in a single framework referred to as a Surveillance Tracking and Anomaly Revelation System (STARS) that would enable the detection and surveillance of such activity. First, it’s important to explain the domain problem – ie, insider trading. Second, we’ll discuss the application and relevance of social networks, behavioural and co-ordination theory for such detection. Last, we present and discuss our research model in a single framework integrating social networks, behavioural and co-ordination theory in proposing STARS, leading to a conclusion and discussion of our work.
Insider trading

The term ‘insider’ is used to refer to those who hold managerial positions within organisations. However, recent enforcement practices have broadened the context by focusing on various types of professionals.1 As a result, now it’s not only corporate officers, directors and managers who are considered as insiders but also professionals such as lawyers, investment bankers, printers, auditors and so on who work within or alongside the organisation. When these people trade in company stock and other securities, this is deemed to be insider trading. Although the term, in general use, means the same everywhere, the laws against insider trading vary from
Figure 1: Types of insider trading. These three categories are mutually inclusive and thus an insider trading act covers all three categories.