Issue 18 of The ISO 27000 Newsletter Released

Sue Thomas
05-15-08, 01:59 PM
Welcome to Issue 18 of The ISO 27000 Newsletter, designed to provide
news and background with respect to the ISO security standards. The
information provided is totally free to our subscribers and offers
guidance on practical issues and commentary on recent developments.

Covered in this issue are the following topics:

1) Obtaining the ISO 27001 and ISO 27002 Standards
2) Security Awareness Programs (ISO27002 8.2.2)
3) Website Hackers: Why?
4) Third Party Service Delivery Management
5) More ISO 17799/27001 Frequently Asked Questions
6) Trials and Tribulations of an Information Security Officer Part 2
7) Information Security News
8) Critical Success Factors (ISO 27002)
9) Disposing of Equipment (ISO 27002 Section 9)
10) Implementing A COBIT Compliance Initiative
11) ISO 27000: The World Wide Phenomenon
12) ISO 27001/2: Common Mistakes Part 2
13) ISO 27000 Related Definitions and Terms
14) It Couldn't Happen Here, Could It?

Appendix: Subscription Information

Obtaining ISO 27001 And ISO 27002

The most frequent question we receive is "Where can I obtain a copy of
the standards?" The standards themselves are available from:

This is the web site for the ISO 27000 Toolkit. This download support
package includes both ISO 27001 and ISO 27002, and was created to help
those taking the first steps towards addressing the standards. It
includes both of the standards, audit checklists, a roadmap, a set of
ISO compliant security policies, and a range of other materials.

This is the BSI Online Standards Shop, a vending site for instant
downloadable copies.

Security Awareness Programs

The importance of awareness (ISO 27002 8.2.2) is not an issue that can be
over-exaggerated. It is a critical component of your organization's
security. However, it is also an area which is often taken for
granted, or simply not given anything like appropriate emphasis.

Often, serious breaches can be traced back to sheer ignorance, or lack
of understanding, by one or more internal personnel. This picture
emerges time and time again, yet time and time again little or no
thought is given to improving awareness through training or other

The most effective programs involve both short formal training
sessions, and an ongoing plan. The following list of possible
initiatives should hopefully stimulate some ideas on how to approach
this essential topic within your own organization:

- A Security Newsletter, which can include both news and information
in a topical context (please feel free to extract from this
- Cheap gifts, such as pens, key fobs, and coffee mugs bearing a
security message (this is actually quite effective).
- A 'Roadshow' in which security personnel regularly give
presentations to senior management and staff on current issues.
- A security DVD (assuming adequate budget).
- A Screen Saver bearing security related messages
- If your organization produces internal courses on other topics, make
sure that the security angle is covered.
- Posters should be used and replaced often.
- Competitions are often effective, for example, security crosswords,
puzzles and problems.

Whichever route you take, building security awareness into your
organization's culture is a must.

Website Hackers: Why?

Defacement of company websites by 'hackers' and others is a constant
threat. Even the largest and most security conscious of organizations
have experienced problems with respect to this. But why do they do it?
What is the most common motive?

The Zone-H monitoring portal performed some research on this via what
is probably the largest poll ever undertaken. They reported the
following as the major motives:

Just for fun: 35%
No reason specified: 19.2%
Pride: quest to be the "best defacer": 12.5%
For a challenge: 11.7%
Patriotism: 10.5%
Other political reasons: 9.2%
Revenge against the particular website: 1.9%

The other disturbing aspect is the numeric dimension: this is not just
a handful of individuals, but many thousands across the world.

Therefore, if your corporate website is of significant importance to
the organization, defending it is not something that can just be left
to a hosting provider. It should be treated as any other security
sensitive production system, with protection commensurate with risk
and potential business impact.

Third Party Service Delivery Management

ISO/IEC 27002 provides specific guidance on the implementation and
maintenance of information security for organizations who receive
third party service delivery. It stipulates that third party service
agreements should be regularly checked, and compliance monitored.

Agreed security levels must be maintained by the third party covering
specific service definitions and all critical aspects of the service
managed. Where there are outsourcing arrangements, within periods of
service interruption, the organization should ensure that security is
maintained throughout this period. The organization should also
ensure that the third party has suitable business continuity and
disaster recovery procedures in place to meet agreed levels of
continuity of service delivery.

There should be regular formal monitoring of services delivered and
delivery performance. Reports and records provided by the third party
should be regularly reviewed, and audited. These procedures should
ensure that the information security terms and conditions of the
agreements are being adhered to in practice.

Specifically, it is important to create a regime which includes the

• service performance levels regularly monitored to check compliance
with the agreements;
• service reports discussed at regular progress meetings as dictated
by the agreements;
• information security incidents fully recorded and actions taken
included in a subsequent report;
• regular scanning and checking of audit trails, records of incidents,
operational problems, performance deficiencies, and fault

In summary, the old adage "You can outsource services, but you can't
outsource responsibility" applies to most third party service
situations. It is an important message, particularly with respect to
information security.

More ISO 17799/27001 Frequently Asked Questions

1) How Does Risk Analysis/Assessment Relate to the Standards?
The next issue of this newsletter will focus primarily on risk issues.
Don't miss it!

2) What is ISO 27799?
This is a version of ISO 27002 (formerly known as ISO 17799) created
specifically for the health sector.

3) What is the Certification Process for ISO 27001?
As might be expected, it isn't trivial. The most straightforward
certification route map we have found is the diagram on the following
web page:

4) Can I republish articles from the ISO27000 Newsletter (internally
or externally)?
Yes, subject to a link to our website (www.molemag.net).

5) Where Do Security Policies Fit Into The Equation?
Security policies are a critical part of your organization's security
profile, and are often the major interface between staff and security
matters. It is essential that they exist and are up to date.

Regarding ISO 27002, some organizations view them as the bridge
between this standard and employees: in some respects, a partial
interpretation of the standard, customized and in plain English. This
is why the policies included in the ISO 27000 Toolkit (see above)
contain a tag aligning them with the appropriate part of the standard

6) How many organizations are now Certified?
These numbers are always approximate, as the certification bodies are
diverse, but the latest estimates are that over 4,000 certificates
have been issued.

Trials and Tribulations of a Part-Time Information Security Officer –
Part 2

After the embarrassing incident last week in which a confidential
management document was accessed on the network by employees who
unfortunately (for the personnel department management that is)
learned prematurely about their own impending redundancies, the
Whithertech management have decided to start an information
classification project urgently. As the part-time Information
Security Officer the organization of this task apparently falls to
me. Fortunately, my Information Security Manual contains some useful
suggestions on how to proceed with this project together with
a number of templates that we can adapt for our use.

The first part of the project involves setting up some suitable
classification levels for confidentiality and ownership and then
applying them to the documents that are produced throughout the
organization. I have learnt recently that this is an important part
of information security as it supports the control over sensitive data
and helps to prevent unauthorized access to key information. My first
task was to call a meeting of all the department heads to thrash
out how it was going to work.

The meeting was pretty well attended considering it was being held on
a Friday evening. I suppose that was probably a reaction to the CEO’s
undisguised anger. Some of those present at the meeting felt that the
significant levels of additional work were unnecessary and that it was
all a bit of a knee-jerk reaction, but I think most saw immediately
the benefits of getting better control over sensitive information. I
presented an overview of what the project would entail and we got down
to a detailed discussion on the classification levels that would be
adopted. We eventually decided that the following five levels would be
suitable for Whithertech:

1. Top Secret: Highly sensitive internal documents.
2. Highly Confidential: Information which is considered critical to
the organization's ongoing operations and could seriously impede them
if made public or shared internally.
3. Proprietary: Information that is normally for proprietary use by
authorized personnel only.
4. Internal Use Only: Information not approved for general circulation
outside the organization where its disclosure would inconvenience the
organization or management, but is unlikely to result in financial
loss or serious damage to credibility.
5. Public Documents: Information in the public domain.

This was considered to be a good first step for the project and I was
charged with the task of providing a proper description for each
proposed classification level. The next meeting will be on Wednesday
morning and I was also asked to come up with some suggestions for
establishing information ownership criteria and for labeling of
information in time for this meeting. This was not actually too
onerous a set of tasks as I already have some boilerplate texts.

I will let you know how the project progresses in due course.

Related Information: The Security Officer’s Manual http://www.security-manual.com

Information Security News

1) 2008 On Track For Security Breach Record
The Identity Theft Resource Center (http://www.idtheftcenter.org)
reports that in the first three months of 2008, the number of data
breaches more than doubled over the same period in 2007. A rise in
insider thefts, particularly within the business community, is also

2) Internet Crime Rises Too
In a similar vein, IC3 (http://www.ic3.gov/media/annualreports.aspx)
reports that internet-related criminal activities resulted in nearly
$240 million in reported losses last year, up $40 million from 2006.
Auction fraud was the most widely reported criminal activity referred
to law enforcement agencies.

3) FTC Settle With Reed Elsevier and Seisint
The US Federal Trade Commission (http://www.ftc.gov) has announced a
settlement with data brokers Reed Elsevier and Seisint on charges that
they failed to provide 'reasonable and appropriate security' for
sensitive consumer information. The FTC alleged that Reed Elsevier,
through its LexisNexis data broker business, and Seisint allowed
customers to use easy-to-guess passwords to access Seisint's Accurint
databases, which contained sensitive consumer information. The FTC
stated that identity thieves exploited these security failures,
accessing the information of at least 316,000 consumers.

4) 4.2 million Card Numbers Stolen
The Hannaford Bros grocery store chain has disclosed that hackers have
stolen 4.2 million debit and credit card numbers from its computer
systems. The thefts occurred whilst the cards were being verified for

5) Smart Phone Attack (winCE//infojack Trojan)
Researchers at Sophos (http://www.sophos.com) and McAfee
(http://www.mcafee.com) have discovered a trojan that attacks the Windows
Mobile smartphone platform. Devices become infected when a user visits
one of several websites in China, where the trojan is bundled in an
apparently legitimate package of applications. It then
lowers the security settings on the device so it accepts unsigned

6) 419 Scammers Plead Guilty
Three men have pleaded guilty in New York to running 419 spam schemes
via email. A fourth defendant fled to Nigeria where he is being held
pending extradition to the US. They are understood to have made more
than $1.2 million, according to the Justice Department (DOJ).
Sentencing is pending.

7) More Website Breaches
Two of the most popular websites (Expedia.Com and Rhapsody.com) have
recently been compromised by malicious banner advertisements, designed
to deliver malware. According to Trend Micro
(http://www.trendmicro.com) the adverts utilized Flash software.

Critical Success Factors

The question of which factors are considered most critical when
implementing the ISO 27001 standard, particularly with respect to ISO
27002 (ex-17799), is one which is raised frequently. However, guidance
on this is actually provided within the standard itself, which indicates
that these are:

- security policy, objectives and activities that properly reflect
business objectives
- clear management commitment and support
- proper distribution and guidance on security policy to all employees
and contractors
- effective 'marketing' of security to employees (including managers)
- provision of adequate education and training
- a sound understanding of security risk analysis, risk management and
security requirements
- an approach to security implementation which is consistent with the
organization's own culture
- a balanced and comprehensive measurement system to evaluate
performance in IS management and feedback suggestions for improvement

These of course are all basic and very sensible measures... but it is
amazing how many organizations fall short on many of them.

How do you measure up?

Disposing of Equipment

Disposing of unwanted equipment brings with it a number of potential
security issues:

- Legacy data from old systems can still remain accessible and thus
compromise the confidentiality of information.
- Old media can still have data in situ unless degaussed or securely
- The disposal of old equipment can prevent the restoration of its
associated data files on which you may be relying.
- Inadequate planning for the disposal and upgrade of entire systems
can threaten business continuity and result in severe loss.
- Equipment used periodically but infrequently may be disposed of
- During the legitimate disposal of unwanted equipment other items can
be 'lost' or stolen.

Why are we highlighting this issue again at this point? Because we
have just heard of a significant breach involving disclosure of sensitive data
at a major international corporation. It DOES happen, more frequently
than most realize.

If you haven't got one in place, a high level policy might be
something along the lines of: "Equipment owned and/or used by the
organization should only be disposed of in accordance with approved
procedures including independent verification that the relevant
security risks have been mitigated".

The topic is dealt with largely within ISO 27002 Section 9.

Implementing A COBIT Compliance Initiative

Through its COBIT framework, ISACA is one of the leading
internationally accepted producers of guidance materials for IT
governance. COBIT provides comprehensive controls and guidance
covering each key stage of the IT process, with the Control-IT Toolkit
(CITT) providing invaluable implementation support for these controls
as well as simplifying the process.

The first stage in checking compliance is "scoring" your existing IT
control processes to see how closely they comply with the guidelines
and standards. The Audit Compliance module of the CITT assists with
this task by providing a list of COBIT based control areas which must
be measured for compliance. Each topic can be weighted according to
your management’s views on the relative importance of a particular
control point to your organization's security and overall well being.
As well as providing a "scoring" method for measuring compliance with
each control policy, the module also provides information and
calculations on each control domain and the overall compliance level
for the organization.

The second task is to set a target for the required level of
compliance to be achieved in the future, and consider the resources,
timeframe and costs of achieving that level of compliance. It is not
feasible for all organizations to achieve overall compliance levels of
5 (in a 0 – 5 measurement) as the costs and resources required would
very likely be prohibitive. It is for management to decide on an
acceptable level of security and control commensurate with the risks
and costs of providing additional safeguards.

Each topic is to be "scored" within a range of "0 to 5" to reflect the
level of assessed compliance of the topic and this "scoring" will
result in each section automatically calculating a "score" for that
section including use of the weighting factor for that topic. In
addition, the "score" for each Domain will be automatically updated
using the weighted "scores" for each section. Although implementation
of full COBIT compliance is a fairly complex process, use of the CITT
Templates will make the task significantly more manageable.
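The weighted roll-up described above, worked through as an added example (it is not part of the newsletter or of the CITT). It assumes scores are combined as a weighted mean, since the page does not give the toolkit's formula, and it also ranks topics by weighted shortfall against a management target; all topic names, weights and scores are constructed.

```python
"""Weighted 0-5 compliance scoring with section and domain roll-up.

Assumption: scores are combined as a weighted mean; the page does not give
the toolkit's exact formula. All names, weights and scores are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Topic:
    name: str
    score: int      # assessed compliance, 0 (none) to 5 (full)
    weight: float   # management's relative importance for this control point

    def __post_init__(self):
        if not 0 <= self.score <= 5:
            raise ValueError(f"{self.name}: score must be in 0..5")
        if self.weight < 0:
            raise ValueError(f"{self.name}: weight must be non-negative")


def weighted_score(topics):
    """Weighted mean of topic scores, still on the 0-5 scale."""
    total_weight = sum(t.weight for t in topics)
    if total_weight == 0:
        raise ValueError("at least one topic needs a non-zero weight")
    return sum(t.score * t.weight for t in topics) / total_weight


def domain_score(sections):
    """Roll sections up by pooling their topics, so heavy topics keep their weight."""
    return weighted_score([t for topics in sections.values() for t in topics])


def remediation_order(sections, target):
    """Topics scoring below target, largest weighted shortfall first."""
    gaps = [
        (section, t.name, t.weight * (target - t.score))
        for section, topics in sections.items()
        for t in topics
        if t.score < target
    ]
    return sorted(gaps, key=lambda g: g[2], reverse=True)


# Constructed sample domain with two sections.
SAMPLE_DOMAIN = {
    "Access control": [
        Topic("User account management", score=2, weight=3),
        Topic("Privileged access review", score=1, weight=5),
        Topic("Password standards", score=4, weight=2),
    ],
    "Continuity": [
        Topic("Backup and restore testing", score=3, weight=4),
        Topic("Disaster recovery plan", score=5, weight=1),
    ],
}

if __name__ == "__main__":
    for name, topics in SAMPLE_DOMAIN.items():
        print(f"{name}: {weighted_score(topics):.2f}")
    print(f"Domain: {domain_score(SAMPLE_DOMAIN):.2f}")
    for section, topic, gap in remediation_order(SAMPLE_DOMAIN, target=4):
        print(f"  {section} / {topic}: weighted shortfall {gap:g}")
```

A heavily weighted topic with a low score dominates both the domain score and the remediation list, which is the effect the weighting is meant to have.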

More Information:
COBIT CITT - http://citt.privacyresources.org
ISACA - http://www.isaca.org

ISO 27000: The World Wide Phenomenon

Our source list for recent purchases of the standards always proves to
be a popular talking point. The most recent thousand or two is as

Argentina 6
Australia 27
Austria 7
Barbados 2
Belgium 16
Bermuda 1
Bosnia and Herzegovina 1
Brasil 29
Canada 144
Cayman Islands 1
Chile 4
China 25
Colombia 11
Costa Rica 1
Croatia 2
Cyprus 1
Denmark 17
Egypt 1
Estonia 1
France 22
Germany 75
Gibraltar 1
Greece 6
Hong Kong 15
Hungary 4
Iceland 1
India 56
Indonesia 5
Ireland 21
Israel 1
Italy 33
Jamaica 1
Japan 39
Jordan 1
Korea 3
Lebanon 1
Luxembourg 1
Malaysia 27
Malta 1
México 26
Netherlands 63
New Zealand 9
Norway 7
Panama 1
Peru 1
Philippines 11
Poland 10
Portugal 7
R.O.C. 1
Romania 3
Russia 15
Saudi Arabia 22
Singapore 23
Slovak Republic 1
Slovenia 1
South Africa 33
Spain 33
Sultanate of Oman 1
Sweden 19
Switzerland 71
Taiwan 3
Thailand 1
Tunisia 1
Turkey 12
UK 394
United Arab Emirates 21
USA 618
Venezuela 1

The normal health warnings apply: these are sales through an online
credit card store, so those cultures that are less familiar with this
type of commerce will be under represented.

ISO 27001/2: Common Mistakes Part 2

David Watson was one of the earliest exponents of the standards, and
is one of the most well known industry figures. In the second of this
series of articles for the ISO 27000 Newsletter he outlines some of
the most common errors and mistakes he has encountered over the years:


- There are rarely up to date job descriptions. If they do exist, they
seldom have any information security requirements in them for all

- Generally, little advice exists on reporting security incidents;

- Rarely are references checked properly - including for ‘sensitive’

- I have yet to see a Contractor's or a Consultant's references checked
to prove that they actually hold qualifications claimed. This can
allow all sorts of charlatans and criminals into your organization.
Lying on your CV in the UK is a criminal offence [eg: Shrewsbury and
Telford Hospitals NHS Trust case (up to 5 years in Jail for ‘Pecuniary
Advantage by Deception’). S16 of the Theft Act 1968 defines this as
‘Being given an opportunity to earn remuneration or greater
remuneration in an office or employment (e.g. where D lies about his
qualifications and secures a job as a result, the job is the pecuniary
advantage obtained by deception)’]

- There is frequently no process for HR checking of Third Parties or

- Contracts often do not afford adequate protection for the

- Confidentiality agreements are rarely used by the organization and
are not centrally recorded. Staff signing Confidentiality Agreements
or Non Disclosure Agreements (NDAs) often do not understand what they
are signing.


- Often, no-one is tasked with the job of monitoring security
regularly. This is frequently a part-time job for someone in IT who
gets pulled off it to do project work elsewhere;

- Sometimes no security awareness or training is undertaken for staff
or third parties working for the organization. Some HR departments
will not touch anything to do with Consultants, Contractors or other
third parties;

- Too often the Information Security Manager is an IT person who
reports to the IT Department with no ability to go direct to the
board. In effect, they are reporting on the people they are reporting
to. The chances of serious issues getting escalated in this setup are
slim, to say the least, unless it is so catastrophic it cannot be

- Outsource the problem – often with disastrous consequences. There
are numerous scare stories in the press about outsourcing, but few
organizations either monitor or manage outsourced contracts
appropriately. There are some good contractual and outsourcing
controls in A4.2.2 and A.4.3.1. - even if I say so myself – these were
carried forward from the 1999 version;

- Too little outside contact with similar minded professionals or
exchange of views with other security professionals is enabled;

- I sometimes encounter a wholly ineffectual Information Security
Forum that either rarely meets, has the wrong level staff attending,
has whole business areas that do not/will not get involved, does not
have the authority to alert the Board, and maintains no minutes for
meetings to show issues carried forward and resolved.


- There is often claimed to be no development or maintenance – but on
researching this it is often found not to be the case;

- Few standards are made available and implemented for development or
change management;

- Testing is often omitted – there is sometimes a ‘fix on fail’
mentality as someone in Marketing (for example) has promised the
delivery without consulting the Development Team. Some cynics would
say that this is why Microsoft has a beta testing program, but I could
not possibly comment;

- Source code is sometimes accessible from live systems;

- Little segregation of duties or development/testing/production

- Often ‘real’ data is used for testing that could divulge either
recent corporate data or personal data in breach of Data Protection
legislation. This is often not properly protected during use or at
disposal. Typically access control is less well implemented on
development or test systems than it is on ‘live’ or ‘production’

- On projects I sometimes find little (or out of date) documentation
and that none of the current staff were present when the project
started. This makes it impossible to determine how security was to be
addressed in the project, if at all.

ISO 27000 Related Definitions and Terms

In this edition of the ISO 27000 Newsletter we look at further
definitions and terms related to ISO 27001 and ISO 27002 that commence
with the letter “B”.

In the same way as this term means ‘made to measure’ in clothing, it
is used generally to describe software which has been written/
developed specifically for one organization. Bespoke differs from
customized in that customization usually refers to modification of
existing software rather than starting from scratch.

Beta Software
Term used to describe software which is almost fully developed but not
yet quite ready for release to the market, or internal users. The
Beta version of the software is preceded by the alpha version. Beta
versions of commercial programs are often made available to consumers
at attractive prices on the basis that there are numerous bugs still
to be sorted out, and the first batches of users to install the
product are, effectively, taking part in an enormous acceptance
testing program. The developer will take note of the findings and
comments made by Beta users to incorporate modifications, fixes,
patches, etc., in the version which is finally released. Beta versions
of software, whether purchased or developed in-house, should not be
installed on live systems and should never be used for mission
critical processes.

Binders are programs that allow hackers to ‘bind’ two or more programs
together to result in a single .EXE file. These may be useful tools
but they easily allow a hacker with malicious intent to insert Trojan
executables into harmless .EXE animations, e-greetings and other .EXEs
that are commonly passed around as e-mail attachments. The only way
to stop an executable from harming your PC is to run it in a proactive
‘sandbox’ environment and monitor its behavior for malicious activity
in real-time.

Biometric Access Controls
Security Access control systems which authenticate (verify the
identity of) users by means of physical characteristics (e.g. face,
fingerprints, voice, or retina pattern.).

BIOS is the Basic Input/Output System of a personal computer. The BIOS
contains the code which results in the loading (booting) of a
computer’s operating system e.g. Microsoft Windows®. The BIOS also
controls the flow of data to/from the operating system and peripheral
devices, such as printer, hard disk, keyboard and mouse.

Loss of data bits during a transmission. Such losses are usually self
evident when the incoming file is reviewed, but, occasionally the loss
is such that it goes unnoticed. Bit loss can be counteracted by use
of control totals.

Beam Me Up, Scotty. From the original Star Trek series, now used as a
plea for help by any techie in a tight spot. Also the source of the
term ‘Beam’.

It Couldn't Happen Here, Could It? True Stories:


A Security Officer working for one of the biggest corporations in the
world was slightly concerned when he noticed that from time to time
the "Time of last login" to the mainframe system did not always
correlate with his last activity. He was not, however, concerned
enough to do anything about it... until one day, he could not log in
because he was apparently already logged in. Panic ensued. Full
paranoia mode quickly followed.

The last activity warnings suddenly fell into place. He reasoned that
he was being monitored by someone, and working in security, that
'someone' must be a person perpetrating an attack, and making sure
that they were not being detected by him. He had been working on
several sensitive cases recently... this must be serious!

He escalated instantly, to try to catch the perpetrator whilst still
logged in. The management bought his assumptions and invoked emergency
procedures, closing non-critical systems (at cost) and creating a
'bridge' to investigate the actions and location of the perpetrator
'live' (Operations, Security and Audit management were paged to

They traced the perpetrator's precise location: internal... Database
Administration... Terminal c25k2. This was a team with live database
access, and there had been some costly database issues recently. So
off they went, mob handed, to c25k2.

The 'perpetrator' was taken completely by surprise, to say the least.
He did a great job in protesting his bewilderment, claiming he was
logged on as HIMSELF and had no idea what was going on. But looking at
the terminal, he was clearly logged in as the Security Officer.

Then, suddenly, the Auditor spotted his name on the ID block on his
desk. He had the same initials as the Security Officer. It surely
couldn't be... could it?

He asked him for his username and password. Username = cmmjs2, CMM was
the project code, with JS being his initials. The last character was
#2 because on this system JS1 had already been taken (by the Security
Officer of course).

Password? "October2006".

Auditor to Security Officer: "And your password is October2006 too,
isn't it?".

Bingo - case solved. The Database Administrator usually used cmmjs1,
but couldn't on this system, and so used cmmjs2 instead. However, he
sometimes forgot and went into auto-pilot during login, thus finding
himself logging in to someone else's account. When he noticed, he just
logged off.

Apart from everyone's time, the losses from this incident stemmed from
closure of some production systems for a couple of hours. Another loss
was the total loss of credibility of the specific Security Officer in
question, who was also "spoken to by senior management".

The incident did also demonstrate starkly:
- appalling security awareness by staff with respect to password
- a lack of proper procedures for emergency management and escalation
- a culture of "rules only apply to them" within the security area,
and a general sloppiness within.

They were lucky. It could have been much much worse.
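The "Time of last login" mismatches in this story were visible in login records well before anyone was paged. The following added example (not part of the newsletter) flags logins to an account from a terminal habitually used by a sibling account whose name differs only in its trailing sequence number; the log format, the terminals other than c25k2, the thresholds and all log lines are constructed assumptions.

```python
"""Flag logins to an account from a terminal that normally belongs to a
'sibling' account (same stem, different sequence number, e.g. cmmjs1/cmmjs2).

The log format and every log line below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
2006-10-02T08:58:10 LOGIN user=cmmjs1 terminal=c11a4
2006-10-02T09:05:22 LOGIN user=cmmjs2 terminal=c25k2
2006-10-02T09:11:40 LOGIN user=cmmrt1 terminal=c30b1
2006-10-03T08:49:55 LOGIN user=cmmjs2 terminal=c25k2
2006-10-03T09:01:17 LOGIN user=cmmjs1 terminal=c11a4
2006-10-03T09:14:02 LOGIN user=cmmrt1 terminal=c30b1
2006-10-04T08:55:31 LOGIN user=cmmjs1 terminal=c11a4
2006-10-04T09:02:41 LOGIN user=cmmjs1 terminal=c25k2
2006-10-04T09:03:05 LOGOUT user=cmmjs1 terminal=c25k2
2006-10-04T09:20:13 LOGIN user=opsadm terminal=c30b1
2006-10-05T09:03:48 LOGIN user=cmmjs1 terminal=c11a4
2006-10-05T09:10:09 LOGIN user=cmmjs2 terminal=c25k2
2006-10-05T09:12:30 LOGIN user=cmmrt1 terminal=c30b1
2006-10-06T08:52:27 LOGIN user=cmmjs2 terminal=c25k2
2006-10-09T08:57:03 LOGIN user=cmmjs1 terminal=c25k2
"""

LOGIN_LINE = re.compile(r"^(\S+) LOGIN user=(\S+) terminal=(\S+)$")


def stem(username):
    """Username without its trailing sequence digits (cmmjs2 -> cmmjs)."""
    return username.rstrip("0123456789")


def parse(log):
    """Yield (timestamp, user, terminal) for each LOGIN line; other lines are skipped."""
    for line in log.splitlines():
        match = LOGIN_LINE.match(line.strip())
        if match:
            yield match.groups()


def habitual_users(events, min_logins=3, min_share=0.6):
    """Map each terminal to its dominant account, if one clearly dominates."""
    per_terminal = defaultdict(Counter)
    for _, user, terminal in events:
        per_terminal[terminal][user] += 1
    owners = {}
    for terminal, counts in per_terminal.items():
        user, n = counts.most_common(1)[0]
        total = sum(counts.values())
        if total >= min_logins and n / total >= min_share:
            owners[terminal] = user
    return owners


def sibling_logins(log):
    """Return (timestamp, account, terminal, habitual_account) for each suspect login."""
    events = list(parse(log))
    owners = habitual_users(events)
    alerts = []
    for timestamp, user, terminal in events:
        owner = owners.get(terminal)
        if owner and user != owner and stem(user) == stem(owner):
            alerts.append((timestamp, user, terminal, owner))
    return alerts


if __name__ == "__main__":
    for timestamp, user, terminal, owner in sibling_logins(SAMPLE_LOG):
        print(f"{timestamp} {user} logged in at {terminal}, normally used by {owner}")
```

The login by opsadm at c30b1 is not flagged by this rule because its name shares no stem with the terminal's usual account; that case belongs to a broader unusual-terminal rule.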

Have you got something to say on the standards, or a fresh insight or
some information which might benefit others? If so, please feel free
to submit your contribution to us. Sponsors are also welcome.


We hope that you have found this issue to be informative and useful.
Subscription is entirely free (although 'opt-in' only). Please feel
free to pass this copy on to your friends and colleagues. If your
friends or colleagues wish to receive the newsletter directly, they
should simply send an email to: news@27005.com with a title of

Finally, the publishers accept no liability or responsibility for
errors or omissions in this newsletter. This also applies to any loss
or damage caused, arising directly or indirectly, by the use of or
reliance on the information contained within.

ISO 27001 and 27002 Newsletter