Latest ISO 27001 Security Newsletter (Issue 19) Published Today

Sue Thomas
10-28-08, 09:56 AM
The new issue is copied below in full:



Welcome to issue 19 of The ISO 27000 Newsletter. The information
provided is totally free to our subscribers and offers guidance on
practical issues and commentary on recent developments.

Covered in this edition are the following topics:

1) Obtaining the ISO 27001 and ISO 27002 Standards
2) ISO 17799? Or 27002?
3) Security Risk Management
4) ISMS Based Document Controls via ISO/IEC 27001
5) More ISO 17799/27001 Frequently Asked Questions
6) Trials and Tribulations of an Information Security Officer Part 3
7) Information Security News
8) Information Security within your Business Continuity Process
9) ISO 27000: The World Wide Phenomenon
10) ISO 27001/2: Common Mistakes Part 3
11) Protecting Against Malicious Code Attacks
12) ISO 27000 Related Definitions and Terms

Obtaining ISO 27001 And ISO 27002

The most frequent question we receive is "Where can I obtain a copy of
the standards?" The standards themselves are available from:

This is the web site for the ISO 27000 Toolkit. This download support
package includes both ISO 27001 and ISO 27002, and was created to help
those taking the first steps towards addressing the standards. It
includes both of the standards, audit checklists, a roadmap, a set of
ISO compliant security policies, and a range of other materials.

This is the BSI Online Standards Shop, a vending site for instant
downloadable copies.

17799? OR 27002?

We are still receiving a substantial number of enquiries from those
confused by the re-numbering of ISO 17799 to ISO 27002 last year. So
for clarity: the most recent edition of the core standard was
published in 2005, hence ISO 17799:2005. ISO 27002 is a re-name (a re-
badge) of this standard. The core content has NOT changed. Unless you
have some unique need or fetish, if you have a copy of ISO 17799:2005,
you do not need to replace it.

And for the record, The ISO 27000 Newsletter is in the camp of those
who would have waited until an upgrade of the actual contents of the
standard was necessary before re-naming it.

Security Risk Management

The management of risk is core to the implementation of ISO 27001. It
is a theme covered throughout the standard. But what is security risk
management? What is risk assessment?

A classical definition of Risk Assessment is one which describes it as
a process to ensure that the security controls for a system are fully
commensurate with its risks. This 'process', however, can be complex
in itself. Most methods though employ the following interrelated

Threats
These are things that can go wrong or that can 'attack' the system or
business. Examples might include fraud or fire. Threats are ever
present for every business and information system.

Vulnerabilities
These make a system more prone to attack by a threat, or make an
attack more likely to have some 'success' or undesired impact. For
example, for fire a vulnerability would be the presence of highly
flammable materials (e.g. paper).

Controls
These are the countermeasures for vulnerabilities. There are basically
four types:

Preventative controls protect vulnerabilities and make an attack
unsuccessful or reduce its impact
Corrective controls reduce the effect of an attack
Detective controls discover attacks and trigger preventative or
corrective controls.
Deterrent controls reduce the likelihood of a deliberate attack

It is common for all of these to be weighed against each other to
produce a set of metrics, which enable business decisions regarding
security to be taken more easily. Hence references to 'risk level',
'risk score' and so on.

Once risk has been measured, it has to be managed (risk management).
This is risk treatment, and can involve, for example, mitigation,
acceptance or transfer of the residual risks.
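An added example, not from the newsletter, of how the pieces above combine into a 'risk score': each risk in a small register is scored as likelihood x impact, the four control types reduce either the likelihood or the impact, and the residual score is compared with a stated risk appetite to pick a treatment. The 1-5 scales, the way each control type is credited, the appetite threshold of 6 and the three sample risks are all assumptions made for the illustration, not anything ISO 27001 or ISO 27005 prescribes.

```python
"""Added example (not from the newsletter): a small risk register scored as
likelihood x impact, with the four control types reducing likelihood or
impact, and a treatment chosen against a risk appetite. Scales, control
effects, the appetite threshold and the sample risks are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    kind: str      # "preventative", "corrective", "detective" or "deterrent"
    effect: float  # fraction of likelihood or impact the control removes, 0.0-1.0


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int      # 1 (negligible) .. 5 (severe), assumed scale
    controls: list = field(default_factory=list)

    def inherent(self) -> float:
        """Score before any control is credited."""
        return float(self.likelihood * self.impact)

    def residual(self) -> float:
        """Score after controls. Modelling assumption: preventative and
        deterrent controls cut likelihood, corrective controls cut impact,
        and a detective control is credited with half its effect on impact
        because it only helps once the corrective action it triggers runs."""
        lik, imp = float(self.likelihood), float(self.impact)
        for c in self.controls:
            if c.kind in ("preventative", "deterrent"):
                lik *= 1.0 - c.effect
            elif c.kind == "corrective":
                imp *= 1.0 - c.effect
            elif c.kind == "detective":
                imp *= 1.0 - c.effect / 2
            else:
                raise ValueError(f"unknown control type {c.kind!r}")
        return round(lik * imp, 2)


RISK_APPETITE = 6.0  # assumed: residual scores above this need further treatment


def treatment(risk: Risk, appetite: float = RISK_APPETITE) -> str:
    """Choose a treatment option for the residual risk."""
    r = risk.residual()
    if r <= appetite:
        return "accept"
    if risk.impact >= 4 and r > 2 * appetite:
        return "transfer"  # severe impact the controls cannot bring down, e.g. insure it
    return "mitigate"      # add controls and reassess


def register_report(risks, appetite: float = RISK_APPETITE):
    """One row per risk: asset, threat, inherent, residual, treatment."""
    return [(r.asset, r.threat, r.inherent(), r.residual(), treatment(r, appetite))
            for r in risks]


# Constructed sample register.
SAMPLE_RISKS = [
    Risk("paper archive", "fire", "flammable material stored on site", 3, 5,
         [Control("sprinklers", "corrective", 0.6),
          Control("smoke detectors", "detective", 0.2)]),
    Risk("payment system", "fraud", "single person can release a payment", 4, 4,
         [Control("dual authorisation", "preventative", 0.5)]),
    Risk("customer database", "theft", "unencrypted backup tapes in transit", 3, 5),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_RISKS):
        print(row)
```

The point of separating inherent from residual score is that the treatment decision is made on what is left after the controls you actually have, and the appetite line is a management decision that should be written down rather than implied by whoever fills in the spreadsheet.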

Adopting a comprehensive and formal risk management approach requires
a sound understanding of the principles of risk. Fortunately, as with
the standards themselves, a kit has emerged to educate and to assist
with all stages of the exercise. This is documented on its own site:

ISMS Based Document Controls via ISO/IEC 27001

ISO 27001 requires that documents associated with the design and
implementation of the Information Security Management System (ISMS)
are carefully controlled and protected. In order to achieve full
compliance with this section (4.3.2) it is necessary to define and
implement suitable procedures to cover this activity.

These procedures should be practical and effective, and should include
controls and requirements covering the following aspects:
• approval of documents to ensure adequacy prior to issue;
• update and review of critical documents and re-approval;
• change management controls and revision status identification;
• correct versions of applicable documents are available to users;
• legibility of information and readily identifiable ownership;
• availability of documents for those who are authorized;
• transfer and storage;
• document disposal controls in accordance with their classification;
• documents of external origin are separately identified;
• control of document distribution;
• protection and destruction of obsolete documents; and
• identification of documents as obsolete if they are retained

Implementation of a well designed and controlled ISMS will result in
fewer information security related incidents, lower organizational
risk, an enhanced reputation and significantly lower financial risk.

These are fundamental issues, not just theory. Now is a good time to
review your compliance in this area!

More ISO 17799/27001 Frequently Asked Questions

1) Have there been any recent developments with respect to ISO 27000?
Yes. A standard specific to security risk management has been
published, ISO 27005 (www.standards.bz/iso-27005.html). However, it
should be noted that there are a number of other standards also being
developed in this area, including ISO 31000 and BS 31100, and it is
currently unclear how these will relate, if at all.

2) Can I discuss the standards with other people online?
Yes. The two biggest forums are:

3) Who wrote the standards?
Originally a BSI committee, which included representatives from a wide
section of commerce/industry. It was subsequently reviewed by an ISO
committee and emerged through their publication process.

4) Can I republish articles from the ISO 27000 Newsletter internally,
or even on our external internet site?
Yes, subject to a link to our website (www.molemag.net).

5) How do I become a certified auditor?
IRCA, the International Register for Certified Auditors (http://
www.irca.org) operates a certification scheme for ISMS audit.

Trials and tribulations of a Part-time Information Security Officer –
Part 3

For those of you who have been reading in these newsletters the
problems I have been having with my various information security
projects at Whithertech, I can give you a quick update.

After much cajoling of my colleagues and other project team members we
eventually completed the information classification exercise. It is
one of those jobs that takes quite a while to set up retrospectively,
but once you get the hang of it is not too much trouble to keep
running. If you are interested in obtaining more information about how
I got started on this classification project please read Issue 18 of
this Newsletter.

Whithertech hit a new problem during the last week after our systems
went down and the live data became corrupted. This cost us nearly 24
hours in lost production time and the bosses have been complaining
bitterly. Utilizing some of the usual fire fighting practices that
Whithertech seems to be well known for, the techies solved the
problem, but after problem resolution it became clear that we did not
have any workable procedures for protecting the live environment when
emergency amendments needed to be made. In fact the programmers did
not even hesitate to amend the live programs directly in the live
environment. The problem therefore appeared to be solved in about 2
hours but then the untested emergency coding amendments created
additional problems that took another 20 hours to resolve! A bit of a
security nightmare really.

My manager called me in yesterday and said that he had been instructed
by the Board to improve the security procedures in this area and as
the part-time Information Security Officer it was (again) my job to
put it right. He said he would fully support me throughout the
project but then also said he wanted it sorted by the time he got back
from holiday on Friday week. Usual hands-on support then, I thought!

My first task, as always, was to consult my trusty Information
Security Officer’s Manual. This wealth of advice and guidance could
usually be relied upon to provide assistance when I did not know how
to implement information security related solutions. The manual
stated that it was normally forbidden for amendments to be made to
live data. This is to ensure that the integrity of the data is
preserved and that live data files are not accessed by individuals
with malicious intent, or who may corrupt live files accidentally. For
these reasons, access to the live data files is normally prevented
through the application of stringent access control and procedural

Software development and maintenance activities should never take
place using live data. The developers and maintenance engineers should
always work strictly within a development environment, and a
controlled testing program must be applied before software amendments
are incorporated into the live operational environment.

Any emergency data amendments must only be carried out within the
parameters of agreed procedures, and the manual stated that it is
normally the responsibility of the Information Security Officer to
ensure that such procedures are strictly complied with. The manual
further stated that the emergency data amendments should only be
permitted where:
• Organizational standards and procedures exist for amending live
• Such amendments are dealt with under emergency procedures
• Controls are placed over related audit trails
• Management's prior approval is obtained wherever possible
• Dual controls are applied to the changes
• Prints of affected data are taken both before and after the changes
• Files are adequately backed up prior to starting work
• Persons carrying out the amendment are specifically authorized to
undertake such tasks

An important aspect in the control of emergency data amendments is
apparently the recording of the actual amendment process and the
completion of suitable documentation to evidence that the procedures
have been complied with. Fortunately the manual also contained
templates for these forms and also advice on how to fill them in. It
looks on the face of it to be fairly easy to get this project up and
running, and I also seem to have a fighting chance of getting it
sorted before my boss returns from a hard week lying on a beach
somewhere. I will keep you posted.

NOTE: A comprehensive Information Security Officer's Manual is
documented on the following website: http://www.security-manual.com
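As an added example (not the newsletter's, and not taken from the manual it cites), here is what the emergency-amendment controls listed above look like when enforced in code rather than on a form: the requester and approver must be two different people, a reason is recorded, the affected table is backed up and a before image taken, the change is applied in a transaction, an after image is taken, and every step (including a failure) lands in an audit record. The table, the SQL change, the user names and the audit layout are assumptions; an in-memory SQLite database stands in for the live system.

```python
"""Added example (not from the newsletter or the manual it cites): an
emergency amendment to live data that enforces dual control, a backup,
before/after images and an audit record. Table layout, user names, the
SQL change and the audit layout are assumptions; SQLite stands in for
the live system."""
import hashlib
import json
import sqlite3
from datetime import datetime, timezone


def _snapshot(conn, table):
    """Before/after 'print' of the affected table: its rows and a digest of them."""
    rows = conn.execute(f"SELECT * FROM {table} ORDER BY 1").fetchall()
    digest = hashlib.sha256(json.dumps(rows, default=str).encode()).hexdigest()
    return rows, digest


def emergency_amend(conn, table, sql, params, requester, approver, reason, audit):
    """Apply one emergency SQL amendment to `table` and return its audit entry.

    Refuses unless two different, named people requested and approved it and
    a reason is recorded; backs the table up and takes a before image first;
    applies the change in a transaction; takes an after image; appends the
    whole record (including failures) to `audit`.
    """
    if not table.isidentifier():
        raise ValueError("table name must be a plain identifier")  # it is interpolated into SQL
    if not requester or not approver or requester == approver:
        raise PermissionError("dual control: requester and approver must be two different people")
    if not reason.strip():
        raise ValueError("an emergency amendment must carry a recorded reason")

    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    backup = f"{table}_bak_{stamp}_{len(audit) + 1}"  # counter keeps names unique within a second
    before_rows, before_hash = _snapshot(conn, table)
    conn.execute(f"CREATE TABLE {backup} AS SELECT * FROM {table}")  # backup before starting work

    entry = {"time": stamp, "table": table, "sql": sql, "params": list(params),
             "requester": requester, "approver": approver, "reason": reason,
             "backup": backup, "before_hash": before_hash, "before": before_rows}
    try:
        with conn:  # commit on success, roll back on error
            entry["rows_changed"] = conn.execute(sql, params).rowcount
    except sqlite3.Error as exc:
        entry.update(outcome="failed", error=str(exc))
        audit.append(entry)
        raise
    after_rows, after_hash = _snapshot(conn, table)
    entry.update(outcome="applied", after_hash=after_hash, after=after_rows)
    audit.append(entry)
    return entry


def demo():
    """Constructed live table with a corrupted balance, fixed under the procedure."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [(1, 100), (2, 250)])
    conn.commit()
    audit = []
    entry = emergency_amend(conn, "accounts",
                            "UPDATE accounts SET balance = ? WHERE id = ?", (275, 2),
                            requester="ops.oncall", approver="isec.officer",
                            reason="restore balance corrupted during outage", audit=audit)
    return conn, audit, entry


if __name__ == "__main__":
    _, audit, _ = demo()
    print(json.dumps(audit, indent=2, default=str))
```

In a real deployment the audit list would be written to a store the people making the change cannot edit, and the approver's identity would come from an authenticated session rather than a string argument; the shape of the record is the part worth keeping.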

Information Security News

1. 60% of Businesses Hit by Cybercrime
A recent US Department of Justice (http://www.usdoj.gov) survey (NCSS)
suggests that almost 60 percent of American businesses have suffered
one or more cyberattacks. Almost 75 percent of those stated that
insiders were responsible for the crimes. 11 percent of the
respondents reported actual losses.

2. 16,000 Infected Web Pages Discovered Daily
Sophos (http://www.sophos.com) have revealed that “Over 16,000 new
infected web pages are discovered every single day. That's one every
five seconds -- three times faster than the rate during 2007.”

3. Less Phishing Success Reported
Recent research by the Association of Payment Clearing Services
(APACS) [http://www.apacs.org.uk] indicates that those who took no
action on phishing emails rose from 75 percent in 2006 to 82 percent
last year. The flip side of this apparent increase is that the same
research indicates that one in three people have no anti-spyware
software installed.

4. Personal Information Loss
Further investigation has revealed that a missing Bank of New York
Mellon backup tape contained the social security numbers, addresses
and birth dates of far more people than originally estimated. The
figure is now thought to be 12 million, rather than the 4.5 million
initially reported. Meanwhile the personal information of thousands of
criminals in England and Wales, held on a USB drive, has been lost by
private firm PA Consulting.

5. Facebook and MySpace Attacked
Increased sophistication and processing functionality has resulted in
a worm outbreak on both Facebook and Myspace. This has now been
resolved, with both sites now working to prevent future attacks.

6. And Finally...
According to research by Credant Technologies, over 55,000 mobile
phones have been left in London taxis in the last six months. It also
found that over six thousand other devices (e.g. laptops) have been
left. It would therefore appear that a taxi ride is a high-risk
activity for potential data loss!

Information Security Within Your Business Continuity Process

ISO 27002 includes some useful advice and guidance on how to include
information security controls within your business continuity
process. Business continuity management is covered in more detail
within the BS 25999 standard, but ISO 27002 nevertheless includes
additional structural approaches that will certainly strengthen your
overall business continuity management process.

Section 14.1.1 states that “A managed process should be developed and
maintained for business continuity throughout the organization that
addresses the information security requirements needed for the
organization’s business continuity”.

This requirement, in essence, means that information security
processes must form an integral part of the overall BCM process. The
security standard goes on to provide further information on how to
incorporate key areas of your information security management system.
These are summarized as follows:
• identifying and analyzing the risks following a serious incident
including probability and impact on critical business processes;
• understanding the impact of information security incidents in terms
of interruptions to the business;
• considering risk mitigation options including insurance and risk
• identifying other preventive and mitigating safeguards;
• ensuring availability of resources to address the identified
information security shortfalls;
• ensuring the safety of personnel and the protection of facilities,
assets and processes;
• inclusion within business continuity plans of information security
• implementing regular testing and updating of the plans and processes;
• ensuring that responsibility for business continuity is incorporated
in the organization’s processes and management structure;

The vulnerabilities of the organization to serious business process
interruptions caused by information security shortfalls must be
identified and addressed. Reviewing these vulnerabilities from an
information security perspective should ensure that your business
continuity plans are comprehensive and meet overall information
security strategic objectives.

Further Information: The BCP Generator template: http://www.bcpgenerator.com

ISO 27000: The World Wide Phenomenon

Our source list for recent purchases of the standards always proves to
be a popular talking point. The most recent thousand or two is as
follows:

Argentina 5
Australia 28
Austria 8
Barbados 1
Belgium 15
Bermuda 1
Bosnia and Herzegovina 1
Brasil 31
Canada 140
Cayman Islands 1
Chile 3
China 29
Colombia 9
Costa Rica 1
Croatia 2
Cyprus 1
Denmark 14
Egypt 1
Estonia 1
France 29
Germany 81
Gibraltar 1
Greece 6
Hong Kong 16
Hungary 3
Iceland 1
India 60
Indonesia 3
Ireland 24
Israel 1
Italy 34
Jamaica 1
Japan 40
Jordan 1
Korea 3
Lebanon 1
Luxembourg 1
Malaysia 22
Malta 1
México 22
Netherlands 68
New Zealand 10
Norway 9
Panama 1
Peru 1
Philippines 10
Poland 11
Portugal 8
R.O.C. 1
Romania 4
Russia 17
Saudi Arabia 25
Singapore 25
Slovak Republic 1
Slovenia 1
South Africa 36
Spain 38
Sultanate of Oman 1
Sweden 22
Switzerland 61
Taiwan 3
Thailand 1
Tunisia 1
Turkey 14
UK 399
United Arab Emirates 23
USA 633
Venezuela 1

The normal health warnings apply: these are sales through an online
credit card store, so those cultures that are less familiar with this
type of commerce will be under represented.

ISO 27001/2: Common Mistakes Part 3

David Watson was one of the first exponents of the standards, and is
one of the most well known industry figures. In the third of this
series of articles for the ISO 27000 Newsletter he outlines some of
the most common errors and mistakes he has encountered over the years:

Physical & Environmental Security
• Supposedly secure buildings can easily have their physical security
breached by a variety of means (e.g. social engineering, piggybacking,
fire doors left open etc.);
• Power supplies are often unprotected against unauthorized access.
• Critical equipment is not always protected by UPS;
• Generators and UPS are often not regularly tested, or the test
results are not available;
• Equipment maintenance is not always carried out in accordance with
manufacturer's instructions – possibly invalidating the manufacturer's
• Off premises security of equipment is often overlooked by the
• Secure disposal / removal of equipment is often not recorded or
carried out securely, potentially leading to unauthorized disclosure
of information;
• Clear desk / screen processes are often not carried out, especially
in the IT Department. Usually, but not always, IT forces other users
to have clear screens, but often there is no clear desk process in
place and no lockable cabinets to store securely anything needed to be
locked away due to its classification. This can be exacerbated if
there is no information classification process in place and used
across the organization or if there are no handling procedures based
on the information classifications.

Asset Classification and Control
• There is often little or no concept of data or information
ownership, or of asset classification;
• There is often little control over movement of equipment;
• Security (if implemented) is not based on this process (or
associated risk management processes);
• There is sometimes little, if any, personal accountability by
anyone, especially owners (whether they are aware of their role or
• Owners rarely review their information from a security viewpoint;
• Information (of any sort) is rarely classified consistently and
handled according to the requirements of that classification

Protecting Against Malicious Code Attacks

Malicious code attacks are intended to destroy the integrity of
software and information. They constitute one of the highest risks in
today’s business environment, and despite receiving ongoing attention
within many organizations the risks are considered to be increasing
rather than decreasing.

These attacks are normally categorized into two location-based risk
areas: external attacks that emanate from outside the organization,
and internal attacks, originating from within the organization itself.
Most of the emphasis for safeguards is currently directed against the
external attacks through firewalls and virus checkers, for example.
However, of increasing concern is the likelihood of attacks from
internal sources.

ISO 27002 section 10.4.1 provides useful guidance for establishing
controls and safeguards that can help to protect against malicious
code attacks. This advice and guidance can be summarized as follows:
• implement controls preventing use of unauthorized software;
• implement policy to protect against risks of installing software or
files from external sources;
• regularly check for existence of unapproved files or unauthorized
• install suitable malicious code detection and repair software;
• implement security procedures to deal with malicious code attacks;
• develop suitable business continuity plans for recovering from
malicious code attacks;
• instigate procedures to regularly collect information about new
malicious code;
• develop controls to verify information relating to malicious code.
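One of the controls above, the regular check for unapproved or altered files, as an added example not drawn from ISO 27002 or the newsletter: a baseline of SHA-256 digests is taken for a directory tree and later compared against a fresh scan, reporting files that were added, removed or modified. The directory layout and file contents are constructed inline for the demo. Store the baseline somewhere an attacker on the monitored host cannot alter it (read-only media, or signed and kept off the box); otherwise a change to the baseline hides a change to the files.

```python
"""Added example (not from ISO 27002 or the newsletter): a file integrity
baseline. Build a map of path -> SHA-256 for a directory tree, store it,
and later compare a fresh scan against it to report added, removed and
modified files. The directory layout and contents are constructed inline."""
import hashlib
import json
import os
import tempfile


def _sha256(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Relative path -> {size, sha256} for every regular file under root.
    Symlinks are skipped so that a link pointed elsewhere cannot stand in
    for the file it replaced."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"size": os.path.getsize(full), "sha256": _sha256(full)}
    return baseline


def compare(baseline, current):
    """Report which files appeared, vanished or changed since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new
                           if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def save_baseline(baseline, path):
    # Keep this file off the monitored host or on read-only media: whoever
    # can rewrite the baseline can hide any change to the tree.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed tree: take a baseline, then tamper with it and re-check."""
    root = tempfile.mkdtemp(prefix="fim-")
    _write(root, "app/config.ini", b"[db]\nhost=db01\n")
    _write(root, "app/main.py", b"print('hello')\n")
    _write(root, "docs/readme.txt", b"approved build\n")
    baseline_file = os.path.join(tempfile.mkdtemp(prefix="fim-store-"), "baseline.json")
    save_baseline(build_baseline(root), baseline_file)

    _write(root, "app/config.ini", b"[db]\nhost=attacker.example\n")  # modified
    _write(root, "bin/helper.exe", b"MZ\x90\x00")                     # unapproved addition
    os.remove(os.path.join(root, "docs/readme.txt"))                  # removed
    return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Size is recorded alongside the digest only as a cheap first-pass check; the digest is what decides, since a replacement of the same length is exactly what a careful attacker produces.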

Critical business processes are often extremely vulnerable to
malicious code attacks. Disgruntled employees create a particularly
difficult threat to counteract if access controls and information
security controls are not up to the mark.

This is yet another area which should be regularly reviewed: how do
YOU measure up?

ISO 27000 Related Definitions and Terms

In this edition of the ISO 27000 Newsletter we look at further
definitions and terms related to ISO 27001 and ISO 27002 that commence
with the letter “I”.

Identity Hacking
Posting on the Internet or Bulletin Board(s) anonymously,
pseudonymously, or giving a completely false name/address/telephone
with intent to deceive. This is a controversial activity, generating
much discussion amongst those who maintain the net sites. There are
two cases in which problems can be caused for organizations:-
• a member of staff engages in such practices and is 'found out' by
net users, thereby associating the organization name with the
• a posting by an unrelated third party, pretending to be the
organization, or a representative.
In either case, if such posts are abusive, or otherwise intended to
stir up an argument, a possible result is a Flame Attack, or Mail

Impact Analysis
As part of an Information Security Risk Assessment, you should
identify the threats to your Business Assets and the impact such
threats could have, if the threat resulted in a genuine incident. Such
analysis should quantify the value of the Business Assets being
protected to help determine the appropriate level of safeguards.

Information Asset
An Information Asset is a definable piece of information, stored in
any manner which is recognized as 'valuable' to the organization. The
information which comprises an Information Asset, may be little more
than a prospect name and address file; or it may be the plans for the
release of the latest in a range of products to compete in the
Irrespective of the nature of the information assets themselves, they
all have one or more of the following characteristics:-
• They are recognized to be of value to the organization.
• They are not easily replaceable without cost, skill, time, resources
or a combination.
• They form a part of the organization's corporate identity, without
which, the organization may be threatened.
• Their Data Classification would normally be Proprietary, Highly
Confidential or even Top Secret.
It is the purpose of Information Security to identify the threats
against, the risks and the associated potential damage to, and the
safeguarding of Information Assets.

Information Owner
The person who creates, or initiates the creation or storage of the
information, is the initial owner. In an organization, possibly with
divisions, departments and sections, the owner becomes the unit itself
with the person responsible, being the designated 'head' of that
The Information owner is responsible for ensuring that :-
• A classification hierarchy is agreed and is appropriate for the
types of information processed by that business unit.
• All information is assigned to the agreed types and an inventory
(listing) of each type is created.
• For each classification type, the appropriate level of information
security safeguards is available, e.g. the logon controls and access
permissions applied by the Information Custodian provide the required
level of confidentiality.
• Checks are performed periodically to ensure that information
continues to be classified appropriately and that the safeguards
remain valid and operative.

Information Security Incident
An Information Security incident is an event which appears to be a
breach of the organization's Information Security safeguards. It is
important to respond calmly and to follow a logical procedure, first
to prevent the breach from continuing, if possible, and second, to
inform the appropriate person(s) within the organization; this usually
includes the appointed Security Officer. Where a member of staff fails
to observe Information Security procedures, this is not, of itself, an
Information Security incident. However, depending on the severity of
the incident, disciplinary and/or improved procedures may be

Information Security Policy
Information Security Policy is an organizational document usually
ratified by senior management and distributed throughout an
organization to anyone with access rights to the organization's IT
systems or information resources.
The Information Security Policy aims to reduce the risk of, and
minimize the effect (or cost) of, security incidents. It establishes
the ground rules under which the organization should operate its
information systems. The formation of the Information Security Policy
will be driven by many factors, a key one of which is risk. How much
risk is the organization willing and able to accept? The individual
Information Security Policies should each be observed by personnel and
contractors alike. Some policies will be observed only by persons with
a specific job function, e.g. the System Administrator; other Policies
are to be complied with by all members of staff. Compliance with the
organization's Information Security Policy should be incorporated
into both the Terms and Conditions of Employment and the employee's
Job Description.

It Couldn't Happen Here, Could It? True Stories:

We have highlighted these two before, but we continue to hear horror
stories which fundamentally amount to the same causes.

1) A company in London developed a range of new products mainly by
utilizing the services of one of its employees who was particularly
skilled at these activities. Once these products had been developed,
they were successfully marketed by the firm and a good revenue stream
emanated from this new business area.

Unfortunately, the firm had not considered protecting the intellectual
property rights of work undertaken during the employee’s time with
them and it was subsequently successfully sued by the employee who had
authored the products, and who then claimed ownership over the
intellectual property rights contained within them.

The lesson to be learned here is that employees' contracts should
clearly state the ownership of any work developed for the company
during his/her employment. This intellectual property agreement should
be signed by the employee to signify acceptance of these terms and
conditions prior to undertaking this type of work.

2) A mainframe programmer in a large organization thought it would be
a hoot to collect the passwords of his colleagues and explore what
they actually had filed under their own user-ids.

To achieve this, he wrote a very simple script to emulate the exact
look of the standard welcome screen for logon. The script didn't logon
of course, instead it provided a duplicate of the user-id/password
screen, and then filed the input provided by the user to a common
area. Instead of then logging the user onto the system, it presented
the 'System is not available' message. The user invariably got up and
walked away at this point, enabling him to quickly retrieve the
gathered authentication details.

Unfortunately, armed with a growing number of access details, he could
not resist going further than just being nosey. He began to actively
seek more information, first on himself, then on others. Realizing
that he could do so apparently anonymously, he was soon changing
information. Quickly, he was out of control and was accessing and
changing files almost every day.

He was only caught when someone spotted that the 'last logon' date for
their account was clearly incorrect (they had only just returned from
holiday). Their report was taken seriously, and observation and
investigation initiated.

Hardly surprisingly, his excuse that he was "only having fun" was not
enough to save him.
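The catch in the second story was one user noticing that their 'last logon' date fell inside their holiday. That check can be run for every account rather than left to chance. Added example, not part of the newsletter: the log line format, the user and terminal names and the absence calendar are invented for the demo. The script parses successful logons, reports each account's last logon (the value the welcome screen shows), and flags any logon that falls inside a recorded period of absence for that account's owner.

```python
"""Added example (not from the newsletter): the 'last logon looked wrong'
check from the story, run over every account. Log format, user names,
terminal names and the absence calendar are invented for the demo."""
import re
from datetime import date, datetime

# Assumed logon record layout, one event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) LOGON "
    r"user=(?P<user>\S+) term=(?P<term>\S+) result=(?P<res>OK|FAIL)$")


def parse_logons(lines):
    """Parse well-formed logon lines; skip anything else rather than guess."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                           "term": m["term"], "ok": m["res"] == "OK"})
    return events


def last_logon(events):
    """user -> timestamp of the most recent successful logon (what the
    welcome screen shows the user)."""
    last = {}
    for e in events:
        if e["ok"] and (e["user"] not in last or e["ts"] > last[e["user"]]):
            last[e["user"]] = e["ts"]
    return last


def flag_absent_logons(events, absences):
    """Successful logons that fall inside the account owner's recorded absence.
    absences: user -> list of (first_day, last_day) date pairs, inclusive."""
    flagged = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if not e["ok"]:
            continue
        for first, last in absences.get(e["user"], ()):
            if first <= e["ts"].date() <= last:
                flagged.append((e["user"], e["ts"].isoformat(), e["term"]))
                break
    return flagged


# Constructed sample log and leave calendar.
SAMPLE_LOG = """
2008-10-03T08:02:11 LOGON user=jsmith term=TSO01 result=OK
2008-10-09T09:00:30 LOGON user=abrown term=TSO04 result=OK
2008-10-09T22:41:00 LOGON user=jsmith term=TSO17 result=OK
2008-10-10T07:55:02 LOGON user=abrown term=TSO04 result=FAIL
2008-10-20T08:05:00 LOGON user=jsmith term=TSO01 result=OK
garbage line that should be ignored
""".strip().splitlines()

SAMPLE_ABSENCES = {"jsmith": [(date(2008, 10, 6), date(2008, 10, 17))]}


def demo():
    events = parse_logons(SAMPLE_LOG)
    return last_logon(events), flag_absent_logons(events, SAMPLE_ABSENCES)


if __name__ == "__main__":
    last, flagged = demo()
    for user, ts in sorted(last.items()):
        print(f"{user}: last logon {ts}")
    for user, ts, term in flagged:
        print(f"ALERT {user} logged on from {term} at {ts} while recorded absent")
```

The absence calendar is the piece most organizations already hold (in HR or the leave system) and never feed to the people watching logon records; joining the two turns a lucky observation into a routine report.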

The Manager and The Password (True Story: trivia):
Manager: "Could you come here and check out why my password doesn't
Technical Support: "I'll be over there in a moment"

The technical support employee walked up to the manager's keyboard,
pressed the caps lock key and walked out again. Problem solved.

ISO 27001 and 27002 Newsletter