Latest ISO 27001 Security Newsletter (Issue 19) Published Today

Discussion in 'Computer Security' started by Sue Thomas, Oct 28, 2008.

    The new issue is copied below in full:



    Welcome to issue 19 of The ISO 27000 Newsletter. The information
    provided is totally free to our subscribers and offers guidance on
    practical issues and commentary on recent developments.

    Covered in this edition are the following topics:

    1) Obtaining the ISO 27001 and ISO 27002 Standards
    2) ISO 17799? Or 27002?
    3) Security Risk Management
    4) ISMS Based Document Controls via ISO/IEC 27001
    5) More ISO 17799/27001 Frequently Asked Questions
    6) Trials and Tribulations of an Information Security Officer Part 3
    7) Information Security News
    8) Information Security within your Business Continuity Process
    9) ISO 27000: The World Wide Phenomenon
    10) ISO 27001/2: Common Mistakes Part 3
    11) Protecting Against Malicious Code Attacks
    12) ISO 27000 Related Definitions and Terms

    Obtaining ISO 27001 And ISO 27002

    The most frequent question we receive is "Where can I obtain a copy of
    the standards?" The standards themselves are available from two
    sources:
    The first is the web site for the ISO 27000 Toolkit. This download
    support package was created to help those taking the first steps
    towards addressing the standards. It includes both ISO 27001 and ISO
    27002, audit checklists, a roadmap, a set of ISO compliant security
    policies, and a range of other materials.
    The second is the BSI Online Standards Shop, a vending site for
    instant downloadable copies.

    17799? OR 27002?

    We are still receiving a substantial number of enquiries from those
    confused by the re-numbering of ISO 17799 to ISO 27002 last year. So
    for clarity: the most recent edition of the core standard was
    published in 2005, hence ISO 17799:2005. ISO 27002 is a re-name (a re-
    badge) of this standard. The core content has NOT changed. Unless you
    have some unique need or fetish, if you have a copy of ISO 17799:2005,
    you do not need to replace it.

    And for the record, The ISO 27000 Newsletter is in the camp of those
    who would have waited until an upgrade of the actual contents of the
    standard was necessary before re-naming it.

    Security Risk Management

    The management of risk is core to the implementation of ISO 27001. It
    is a theme covered throughout the standard. But what is security risk
    management? What is risk assessment?

    A classical definition of risk assessment describes it as a process
    to ensure that the security controls for a system are fully
    commensurate with its risks. This 'process', however, can be complex
    in itself. Most methods, though, employ the following interrelated
    elements:

    Threats
    These are things that can go wrong or that can 'attack' the system or
    business. Examples might include fraud or fire. Threats are ever
    present for every business and information system.

    Vulnerabilities
    These make a system more prone to attack by a threat, or make an
    attack more likely to have some 'success' or undesired impact. For
    example, for fire a vulnerability would be the presence of highly
    flammable materials (e.g. paper).

    Controls
    These are the countermeasures for vulnerabilities. There are basically
    four types:
    • Preventative controls protect vulnerabilities and make an attack
    unsuccessful or reduce its impact;
    • Corrective controls reduce the effect of an attack;
    • Detective controls discover attacks and trigger preventative or
    corrective controls;
    • Deterrent controls reduce the likelihood of a deliberate attack.

    It is common for all these to be weighed against each other to produce
    a set of metrics which enable business decisions regarding security
    to be taken more easily. Hence the references to 'risk level', 'risk
    score' and so on.

    Once risk has been measured, it has to be managed (risk management).
    This can involve, for example, mitigating the risk with further
    controls, transferring it (e.g. through insurance), avoiding the
    activity that gives rise to it, or formally accepting the residual
    risk that remains after treatment.
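    The weighing described above, as an added worked example (this is not
    code from the newsletter or from any ISO document): a small risk
    register in which each entry carries a threat, a vulnerability and a
    list of typed controls, scored as likelihood x impact on an assumed
    1-5 scale. Deterrent and preventative controls are assumed to lower
    likelihood, corrective controls to lower impact, and a detective
    control to count only when there is a corrective control for its alarm
    to trigger. The register entries and the treatment thresholds are
    constructed illustrations.

```python
"""Weighing threats, vulnerabilities and controls into a risk score.

Added example, not from the ISO 27000 Newsletter or any ISO document.
Assumptions: a 1-5 likelihood and 1-5 impact scale, score = likelihood x
impact, deterrent/preventative controls reduce likelihood, corrective
controls reduce impact, detective controls reduce impact only when a
corrective control exists, and the treatment thresholds below.
"""
from dataclasses import dataclass, field

LOW, HIGH = 1, 5  # assumed scale bounds


@dataclass
class Control:
    name: str
    kind: str              # "deterrent" | "preventative" | "detective" | "corrective"
    effect: int = 1        # scale points removed by the control (assumed)
    effective: bool = True  # False when a review shows the control is not operating


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int        # chance of the threat exploiting the vulnerability
    impact: int            # harm to the business if it does
    controls: list = field(default_factory=list)


def clamp(v: int) -> int:
    return max(LOW, min(HIGH, v))


def inherent_score(r: Risk) -> int:
    """Score before any control is taken into account."""
    return clamp(r.likelihood) * clamp(r.impact)


def residual_score(r: Risk) -> int:
    """Score after the effective controls are applied by type."""
    likelihood, impact = r.likelihood, r.impact
    live = [c for c in r.controls if c.effective]
    # A detective control only helps if something corrective can act on the alarm.
    can_correct = any(c.kind == "corrective" for c in live)
    for c in live:
        if c.kind in ("deterrent", "preventative"):
            likelihood -= c.effect
        elif c.kind == "corrective":
            impact -= c.effect
        elif c.kind == "detective" and can_correct:
            impact -= c.effect
    return clamp(likelihood) * clamp(impact)


def treatment(score: int, appetite: int = 6) -> str:
    """Map a residual score to a treatment option (thresholds assumed)."""
    if score <= appetite:
        return "accept"
    if score >= 20:
        return "avoid or transfer"
    return "mitigate"


def sample_register() -> list:
    """Constructed entries, not data from any real assessment."""
    return [
        Risk("payroll server", "fire", "paper stored in the server room", 2, 5, [
            Control("gas fire suppression", "preventative"),
            Control("off-site backups", "corrective", effect=2),
            Control("smoke detectors", "detective"),
        ]),
        Risk("customer database", "insider fraud", "shared admin account", 4, 4, [
            Control("audit logging plus disciplinary policy", "deterrent"),
            Control("monthly log review", "detective"),  # nothing corrective to trigger
        ]),
        Risk("web server", "malware", "unpatched operating system", 5, 3, [
            Control("anti-virus", "preventative", effective=False),  # signatures stale
        ]),
        Risk("trading platform", "denial of service", "single internet link", 4, 5),
    ]


def assess(register: list) -> list:
    """Return (asset, threat, inherent, residual, treatment) rows, worst first."""
    rows = [(r.asset, r.threat, inherent_score(r), residual_score(r),
             treatment(residual_score(r))) for r in register]
    return sorted(rows, key=lambda row: row[3], reverse=True)


if __name__ == "__main__":
    for asset, threat, inh, res, act in assess(sample_register()):
        print(f"{asset:18} {threat:18} inherent={inh:2} residual={res:2} -> {act}")
```

    Two things the table makes visible that a narrative assessment tends
    to hide: a control that is installed but not operating (the stale
    anti-virus) contributes nothing to the residual score, and a detective
    control with no corrective response behind it (the monthly log review)
    does not either.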

    Adopting a comprehensive and formal risk management approach requires
    a sound understanding of the principles of risk. Fortunately, as with
    the standards themselves, a kit has emerged to educate and to assist
    with all stages of the exercise. This is documented on its own site:

    ISMS Based Document Controls via ISO/IEC 27001

    ISO 27001 requires that documents associated with the design and
    implementation of the Information Security Management System (ISMS)
    are carefully controlled and protected. In order to achieve full
    compliance with this section (4.3.2) it is necessary to define and
    implement suitable procedures to cover this activity.

    These procedures should be practical and effective. Included should
    be controls and requirements embracing the following aspects:
    • approval of documents to ensure adequacy prior to issue;
    • update and review of critical documents and re-approval;
    • change management controls and revision status identification;
    • correct versions of applicable documents are available to users;
    • legibility of information and readily identifiable ownership;
    • availability of documents for those who are authorized;
    • transfer and storage;
    • document disposal controls in accordance with their classification;
    • documents of external origin are separately identified;
    • control of document distribution;
    • protection and destruction of obsolete documents; and
    • identification of documents as obsolete if they are retained

    Implementation of a well designed and controlled ISMS should result in
    fewer information security related incidents, lower organizational
    risk, an enhanced reputation and significantly lower financial
    exposure.

    These are fundamental issues, not just theory. Now is a good time to
    review your compliance in this area!

    More ISO 17799/27001 Frequently Asked Questions

    1) Have there been any recent developments with respect to ISO 27000?
    Yes. A standard specific to security risk management has been
    published, ISO 27005. However, it should be noted that there are a
    number of other standards also being developed in this area,
    including ISO 31000 and BS 31100, and it is currently unclear how
    these will relate, if at all.

    2) Can I discuss the standards with other people online?
    Yes. The two biggest forums are:

    3) Who wrote the standards?
    Originally a BSI committee, which included representatives from a wide
    section of commerce and industry (the standard began life as BS 7799).
    It was subsequently reviewed by an ISO committee and emerged through
    their publication process.

    4) Can I republish articles from the ISO 27000 Newsletter internally,
    or even on our external internet site?
    Yes, subject to a link to our website (

    5) How do I become a certified auditor?
    IRCA, the International Register of Certificated Auditors, operates a
    certification scheme for ISMS auditors.

    Trials and tribulations of a Part-time Information Security Officer –
    Part 3

    For those of you who have been reading in these newsletters the
    problems I have been having with my various information security
    projects at Whithertech, I can give you a quick update.

    After much cajoling of my colleagues and other project team members we
    eventually completed the information classification exercise. It is
    one of those jobs that takes quite a while to set up retrospectively,
    but once you get the hang of it is not too much trouble to keep
    running. If you are interested in obtaining more information about how
    I got started on this classification project please read Issue 18 of
    this Newsletter.

    Whithertech hit a new problem during the last week after our systems
    went down and the live data became corrupted. This cost us nearly 24
    hours in lost production time and the bosses have been complaining
    bitterly. Utilizing some of the usual fire fighting practices that
    Whithertech seems to be well known for, the techies solved the
    problem, but after problem resolution it became clear that we did not
    have any workable procedures for protecting the live environment when
    emergency amendments needed to be made. In fact the programmers did
    not even hesitate to amend the live programs directly in the live
    environment. The problem therefore appeared to be solved in about 2
    hours but then the untested emergency coding amendments created
    additional problems that took another 20 hours to resolve! A bit of a
    security nightmare really.

    My manager called me in yesterday and said that he had been instructed
    by the Board to improve the security procedures in this area and as
    the part-time Information Security Officer it was (again) my job to
    put it right. He said he would fully support me throughout the
    project but then also said he wanted it sorted by the time he got back
    from holiday on Friday week. Usual hands-on support then, I thought!

    My first task, as always, was to consult my trusty Information
    Security Officer’s Manual. This wealth of advice and guidance could
    usually be relied upon to provide assistance when I did not know how
    to implement information security related solutions. The manual
    stated that it was normally forbidden for amendments to be made to
    live data. This is to ensure that the integrity of the data is
    preserved and that live data files are not accessed by individuals
    with malicious intent, or who may corrupt live files accidentally. For
    these reasons, access to the live data files is normally prevented
    through the application of stringent access control and procedural

    Software development and maintenance activities should never take
    place using live data. The developers and maintenance engineers should
    always work strictly within a development environment, and a
    controlled testing program must be applied before software amendments
    are incorporated into the live operational environment.

    Any emergency data amendments must only be carried out within the
    parameters of agreed procedures, and the manual stated that it is
    normally the responsibility of the Information Security Officer to
    ensure that such procedures are strictly complied with. The manual
    further stated that the emergency data amendments should only be
    permitted where:
    • Organizational standards and procedures exist for amending live
    • Such amendments are dealt with under emergency procedures
    • Controls are placed over related audit trails
    • Management's prior approval is obtained wherever possible
    • Dual controls are applied to the changes
    • Prints of affected data are taken both before and after the changes
    • Files are adequately backed up prior to starting work
    • Persons carrying out the amendment are specifically authorized to
    undertake such tasks

    An important aspect in the control of emergency data amendments is
    apparently the recording of the actual amendment process and the
    completion of suitable documentation to evidence that the procedures
    have been complied with. Fortunately the manual also contained
    templates for these forms and advice on how to fill them in. It
    looks on the face of it to be fairly easy to get this project up and
    running, and I also seem to have a fighting chance of getting it
    sorted before my boss returns from a hard week lying on a beach
    somewhere. I will keep you posted.

    NOTE: A comprehensive Information Security Officer's Manual is
    documented on the following website:
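    The emergency amendment controls the column lists (named
    authorization, dual control, prior approval, a backup before work
    starts, before and after prints, and a controlled audit trail), as an
    added example that is not code from the manual or the newsletter. It
    applies those controls to a single flat data file; the set of
    authorized accounts, the ticket reference used as evidence of
    management approval, the evidence directory layout and the audit
    record format are all assumptions, and the sample file content is
    constructed.

```python
"""Emergency amendment of a live data file under dual control.

Added example, not from the Information Security Officer's Manual or
the newsletter. Assumptions: the AUTHORIZED set of role accounts, a
ticket string standing in for management approval, 'before'/'after'
copies plus SHA-256 digests as the prints, and a JSON-lines audit log
that is only ever appended to.
"""
import hashlib
import json
import shutil
import time
from pathlib import Path

AUTHORIZED = {"ops.lead", "dba.oncall", "iso"}  # assumed named role accounts


class AmendmentRefused(Exception):
    """Raised when a precondition of the emergency procedure is not met."""


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def emergency_amend(live: Path, new_content: bytes, *, requester: str,
                    approver: str, ticket: str, evidence_dir: Path,
                    audit_log: Path) -> dict:
    # Persons carrying out the amendment must be specifically authorized.
    for who in (requester, approver):
        if who not in AUTHORIZED:
            raise AmendmentRefused(f"{who} is not authorized for live amendments")
    # Dual control: a second, different person must approve.
    if requester == approver:
        raise AmendmentRefused("dual control requires a second person")
    # Management approval is evidenced by an emergency change ticket.
    if not ticket:
        raise AmendmentRefused("no emergency change ticket reference")

    evidence_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    # Back up before starting work; the copy doubles as the 'before' print.
    before = evidence_dir / f"{live.name}.{ticket}.{stamp}.before"
    shutil.copy2(live, before)
    before_hash = sha256_of(before)

    live.write_bytes(new_content)  # the amendment itself

    after = evidence_dir / f"{live.name}.{ticket}.{stamp}.after"
    shutil.copy2(live, after)  # the 'after' print
    record = {
        "ticket": ticket, "file": str(live), "requester": requester,
        "approver": approver, "when": stamp,
        "before": str(before), "before_sha256": before_hash,
        "after": str(after), "after_sha256": sha256_of(after),
    }
    with audit_log.open("a", encoding="utf-8") as f:  # append-only trail
        f.write(json.dumps(record) + "\n")
    return record


def verify_audit(audit_log: Path) -> list:
    """Re-check every audit record against its evidence copies.

    Returns (ticket, ok) pairs; ok is False when a copy is missing or its
    digest no longer matches what was recorded at the time."""
    results = []
    for line in audit_log.read_text(encoding="utf-8").splitlines():
        rec = json.loads(line)
        ok = True
        for key in ("before", "after"):
            p = Path(rec[key])
            ok = ok and p.exists() and sha256_of(p) == rec[f"{key}_sha256"]
        results.append((rec["ticket"], ok))
    return results


def rollback(record: dict) -> str:
    """Restore the live file from the 'before' copy; returns the live digest."""
    shutil.copy2(record["before"], record["file"])
    return sha256_of(Path(record["file"]))
```

    The evidence directory and the audit log should live on storage the
    amending accounts cannot write to freely (an append-only share or a
    log host), otherwise the same person who makes an unapproved change
    can tidy the trail afterwards; verify_audit is what an auditor runs to
    confirm the recorded prints still match the copies on disk.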

    Information Security News

    1. 60% of Businesses Hit by CyberCrime
    The US Department of Justice's National Computer Security Survey (NCSS)
    suggests that almost 60 percent of American businesses have suffered
    one or more cyberattacks. Almost 75 percent of those stated that
    insiders were responsible for the crimes. 11 percent of the
    respondents reported actual losses.

    2. 16,000 Infected Web Pages Discovered Daily
    Sophos has revealed that "Over 16,000 new infected web pages are
    discovered every single day. That's one every five seconds -- three
    times faster than the rate during 2007."

    3. Less Phishing Success Reported
    Recent research by the Association for Payment Clearing Services
    (APACS) indicates that the proportion of people who took no action on
    phishing emails rose from 75 percent in 2006 to 82 percent last year.
    The flip side of this apparent improvement is that the same research
    indicates that one in three people have no anti-spyware software
    installed.

    4. Personal Information Loss
    Further investigation has revealed that a missing Bank of New York
    Mellon backup tape contained the social security numbers, addresses
    and birth dates of far more people than originally estimated. The
    figure is now thought to be 12 million, rather than the 4.5 million
    initially reported. Meanwhile the personal information of thousands of
    criminals in England and Wales, held on a USB drive, has been lost by
    the private firm PA Consulting.

    5. Facebook and MySpace Attacked
    Increasingly sophisticated attacks on social networking functionality
    have resulted in a worm outbreak on both Facebook and MySpace. This
    has now been resolved, with both sites now working to prevent future
    attacks.

    6. And Finally...
    According to research by Credant Technologies, over 55,000 mobile
    phones have been left in London taxis in the last six months. It also
    found that over six thousand other devices (e.g. laptops) have been
    left. It would therefore appear that a taxi ride is a high-risk
    activity for potential data loss!

    Information Security Within Your Business Continuity Process

    ISO 27002 includes some useful advice and guidance on how to include
    information security controls within your business continuity
    process. Business continuity management is covered in more detail
    within the BS 25999 standard, but ISO 27002 nevertheless includes
    additional structural approaches that will certainly strengthen your
    overall business continuity management process.

    Section 14.1.1 states that “A managed process should be developed and
    maintained for business continuity throughout the organization that
    addresses the information security requirements needed for the
    organization’s business continuity”.

    This requirement, in essence, means that information security
    processes must form an integral part of the overall BCM process. The
    security standard goes on to provide further information on how to
    incorporate key areas of your information security management system.
    These are summarized as follows:
    • identifying and analyzing the risks following a serious incident
    including probability and impact on critical business processes;
    • understanding the impact of information security incidents in terms
    of interruptions to the business;
    • considering risk mitigation options including insurance and risk
    • identifying other preventive and mitigating safeguards;
    • ensuring availability of resources to address the identified
    information security shortfalls;
    • ensuring the safety of personnel and the protection of facilities,
    assets and processes;
    • inclusion within business continuity plans of information security
    • implementing regular testing and updating of the plans and processes;
    • ensuring that responsibility for business continuity is incorporated
    in the organization’s processes and management structure;

    The vulnerabilities of the organization to serious business process
    interruptions caused by information security shortfalls must be
    identified and addressed. Reviewing these vulnerabilities from an
    information security perspective should ensure that your business
    continuity plans are comprehensive and meet overall information
    security strategic objectives.

    Further Information: The BCP Generator template:

    ISO 27000: The World Wide Phenomenon

    Our country list for recent purchases of the standards always proves to
    be a popular talking point. The most recent thousand or two are as
    follows:

    Argentina 5
    Australia 28
    Austria 8
    Barbados 1
    Belgium 15
    Bermuda 1
    Bosnia and Herzegovina 1
    Brasil 31
    Canada 140
    Cayman Islands 1
    Chile 3
    China 29
    Colombia 9
    Costa Rica 1
    Croatia 2
    Cyprus 1
    Denmark 14
    Egypt 1
    Estonia 1
    France 29
    Germany 81
    Gibraltar 1
    Greece 6
    Hong Kong 16
    Hungary 3
    Iceland 1
    India 60
    Indonesia 3
    Ireland 24
    Israel 1
    Italy 34
    Jamaica 1
    Japan 40
    Jordan 1
    Korea 3
    Lebanon 1
    Luxembourg 1
    Malaysia 22
    Malta 1
    México 22
    Netherlands 68
    New Zealand 10
    Norway 9
    Panama 1
    Peru 1
    Philippines 10
    Poland 11
    Portugal 8
    R.O.C. 1
    Romania 4
    Russia 17
    Saudi Arabia 25
    Singapore 25
    Slovak Republic 1
    Slovenia 1
    South Africa 36
    Spain 38
    Sultanate of Oman 1
    Sweden 22
    Switzerland 61
    Taiwan 3
    Thailand 1
    Tunisia 1
    Turkey 14
    UK 399
    United Arab Emirates 23
    USA 633
    Venezuela 1

    The normal health warnings apply: these are sales through an online
    credit card store, so those cultures that are less familiar with this
    type of commerce will be under represented.

    ISO 27001/2: Common Mistakes Part 3

    David Watson was one of the first exponents of the standards, and is
    one of the most well known industry figures. In the third of this
    series of articles for the ISO 27000 Newsletter he outlines some of
    the most common errors and mistakes he has encountered over the years:

    Physical & Environmental Security
    • Supposedly secure buildings can easily have their physical security
    breached by a variety of means (e.g. social engineering, piggybacking,
    fire doors left open etc.);
    • Power supplies are often unprotected against unauthorized access.
    • Critical equipment is not always protected by UPS;
    • Generators and UPS are often not regularly tested, or the test
    results are not available;
    • Equipment maintenance is not always carried out in accordance with
    manufacturer's instructions – possibly invalidating the manufacturer's
    • Off premises security of equipment is often overlooked by the
    • Secure disposal / removal of equipment is often not recorded or
    carried out securely, potentially leading to unauthorized disclosure
    of information;
    • Clear desk / screen processes are often not carried out, especially
    in the IT Department. Usually, but not always, IT forces other users
    to have clear screens, but often there is no clear desk process in
    place and no lockable cabinets to store securely anything needed to be
    locked away due to its classification. This can be exacerbated if
    there is no information classification process in place and used
    across the organization or if there are no handling procedures based
    on the information classifications.

    Asset Classification and Control
    • There is often little or no concept of data or information
    ownership, or of asset classification;
    • There is often little control over movement of equipment;
    • Security (if implemented) is not based on this process (or
    associated risk management processes);
    • There is sometimes little, if any, personal accountability by
    anyone, especially owners (whether they are aware of their role or
    • Owners rarely review their information from a security viewpoint;
    • Information (of any sort) is rarely classified consistently and
    handled according to the requirements of that classification

    Protecting Against Malicious Code Attacks

    Malicious code attacks are intended to destroy the integrity of
    software and information. They constitute one of the highest risks in
    today’s business environment, and despite receiving ongoing attention
    within many organizations the risks are considered to be increasing
    rather than decreasing.

    These attacks are normally categorized into two location based risk
    areas: external attacks that emanate from outside the organization,
    and internal attacks, originated from within the organization itself.
    Most of the emphasis for safeguards is currently directed against
    external attacks, through firewalls and anti-virus software for
    example. However, of increasing concern is the likelihood of attacks
    from internal sources.

    ISO 27002 section 10.4.1 provides useful guidance for establishing
    controls and safeguards that can help to protect against malicious
    code attacks. This advice and guidance can be summarized as follows:
    • implement controls preventing use of unauthorized software;
    • implement policy to protect against risks of installing software or
    files from external sources;
    • regularly check for existence of unapproved files or unauthorized
    • install suitable malicious code detection and repair software;
    • implement security procedures to deal with malicious code attacks;
    • develop suitable business continuity plans for recovering from
    malicious code attacks;
    • institute procedures to regularly collect information about new
    malicious code;
    • develop controls to verify information relating to malicious code.
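    The control "regularly check for the existence of unapproved files" is
    the one most easily reduced to a script, so here is an added example
    (not code from ISO 27002 or the newsletter): a SHA-256 manifest is
    taken of an approved file tree, and each later scan is compared with
    it to list files that were added, removed or modified, plus any file
    whose type is not allowed on that share. The share layout, the
    disallowed-extension set and the sample files are assumptions
    constructed for the demonstration.

```python
"""Baseline-and-compare check for unapproved or altered files.

Added example, not from ISO 27002 or the newsletter. Assumptions: the
tree being checked is a document share on which executable content is
not approved (DISALLOWED), and the baseline manifest is kept outside
that tree. Sample files used with it are constructed.
"""
import hashlib
import json
from pathlib import Path

# Assumed policy for a document share: executable content is not approved.
DISALLOWED = {".exe", ".scr", ".vbs", ".hta", ".bat", ".js"}


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map of relative POSIX path -> SHA-256 for every regular file under root."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out[p.relative_to(root).as_posix()] = file_digest(p)
    return out


def save_manifest(root: Path, dest: Path) -> int:
    """Write the approved baseline; returns the number of files recorded."""
    m = manifest(root)
    dest.write_text(json.dumps(m, indent=1, sort_keys=True), encoding="utf-8")
    return len(m)


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text(encoding="utf-8"))


def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference between the baseline and a fresh scan."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
        "disallowed": sorted(k for k in current
                             if Path(k).suffix.lower() in DISALLOWED),
    }


def check(root: Path, baseline_file: Path) -> dict:
    return compare(load_manifest(baseline_file), manifest(root))


def clean(report: dict) -> bool:
    """True only when nothing changed and nothing disallowed is present."""
    return not any(report.values())


if __name__ == "__main__":
    import sys
    root, baseline = Path(sys.argv[1]), Path(sys.argv[2])
    if not baseline.exists():
        print(f"baseline recorded: {save_manifest(root, baseline)} files")
    else:
        report = check(root, baseline)
        print("clean" if clean(report) else json.dumps(report, indent=1))
```

    The value of the check depends entirely on where the baseline lives:
    malicious code running as a user who can write to the share can also
    rewrite a manifest stored on the same host, so keep the baseline (or
    at least a signature over it) off the system being checked, and treat
    every entry in "added", "modified" and "disallowed" as something to
    explain rather than something to re-baseline.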

    Critical business processes are often extremely vulnerable to
    malicious code attacks. Disgruntled employees create a particularly
    difficult threat to counteract if access controls and information
    security controls are not up to the mark.

    This is yet another area which should be regularly reviewed: how do
    YOU measure up?

    ISO 27000 Related Definitions and Terms

    In this edition of the ISO 27000 Newsletter we look at further
    definitions and terms related to ISO 27001 and ISO 27002 that commence
    with the letter “I”.

    Identity Hacking
    Posting on the Internet or Bulletin Board(s) anonymously,
    pseudonymously, or giving a completely false name/address/telephone
    with intent to deceive. This is a controversial activity, generating
    much discussion amongst those who maintain the net sites. There are
    two cases in which problems can be caused for organizations:-
    • a member of staff engages in such practices and is 'found out' by
    net users, thereby associating the organization name with the
    • a posting by an unrelated third party, pretending to be the
    organization, or a representative.
    In either case, if such posts are abusive, or otherwise intended to
    stir up an argument, a possible result is a Flame Attack, or Mail

    Impact Analysis
    As part of an Information Security Risk Assessment, you should
    identify the threats to your Business Assets and the impact such
    threats could have, if the threat resulted in a genuine incident. Such
    analysis should quantify the value of the Business Assets being
    protected to help determine the appropriate level of safeguards.

    Information Asset
    An Information Asset is a definable piece of information, stored in
    any manner which is recognized as 'valuable' to the organization. The
    information which comprises an Information Asset, may be little more
    than a prospect name and address file; or it may be the plans for the
    release of the latest in a range of products to compete in the
    Irrespective of the nature of the information assets themselves, they
    all have one or more of the following characteristics:-
    • They are recognized to be of value to the organization.
    • They are not easily replaceable without cost, skill, time, resources
    or a combination.
    • They form a part of the organization's corporate identity, without
    which, the organization may be threatened.
    • Their Data Classification would normally be Proprietary, Highly
    Confidential or even Top Secret.
    It is the purpose of Information Security to identify the threats
    against, the risks and the associated potential damage to, and the
    safeguarding of Information Assets.

    Information Owner
    The person who creates, or initiates the creation or storage of the
    information, is the initial owner. In an organization, possibly with
    divisions, departments and sections, the owner becomes the unit itself
    with the person responsible, being the designated 'head' of that
    The Information Owner is responsible for ensuring that:-
    • A classification hierarchy is agreed and that this is appropriate
    for the types of information processed for that business / unit.
    • All information is assigned into the agreed types and an inventory
    (listing) of each type is created.
    • For each classification type, the appropriate level of information
    security safeguards is available, e.g. the logon controls and access
    permissions applied by the Information Custodian provide the required
    levels of confidentiality.
    • Periodically, checks are performed to ensure that information
    continues to be classified appropriately and that the safeguards
    remain valid and operative.

    Information Security Incident
    An Information Security incident is an event which appears to be a
    breach of the organization's Information Security safeguards. It is
    important to respond calmly and to follow a logical procedure, first
    to prevent the breach from continuing, if possible, and second, to
    inform the appropriate person(s) within the organization; this usually
    includes the appointed Security Officer. Where a member of staff fails
    to observe Information Security procedures; this is not, of itself, an
    Information Security incident. However, depending on the severity of
    the incident, disciplinary and/or improved procedures may be

    Information Security Policy
    Information Security Policy is an organizational document usually
    ratified by senior management and distributed throughout an
    organization to anyone with access rights to the organization's IT
    systems or information resources.
    The Information Security Policy aims to reduce the risk of, and
    minimize the effect (or cost) of, security incidents. It establishes
    the ground rules under which the organization should operate its
    information systems. The formation of the Information Security Policy
    will be driven by many factors, a key one of which is risk. How much
    risk is the organization willing and able to accept? The individual
    Information Security Policies should each be observed by personnel and
    contractors alike. Some policies will be observed only by persons with
    a specific job function, e.g. the System Administrator; other Policies
    are to be complied with by all members of staff. Compliance with the
    organization's Information Security Policy should be incorporated into
    both the Terms and Conditions of Employment and the employee's Job
    Description.

    It Couldn't Happen Here, Could It? True Stories:

    We have highlighted these two before, but we continue to hear horror
    stories which fundamentally amount to the same causes.

    1) A company in London developed a range of new products mainly by
    utilizing the services of one of its employees who was particularly
    skilled at these activities. Once these products had been developed,
    they were successfully marketed by the firm and a good revenue stream
    emanated from this new business area.

    Unfortunately, the firm had not considered protecting the intellectual
    property rights of work undertaken during the employee’s time with
    them and it was subsequently successfully sued by the employee who had
    authored the products, and who then claimed ownership over the
    intellectual property rights contained within them.

    The lesson to be learned here is that employees' contracts should
    clearly state the ownership of any work developed for the company
    during his/her employment. This intellectual property agreement should
    be signed by the employee to signify acceptance of these terms and
    conditions prior to undertaking this type of work.

    2) A mainframe programmer in a large organization thought it would be
    a hoot to collect the passwords of his colleagues and explore what
    they actually had filed under their own user-ids.

    To achieve this, he wrote a very simple script to emulate the exact
    look of the standard welcome screen for logon. The script didn't log
    on, of course; instead it presented a duplicate of the user-id/password
    screen and then filed the input provided by the user to a common
    area. Rather than logging the user onto the system, it displayed the
    'System is not available' message. The user invariably got up and
    walked away at this point, enabling him to quickly retrieve the
    gathered authentication details. Nothing on the screen let the victim
    tell the real logon prompt from a program any user could run; a
    trusted path to the logon process (such as a secure attention key that
    only the operating system can intercept) is the control that defeats
    this kind of spoofing.

    Unfortunately, armed with a growing number of access details, he
    could not resist going further than merely being nosey. He began to
    actively seek more information, first on himself, then on others.
    Realizing that he could do so apparently anonymously, he was soon
    changing information. Quickly, he was out of control and was accessing
    and changing files almost every day.

    He was only caught when someone spotted that the 'last logon' date for
    their account was clearly incorrect (they had only just returned from
    holiday). Their report was taken seriously, and observation and
    investigation were initiated.

    Hardly surprisingly, his excuse that he was "only having fun" was not
    enough to save him.

    The Manager and The Password (True Story: trivia):
    Manager: "Could you come here and check out why my password doesn't
    Technical Support: "I'll be over there in a moment"

    The technical support employee walked up to the managers keyboard,
    pressed the caps lock key and walked out again. Problem solved.
