Some organizations implement ISO/IEC Information security INTERNATIONAL

Transcription

1 Some organizations implement ISO/IEC for information security The author reports on global progress in the implementation of the international information security management system standard ISO/IEC 27001:2005, with testimonials from early adopters among the organizations now certified to the standard. by Edward Humphreys The author, Professor Edward Humphreys, is Convenor of ISO/IEC JTC 1/SC 27, Information technology, WG 1. [email protected] Most of us depend more than ever on IT systems, wireless and mobile telephone networks and increasing connectivity in today s business environment. But organizations are challenged with threats to these systems, exposing assets to risk. However, implementing and managing effective information security provides organizations with the means to minimise these risks while maximising business opportunities and investments. In addition to IT dependency, we also face greater government, legislative and regulatory requirements which often have information security consequences that add to our business challenges. International Standard ISO/ IEC 27001:2005, Information technology Security techniques Information security management systems Requirements, was developed as a common business language to help information security management address the needs of small, medium or large organizations from all business sectors. The business case for ISO/IEC Thousands of organizations around the world have already benefited from applying ISO/ IEC based information security management systems (ISMS), especially the to date that have become certified. The business drivers and benefits include : improved business performance from reduced operational risks ; enhanced customer confidence and trust from demonstrating fitness for purpose, by doing business securely ; decrease in negative business impacts and financial losses ; improved market positioning and competitive advantage ; greater protection of business continuity and availability of services. Limitless range The range of ISO/IEC implementers seems limitless, and includes such diverse organizations as tin mines, waxed carton producers, oil and gas suppliers, schools and universities, logistics companies, small businesses, low- to high-tech businesses, healthcare services, on-line banking, multinationals, governments, 20 ISO Management Systems July-August 2008

2 and international institutions such as the World Bank and the UN. Such diversification affects businesses and their customers, consumers and the general public. The following case studies reflect the widespread applicability of the standard. IWF and ISO/IEC The first features the Internet Watch Foundation (IWF), a self-regulatory body and charity operating the United Kingdom s Internet hotline for the public and IT professionals to report their inadvertent exposure to potentially illegal online content, primarily images of child sexual abuse. The IWF works to remove that content from the Internet and facilitates the initiative allowing UK Internet service providers to protect their customers from inadvertently accessing sexually abusive images of children. Fred Langford, IWF Director of Technology and Content, describes the organization s experiences with information security management and ISO/ IEC : The IWF receives significant attention both in the UK and overseas and is often subject to public, media and international scrutiny. As such there is a requirement to demonstrate to stakeholders, including the government, law enforcement, Fred Langford, Director of Technology and Content, IWF. Web charities, the online sector and others, that all possible steps are taken to ensure information security. Recent media attention on data breaches within the public and private sectors serve to underline the importance of this commitment to the highest possible standard in this area. We initially investigated ISO/ IEC certification in 2005 following advice from security advisors, 7Safe. Previously the IWF had internal controls, which were externally audited; however, these were not part of a company-wide system that managed the security of sensitive information and risk. Certification provided the IWF with a valuable framework that is now used to resolve security issues, ensuring that they remain visible and part of a review process. The adoption of an ongoing, robust process such as this also serves to enhance the security awareness of all employees ISO Management Systems July-August

3 and their role within the report and review cycle. Once certification was achieved, internal and external stakeholder confidence in, and perception of, the IWF increased and associated organizations have begun to show an interest in gaining similar accreditation. As the IWF is responsible for extremely sensitive data that must not be released into the public domain under any circumstances, ISO/IEC certification further increased client and associate confidence that risk is managed within exemplary internal security implementation. The process required to gain certification has helped us formalize good practice standards internally, following ISO/IEC principles. Effective information security provides organizations with the means to minimise risks An additional factor in the IWF pursuing certification was its worldwide relevance ; especially considering the global nature of the Internet, the area of criminality with which the IWF deals, and the international arena in which it provides intelligence, evidence and expertise. Security was always paramount to the IWF the high standards of the organization s processes, network and information security is now increased, formal and evident. PCCW and ISO/IEC The second case study features PCCW Limited, the largest communications provider in Hong Kong, and one of Asia s leading technology players in new generation fixedline telephony, broadband, IT, wireless and delivery of home entertainment, enabling organizations to bring their business to Asia and take Asian business to the rest of the world. Dale Johnstone, the company s Chief Security Officer, outlines PCCW s involvement in information security management and ISO/IEC 27001: Dale Johnstone, Chief Security Officer, PCCW Limited. Web PCCW applied international information security management standards prior to 2000 and has always considered the security of stored and communicated information assets a high priority of crucial importance to PCCW in protecting its own, customer, and business partner information assets in accordance with the interests of all stakeholders. In March 2002, PCCW became the first telecom operator in the greater China region to attain ISO/IEC certification, currently maintains four separate certifications in different business units and provides consulting services to other organizations to help them achieve and maintain their own ISO/IEC certifications. The range of ISO/IEC implementers seems limitless PCCW demonstrated a strong public commitment in achieving ISO/IEC certification, enshrining the fundamental principle that PCCW will at all times aim to protect information in its possession, in accordance with the highest levels of international standards a qualification all information and communication technology companies should strive to achieve. The benefits PCCW achieved through ISO/IEC certification include : enhanced cultural awareness of all PCCW stakeholders in understanding the need for information security ; an understanding of the true value of the information assets held in its possession ; an appreciation of the risk management approach to the protection of information assets ; increased PCCW compliance with government regulations, inclusive of privacy controls and how information is secured and protected. ISO/IEC certification has positioned PCCW well in responding effectively to the increasing complexity of government regulations in the countries in which PCCW operates throughout the world. Another major benefit of obtaining and maintaining its ISO/IEC certifications is the knowledge that, in doing so, PCCW is setting a trend for the Asia Pacific information and communication technology industry. GFI and ISO/IEC The final case study illustrates the worldwide influence of legislation and regulation on the implementation of information security, particularly regarding data protection and privacy. Also coming into force are governance regulations such as Sarbanes Oxley (SoX) and Basel II, and cyber laws on hacking and spam. Tokyo-based Global Friendship Inc. (GFI) develops privacy and information security technology to ensure compliance with Japanese regulations, and is itself compliant by virtue of ISO/IEC certification. Yutaka Yasukura, GFI CEO, explains: In 2003, Japan adopted the Protection of Personal Information Act (No. 57), now obligatory, which has led to increased awareness of data 22 ISO Management Systems July-August 2008

4 Regional adoption Yutaka Yashukura, CEO, Global Friendship Inc. Web management among every business and market in the country. GFI introduced an information security solution called GFI E-Tally, to help organizations comply with the Act. Implementation is driven by the need to provide confidence Instead of encryption, our software uses secret sharing technology which processes highly confidential information into meaningless decomposed data. This data is no longer considered to be personal information, as defined in the Act; thus, obligation to protect personal data no longer applies and helps save cost for data storage and management required by law. GFI E-Tally, which fulfils the requirements of CIA confidentiality, integrity and availability was developed primarily to ensure the confidentiality of files created by any entity. Figure 1 ISO/IEC certifications by sector. GFI was audited and certified to ISO/IEC by TÜV Rheinland Japan Ltd. using GFI E-Tally technology applied to our own information security management system. Third party review for ISMS certification gave us a better understanding of the risks related to product development, while achieving certification gives us confidence in the security of services provided by GFI. ISO/IEC certification led to the success of GFI E-Tally as an alternative to encryption, and helps us explain to clients that it is applicable to ISMS and has the potential for world-wide acceptance. Sector adoption The services, telecoms, financial services, manufacturing, healthcare, government and utilities sectors are the most dominant in ISO/IEC adoption. Figure 1 shows the breakdown of the current ISO/IEC certificates by sector, and Table 1 indicates the subdivision of the services, technology and finance and insurance sectors by specialization. Services Advertising Business solutions Consultancy services Consumer services Data collection services Distribution services Entertainment industry ICT services Information services Logistic services Managed data services Marketing services Music industry Outsourcing Postal services Publishing industry Recruitment services Research services Technology Table 1 Specializations of ISO/IEC certified organizations in three main sectors. Generally, implementation is driven by the need to provide customer assurance and confidence, i.e. fit for purpose, outsourcing arrangements, increasing information security risks, and governance, compliance, legislation and regulations. The design, development, manufacturing and selling of ICT such as : Asia represents over 66 % of the total number of ISO/IEC certificates issued to date, followed by Europe with 20 %. There are close similarities between the types of business in Asia and Europe that have pursued certification (see Figure 2, overleaf). Computer hardware Electrical goods Electronic goods Multimedia devices Communications devices Network equipment Scientific instruments Software Finance and Insurance Asset management Banking (wholesale) Banking (retail) Health insurance Insurance brokers Life insurance Medical insurance Mortgage investment Property management Real estate development Savings and loans Stock brokers The ICT sector is most prominent among certified organizations in Hong Kong, Malaysia and Singapore, while Telecoms sector representation is strong in Hong Kong but not yet in Malaysia. Conversely, 26 % of all certifications in ISO Management Systems July-August

5 Malaysia are from the financial services sector, but only 6 % and 8 % respectively in Hong Kong and Singapore. Government departments on the other hand are just starting on the road to ISMS certification (see Table 2). ISMS adoption in important sectors such as healthcare is currently lagging behind that of Japan, Korea and Europe. In addition, representation of professional and information services remains low compared with Europe. Africa and Middle East ISO/IEC/ implementation in Africa and the Middle East is starting to grow, with banks, telecoms, oil and gas companies leading the way. Dr. Angelika Plate, ISMS Consultant for Aexis Security Consultants, comments on progress : Information security is becoming a hot topic in the Middle East, particularly in Bahrain, Oman, Saudi Arabia and the United Arab Emirates as the dependency being placed on information processing and Dr. Angelika Plate, ISMS Consultant, Aexis Security Consultants. Web IT services continues to accelerate. More and more organizations in the region are adopting ISO/IEC to manage their information security and benefit from applying such best practice standards that have already proven useful around the world. Interest in certification continues to grow (the numbers have doubled in the last year) and more are in the pipeline. There is also interest in integrated management systems combining, for example, ISO/ IEC with the service management standard ISO/ IEC Figure 2 ISO/IEC certifications by region. Hong Kong Malaysia Singapore ICT 32 % 50 % 41 % Telecoms 25 % 11 % Financial services 6 % 26 % 8 % Manufacturing 4 % 5 % 8 % Government 4 % 9 % 8 % Professional services 11 % 8 % Information services 4 % 15 % Education 5 % Engineering 6 % 5 % Healthcare 4 % Logistics and transportation 4 % 5 % Table 2 ISO/IEC certifications in Hong Kong, Malaysia and Singapore. 24 ISO Management Systems July-August 2008