ISO 27001 and Information Security Management System
IT professionals in the security space often refer to the frameworks or tools ISO 27001 and Information Security Management System (ISMS). These are important topics to address, because User Guardian, as a tool, must help support the goals of these common frameworks to have credibility and to be accepted by IT Security professionals.
What is ISO 27001 and an ISMS?
"ISO/IEC 27001 is the default international standard for information security. It formally specifies a management system that is intended to bring information security under explicit management control.
ISO/IEC 27001 requires that management:
"An Information Security Management System (‘ISMS’) is a systematic approach to managing confidential or sensitive company information so that it remains secure (which means available, confidential and uncorrupted). It encompasses people, processes and IT systems.[..] An information security management system helps you coordinate all your security efforts – both electronic and physical – coherently, consistently and cost-effectively" (Oxford Computer Group 2013).
The ISMS is made up of the organisation's own policies addressing the framework areas set out in the ISO 27000 series. This is the document auditors would review before accreditation of the organisation.
Where Should the Application Requirements Fit With the Principles of ISO27001?
The main area where User Guardian fits with the standard is Section 11. "Section 11 of the Annex to ISO/IEC 27001 deals with access to information. Selected on the basis of a risk assessment, controls within this section deal with user access to information" (Oxford Computer Group 2012).
In the author's personal experience of effective access management controls, the ability to provide clear on-demand reporting for checking by the application/data owners is often the most effective method.
Distributing this type of check in a transparent way using a web-based system often increases the frequency and accuracy of the checks. This tends to be a far more effective approach than the same work undertaken by the operational risk, application or IT Security teams.
There can be additional side-effects of this which can justify investing the time in ISO27001. In the case of third-party off-the-shelf systems, the type of access and the number of users are often licensed. There can be long-term savings in controlling these costs, especially if IT budgets are held at the department level.
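The access-review reporting described above (per-owner reports that application or data owners check, plus the licensed user count per application) can be illustrated with a small script. This is an added example and not code from the User Guardian project; the record layout, the HR staff list, the 90-day dormancy threshold and the role names are all constructed assumptions. In keeping with the report-only approach, the script flags entries for a human reviewer and changes nothing.

```python
"""Access-review report generator (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class AccessEntry:
    application: str          # system the account exists in
    owner: str                # application/data owner who reviews this line
    account: str              # account name as extracted from the application
    role: str                 # role or profile granted to the account
    last_login: Optional[date]  # None means the account has never logged in


# Constructed sample data: an access extract and the HR list of current staff.
ACCESS_EXTRACT = [
    AccessEntry("Payroll", "finance.owner", "alice", "user", date(2013, 12, 10)),
    AccessEntry("Payroll", "finance.owner", "dave", "admin", date(2013, 6, 1)),
    AccessEntry("CRM", "sales.owner", "bob", "user", None),
    AccessEntry("CRM", "sales.owner", "carol", "admin", date(2013, 12, 20)),
    AccessEntry("CRM", "sales.owner", "alice", "user", date(2013, 12, 1)),
]
HR_ACTIVE_STAFF = {"alice", "bob", "carol"}      # assumed HR feed of current employees
PRIVILEGED_ROLES = {"admin", "dba"}              # assumed role names treated as privileged
AS_OF = date(2013, 12, 23)                       # report date used for dormancy checks


def build_review(entries, active_staff, as_of, dormant_after_days=90):
    """Group access entries by owner and attach review flags to each line.

    Flags are advisory only; the owner decides what, if anything, to revoke.
    """
    report = defaultdict(list)
    for e in entries:
        flags = []
        if e.account not in active_staff:
            flags.append("ORPHANED")      # no matching current employee in HR
        if e.last_login is None or (as_of - e.last_login).days > dormant_after_days:
            flags.append("DORMANT")       # never used, or unused for too long
        if e.role in PRIVILEGED_ROLES:
            flags.append("PRIVILEGED")    # always worth an explicit owner sign-off
        report[e.owner].append(
            {"application": e.application, "account": e.account,
             "role": e.role, "flags": flags}
        )
    return dict(report)


def licence_usage(entries):
    """Count distinct accounts per application, the figure vendors usually licence."""
    accounts = defaultdict(set)
    for e in entries:
        accounts[e.application].add(e.account)
    return {app: len(names) for app, names in accounts.items()}


def render(report, usage):
    """Produce the plain-text review an owner would read on the web page."""
    lines = []
    for owner, rows in sorted(report.items()):
        lines.append(f"Review for {owner}:")
        for r in rows:
            marker = ",".join(r["flags"]) or "-"
            lines.append(f"  {r['application']:<8} {r['account']:<8} {r['role']:<6} {marker}")
    lines.append("Licensed accounts per application:")
    for app, count in sorted(usage.items()):
        lines.append(f"  {app}: {count}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_review(ACCESS_EXTRACT, HR_ACTIVE_STAFF, AS_OF),
                 licence_usage(ACCESS_EXTRACT)))
```

The orphaned check depends entirely on the quality of the HR feed loaded into the script, which is the point made later on this page: the report is only as good as the information loaded and the action the owner takes on it.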
Risks of Adopting User Guardian as a Tool to Improve IT security or Close Audit Findings
As stated, ISMS and ISO27001 are frameworks. User Guardian must be used in the context of a well-defined process understood by the business, supported by appropriate risk assessments and ongoing checks to highlight potential IT Security issues as they arise.
One way to think of this is that User Guardian can only be as effective as the information loaded into it and the actions taken based on the reports the tool produces.
Simply running User Guardian would be one small piece of the process to achieve better user access controls. In no way should the tool be sold under the premise that it achieves ISO27001 on its own.
Importance of Security Risk Assessments and Why This Is a Professional Issue
The achievement and upkeep of ISO27001 could be important for an organisation if it is contractually obliged to its customers to hold this standard, or for attracting or reassuring third parties about the importance it places on information security.
This area of IT has come under increasing focus following high-profile, large-scale data breaches such as the Sony PlayStation Network hack in April 2011, and the resulting fine of $396,100 by the ICO (Information Commissioner's Office) for breaching the Data Protection Act through a lack of security controls (BBC 2013).
For an IT professional who is not proactive in these areas on behalf of a company, a serious data breach could be extremely career-limiting, or even result in civil action, depending on the country you are working in and whether you are shown to have been personally negligent in a large, preventable financial loss.
Data Protection and Users Account Security
To protect User Guardian as a company, the delivery of the software into a customer's site should be undertaken on server infrastructure that is controlled and managed under the customer's own policies.
To avoid data protection issues, handling any data that could identify an individual must be avoided, or that data protected where it cannot be avoided, and the customer made aware of this (ICO 2013).
The recommendations would be to encrypt the databases and to use dedicated application accounts for the User Guardian database. This would need to be incorporated in the production software and would be an application requirement.
The User Guardian tool does not change data or access within the applications it audits; it only reports, and would never aim to do more. This is an intentional decision to protect both the customer's and User Guardian's interests, as it avoids any possibility of automated decisions or bugs within the software causing loss of business or unintentional financial loss.
References
Oxford Computer Group, 2012. Identity and Access Governance, Oxford UK: Oxford Computer Group.
Oxford Computer Group, October 2013. Implementing an ISMS. Oxford UK: Oxford Computer Group.
BBC News, 2013. Sony fined over 'preventable' PlayStation data hack [Online]
Available at: http://www.bbc.co.uk/news/technology-21160818 [Accessed 23 December 2013].
ICO, 2013. Data protection principles. [Online]
Available at: http://www.ico.org.uk/for_organisations/data_protection/the_guide/the_principles [Accessed 23 December 2013].