IT Governance: A Manager's Guide to Data Security and ISO27001/ISO 27002

4th edition

Alan Calder & Steve Watkins

Acknowledgements
While this book primarily reflects our own experience in, and approach to,
information security, it has been immeasurably improved through the contributions
of the following, whom we would like hereby to acknowledge and
thank: our numerous consulting clients (see www.itgovernance.co.uk/iso27001_consulting.aspx)
and the contribution of delegates at our training classes
(see www.itgovernance.co.uk/iso27001_training.aspx); DNV certification,
in the United Kingdom, who have reviewed and commented (from
the perspective of a certification body) on the core chapters on information
security policy, risk assessment and statement of applicability; and Olga
Travlos of Xanthos Internet Consultants for her input into the development of
the online facilitation of this book.


Introduction
This book on IT governance is a key resource for forward-looking executives
and managers in 21st-century organizations of all sizes. There are six reasons
for this:
1. The development of IT governance, which recognizes the ‘information
economy’-driven convergence between business management and IT
management, makes it essential for executives and managers at all levels
in organizations of all sizes to understand how decisions about information
technology in the organization should be made and monitored
and, in particular, how information security risks are best dealt with.
2. Risk management is a big issue. In the United Kingdom, the Turnbull
Report on internal control and risk management gives directors of Stock
Exchange-listed companies a clear responsibility to act on IT governance,
on the effective management of risk in IT projects and on computer
security. The US Sarbanes–Oxley Act places a similar expectation on
directors of all US listed companies. Banks and financial-sector organizations
are subject to the requirements of the Bank for International
Settlements (BIS) and the Basel 2 framework, particularly around operational
risk – which absolutely includes information and IT risk.
Information security and the challenge of delivering IT projects on time,
to specification and to budget also affect private- and public-sector organizations
throughout the world.
3. Information-related legislation and regulation are increasingly important
to all organizations. Data protection, privacy and breach regulations,
computer misuse, and regulations around investigatory powers are part
of a complex and often competing range of requirements to which
directors must respond. There is, increasingly, the need for an overarching
information security framework that can provide context and
coherence to compliance activity worldwide.
4. As the intellectual capital value of ‘information economy’ organizations
increases, their commercial viability and profitability – as well as their
share price – increasingly depend on the security, confidentiality and
integrity of their information and information assets.
5. The dramatic growth and scale of the ‘information economy’ have created
new, global threats and vulnerabilities for all networked organizations.
6. Britain piloted the world’s first standard (BS7799) for information
security management. Both parts of this standard have now been ‘internationalized’
as part of the new series of ISO/IEC 27000 standards on
information security. The key standard in the series, ISO/IEC 27001, has
been updated to contain latest international best practice, with which,
increasingly, businesses are asking their suppliers to conform.
Compliance with the standard should enable company directors to
demonstrate a proper response – to customers as well as to regulatory and
judicial authorities – to all the challenges identified above.

The information economy
Faced with the emergence and speed of growth in the information economy,
organizations have an urgent need to adopt IT governance best practice. The
main drivers of the information economy are:
the globalization of markets, products and resourcing (including ‘offshoring’);
electronic information and knowledge intensity; and
the geometric increase in the level of electronic networking and connectivity.
 The key characteristics of the global information economy, which affect all
organizations, are as follows:
Unlike the industrial economy, information and knowledge are not
depleting resources that have to be rationed and protected.
Protecting knowledge is less obviously beneficial than previously:
sharing knowledge actually drives innovation, and innovation drives competitiveness.
The effect of geographic location is diminished; virtual organizations
operate around the clock in virtual marketplaces that have no geographic boundaries.
As knowledge shifts to low-tax, low-regulation environments, laws and
taxes are increasingly difficult to apply on a solely national basis.
Knowledge-enhanced products command price premiums.
Captured, indexed and accessible knowledge has greater intrinsic value
than knowledge that goes home at the end of every day.
Intellectual capital is an increasingly significant part of shareholder value
in every organization.

The challenges, demands and risks faced by organizations operating in this
information-rich and technologically intensive environment require a proper
response. In the corporate governance climate of the early 21st century, with
its growing demand for shareholder rights, corporate transparency and
board accountability, this response must be a governance one.

What is IT governance?
The Organisation for Economic Co-operation and Development (OECD), in
its Principles of Corporate Governance (1999), defined ‘corporate governance’ as
‘the system by which business corporations are directed and controlled’.
Every country in the OECD is evolving – at a different speed – its own
corporate governance regime, reflecting its own culture and requirements.
Within its overall approach to corporate governance, every organization has
to determine how it will govern the information, information assets and
information technology on which its business model and business strategy
rely. This need has led to the emergence of IT governance as a specific – and
pervasively important – component of an organization’s total governance posture.

We define IT governance as ‘the framework for the leadership, organizational
structures and business processes, standards and compliance to these
 standards, which ensures that the organization’s information systems
support and enable the achievement of its strategies and objectives’.
There are five specific drivers for organizations to adopt IT governance
strategies:
the requirements (in the United Kingdom) of the Combined Code and the
Turnbull Guidance; for US-listed companies, Sarbanes–Oxley; for banks
and financial institutions, BIS and Basel 2; and for businesses everywhere,
the requirements of their national corporate governance regimes;
the increasing intellectual capital value that the organization has at risk;
the need to align technology projects with strategic organizational goals
and to ensure that they deliver planned value;
the proliferation of (increasingly complex) threats to information and
information security, with consequent potential impacts on corporate
reputation, revenue and profitability;
the increase in the compliance requirements of (increasingly conflicting
and punitive) information- and privacy-related regulation.

There are two fundamental components of effective management of risk in
information and information technology. The first relates to an organization’s
strategic deployment of information technology in order to achieve its
business goals. IT projects often represent significant investments of financial
and managerial resources. Shareholders’ interest in the effectiveness of such
deployment should be reflected in the transparency with which they are
planned, managed and measured, and the way in which risks are assessed
and controlled. The second component is the way in which the risks associated
with information assets themselves are managed.

Clearly, well-managed information technology is a business enabler. All
directors, executives and managers, at every level in any organization of any
size, need to understand how to ensure that their investments in information
and information technology enable the business. Every deployment of information
technology brings with it immediate risks to the organization, and
therefore every director or executive who deploys, or manager who makes
any use of, information technology needs to understand these risks and the
steps that should be taken to counter them. This book deals with IT governance
from the perspective of the director or business manager, rather than
from that of the IT specialist. Governance structures, processes and emerging
best practice are all dealt with in Corporate Governance: A manager’s guide, by
Alan Calder (Kogan Page, 2008). This book deals primarily with the strategic
and operational aspects of information security.

Information security
The proliferation of increasingly complex, sophisticated and global threats to
information security, in combination with the compliance requirements of a
flood of computer- and privacy-related regulation around the world, is
driving organizations to take a more strategic view of information security. It
has become clear that hardware-, software- or vendor-driven solutions to
individual information security challenges are, on their own, dangerously inadequate.

While most organizations believe that their information systems are secure,
the brutal reality is that they are not. Not only is it extremely difficult for an
organization to operate in today’s world without effective information
security, but poorly-secured organizations have become threats to their more
responsible associates. The extent and value of electronic data are continuing
to grow exponentially. The exposure of businesses and individuals to data
misappropriation (particularly in electronic format) or destruction is also
growing very quickly. Ultimately, consumer confidence in dealing across the
web depends on how secure consumers believe their personal data are. Data
security, for this reason, matters to any business with any form of web strategy
(and any business without a web strategy is unlikely to be around in the long
term), from simple business-to-consumer (b2c) or business-to-business (b2b)
e-commerce propositions through enterprise resource planning (ERP) systems
to the use of extranets, e-mail, instant messaging and Web 2.0 services. It
matters, too, to any organization that depends on computers for its day-to-day
existence or that may be subject (as are all organizations) to the provisions of
data protection legislation.

Newspapers and business or sector magazines are full of stories about
hackers, viruses, online fraud and loss of personal data. These are just the
public tip of the data insecurity iceberg. Little tends to be heard about businesses
that suffer profit fluctuations through computer failure, or businesses
that fail to survive a major interruption to their data and operating systems.
Even less is heard about organizations whose core operations are compromised
by the theft or loss of key business data, but that somehow survive it.
Many people do, however, experience the frustration of trying to buy
something online, only for the screen to give some variant of the message
‘server not available’. Many more, working with computers in their daily
lives, have experienced (once too many times) a local network failure or
outage that interrupts their work. With the increasing pervasiveness of
computers, and as hardware/software computing packages become ever
more powerful and complex, so the opportunity for data and data systems to
be compromised or corrupted (knowingly or otherwise) will increase.

Information security management systems in the vast majority of organizations
are, in real terms, non-existent, and even where systems have been
designed and implemented, they are usually inadequate. In simple terms,
larger organizations tend to operate their security functions in vertically
segregated silos with little or no coordination. This structural weakness
means that most organizations have significant vulnerabilities that can be
exploited deliberately or that simply open them up to disaster.

For instance, while the corporate lawyers will tackle all the legal issues
(non-disclosure agreements, patents, contracts, etc), they will have little
involvement with the data security issues faced on the organizational
perimeter. On the organizational perimeter, those dealing with physical
security concentrate almost exclusively on physical assets, such as gates or
doors, security guards and burglar alarms. They have little appreciation of, or
impact upon, the ‘cyber’ perimeter. The IT managers, responsible for the
cyber perimeter, may be good at ensuring that everyone has a password and
that there is internet connectivity, that the organization is able to respond to
virus threats, and that key partners, customers and suppliers are able to deal
electronically with the organization, but they almost universally lack the
training, experience or exposure adequately to address the strategic threat to
the information assets of the organization as a whole. There are even organizations
in which the IT managers set and implement security policy for the
organization on the basis of their own risk assessment, past experiences and
interests, with little regard for the real needs or strategic objectives of the organization.

Information security is a complex issue and deals with the confidentiality,
integrity and availability of data. IT governance is even more complex, and in
information security terms one has to think in terms of the whole enterprise,
the entire organization, which includes all the possible combinations of
physical and cyber assets, all the possible combinations of intranets, extranets
and internets, and which might include an extended network of business
partners, vendors, customers and others. This handbook guides the interested
manager through this maze of issues, through the process of implementing
internationally recognized best practice in information security, as
captured in ISO/IEC 27002:2005 (which was, until recently, known as
ISO/IEC 17799), and, finally, achieving certification to ISO/IEC 27001:2005
(the international replacement for BS7799–2:2002), the first formal standard
for effective information security management.

The information security management system (ISMS) standard is not
geographically limited (eg to the United Kingdom, or Japan, or the United
States), nor is it restricted to a specific sector (eg the Ministry of Defence or the
software industry), nor is it restricted to a specific product (such as CLEF – a
government-approved facility for security testing of IT products and
systems). This book covers many aspects of data security, providing sufficient
information for the reader to understand the major data security issues and
what to do about them – and, above all, what steps and systems are necessary
for the achievement of independent certification of the organization’s information
security management system to ISO27001.

This book is of particular benefit to board members, directors, executives,
owners and managers of any business or organization that depends on information,
that uses computers on a regular basis, that is responsible for
personal data or that has an internet aspect to its strategy. It can equally apply
to any organization that relies on the confidentiality, integrity and availability
of its data. It is directed at readers who either have no prior understanding of
data security or whose understanding is limited in interest, scope or depth. It
is not written for technology or security specialists, whose knowledge of
specific issues should always be sought by the concerned owner, director or
manager. While it deals with technology issues, it is not a technological handbook.

Information security is a key component of IT governance. As information
technology and information itself become more and more the strategic
enablers of organizational activity, so the effective management of both IT
and information assets becomes a critical strategic concern for boards of
directors. This book will enable directors and business managers in organizations
and enterprises of all sizes to ensure that their IT security strategies are
coordinated, coherent, comprehensive and cost-effective, and meet their
specific organizational or business needs. While the book is written initially
for UK organizations, its lessons are relevant internationally, as computers
and data threats are internationally similar. Again, while the book is written
primarily with a Microsoft environment in mind (reflecting the penetration of
the Microsoft suite of products into corporate environments), its principles
apply to all hardware and software environments. ISO/IEC 27001 is, itself, system agnostic.

The hard copy of this book provides detailed advice and guidance on the
development and implementation of an ISMS that will meet the ISO27001
specification. The website (www.itgovernance.co.uk) carries a series of
ISO27001 Documentation Toolkits. Use of the templates within these toolkits,
which are not industry or jurisdiction specific but which do integrate
absolutely with the advice in this book, can speed knowledge acquisition and
ensure that your process development is comprehensive and systematic.
Organizations should always ensure that any processes they implement
are appropriate and tailored for their own environment. There are four
reasons for this:
Policies, processes and procedures should always reflect the style, and the
culture, of the organization that is going to use them. This will help their
acceptance within the organization.
The processes and procedures that are adopted should reflect the risk
assessment carried out by the organization’s specialist security adviser.
While some risks are common to many organizations, the approach to
controlling them should be appropriate to, and cost-effective for, the individual
organization and its individual objectives and operating environment.
It is important that the organization understands, in detail, its policies,
processes and procedures. It will have to review them after any significant
security incident and at least once a year. The best way to understand
them thoroughly is through the detailed drafting process.
Most importantly, the threats to an organization’s information security
are evolving as fast as the information technology that supports it. It is
essential that security processes and procedures are completely up to
date, that they reflect current risks and that, in particular, current technological
advice is taken, to build on the substantial groundwork laid in this book.

This book will certainly provide enough information to make the drafting of
detailed procedures quite straightforward. Where it is useful (particularly in
generic areas like e-mail controls, data protection, etc), there are pointers as to
how procedures should be drafted. Information is the very lifeblood of most
organizations today and its security ought to be approached professionally
and thoroughly.

Finally, it should be noted that ISO27001 is a service assurance scheme, not
a product badge or cast-iron guarantee. Achieving ISO27001 certification
does not of itself prove that the organization has a completely secure information
system; it is merely an indicator, particularly to third parties, that the
objective of achieving complete security is being effectively pursued.
Information security is, in the terms of the cliché, a journey, not a destination.

Table of Contents
Acknowledgements
Introduction
1. Why is information security necessary?
The nature of information security threats
The prevalence of information security threats
Impacts of information security threats
Cybercrime
Cyberwar
Future risks
Legislation
Benefits of an information security management system
2. The Combined Code, the Turnbull Report and Sarbanes–Oxley
The Combined Code
The Turnbull Report
The Revised Combined Code
Sarbanes–Oxley
IT governance
3. ISO27001
Benefits of certification
The history of ISO27001 and ISO27002
The ISO/IEC 27000 series of standards
Use of the standard
ISO/IEC 27002
The Plan–Do–Check–Act and process approach
Structured approach to implementation
Quality system integration
Documentation
Continual improvement and metrics
4. Organizing information security
Internal organization
Management review
Information security manager
The cross-functional management forum
The ISO27001 project group
Approval process for information processing facilities
Product selection and the Common Criteria
Specialist information security advice
Contact with authorities and special interest groups
Independent review of information security
Summary
5. Information security policy and scope
Information security policy
A policy statement
Costs and the monitoring of progress
6. The risk assessment and statement of applicability
Establishing security requirements
Risks, impacts and risk management
Selection of controls and statement of applicability
Gap analysis
Risk assessment tools
Risk treatment plan
Measures of effectiveness
7. External parties
Identification of risks related to external parties
Types of access
Reasons for access
Outsourcing
On-site contractors
Addressing security when dealing with customers
Addressing security in third-party agreements
8. Asset management
Asset owners
Inventory
Acceptable use of assets
Information classification
Unified classification markings
Information labelling and handling
Non-disclosure agreements and trusted partners
9. Human resources security
Job descriptions and competency requirements
Screening
Terms and conditions of employment
During employment
Disciplinary process
Termination or change of employment
10. Physical and environmental security
Secure areas
Public access, delivery and loading areas
11. Equipment security
Equipment siting and protection
Supporting utilities
Cabling security
Equipment maintenance
Security of equipment off-premises
Secure disposal or reuse of equipment
Removal of property
12. Communications and operations management
Documented operating procedures
Change management
Segregation of duties
Separation of development, test and operational facilities
Third-party service delivery management
Monitoring and review of third-party services
Managing changes to third-party services
System planning and acceptance
13. Controls against malicious software (malware) and back-ups
Viruses, worms and Trojans
Spyware
Anti-malware software
Hoax messages
Anti-malware controls
Airborne viruses
Controls against mobile code
Back-up
14. Network security management and media handling
Network management
Media handling
15. Exchanges of information
Information exchange policies and procedures
Exchange agreements
Physical media in transit
Business information systems
16. Electronic commerce services
E-commerce issues
Security technologies
Server security
Online transactions
Publicly available information
17. E-mail and internet use
Security risks in e-mail
Spam
Misuse of the internet
Internet acceptable use policy
18. Access control
Hackers
Hacker techniques
System configuration
Access control policy
User access management
Clear desk and clear screen policy
19. Network access control
Networks
Network security
20. Operating system access control
Secure log-on procedures
User identification and authentication
Password management system
Use of system utilities
Session time-out
Limitation of connection time
21. Application access control and teleworking
Application and information access control
Mobile computing and teleworking
22. Systems acquisition, development and maintenance
Security requirements analysis and specification
Correct processing in applications
23. Cryptographic controls
Encryption
Public key infrastructure
Digital signatures
Non-repudiation services
Key management
24. Security in development and support processes
System files
Access control to program source code
Development and support processes
Vulnerability management
25. Monitoring and information security incident management
Monitoring
Information security events
Management of information security incidents and improvements
Legal admissibility
26. Business continuity management
BS25999
The business continuity management process
Business continuity and risk assessment
Developing and implementing continuity plans
Business continuity planning framework
Testing, maintaining and reassessing business continuity plans
27. Compliance
Identification of applicable legislation
Intellectual property rights
Safeguarding of organizational records
Data protection and privacy of personal information
Prevention of misuse of information processing facilities
Regulation of cryptographic controls
Compliance with security policies and standards, and technical compliance checking
Information systems audit considerations
28. The ISO27001 audit
Selection of auditors
Initial audit
Preparation for audit
Terminology
Appendix 1: Useful websites
Appendix 2: Further reading
Index

Product details
Pages: 385
File size: 1,437 KB
File type: PDF
ISBN: 978-0-7494-5271-1
Copyright: Alan Calder and Steve Watkins, 2002, 2003, 2005, 2008