The "RISKY BUSINESS" Blog

So the childish side of me wants to say I told you so ... but I'm above that so I won't.

It's been a while that we have been banging the ISO27001 drum. So the recent influx of significant cloud computing organizations like Microsoft and Salesforce.com is only a surprise in that they got on the wagons sooner than we thought they would.

What does this mean to you?

If you work for a company that needs to provide third party attestation -- quite a lot. It means the tipping point on 27001 being the de facto form of attestation is nearer than we thought -- likely less than 18 months. So if you don't yet have an initiative in place - it's probably time to do so.

Where third party attestation is not required its less clear what this means. Best guess is that ISO27001 will become somewhat "de rigueur" in that you will have to rationalize why you chose not to align yourself with the standard to key stakeholders and management (rather than the converse).  I think it's hard to rationalize against leveraging a well vetted framework that simplifies Information Security by providing a method to our madness. Interestingly I had a conversation this week with the CISO of a $5 Billion entity that has no attestation requirements - yet he wants to move to ISO27001 for just that reason.

For an Intro to ISO 27001, download a copy of our CSO presentation.

Or, review a Case Study for ISO 27001 by clicking here.

We are fortunate enough to work extensively with across both government and private sector clients. The two biggest differences we notice are that government entities are much more risk-intolerant and that most government entities employ some form of Security Certification & Accreditation (SC&A) process.

Figuring out why most government entities run SC&A is pretty straight forward. Being risk intolerant, means that you are going to spend whatever dollars are necessary to mitigate the biggest risks. Large projects (e.g., moving your core accounting application off the main-frame to a 3 tier J2EE architecture) that embody significant change embody significant risk, hence, lets ensure that the application is secure before we deploy it (SC&A). Another driver, is the federal government advocating (or mandating) SC&A (e.g., NIST 800-37) for federal entities, which has trickled down to many states and larger cities.

What is not as clear to me is why private sector companies don't have formal SC&A processes. Any information security professional worth their weight in salt knows that change = risk. So why are so many systems deployed without sufficient testing? I wish this was where I came up with a clever answer, but I have none. I'm hopeful that advances like SAMM will change the situation.

Dear X,

At the close of our meeting you asked me to follow up with a proposal on how I think we (jointly) should approach your information security/information assurance requirements relating to (insert your relevant regulatory compliance issues here).  As you already know, I don't yet have enough knowledge of (insert your company name here) to answer that question definitively.  But "I'm not sure yet" is neither confidence inspiring nor all that useful.  So based on the four main ideas I took out of our meeting  (bullets below) I will lay out my best guess as to what our (joint) approach may be. 

PRIMARY CONCERNS:

• You have a growing demand to "prove" that you are compliant with relevant laws and regulations (most notably HIPAA/PII) which is challenging and time consuming.
• You have a relatively good security posture, although it lacks in documentation and formality.  This results in you feeling good about the 95% you "know", and nervous that the 5% you're not sure about is going to come back to bite you.
• The reason you are where you are, is that you have insufficient resources (time/training/manpower) to address security/assurance/attestation at a more "strategic" level.
• You are looking for a roadmap to confirm the 95%, address the 5%, and simplify the process of proving you are compliant with relevant laws and regulations to management and customers.

RISK-DRIVEN APPROACH
Our approach should be risk driven.  Fortunately, it does not seem as though there are any "urgent" risks that need to be addressed immediately,  which gives us greater flexibility in our approach.  Beginning with the end in mind is a fundamental tactic, so determining what the overall "target" is for our control environment is going to be helpful .  For now, I would restrict our efforts to the information security realm to ensure that we don't end up in a "boil the ocean" exercise (later we can look at integrating our information security controls into a larger Information Technology Control Framework like COBIT if it is warranted).   From an information security framework perspective, I'm a fan of ISO 27001 for a couple of reasons:

• It's proven: ~ 7,000 companies are already leveraging it, and ISO 17799 from which it is derived, has been in place over ten years and has been used by tens of thousands of organizations.
• It's an international standard that is "recognized" by everyone and is widely regarded as the de-facto standard by most.
  ISO 27001 has  been  "mapped" to HIPAA/PII and can be easily mapped to any new standard that you may need to comply with.  This simplifies proving compliance.
• It's certifiable (like ISO 9001) meaning that you can get those portions of your environment that are relevant to the handling of client data certified to be compliant with the standard by an independent entity.  This is the best possible form of attestation.

Alternatives include: a roll your own approach, the BITS Shared Assessment program (more financial services oriented) and HITRUST (purely Healthcare-centric).   I'm pretty confident that ISO 27001 would be the optimal approach for you.

PLANNING FOR ISO 27001
Assuming you agree, and you are not under any  short term requirement to be certified,  I would recommend a 1 - 2 year time target for certification.  You can try to do it faster (if necessary), but the controls in a strong control environment are highly interdependent and trying to move too far too fast often results in sub-optimal results.  Further, doing it faster would drive much of the work effort external to your organization and we have found that ensuring  your key folks are true stakeholders, is very important to long term project success.

Gaining Senior Management buy-in is also critical.  A 27001 Gap Assessment is the best way to get a sense of the work effort necessary to get to ISO 27001 certification and communicate the staffing/budget requirements for the same.  So a Gap Assessment would likely be the first activity relating to ISO 27001, and would provide a measure of where we are,  where we need to get to, and what it will take to do so.

MANAGING THE "INTERIM"
One challenge to the approach outlined is "proving" you are secure to customers/business partners in the interim (between now and ISO 27001 certification).  An approach that we usually (successfully) employ is to use a Vulnerability Assessment and Penetration Test (VA/PT) to "substantiate the net-effectiveness" of your current control environment.  In addition to being short term attestation, the VA/PT also provides valuable input into the ISO 27001 Gap Assessment (and longer term, the Risk Assessment that is integral to ISO 27001).  Where attestation requirements are a bit higher, we often supplement the VA/PT results with a Security Data Flow Diagram (SDFD) depicting key security treatments throughout your client's data-lifecycle.  The SDFD is also leveraged during the ISO 27001 Risk Assessment phase.

Please call me on my cell (732) 267-6324 when you have a few minutes to discuss this further.

PS: You might also want to check out our ISO 27001 Case Study and other ISO 27001 resources for further information!