A new version of the ISO 27001 information security standard came out about a year ago. While the new release addresses some of the changes in information security best practices since the previous release in 2005, it may not address one of the biggest challenges in today's information security landscape: the now documented ability of government agencies in the United States and United Kingdom to intercept Internet traffic and undermine widely used security mechanisms.
The latest ISO 27001 standard establishes the following requirements for determining the context of an organization seeking security certification:
4.1 Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.
4.2 Understanding the needs and expectations of interested parties
The organization shall determine:
- a) interested parties that are relevant to the information security management system; and
- b) the requirements of these interested parties relevant to information security (NOTE: The requirements of interested parties may include legal and regulatory requirements and contractual obligations).
Organizations with high-level security and privacy requirements also need to factor a further issue into their risk assessment: a hostile and intrusive government belongs on the list of threat sources, alongside the cyber-criminals and other hostile outsiders already evaluated during a risk assessment.
Another factor to consider when it comes to threat assessments is this: the NSA didn't develop its capabilities in a vacuum, and it didn't put them into operation in a vacuum either. Corporations and contractors (as Edward Snowden's own employment shows) developed and implemented the capabilities the NSA has been using. Capabilities that exist inside contractors and vendors can leak, be sold, or be turned against other targets, so the pool of parties able to exercise them is larger than the agency itself. How does that recognition affect risk assessment?
ISO 27001:2013 includes the following requirements for risk assessment:
6.1.2 Information security risk assessment
The organization shall define and apply an information security risk assessment process that:
- d) analyses the information security risks:
1) assess the potential consequences that would result if the risks identified were to materialize;
2) assess the realistic likelihood of the occurrence of the risks identified; and
3) determine the levels of risk;
Will the latest version of ISO 27001 result in companies factoring the likelihood of receiving a national security letter into their risk assessments? Does the likelihood of outside threats compromising the confidentiality of data change with the knowledge that the capability to defeat some widely deployed encryption exists, and that you don't know who does and doesn't have that capability? Microsoft apparently thinks so.
While ISO 27001:2013 should lead companies to identify the new risks posed by the NSA, it's somewhat less helpful when it comes to providing guidance for selecting controls to mitigate those risks once they're identified. Security expert Bruce Schneier and others suggest that encryption is one of the best tools individuals and organizations can use to protect themselves in the current climate.
ISO 27001:2013 includes the following controls for encryption:
A.10.1.1 Policy on the use of cryptographic controls
A policy on the use of cryptographic controls for protection of information shall be developed and implemented.
A.18.1.5 Regulation of cryptographic controls
Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.
The Acceptable Encryption Policy template from the SANS Institute recommends using "NIST approved cryptographic modules." Now that we know the NSA has tried to intentionally weaken cryptographic standards and commercial products, some organizations may need to revisit their encryption policies and consider which cryptographic algorithms and implementations actually meet their security requirements. One caveat: module approval (FIPS 140 validation) speaks to how an implementation was tested, not to whether a given algorithm is trustworthy, and the public NIST algorithms such as AES and SHA-2 remain among the most heavily scrutinised in existence; the concern is with opaque standards and closed implementations. Schneier recommends that organizations "be suspicious of commercial encryption software, especially from large vendors" and also suggests that companies "try to use public-domain encryption that has to be compatible with other implementations."
Some organizations may go with the "security by obscurity" approach and use their own custom cryptography algorithms on the theory that the NSA won't know about them. That gives a false sense of security: an algorithm that has never faced public analysis is far more likely to contain weaknesses than a published one, and the secrecy of the algorithm rarely survives contact with a determined adversary who can obtain the software, the keys, or a few bytes of known plaintext. The choice of encryption also has to be balanced against the possibility that strong encryption increases the chances of receiving a national security letter from agents in dark suits. How will that risk impact the selection of controls?
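To make the "false sense of security" concrete, here is an added example (not code from the original post, and not any real product) of why a homegrown secret cipher fails: a hypothetical "proprietary" scheme that XORs data with a repeating key, broken by a known-plaintext attack. The attacker never needs the algorithm's documentation; a fixed file header, which almost every format has, is enough to recover the keystream, measure its period, and read the whole message. The key, header and message are constructed for the example.

```python
from itertools import cycle
from typing import Optional

# Constructed sample data for this example (not from the original post).
SECRET_KEY = b"s3cr3t!!"                         # the "proprietary" 8-byte key
KNOWN_HEADER = b"ACMEDOC-v1.0\x00\x00\x00\x00"   # assumed fixed 16-byte file header
MESSAGE = KNOWN_HEADER + b'{"board":"Q3 figures are weak, hold the press release"}'


def custom_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """The homegrown 'secret' cipher: XOR each byte with a repeating key.
    Keeping the algorithm secret is its only defence."""
    return bytes(p ^ k for p, k in zip(plaintext, cycle(key)))


custom_decrypt = custom_encrypt  # XOR is its own inverse


def keystream_from_crib(ciphertext: bytes, crib: bytes) -> bytes:
    """Known-plaintext step: C XOR P reveals the keystream under the crib,
    whatever the cipher's author called the algorithm."""
    return bytes(c ^ p for c, p in zip(ciphertext, crib))


def find_period(stream: bytes, max_period: int) -> Optional[int]:
    """Smallest L such that stream[i] == stream[i + L] for every overlapping i,
    i.e. the length of the repeating key.  None if no period fits in the crib."""
    for period in range(1, max_period + 1):
        if stream[period:] == stream[:-period]:
            return period
    return None


def recover_key(ciphertext: bytes, crib: bytes) -> bytes:
    """Recover the full key from a crib at least twice as long as the key.
    Raises ValueError when the crib is too short to establish the key length."""
    stream = keystream_from_crib(ciphertext, crib)
    period = find_period(stream, len(crib) // 2)
    if period is None:
        raise ValueError("crib too short to establish key length")
    return stream[:period]


def break_custom_cipher(ciphertext: bytes, known_header: bytes) -> bytes:
    """End-to-end attack: recover the key from the header, decrypt everything."""
    key = recover_key(ciphertext, known_header)
    return custom_decrypt(key, ciphertext)


if __name__ == "__main__":
    ct = custom_encrypt(SECRET_KEY, MESSAGE)
    print("recovered key:", recover_key(ct, KNOWN_HEADER))
    print("plaintext    :", break_custom_cipher(ct, KNOWN_HEADER).decode())
```

The attack needs only a crib about twice the key length; a longer key or a more elaborate byte-mixing step does not change the picture, because the secrecy of the design is doing all the work and cannot be rotated, audited or revoked the way a key can. That is the practical argument behind Schneier's advice to prefer published, interoperable cryptography.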
There’s no doubt that cryptography will be an important factor for organizations to consider as they seek certification under the ISO 27001:2013 standard, but I have doubts as to whether the new standard provides adequate implementation guidance for the post-Snowden world.