June 27, 2012

Last Updated on January 13, 2024

Our Ethical Hacker Roundup last week included a blurb on stricter laws to protect patient health information (PHI) in Health Information Exchanges (HIEs).  That led me to download and read the new ISO-27010 Standard (Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications).
ISO-27010 was not at all what I expected it to be. I thought it would provide guidance on an area that we have consistently found to be a challenge: “data interfaces”. Too often organizations focus their security related efforts on the network infrastructure and applications, only to find that we can gain access to the data of concern either before it hits the system or after it leaves it. This approach is akin to investing in a significant alarm system that can thwart mission impossible attacks – but leaving a key under the mat for the maid.
So what is ISO-27010 then? For those of you familiar with TICE (Trusted Information Communication Entity), TLP (Traffic Light Protocols), and WARP (Warning, Advice, and Reporting Protocols) you have a lot to be excited about with regards to ISO 27010. The key concept behind ISO 27010 is that there are often times when organizations need to share sensitive data with a number of other organizations. Examples would include: Healthcare Information Exchanges, Information Sharing and Analysis Centers (ISACs), Law Enforcement, and Critical Infrastructure. In those instances – where by design high-risk data is being “risk managed” across dozens of Information Security Management Systems (ISMSs) – there are some interesting “corner cases” where ISO-27002 lacks a bit that ISO-27010 addresses.
To be clear, ISO-27010 does not replace ISO-27001 or ISO-27002, but rather it complements them. ISO-27010 takes the existing ISO-27002 control set and either provide additional guidance for existing controls, or in some cases add new controls that are specific to this particular use case.
For example:

  • ISO-27010 adds a new control in Clause 7 (Asset Management 7.3 Information exchanges protection) that deals with a number of issues that ISO-27002 does not directly address, including the protection of source anonymity in an information sharing exchange, which is almost contrary to normal requirements relating to non-repudiation.
  • ISO 27010 provides some additional guidance for control 5.1.1 Information security policy document: “The information security policy document should define how the community members will work together to set security management policies and direction for the information sharing community…”

I would argue that there is value to the standard in other less obvious situations as well. For example,

  • We once worked on a secure sharing model for GIS related data across players in the petrochemical industry that including sharing based on “trust ability” (e.g., the demonstrated security posture of the player), which is something that ISO-27010 addresses.
  • ISO27010 might help address the “fiefdom” challenges that are prevalent in law enforcement (local versus state versus federal versus federal). Initiatives like Accelerated Information Sharing for Law Enforcement (AISLE) and Global Justice XML are likely to benefit from the principles of ISO-27010. 

One of the interesting things about ISO27001 is its guidance on managing third-party (or “sixth–party”) risk.  While ISO-27002 covers that pretty well for conventional “vendor” scenarios, 27010 adds some new tools to deal with more complex scenarios. As cloud and web services continue to evolve, I strongly suspect that we will see elements of 27010 creeping into many Information Security Management Systems.