Author Archive

Nick Orchiston

Nick is a management systems consultant with more than 17 years’ experience encompassing quality (ISO9001), health & safety (OHSAS18001), environmental (ISO14001) and information security (ISO27001) management systems. Nick has successfully supported a wide variety of organisations, from SMEs to global corporations through to accredited certification to all of these standards.

Qualitative vs. Quantitative information security risk assessment methodologies

October 13th, 2011 by

When researching risk assessment methodologies for carrying out an information security risk assessment you will no doubt be confronted by two terms – Qualitative and Quantitative. Then you may be wondering ‘what should I do now?’

So which is best? And does it matter? And what is the difference between them?

To answer these questions we should start by defining what they are.

‘Qualitative’ means “involving distinctions or involving comparisons based on qualities”.

‘Quantitative’ means “that is or may be estimated by quantity”.

So ‘Qualitative’ means based on quality or merit, intrinsic worth or virtue. ‘Quantitative’ means based on quantity or amount, size or number.

Think of ice cream: we might judge various vanilla ice creams as being ‘inedible’, ‘tasty’ or ‘moreish’. That would be a qualitative measure. We could put a number against each and say that inedible=1, tasty=2, moreish=3. Then we ask 100 people to taste our ice creams and rank them as either a 1, 2 or 3. Now we have quantity, so we have ‘Quantitative’ data.

Does it make any difference?

Well, it does if we want to be ‘scientific’ in our approach to risk assessment. We want to be scientific because the more scientific we are, the more reproducible our approach will be. The ISO 27001 standard encourages us to be consistent: “The risk assessment methodology selected shall ensure that risk assessments produce comparable and reproducible results” (ISO 27001:2005 sec 4.2.1 (c) 2).

So the more scientific our approach is the better it suits the standard and the more comparable and reproducible it is.

Assessing a risk as ‘High’ does not have the same impact as saying it is 9 on a scale of 1 to 9, although the meaning might be the same.

Beaufort realised this. He defined a scale for wind conditions which has been refined over the years and extends from ‘Calm’ to ‘Hurricane’. These ‘Qualitative’ labels have been paired with ‘Quantitative’ numbers 1 to 12, each of which also has a corresponding wind speed value. This turns a subjectively judged scale into an objectively assessed scientific one, so we can compare one ‘hurricane force’ storm with another.

When you are thinking about risk methodologies, making them quantitative has many advantages over a simple qualitative approach. A quantitative method tends to be more reproducible, and therefore makes it easier to compare past and present risk assessments. It also tends to give more consistent results by removing an element of subjectivity.

Qualitative assessments are easier to do but as they are more subjective they tend to be less reproducible, certainly over time.

In truth, and pragmatically, we use a mix of both methods.

Very often we use a qualitative approach to identify key risks. We then use a quantitative approach to determine the actual risk with a qualitative view of the risk once it has been mitigated.
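The qualitative, then quantitative, then qualitative cycle just described, as an added example that is not from the post: each qualitative label is anchored to a measurable threshold in the way the Beaufort scale anchors a wind name to a wind speed, so two assessors feeding in the same estimates must arrive at the same 1 to 9 score, and two assessments a year apart can be compared directly. The scales, thresholds, risk register and treatment factors are all constructed for this example.

```python
# Beaufort-style scales, constructed for this example: each qualitative label
# is anchored to a measurable threshold, so once the estimate is agreed the
# label is no longer a matter of opinion.
LIKELIHOOD_SCALE = [  # (upper bound on expected events per year, level, label)
    (1.0, 1, "rare"),
    (12.0, 2, "possible"),
    (float("inf"), 3, "likely"),
]
IMPACT_SCALE = [  # (upper bound on loss per event in GBP, level, label)
    (10_000, 1, "minor"),
    (100_000, 2, "moderate"),
    (float("inf"), 3, "severe"),
]


def level(scale, value):
    """Return (level, label) for a measured value on a threshold scale."""
    for upper, lvl, label in scale:
        if value <= upper:
            return lvl, label
    raise ValueError("scale must end with an infinite upper bound")


def risk_score(events_per_year, loss_gbp):
    """Quantitative score on a 1 to 9 scale: likelihood level x impact level."""
    likelihood, _ = level(LIKELIHOOD_SCALE, events_per_year)
    impact, _ = level(IMPACT_SCALE, loss_gbp)
    return likelihood * impact


def risk_band(score):
    """Qualitative view of a score, used for the post-mitigation statement."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def assess(register, treatments):
    """register: {risk_id: (events_per_year, loss_gbp)}
    treatments: {risk_id: (rate_factor, loss_factor)} applied after mitigation.
    Returns {risk_id: (inherent_score, residual_score, residual_band)}."""
    results = {}
    for rid, (rate, loss) in register.items():
        rate_factor, loss_factor = treatments.get(rid, (1.0, 1.0))
        inherent = risk_score(rate, loss)
        residual = risk_score(rate * rate_factor, loss * loss_factor)
        results[rid] = (inherent, residual, risk_band(residual))
    return results


def compare(previous, current):
    """Because the scoring is fixed, two assessments are directly comparable:
    report every risk whose residual score moved, and in which direction."""
    changes = {}
    for rid in previous.keys() & current.keys():
        before, after = previous[rid][1], current[rid][1]
        if before != after:
            changes[rid] = ("up" if after > before else "down", before, after)
    return changes


# Constructed register: (expected events per year, loss per event in GBP).
REGISTER_2010 = {
    "laptop-theft": (6.0, 20_000),
    "phishing": (24.0, 50_000),
    "flood": (0.05, 500_000),
}
REGISTER_2011 = dict(REGISTER_2010, phishing=(60.0, 50_000))  # more attempts seen

# Treatments as (rate factor, loss factor): full-disk encryption leaves the
# theft rate alone but cuts the loss; awareness training halves phishing successes.
TREATMENTS = {
    "laptop-theft": (1.0, 0.05),
    "phishing": (0.5, 1.0),
}

if __name__ == "__main__":
    before, after = assess(REGISTER_2010, TREATMENTS), assess(REGISTER_2011, TREATMENTS)
    for rid, (inherent, residual, band) in sorted(after.items()):
        print(f"{rid:14} inherent {inherent}  residual {residual} ({band})")
    print("changed since last assessment:", compare(before, after))
```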

Does it matter? As far as ISO 27001 is concerned not really, so long as you define your approach and stick to it – that is all that really matters.

Still confused? Why not contact our experts at Vigilant Software on 0845 003 8228 or via email servicecentre@vigilantsoftware.co.uk.

Passwords: the bane of everyone’s life?

September 6th, 2011 by

As a consultant, I am often asked what is good practice on passwords. I am afraid I tend to follow what is considered received wisdom as published in CESG memos 26 and 35, which suggested:

Password complexity must cover the following criteria:

1. Must contain a minimum of 7 characters
2. Must be alphanumerical with at least 1 numeric
3. Must be changed at least every 90 days
4. Cannot reuse the last 20 passwords
5. Cannot use any part of the user’s assigned account name
6. Must not be shared or written down

Most organisations use a variation on this theme. Usually 8 characters with complexity and changed regularly, every 90 days being common. Indeed some customers demand password rules along these lines to be implemented as part of contractual obligations.

The trouble with passwords like these, though, is that they are difficult to remember. Not only that, but their ‘strength’ is not always as high as you’d think: password crackers can in many cases crack these passwords quite quickly.

A client and I were having this very debate and he sent me a link to a cartoon which you can see here: http://xkcd.org/936/.

This got me thinking and having looked around the web I have to say that having a passphrase rather than a password seems a better way to go.

Cracking passwords comes down to two approaches: guessing the password or brute force cracking. If the hacker that wants to get into your account knows you, and you use a common name or a variation on a name such as your eldest child’s name (J0hn123!, say), then cracking the password is actually quite easy for a computer programme.

Brute force hacking is more time consuming – programmes will throw combinations of letters, numbers and characters at the log on until they find the right one. This is then merely a function of time – how long it takes a computer to throw the right characters until it ‘guesses’ the right values. The longer the password, the more complex the calculation, the longer it takes a computer.

The trouble, though, is that making passwords harder for computer programmes to crack also makes them harder for users to remember. Users are thus tempted to write them down, especially if they have multiple systems to log in to. Of course, writing them down introduces potential insecurity, which tends to undermine the rationale for having passwords as a security device.

Some people of course can handle passwords easily but the truth is they may be in the minority.

To preserve security, banks providing on-line banking are introducing a token approach. For this you have a keypad device into which you insert your bank card. You enter your PIN and the device provides you with a rolling pass key, which is then entered into the website. This provides a lot of security: you need the device, your card and your PIN as a minimum.

However introducing such a system into most organisations is very expensive.

So what about using pass phrases? These are easy to remember. Passphrases such as “I went to Zanzibar for 12 coconuts!” or “My eldest child is John and he is 12 years old!” can be used. Easy to remember, hard for computer programmes to crack.

Or use four randomly chosen words “Orange Haystack Tomato Garden”. You can always include special characters or numbers “Orange Haystack Tomato 24 Garden!” to make it even more complex.
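As an added illustration, not code from the post: the block below checks a candidate password against those of the CESG-style rules listed above that can be judged from the string itself, and puts numbers on the ‘longer is harder to brute-force’ argument by comparing an 8-character password with a four-word passphrase. The character-class sizes, the reading of rule 5 as ‘no token of the account name of three or more characters’, the 2,048-word dictionary and the guess rate are all assumptions made for the example.

```python
import math
import re

# Alphabet each character class adds to a brute-force search space;
# 33 = space plus the 32 printable ASCII punctuation marks (assumed sizes).
CHARACTER_CLASSES = {
    "lower": (re.compile(r"[a-z]"), 26),
    "upper": (re.compile(r"[A-Z]"), 26),
    "digit": (re.compile(r"[0-9]"), 10),
    "other": (re.compile(r"[^A-Za-z0-9]"), 33),
}


def check_cesg_rules(password, account_name, history=()):
    """Return the rules (numbered as in the list above) that the password
    breaks; an empty list means it passes every rule that can be judged
    from the string itself (rules 3 and 6, ageing and sharing, cannot be)."""
    failures = []
    if len(password) < 7:
        failures.append("rule 1: fewer than 7 characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        failures.append("rule 2: needs letters and at least one digit")
    if password in tuple(history)[-20:]:
        failures.append("rule 4: matches one of the last 20 passwords")
    # Rule 5, read as: neither the whole account name nor any token of it
    # of three or more characters may appear (assumed interpretation).
    tokens = [account_name] + [
        t for t in re.split(r"[.\-_@ ]", account_name) if len(t) >= 3
    ]
    if any(t.lower() in password.lower() for t in tokens):
        failures.append("rule 5: contains part of the account name")
    return failures


def brute_force_bits(secret):
    """Search-space bits when an attacker must try every string of this
    length over the character classes present: the post's 'longer is
    better' argument in numbers."""
    if not secret:
        return 0.0
    alphabet = sum(size for rx, size in CHARACTER_CLASSES.values() if rx.search(secret))
    return len(secret) * math.log2(alphabet)


def passphrase_bits(word_count, dictionary_size):
    """Search-space bits when the attacker knows the phrase is word_count
    words chosen at random from a dictionary of dictionary_size words."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try the whole space at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e9  # assumed offline guess rate, for comparison only
    for secret in ("J0hn123!", "Orange Haystack Tomato Garden"):
        bits = brute_force_bits(secret)
        print(f"{secret!r}: {bits:.1f} bits, {years_to_exhaust(bits, rate):.2e} years")
    # The same four-word phrase if the attacker knows it is 4 words from a 2048-word list.
    print(f"4 words from 2048: {passphrase_bits(4, 2048):.1f} bits")
    print(check_cesg_rules("Smith2011!", "john.smith"))
```

The figure that matters when setting policy is the dictionary-model one (44 bits for four words drawn from a 2,048-word list): a cracker that guesses whole words is not slowed down by the character count, so the word list and the number of words, not the length in letters, set the real strength of a passphrase.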

So why is this not common practice? Well, a number of issues arise from the use of pass phrases.

One, as the characters are (usually) masked at log in, it is easy to enter the pass phrase incorrectly (after all, as you type only dots appear, and you may lose track of where you are).

Secondly, not everyone knows this is possible and there is reluctance to move away from the password=8 characters school.

To overcome the former, some ‘experts’ suggest that passwords should not be masked as they are entered.

There is no one answer. What might be more appropriate is to allow pass phrases and offer examples of both password generation and pass phrase generation, coupled with user education and a password ‘strength’ meter such as http://www.passwordmeter.com/ or https://www.microsoft.com/en-gb/security/pc-security/password-checker.aspx

So, some suggestions:

  • If you use passwords only, then an absolute minimum of 8 characters, with at least one capital letter plus special characters and numbers
  • Consider pass phrases as well as passwords
  • Educate users on password generation, and provide examples
  • Provide a password check meter
  • Allow users to un-mask password characters
  • Provide a password safe such as http://passwordsafe.sourceforge.net/ or http://keepass.info/ for users to store their passwords in

Most security systems including Windows(TM) allow up to 127 characters in the password – the longer the passkey, the better.

Planning Business Continuity

August 26th, 2011 by

We all know that Business Continuity is something that should be put in place. Everyone knows that there ought to be contingency plans in the event of a disaster overtaking our business. Anyone knows that, whilst unlikely, a disaster could happen at any moment. No one is better placed to understand this than the board, chief executive and senior management. Someone ought to have these contingency plans ready just in case.

So if this is self evident, why are you reading this? Do you not have such contingency plans? Or are you like many other organisations hoping that nothing disastrous happens, yet are convinced that if it does you will cope adequately?

Business continuity is a planned process identifying what might go wrong, evaluating the risk from that event and then defining plans to address such risks.

Risk assessment helps to identify the range of threats to the organisation, the vulnerabilities your organisation has if those threats arise, the impact such events would have on the organisation, and the likelihood of their occurring.

The threats the organisation may face need to be identified. These may be obvious ones such as flood, fire, bomb threat, terrorist activities, storms and environmental effects (e.g. heavy snow). There may well be others to consider. What if key staff are in a syndicate and they won the Euromillions lottery: would they still be at work on Monday? What if a key customer filed for bankruptcy or a key supplier suffered an earthquake? These are all threats to be considered.

What impact would these threats have on your organisation should they occur? Key to this is understanding the crucial activities and processes within the organisation. In order to conduct a full and proper business continuity planning process it is fundamental to understand how the organisation works. This analysis can then be used to ask ‘what if’ that key process were to disappear. What would we do? How long could we cope without that activity? How do we get it back?

As an example, how long could the business survive if the credit control function vanished? Without someone collecting money do we have deep enough pockets to pay our people and our suppliers for very long?

Once the key activities have been identified then it is prudent to figure out how long the organisation could survive without that function. Thus the impact over time can be determined – this is Business Impact Analysis (BIA for short). From this we can determine the MTPD or Maximum Tolerable Period of Disruption. MTPD is the maximum time we can do without that service or activity before our business is irrevocably threatened. For some processes this might be a matter of minutes or hours, for others it may be weeks or months. We should set a Recovery Time Objective (RTO) for these activities. This is less than the MTPD and is the time we expect to recover the activity. If the RTO is longer than the MTPD it means that our business is in jeopardy.

To prioritise which activities are recovered and in which order it is advisable to identify the critical activities. This then gives us a recovery plan identifying which activities are recovered in which order and hence which require what resources at what time.

Armed with this information we can carry out a risk assessment, identify the risks to our business and determine the action plans we need to put in place to counter the potential threats, so that the organisation’s activities continue with disruption kept within our tolerable levels.
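The BIA arithmetic described above, as an added example that is not from the post: each key activity carries an MTPD and an RTO, recovery is sequenced by MTPD, and any activity whose RTO exceeds its MTPD is flagged as putting the business in jeopardy. It adds one assumption the post does not spell out, namely that an activity may depend on others and its own recovery cannot start until they are back; the activities and the hours are constructed.

```python
from dataclasses import dataclass


@dataclass
class Activity:
    """One key activity from the BIA. Times are in hours (constructed data)."""
    name: str
    mtpd: float             # Maximum Tolerable Period of Disruption
    rto: float              # Recovery Time Objective for this activity alone
    depends_on: tuple = ()  # assumed: activities that must be back first


def effective_rto(activities, name, _memo=None):
    """RTO including dependencies: an activity's own recovery is assumed to
    start only once everything it depends on has been recovered."""
    _memo = {} if _memo is None else _memo
    if name not in _memo:
        act = activities[name]
        waiting = max((effective_rto(activities, d, _memo) for d in act.depends_on), default=0.0)
        _memo[name] = waiting + act.rto
    return _memo[name]


def in_jeopardy(activities):
    """Names of activities whose effective RTO exceeds their MTPD."""
    return sorted(n for n, a in activities.items() if effective_rto(activities, n) > a.mtpd)


def recovery_order(activities):
    """Recover the activity with the smallest MTPD whose dependencies are
    already back, repeating until every activity has been recovered."""
    order = []
    remaining = dict(activities)
    while remaining:
        ready = [a for a in remaining.values() if all(d in order for d in a.depends_on)]
        if not ready:
            raise ValueError("circular dependency among: " + ", ".join(remaining))
        nxt = min(ready, key=lambda a: (a.mtpd, a.name))
        order.append(nxt.name)
        del remaining[nxt.name]
    return order


# Constructed BIA: the credit-control example from the post, plus the
# systems and order intake it relies on.
ACTIVITIES = {a.name: a for a in (
    Activity("it-infrastructure", mtpd=8, rto=4),
    Activity("order-taking", mtpd=4, rto=2, depends_on=("it-infrastructure",)),
    Activity("credit-control", mtpd=72, rto=24, depends_on=("it-infrastructure",)),
    Activity("payroll", mtpd=336, rto=48, depends_on=("it-infrastructure",)),
)}

if __name__ == "__main__":
    for n in recovery_order(ACTIVITIES):
        print(f"{n:18} MTPD {ACTIVITIES[n].mtpd:>5}h  effective RTO {effective_rto(ACTIVITIES, n):>5}h")
    print("in jeopardy (RTO > MTPD):", in_jeopardy(ACTIVITIES))
```

Order-taking is flagged even though its own RTO is below its MTPD, because it cannot be back until the infrastructure it depends on is recovered; that is the case the plan has to resolve, by shortening the infrastructure RTO or giving order-taking a fallback that does not need it.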

This process does take time and effort to implement properly. However it does take away guess work and supplants hope with a pre-determined programme. After all, this is all about protecting the organisation and those stakeholders within it from the vagaries of chance.

The Business Continuity standard BS 25999-2 (soon to be replaced by ISO 22301) provides a management system framework for not just establishing appropriate Business Continuity plans, but also making sure they stay up to date, tested, maintained, owned by relevant individuals and stay appropriate to your challenging and changing business requirements. We can help you understand your environment, undertake these planning activities, produce relevant and appropriate plans, and more importantly put in a system that ensures their ongoing testing, maintenance and improvement.

Quantum Information Security

August 25th, 2011 by

In the 1920s a new theory was developed, heavily influenced by the work of Niels Bohr and his colleagues at the Institute of Theoretical Physics in Copenhagen, Denmark. This was the theory of Quantum Mechanics, which is still very much with us today and provides the foundation of many modern technological innovations, including micro-chips and lasers. As physicists looked closer at the sub-atomic world of the electron they found that matter behaved chaotically. The well ordered worldview that governs the orbits of the planets and trajectories of bullets fell away, to be replaced by a world where particles appeared to be in several places all at once.

One of the scientists heavily influenced by Bohr’s theories was the German physicist Werner Heisenberg. Following a meeting with Bohr in 1922, Heisenberg started work on a series of papers and concepts which culminated in 1927 when he published his famous Uncertainty Principle. This states that you can never know for certain both the position and momentum of a particle. You can measure one but not the other with any degree of certainty.

Does the uncertainty principle apply to your information? Do you know precisely who has access to that information? How that information is being safeguarded? Whether indeed it is accurate and up to date? Do those who need access to that up to date information have it accessible when they need it? In other words is the confidentiality, availability and integrity of information assets fully protected and secured?

If you cannot be certain then maybe you should look into developing and implementing an information security management system. Such a system, if properly realised, can safeguard your information assets, ensure you comply with applicable legislation and improve your organisation.

A key standard for information security is ISO 27001:2005 which is a specification for information security management systems. A good overview document which gives an introduction to information security is ISO 27000 “Information technology — Security techniques — Information security management systems — Overview and vocabulary”. These and other related standards are available from the Vigilant website including ISO 27005 Information Security Risk Management.

A Pilgrim’s Progress…

July 8th, 2011 by

So there you are … someone has mentioned ISO 27001 and that you ought to be certified or ‘have ISO 27001’, as it might be “good for business”. You have heard of ISO 27001, but have always dismissed it as being something to think about. Now, however, maybe it’s time to look into it a bit more seriously.

Quick search on the Internet – blimey there’s loads of stuff. Mostly from consultants and others trying to sell you stuff.

Resort to Wikipedia … it at least gives you an idea.

Aha – ISO 27001 is an international standard.

Next step then – get hold of the Standard.

Online order—wait a while until download completed … and … ’Open’ … and … oh! This looks so … ah! Exciting!

Read the opening bits … International Standard … Foreword … Introduction … Process Approach … Scope … Definitions … Ah! Here we are … Information Security Management System: General requirements…

…Scope … yes, Policy … ahem … ’Define a risk assessment approach’ … uh?

Our risk assessment approach is based on what I or the IT Manager thinks. What do they mean?

Read a bit more … ’identify the risks’ … ’analyse and evaluate the risk’ … ’identify and evaluate options for the treatment of risk’…

This ‘risk’ thing keeps coming up.

Then you spot a note “Risk assessment methodologies are discussed in ISO/IEC TR 13335-3”.

So a search on “ISO/IEC TR 13335-3”

This time you find that “ISO 27005:2011 supersedes ISO/IEC TR 13335-3” (can’t they ever get these standards sorted?)

Maybe purchase ISO 27005:2011?

Not sure – purchasing all these standards might get pricey. Plus what does it mean?

Perhaps a search for “ISO 27001 risk assessment”? Might that help?

That’s better. Now here’s something actually helpful. It is a page about “ISO 27001 Risk Assessments”. It’s written in plain English and it suggests that a tool might help, and there is even a free demo so I can try it out for myself.

I click on the links on this page, and it shows me a whole wealth of information telling me in a clear manner exactly what I need. Want to know where I went? Right here.

As for ISO 27005? I’ll bear it in mind, but that tool is way cool for risk assessments.

ISMS: The Missing Link

July 8th, 2011 by

Whenever any information security system is being implemented or improved there are three basic tenets to take into account:

  • People
  • Technology
  • Processes

You can spend all the money you like on technology or tighten the processes up to the nth degree, but unless people are considered the security will not be watertight.

It is people who make or break security systems. Some will cause issues due to making mistakes, others may be tempted through some nefarious activity, or because they are disgruntled for some reason. A classic case of this is the case with T-Mobile’s employees, who unlawfully sold customers’ personal data to third parties. Most employees, however, compromise security through oversights.

Oversights such as holding open doors for people we don’t know, letting them have access to buildings, choosing easily guessed passwords, leaving confidential papers on desks and printers, not keeping laptop screens away from prying eyes, or discussing sensitive items on a mobile in public places. Who hasn’t heard someone on a train ordering stuff using a mobile, where they give their name, address, card number and CVV code?

If people can do that with their own sensitive personal data, what might they be doing inadvertently with your data?

Getting people on board is vital for a comprehensive security system. Yes, you do have to have the right processes for them to follow and the technology has to be secure in itself. There are things you can do to inhibit people’s behaviour or to prevent breaches. The sort of technology might be encryption techniques for mobile devices (data sticks, laptops, mobile phones). It might be some form of endpoint protection. All of these help, but they do not in themselves afford full security.

So, how to bring people on board? Mostly, it is about communication. Share with your staff what you want to achieve, ask them to help you. Above all, provide them with training on what you consider acceptable and unacceptable behaviour. In particular, raise their awareness of how they can improve or compromise security. Point out what bad things can happen and what good practices they can employ.

This type of training can be dull, some of you will think. However, you can make it entertaining or even interactive, which is always a plus. You might consider introducing an e-learning course to your staff, or installing animated graphic reminders on their computers, or hanging information security awareness posters on the wall, or presenting them with a book on the subject. Whichever of these options you choose (why not all of them?), one thing is sure: you won’t go wrong.

The Ethical Burglar?

June 15th, 2011 by

You arrive home after an enjoyable evening out. As you approach your house, you hear a noise that appears to come from around the back. Quietly, you step around the back and, in the gloom, you see someone at your back door who seems to be engaged in an attempt to gain entry. “Who’s there?” you call. The man turns; his face is covered. “Don’t worry, my friend,” he says cheerily. “I’m an ethical burglar just checking the security of your house.” He scoops up a bag lying next to his feet and scurries past you. As he passes, he turns and says, “By the way, all seems pretty good”; and with that he vanishes into the night.

What would you think? Is it ‘ethical’ for someone to try and break into your house without your knowledge?

There are some people out there who seem to think that, morally and ethically, it is fine to break into other people’s systems to ‘test’ their security. Recently, the NHS apparently suffered such an assault http://www.telegraph.co.uk/technology/news/8567008/Fears-for-patients-data-after-hackers-hit-NHS.html#disqus_thread. The ‘hackers’ even suggested, “We mean you no harm and only want to help you fix your tech issues”.

Other recent data breaches (Sony Playstation, Nintendo) have shown that all types of organisation are prone to attack, although it is probably the larger more well-known ones that will suffer most. Even the IMF has been targeted http://www.telegraph.co.uk/technology/news/8570957/IMF-computer-system-targeted-by-hackers.html.

Are these kinds of attacks ethical? Is it right for a group, or groups, of self-styled ‘security’ experts to brazenly try and exploit an organisation’s defences? The moral and ethical questions are probably pointless. These sorts of attacks will occur, so long as we have the Internet and clever people that use it.

So what should be done? Well, each organisation must protect itself so far as it can. Data should be assessed to determine the risk to that data. If the risk of attack is high, then it needs to be protected. One such method is to encrypt the data. Handling and classification of data should be unambiguous, and there should be clear rules for staff to follow. Perimeter defences for the network should be checked. One very effective way of testing such defences is to use Penetration Testing. One such example is http://www.itgovernance.co.uk/penetration-testing.aspx.

Ideally, Caesar’s maxim should be exercised (“the best form of defence is attack”). However, the spread both geographically and numerically of such hackers probably makes this very difficult for most organisations to contemplate. Thus, the only way to protect yourself and your vital data is to make sure your defences are watertight.

Make sure your staff are trained to spot potential attacks. Make sure they know what to do if anything suspicious happens (e.g. a suspicious e-mail is received). Make sure they know of, and follow, the rules you have set for them to protect data.

Most of this is common sense; however, when did common sense stop a hacking?

If you would like to discuss any aspect of this article, then please contact IT Governance on +44 (0) 845 070 1750 or e-mail servicecentre@itgovernance.co.uk. The website is http://www.itgovernance.co.uk.

Watch Out: ISO 50001 is about!

August 3rd, 2010 by

Coming to a standards office near you is ISO 50001. Due to be published in early 2011, this will be the definitive Energy Management Standard. Currently, the de facto standard for energy management is EN 16001:2009 ‘Energy management systems. Requirements with guidance for use’. This standard is intended to help all organisations, irrespective of their size, geographical location, products, services or marketplace, to establish the processes and systems necessary for managing and improving energy efficiency. In turn, this helps reduce emissions and greenhouse gases.

Having an EN16001 Energy Management System will enable any organisation to:

  • Improve energy use performance in a systematic way
  • Establish an energy management system
  • Ensure energy management conforms with stated policy
  • Demonstrate to stakeholders and others the organisation’s commitment to energy use improvement
  • Allow certification of the Energy Management System by an accredited third party.

EN 16001 is currently a European standard (the EN designator indicating it is a ‘European Norm’). However, the International Standards Organisation (ISO) has taken up this standard and is planning to publish the international version as ISO 50001 which, surprise, surprise, will also be called “Energy management systems — Requirements with guidance for use”. Currently, the international version is in the voting stage as a Draft International Standard. If all goes well, expected publication will be in early 2011. Thus, certainly for a while, EN 16001 and ISO 50001 will sit alongside one another. Those of you who have already started on EN 16001 programmes, fear not: one of the prime aims in writing the international version has been to retain compatibility between EN 16001 and ISO 50001, thus ensuring early adopters of the former standard will not lose out. It is anticipated that those certifying to EN 16001 should have only minimal transitional requirements to achieve ISO 50001 status.

Confused? You certainly should be. Hopefully, having read this, the situation is clearer and the doubt removed. If you are still in need of succour, why not call IT Governance (+44(0)845 070 1570) and talk it through.

The contents of EN 16001 are:


The case for EN 16001

December 1st, 2009 by

Strategic approach to energy management: EN 16001

In today’s highly volatile and competitive marketplace, energy costs have assumed a greater significance. With rising fuel costs, open markets in gas and electricity and new government climate change policies, no organisation can afford to be complacent in managing its energy efficiently.

Evidence shows that adopting structured management techniques to energy management can result in significant savings.

There has never been a better time for any organisation large or small to move forward and adopt a strategic formal approach to managing its energy system.
