Archive for the ‘Information Security’ Category

Cybersecurity – the hot trending topic of 2013 – and we’re not even out of January

January 29th, 2013 by

With the US Senate giving priority to a new cybersecurity bill, a comprehensive piece of legislation ‘designed to fortify the nation’s public and private IT systems,’ clichés such as ‘digital Pearl Harbour’ and ‘cyber 9/11’, used extensively throughout the media for the last decade, no longer seem tired and have taken on a much more sinister, serious and real character.

Janet Napolitano, Secretary of the Department of Homeland Security, has said that the USA’s infrastructure is currently vulnerable to a targeted cyber attack:

Napolitano is picking up the baton, saying that better cybersecurity legislation is needed and that the United States’ critical infrastructure–utilities, air traffic control, financial systems–are vulnerable to major attacks.

We shouldn’t wait – what can YOU do, NOW?

The legislation, once passed, will strengthen existing cybersecurity laws, but according to Napolitano we shouldn’t wait for it. “We shouldn’t wait until there is a 9/11 in the cyber world. There are things we can and should be doing right now that, if not prevent, would mitigate the extent of damage,” she said in a cybersecurity discussion.

So what can you do, now, to protect your organisation from the threat of serious attack?

Penetration Testing

Penetration testing of networks and web applications can highlight vulnerabilities before they are exploited, so that controls can be put in place. A penetration test involves attacking a network, application or specific device, with the owner’s authorisation, to discover weaknesses an attacker could exploit; it is typically conducted by an experienced ‘ethical hacker’. A company such as IT Governance can help you with this crucial test of your organisation’s exposure – visit their website for penetration testing help and resources.

Cybersecurity Risk Management

A thorough review of the threats to and vulnerabilities of your organisation’s assets, compliant with the international standard ISO27001, is now within easy reach, without the manual hassle and spreadsheets from hell, using modern software tools. For example, vsRisk™ can help you set up an ISO27001 information security management system (ISMS) by identifying the threats to and vulnerabilities of your organisation’s assets and then selecting controls to bring the level of risk down to an acceptable level. Find out more about vsRisk, including a free 15-day trial.

If you’re just at the stage where you require more information, download our free Cybersecurity White Paper here, which includes a 7-step cybersecurity strategy every organisation should adopt.

DNV – IT Governance Ltd ISO 27001 Workshop – Practical Guidance for Senior managers

January 23rd, 2013 by

There’s no question that the UK has led the world in pioneering information security standards. For example, BS 7799 was originally published way back in 1995. However, as the recent ISO Survey demonstrated, adoption of the ISO/IEC 27001 standard overseas has far surpassed adoption at home. This surprised us, as the risks associated with the lack of an information security management system are evident to us and to our ISO 27001 clients. As a result, we thought it was time to host a dedicated workshop on the information security standard.

On 26th February 2013, IT Governance Ltd will bring you a one-day workshop with global independent certification body, DNV. Event details are available here.

Why now? Because the online world is rife with activism, protests, retaliation and pranks. These activities encompass more than data breaches and include such phenomena as large-scale DDoS attacks. The theft of corporate and personal information has certainly proved to be a core tactic that has been difficult to ignore recently. Last year, the spectre of “hacktivism” rose to haunt organisations around the world, with the emphasis on embarrassing its victims by inflicting damage on their corporate reputation.

Doubly concerning for many organisations and executives was the fact that the target selection by these groups didn’t follow the logical lines of who has the most money and/or valuable information to protect. Enemies are more frightening when you can’t predict their behaviour – as is the case with cyber-crime!

Against this background of high profile hacking, the mainstream cybercriminals in 2012 were finding that business was good, and prospects even better. They continued to automate and streamline their method du jour of high-volume, low-risk attacks. Much less frequent but arguably more damaging, attacks that targeted trade secrets and classified information alarmed enterprises and governments.

The one thing that you can be certain of is that cyber-crime is not going away, and your organisation needs effective information security. The workshop will include presentations by both partners, case study examples and a surgery where delegates will have an opportunity to ask questions one-on-one. They will walk away knowing more about the standard, how it works in practice and what is involved in the preparation phase, and with contacts who can help them implement ISO 27001. There is limited seating, so sign up now. Registrations are accepted on the IT Governance website or by telephone on 0845 070 1750.

Social Media & The Work Place: Like or Comment?

November 26th, 2012 by

How do you use social media in your organisation?

Do you use social media as part of your marketing strategy?

How do you ensure you are getting the best response from your efforts in social media? Are you even aware of the do’s and don’ts? And if you aren’t, are your staff?

Facebook, LinkedIn, Twitter, blogging, instant messaging … the list goes on. How does each play a part in your organisation, and are you aware of how it is being used?

Given the turmoil caused by social media sites in recent months, surely organisations have prepared themselves against any shortcomings?

Creating awareness is what this blog is all about. Creating awareness and providing services that can help is what IT Governance is all about. In this blog I am combining the two by discussing the Social Media Governance Toolkit.

Social media is rapidly receiving negative press, and it doesn’t have to, if only it were used properly and sensibly.

Privately, you may think you can say what you want, but that is not the case. If your social networking page links you to your employer (‘Alexandra Thurman works at IT Governance Ltd’, for example), you have to be conscious of how your behaviour might reflect on the company you work for.

If you are like me (mouth engages before the brain), then social networking does require some thought – especially when you consider how things can be misinterpreted (sarcasm, irony, etc.) – and it probably isn’t a good tool to use too regularly.

In recent events, high-profile cases have drawn particular attention to the misuse of social media. Do we, as employers or employees, think of the implications that lie beneath our retweets or status posts?

Firstly, make yourself aware of the legal requirements of using social media during office hours and of representing the company you work for. If this seems like an endless and soul-destroying task, work backwards: think of the ways that would obviously be deemed damaging and then, simply, think. Count the times that you have published a controversial blog, retweeted a news story or updated your private account status during office hours.

Secondly, think of those third-party individuals or companies your organisation uses to outsource PR work, blogging, events and marketing collateral.

The Social Media Governance Toolkit provides a social media policy; guidelines on branding and style; etiquette procedures for blogging, Facebook, LinkedIn and so on; and proposal records for management. If you have an information security management system, the toolkit can be integrated into the relevant specifications, with prewritten privacy procedures, controls against malware and so on. Even if you don’t have an information security management system, it addresses the information security requirements of ISO27001 as they apply to social media.

Visit our website here to take a free demo of this Social Media Governance Toolkit http://www.itgovernance.co.uk/products/2974

#1 on your Wish List – No3 Comprehensive ISO27001 Documentation Toolkit

November 22nd, 2012 by

Our No3 Comprehensive ISMS ISO27001 Documentation Toolkit is the tool of 2012 that will help you to accelerate your ISO27001 project and develop an ISO27001 compliant Information Security Management System (ISMS).

With the rapid advances of technology, businesses find themselves in an ever more competitive and crowded marketplace. What everyone is looking for is the edge.

So you have already considered all angles of marketing promotion, had the board increase your budget because this time you are sure that this is the right pitch, thrown money into social media, fad device giveaways, competitions … and have you seen an increase in traffic?

Now I am not knocking the expertise of you or your marketing team, but I am instead asking you to consider a different avenue that is not so obvious and mainstream, but is a clever, factual and hugely obvious stance in the technological industry we live in.

ISO27001 compliance.

ISO27001 is the best-practice specification that helps businesses and organisations throughout the world to develop a best-in-class Information Security Management System (ISMS). The Standard was published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Protect the most valuable asset your company has, and use your commitment to data protection to gain new business.

Customers.

Feel their paranoia when it comes to purchasing goods online: ‘No – no – no. I am not giving my details to a computer. No. What happened to just going in-store and talking to someone?’ I mean, I still question the payments and data I feed through the internet myself.

But if you could capture a fraction of that market of customers who fear the technology surge, you would stand out amongst the biggest of players. You would have captured a market that is perceived to be unreachable. It is a simple principle of trust and reassurance about their data, regardless of the type of data.

We always hear such negative stories of breaches and how companies have let the individual down, but what about the good news? We read the same stories as our customers – so can we really blame them?

Well – there is some good news …

For those of you reading this who are aware of the opportunities that ISO27001 compliance creates for you, but don’t want to spend the year’s budget on consultancy, our No3 Comprehensive ISMS ISO27001 Documentation Toolkit is for you!

It includes the documentation required by ISO27001 to deploy an Information Security Management System; a risk assessment software tool, vsRisk, that assesses the risks facing your organisation with minimal manual input, calculating the types of threats and risks specific to your organisation once you have entered its details; the three information security standards that provide the backbone and structure of information security compliance; plus books that can guide you in implementing your own ISMS.

One recent client of ours says:

“The IT Governance toolkit which I found on the web looked, as it indeed was, a bargain to help create our document set and enhance our existing policies; but I also bought the ISO27001 Standard and began to read up on the concepts and ideals of the standard, which meant a page or two digested a day to fit in with my other commitments.”

We have taken this feedback and incorporated both these products and more to create the No3 Comprehensive ISMS ISO27001 Documentation Toolkit. At IT Governance we take your feedback very seriously and use it to produce a higher quality product and to make compliance easier.

It all matters.

If you purchase the No3 Comprehensive ISMS ISO27001 Documentation Toolkit before the end of November you will get half a day’s worth of LiveOnline Consultancy with one of our ISO27001 Consultants, free of charge.

You will also get the inbuilt annual support service, free and unlimited for the year, if you purchase the Network Enabled variant of vsRisk.

http://www.itgovernance.co.uk/products/718

Is this the sign of times to come?

November 16th, 2012 by

So at the beginning of the month we blogged about the first fine to be handed out by the ICO for inaccurate use of personal data: Prudential’s bill of £50,000 for a persistent error of identity.

Heading towards the middle of the month, it has emerged that an NHS trust is to be the first public sector organisation to challenge a monetary penalty notice issued by the ICO.

The fine was issued by the ICO after the NHS trust voluntarily reported the breach. The dispute has arisen because organisations with a weak data protection structure can be offered a consensual assessment by the ICO, and if the ICO finds any data breaches during that assessment it cannot issue the organisation with a monetary penalty. On 3 December the NHS trust’s lawyers will argue that organisations that voluntarily report data breaches and cooperate with the ICO during its investigations should receive the same immunity from a monetary penalty as those organisations that undergo consensual assessments.

What are your views on this?

Do you think by admitting a breach you should be immune from the monetary penalty?

Let us have a guess of how November intends to end…’with a hey and a hee and a ICO!’

ICO feat: Prudential

November 6th, 2012 by

Prudent: cautious, discreet and sensible.

Prudential: involving or showing care and forethought, typically in business.

Ironically, given the meaning of their name, Prudential have recently been fined £50,000 by the Information Commissioner.

Usually we hear stories of how companies have lost data. However, Prudential is setting the mark for future organisations, being the first to be fined not for losing data but for failing to use it correctly.

It has recently been reported that two customers were confused with one another for 3 years, resulting in one receiving the other’s retirement savings.

In this case the concern lies with the persistence of this error. Over 3 years, even though it had been brought to Prudential’s attention by the ICO, the issue was not resolved until recently, which draws attention to the level of internal error – the lack of:

  • communication
  • effective processes
  • telecommunications
  • protection of customer files
  • access to the customer files

“Inaccurate information in a customer’s record can have a significant impact on someone’s life,” said Stephen Eckersley of the ICO, and he is absolutely correct.

Now, whilst this has been resolved and Prudential have graciously accepted the fine and found that the root cause lay with an external financial adviser, this is a case for other organisations to learn from. Human error can occur regardless of your job position, your level of experience or your expertise, but it is important to ensure that those providing third-party services to you and your organisation deliver work that checks out against your organisation’s policies.

Adopting an information security management system aligned to the international best-practice standard, ISO27001, will help an organisation to maintain the confidentiality, integrity and availability (CIA) of its information assets. In this example the weak link was the integrity of Prudential’s data.

IT Governance can help you with all of your compliance needs for a fraction of £50,000. Hindsight is a wonderful thing, and we have all said it: ‘Ahhhh, if only I’d known what I know now…’. The thing is, WE ARE NO SECRET. We exist and can most definitely help you to avoid such a costly ‘d’oh!’

It costs nothing to drop us an email and ask away.

Email servicecentre@itgovernance.co.uk or call 0845 070 1750 today.

Appropriate software. Ensuring that operating systems are up-to-date. Education.

October 19th, 2012 by

These three factors have been identified by the ISC (Intelligence and Security Committee) as the fundamental components for protecting yourself and your organization from cyber attacks and minimizing cyber threats.

By putting in place appropriate firewall and anti-virus software, organizations can protect their networks, but the appropriate software won’t help to educate your staff, and statistics suggest that most errors and information breaches can be traced back to people.

How aware are you of the risks facing your organization?

How aware is your CEO of these risks?

An Information Security Management System is a hands-on approach to understanding the threats and risks your company faces. No single risk applies to every organization; they are all different. Yes, there are some common risks that larger organizations face. However, everything you have worked hard towards achieving – uniqueness, innovative ideas, building a business in today’s market, fighting for the top spot amongst your competition – is individual to your organization. The risks will be too.

It is in your best interest to protect the assets of your organisation, from staff vetting and training through to customer orders, payroll, and the inevitable ‘the system is down. We will try and get this resumed ASAP!’.

Quite realistically, in that time you could be robbed of all the information that your organisation needs to survive, and the theft itself may be a criminal offence – in some instances a prosecutable one.

Just think of the years of hard work to build and develop a business. Maybe you have seen two recessions, maybe this is your first – but you are surviving, right? Don’t throw it away because you haven’t protected yourself effectively, because you thought it could wait another year. Grab the bull by its horns and InfoSec it up!!!

We are all doing it.

If you are a CEO reading this – do it. If you are a CIO reading this – do it. If you are a teleworker reading this – do it. Ask questions and research. This is important.

Stand-up to CyberCrime!

http://www.itgovernance.co.uk/iso27001.aspx

Hijacking hackers are lol’ing with their new ‘networking’ worm

October 10th, 2012 by

Hackers have created a type of malware that infects Windows PCs, using Skype as its vehicle. The malware is downloaded by the unsuspecting user when they click on a link in an instant message crafted to look like a genuine message from a contact, typically opening with “lol”.

The networking worm lives on social media platforms and feeds on the ‘click-through’ actioned by the user. The user has no knowledge of the malware that has been downloaded, while the hacker is already busy hijacking the PC, which in some instances leads to users being locked out of their computers.
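The propagation pattern described above lends itself to a simple detection heuristic. The following is an added example, not code from the original post: it scores instant messages for lure indicators (a “lol”-style opener, a shortened link, a link to an executable) and then looks for the worm’s real tell, the same link sent from one account to many contacts within a short window. The tab-separated log format, the indicator lists, the fan-out threshold and the sample messages are all constructed assumptions.

```python
"""Flag worm-style instant-message lures in a chat log.

Added example, not code from the original post. The tab-separated log
format, the indicator lists, the fan-out threshold and the sample messages
below are all constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log: timestamp<TAB>sender<TAB>recipient<TAB>message.
# "alice" plays a compromised account sending the same link to four contacts.
SAMPLE_LOG = """\
2012-10-08T09:00:01\talice\tbob\tlol is this your new profile pic? http://goo.gl/abc12
2012-10-08T09:00:03\talice\tcarol\tlol is this your new profile pic? http://goo.gl/abc12
2012-10-08T09:00:04\talice\tdave\tlol is this your new profile pic? http://goo.gl/abc12
2012-10-08T09:00:06\talice\terin\tlol is this your new profile pic? http://goo.gl/abc12
2012-10-08T09:05:00\tbob\talice\tlol that meeting ran long, see you at 3
2012-10-08T09:06:00\tcarol\tdave\tslides are at https://intranet.example.com/q3/deck.pdf
2012-10-08T10:00:00\tfrank\tgrace\they check this out http://files.example.net/pic.jpg.exe
"""

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Assumed lure vocabulary and indicator lists; feed these from threat intel in practice.
LURE_RE = re.compile(r"\b(?:lol|haha|omg)\b|\bis this your?\b", re.IGNORECASE)
SHORTENERS = {"goo.gl", "bit.ly", "tinyurl.com", "t.co"}
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".zip")


def parse_log(text):
    """Parse the tab-separated log into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, msg = line.split("\t", 3)
        rows.append({"ts": datetime.fromisoformat(ts), "sender": sender,
                     "recipient": recipient, "msg": msg})
    return rows


def lure_indicators(msg):
    """Return the indicators that make a single message look like a lure.

    A message with no link is never a lure: there is nothing to click through.
    """
    urls = URL_RE.findall(msg)
    if not urls:
        return []
    hits = []
    if LURE_RE.search(msg):
        hits.append("lure_phrase")
    for u in urls:
        parsed = urlparse(u)
        if (parsed.hostname or "").lower() in SHORTENERS:
            hits.append("shortened_url")
        if parsed.path.lower().endswith(EXEC_SUFFIXES):
            hits.append("executable_link")
    return hits


def detect(rows, fanout=3, window=timedelta(minutes=2)):
    """Combine per-message indicators with a fan-out check per sender.

    One suspicious message from a human is weak evidence; a worm re-sends the
    same link to many contacts in a burst, so the same URL reaching `fanout`
    distinct recipients inside `window` is the strongest signal.
    Returns {sender: {"reasons": [...], "recipients": n}} for flagged senders.
    """
    suspicious = defaultdict(list)            # sender -> [(row, indicators)]
    for r in rows:
        ind = lure_indicators(r["msg"])
        if ind:
            suspicious[r["sender"]].append((r, ind))

    alerts = {}
    for sender, items in suspicious.items():
        reasons = {i for _, ind in items for i in ind}
        sends = defaultdict(list)             # url -> [(ts, recipient)]
        for r, _ in items:
            for u in URL_RE.findall(r["msg"]):
                sends[u].append((r["ts"], r["recipient"]))
        max_recips = 0
        for hits in sends.values():
            hits.sort()
            # distinct recipients of this link within any `window`-long span
            for i, (t0, _) in enumerate(hits):
                recips = {rc for t, rc in hits[i:] if t - t0 <= window}
                max_recips = max(max_recips, len(recips))
        if max_recips >= fanout:
            reasons.add("fan_out")
        alerts[sender] = {"reasons": sorted(reasons), "recipients": max_recips}
    return alerts


if __name__ == "__main__":
    for sender, info in detect(parse_log(SAMPLE_LOG)).items():
        print(f"{sender}: {', '.join(info['reasons'])} "
              f"(same link to {info['recipients']} contact(s))")
```

Run against the sample log, only alice (lure phrase, shortened link, fan-out to four contacts in five seconds) and frank (a link to an executable) are flagged; bob’s “lol” with no link and carol’s intranet PDF are left alone. The fan-out check is the part worth keeping even if the lure vocabulary goes stale: a human rarely sends an identical link to several contacts within a couple of minutes, whereas that is exactly how a worm spreads.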

Creating awareness of this is important. Facebook users, for example, are likely to be familiar with strangely formatted messages or Facebook spam. However, this attack arriving through Skype is less well known.

It is so important to stay aware of all the new tactics that hackers employ, to keep yourself safe. On this blog we’ll continually post about the latest developments and what to look out for. If you don’t stay aware, you could be putting yourself at risk, and hackers could be lol’ing with your lolly.

Cybersecurity Month – Raise your awareness…

October 3rd, 2012 by

So, October is Cybersecurity Month in America. Three years ago Barack Obama declared that ‘cyber threat is one of the most serious economic and national security challenges we face as a nation’ and that ‘America’s economic prosperity in the 21st century will depend on cybersecurity.’ Three years on, are we any wiser about cyber attacks? How do organisations protect information against persistent cyber threats?

By definition ‘Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access’ according to techtarget.com. 

Just think for a moment: how much data does your organisation store on external parties or clients?

In addition, how many (personal) online purchases you have made, or, how many social networking sites do you log on to daily?

This information, whether it is personal, client-based or that of a supplier, is in the hands of other people or organisations – how can you be sure that they are storing it in a secure manner and respecting your rights under the Data Protection Act? What assurances can they offer?

As a minimum they should have regular penetration tests completed on their network, to reduce the risk of hackers accessing your personal information, and should put controls in place to mitigate any vulnerabilities those tests find.

This book on penetration testing tells you more…

Chinese Hackers Target the White House

October 2nd, 2012 by

Hackers linked to the Chinese Government hacked into the White House Military Office, according to a report published by the Washington Free Beacon on Sunday. The White House commented that it had been targeted by a spear-phishing attack, but that such attacks were not infrequent and that mitigation measures were in place.

An unnamed official stated that the hackers breached a system used by the White House Military Office, which is used for sensitive communications and nuclear commands. An official spokesman commented “In this instance the attack was identified, the system was isolated, and there is no indication whatsoever that any exfiltration of data took place.”

Whilst publicly America must tread a careful line when it comes to accusing foreign governments of cyber espionage, it is no secret that hacking at state level is increasing.

Former McAfee cyber threat researcher Dmitri Alperovitch is less diplomatic than the politicians; he recently said “I can tell you that the Chinese have an aggressive goal to infiltrate all levels of U.S. government and private sector networks. The White House network would be the crown jewel of that campaign so it is hardly surprising that they would try their hardest to compromise it.”

One man who has more knowledge than most on Chinese cyber activities is Lieutenant Colonel Hagestad. A renowned expert on China’s People’s Liberation Army and government information warfare, Colonel Hagestad has recently published 21st Century Chinese Cyberwarfare, a book that presents and discusses all the salient information regarding the use of cyber warfare doctrine by the People’s Republic of China.

Colonel Hagestad sees Chinese cyberwarfare as a very clear and present danger.

Read more about his book 21st Century Chinese Cyberwarfare here >>>

