In today’s high-technology environment, organizations are becoming increasingly dependent upon their information systems. Information is widely regarded as the lifeblood of the modern enterprise, and, consequently, the security controls surrounding these systems are becoming a differentiating factor in customer choice. With data being held on many of the most sensitive aspects of the business, including key third-party stakeholders, the integrity of information security has become a focal point of every business initiative. The protection of information assets – information security – is therefore overtaking physical asset protection as a fundamental corporate governance responsibility.
Organizations are facing a flood of threats to their information, with new challenges emerging almost daily. Any breach of security can have a severe effect on the operational running, reputation, or legal compliance of the organization. Damage to any one of these areas can be measured by its impact on the bottom line, in both the short and the long term. It is self-evident that organizations should, therefore, take appropriate steps to secure and protect their information assets. This is now particularly relevant given the web of legislation and regulation to conform to, which makes firms criminally liable and, in some instances, makes directors personally accountable for implementing and maintaining appropriate risk control and information security measures. It is no longer enough to find and fix vulnerabilities on an ad-hoc basis. Only a comprehensive, systematic approach will deliver the level of security that any organization really needs.
Today, security processes need to be well documented and substantiated. So it’s no longer good enough to be secure; organizations have to be able to prove they are secure. If done correctly, this additional layer of regulatory scrutiny and reporting can help enterprises combine their security and compliance programs better to streamline efforts, control costs and keep networks secure and compliant.
The key corporate governance objective is to ensure that the organization has an appropriate balance of risk and reward in its business operations. Information security requirements should therefore be identified by a methodical assessment of security risks, with expenditure on risk controls balanced against the business harm likely to result from security failures.
The most practical and effective way for policy makers to handle their information security risks and obligations is to adopt and implement an information security policy and an information security management system (ISMS) that is capable of being independently certified as complying with ISO/IEC 27001:2005. The standard provides the only independently developed framework for the management of information security. While compliance with the standard does not of itself confer immunity from legal obligations, it does point clearly to management’s implementation of best practice and of effective IT governance. Security risks managed in this systematic and comprehensive manner help the organization gain competitive advantage through adherence to an international best-practice standard. Certification to ISO27001 can also form part of any legal defense required after a security breach.
ISO27001 compliance ensures a company will meet the regulatory guidelines and standards such as the following:
o Sarbanes-Oxley (SOX) requires companies to disclose information regarding finances and accounting. SOX helps prevent financial and accounting malpractice. All US-listed companies must adhere to SOX regulations.
o Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect customer data and provide privacy notices. Banks and financial institutions must follow GLBA.
o Health Insurance Portability and Accountability Act (HIPAA) requires health care organizations to ensure the privacy of personal health information. Hospitals, medical centers and any business dealing with patient medical records must comply with HIPAA.
o Payment Card Industry (PCI) specifies how to secure information systems and media containing cardholder account information to prevent access by or disclosure to any unauthorized party. PCI also covers effective deletion of unnecessary data. Companies that store, process or transmit credit card holder data must follow PCI.
o COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.
ISO27001 provides a single coherent and over-arching framework for compliance with all the regulations and standards laid out above, while also providing a risk assessment-based approach to information security. Nonetheless, in order to achieve a risk assessment that is completed methodically, systematically and comprehensively, an appropriate software tool is a must. It is practically impossible to carry out and maintain a useful risk assessment for an organization that has more than about four workstations without using such a tool, containing fit-for-purpose databases of threats and vulnerabilities. This is because the risk assessment is a complex and data-rich process. For an organization of any size, the only practical way to undertake the project effectively is to create a database that contains details of all assets within the scope of the ISMS, and then to link, to each asset, the details of its (multiple) threats and (multiple) vulnerabilities, their likelihood and resulting impacts, together with details of the asset ownership and its confidentiality classification.
The risk assessment process is made enormously simpler if ready-made databases of threats and vulnerabilities are used. The database should also contain details of the control decisions made as a result of the risk assessment, so that, at a glance, it is easy to see what controls are in place for each asset within the ISMS. To one extent or another, the software tool chosen to support the ISMS should automate the risk assessment process and generate a Statement of Applicability. It should also encourage the user to perform a thorough and comprehensive security audit of the organization’s information system, while not generating too much paperwork. The chosen software should produce risk assessment results that are easily comparable and reproducible.
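The asset-centred data model described above (assets linked to threats, vulnerabilities, likelihood, impact, ownership and classification, with control decisions recorded and a Statement of Applicability derived from them) can be sketched in code. This is an added illustration, not part of the original article or of any vendor's tool; the assets, threat/vulnerability pairs, the 1-5 scales, the risk appetite of 6 and the Annex A control references are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample model: one risk row per asset/threat/vulnerability combination.
@dataclass
class Risk:
    threat: str
    vulnerability: str
    likelihood: int      # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int          # 1 (negligible) .. 5 (severe), assumed scale
    control: str = ""    # Annex A reference chosen to treat the risk; "" = none yet

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

@dataclass
class Asset:
    name: str
    owner: str
    classification: str  # e.g. "public", "internal", "confidential"
    risks: list = field(default_factory=list)

def treatment(risk: Risk, appetite: int) -> str:
    """Risks at or below the appetite are accepted as residual; others need a control."""
    if risk.score <= appetite:
        return "accept"
    return "treat" if risk.control else "UNTREATED"   # UNTREATED flags a gap to fix

def risk_register(assets, appetite):
    """Flat register, ordered highest risk first, so two runs are directly comparable."""
    rows = [(a.name, a.owner, a.classification, r.threat, r.vulnerability,
             r.score, treatment(r, appetite)) for a in assets for r in a.risks]
    return sorted(rows, key=lambda row: (-row[5], row[0], row[3]))

def statement_of_applicability(assets, appetite):
    """Each selected control mapped to the asset/threat pairs that justify it."""
    soa = {}
    for a in assets:
        for r in a.risks:
            if treatment(r, appetite) == "treat":
                soa.setdefault(r.control, []).append(f"{a.name}: {r.threat}")
    return {c: sorted(v) for c, v in sorted(soa.items())}

# Constructed sample data (names, scores and control references are illustrative).
SAMPLE_ASSETS = [
    Asset("file-server-01", "IT Ops", "confidential", [
        Risk("malware infection", "no anti-malware on file shares", 4, 4, "A.10.4.1"),
        Risk("disk failure", "no tested backups", 3, 5, "A.10.5.1"),
    ]),
    Asset("reception-pc", "Facilities", "internal", [
        Risk("theft", "unlocked public area", 2, 2),
        Risk("unauthorised logon", "shared generic account", 3, 3),  # no control chosen yet
    ]),
]
```

Running `risk_register(SAMPLE_ASSETS, 6)` lists the four risks from score 16 down to 4, with the shared-account risk marked UNTREATED because it exceeds the appetite but has no control assigned; `statement_of_applicability(SAMPLE_ASSETS, 6)` lists only the two controls actually selected, each with its justifying asset.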
One such tool on the market, developed to help organizations quickly and easily carry out an ISO27001-compliant risk assessment, is the ISMS tool vsRisk(TM) – the Definitive ISO27001:2005-Compliant Information Security Risk Assessment Tool. It is equipped with a wizard-based approach to simplify and accelerate the process of undertaking risk assessments, asset-by-asset identification of threats and vulnerabilities, easy import of additional controls to deal with risks, and integrated threat and vulnerability databases that are continually updated to ensure they are the most up-to-date available. In terms of functionality, ease of use, value for money, and alignment with the requirements of ISO27001, vsRisk(TM) is the most complete ISMS software tool on the market.
Effective risk management is a continuous Plan-Do-Check-Act cycle, which means that the risk assessment must be regularly revisited at planned intervals, taking into account changes in the business environment and regulatory requirements and including a review of the residual risks. However, following the initial resource-intensive phase of the ISMS implementation, the organization should find that subsequent reviews of the ISMS are much less labour intensive and relatively easy to maintain with the aid of the right software tool.