We have been getting quite a number of calls in the office from ‘Claims Companies’ despite being registered with the TPS (telephone preference service).  We have put the numbers into an automatic rejection list which advises that “this phone does not accept calls from this number”.  Clearly they are not stupid and now call without giving a caller ID.  We have been just putting the phone down on these callers.

On Saturday morning I received a telephone call from a man with a very strong Indian accent; he told me that his name was Mark and he was calling from the Microsoft Windows technical team. They had become aware that my computer had a very nasty virus.  He went on to say that there were some very nasty people around and, to show that he was genuine, he was able to give me the Windows licence key.  He would be able to fix my computer remotely if I entered a website and gave him access to my machine.  The service would be completely free of charge.

We have had this type of call before so we were not fooled.

I mentioned that we were involved in computer security, particularly ISO 27001 Information Security, and we wouldn’t give anyone access to our systems, let alone someone pretending to be from the Microsoft Windows technical team.  He seemed unperturbed and kept to his script.  I told him to s – – off several times before he put the phone down.

Don’t give any details, including your name, make of computer, operating system, etc., as this information will be used next time.

Don’t be fooled into giving unauthorised access to your systems under any circumstances.

The official blog for independent Management Training
Consultancy, Quality Matters Limited.

I have been spending a fair amount of time in the north of England and recently the weather conditions have been atrocious.  At one stage I wondered  if a boat would have been a better mode of transport.

One of my car journeys was particularly memorable.  It was just getting dark when a car coming towards me began flashing its headlights; possibly a police speed trap?  I rounded a bend in the road and realised the true meaning of the flashing.  The road was more of a lake than a road; should I risk it and drive through, or find an alternative route?  I decided that it might be better to follow the locals and turn around.  The flood could have been very deep in the middle and being marooned was not my idea of fun.

I mention this situation as I found out later that two of my clients had been flooded out of their premises.  Their server rooms were on the ground floor and although the servers were in racks, the cabling and connections were not sufficiently high to escape the deluge.

Fortunately both clients have robust business continuity and disaster recovery plans.  It took one client two days and the other three days to have a temporary home and get systems up and running, thus proving the benefit of this type of disaster planning.

The Met Office said that these were the worst storms for 30 years.  Our business continuity systems were written to cope with most emergencies and I am glad that my clients were able to ‘weather the storm’, literally in these cases.

ISO27001 specifies that a business continuity procedure should be in place, and BS ISO 22301:2012 (Societal security – Business continuity management systems), which replaces BS 25999, also requires a robust business continuity and disaster recovery plan to be in place.


It is generally accepted that information is the greatest asset any organisation has under its control.  Managing Directors are aware that the supply of complete and accurate information is vital to the survival of their organisations.

Today more and more organisations are realising that information security is a critical business function.  It is not just an IT function but covers:

  1. Governance;
  2. Risk Management;
  3. Physical Security;
  4. Business Continuity;
  5. Regulatory and Legislative Compliance.

With increasing reliance on data, it is clear that only organisations able to control and protect this data are going to meet the challenges of the 21st century.

ISO27001:2005, which was formerly BS 7799, is the International Standard for Information Security Management Systems (ISMS) and provides a definitive reference for developing an information security strategy.  Moreover, a successful certification to this standard is confirmation that the system employed by the organisation meets internationally recognised standards.

Information Security

Business has been transformed by the use of IT systems; indeed IT has become central to delivering business efficiently. The use of bespoke packages, databases and email has allowed businesses to grow while encouraging remote communication and innovation.

Most businesses rely heavily on IT, but critical information extends well beyond computer systems.  It encompasses knowledge retained by people, paper documents and traditional records held in a variety of media.  A common mistake when introducing an information security system is to ignore these elements and concentrate only on the IT issues.

Information security is a whole organisation matter and crosses departmental boundaries.  It is more than just keeping a small amount of information secret; your very success is becoming more dependent upon the availability and integrity of critical information to ensure smooth operation and improved competitiveness.

CIA

  1. Confidentiality
  2. Integrity
  3. Availability

These are the three requirements for any ISMS.

Managing Directors’ Perspective

Your vision is central to organisational development; driving improvements in all areas of the business to create value. With information technology being key to so many change programmes, effective information security management systems are a prerequisite to ensuring that systems deliver on their business objectives.  Your leadership can help create the appropriate security culture to protect your business.

Organisations are increasingly being asked questions about ISO 27001, particularly by national and local government, the professions and the financial sector.  This is being driven by adoption of the standard as part of their legal and regulatory obligations.  In some areas this is becoming a tender requirement.

Others are seeing a competitive advantage in leading their sector and using certification in information security management to develop customer/client confidence and win new business.  With public concern over security issues at an all-time high, there is a real need to build effective marketing mechanisms to show how your business can be trusted.

You will certainly be aware of your responsibilities for effective governance, and be answerable for damaging incidents that can affect organisational value.  The risk assessment, which is the foundation of the standard, is designed to give you a clear picture of where your risks are and to facilitate effective decision making.  This translates into risk management, not simply risk reduction, and therefore replaces the feeling of risk ignorance many directors have in this area.  This will help you understand the potential risks involved with the deployment of the latest information technologies and will enable you to balance the potential downside against the more obvious benefits.

CFO Scrutiny

Whether as part of compliance (such as that required by professional bodies, Sarbanes-Oxley or the Data Protection Act) or as part of effective governance, information security is a key component of operational risk management.  It enables the formulation of effective risk analysis and measurement, combined with transparent reporting of ongoing security incidents to refine risk decisions.

Giving values to the impact security incidents can have on your business is vital.  Analysis of where you are vulnerable allows you to measure the probability that you will be hit by security incidents with direct financial consequences.

An added benefit of the risk assessment process is that it gives you a thorough analysis of your information assets, how they can be impacted by attacks on their confidentiality, integrity and availability, and a measure of their real value to your business.

Although the detail within the risk assessment process can be complex, it is also possible to translate this into clear priorities and risk profiles that the Board can make sense of, leading to more effective financial decision making.
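The scoring described in the last three paragraphs, worked through in code. This is an added example and not material from the original post: the 1-5 likelihood and impact scales, the high/medium/low thresholds and every asset, probability and cost in the sample register are constructed for illustration. It shows how a qualitative score (likelihood times impact) and a quantitative figure (probability of an incident in a year times its direct cost) are derived from the same register and then collapsed into the priorities and risk profile the text says the Board needs.

```python
"""Risk register scoring: likelihood x impact, ranked into Board-level priorities.

Added worked example; not code from the original post. The 1-5 scales, the
profile thresholds and every asset, probability and cost below are constructed
for illustration.
"""
from dataclasses import dataclass

# Constructed qualitative scales (an ISMS defines its own; these are assumptions).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    asset: str
    threat: str
    affects: str                  # which of confidentiality, integrity, availability is hit
    likelihood: str               # key into LIKELIHOOD
    impact: str                   # key into IMPACT
    probability_per_year: float   # constructed estimate of incidents per year
    incident_cost: float          # constructed direct financial loss of one incident

    def score(self) -> int:
        """Qualitative score on a 1-25 scale: likelihood rating times impact rating."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def profile(self) -> str:
        """Collapse the score into a label the Board can act on (thresholds are assumptions)."""
        s = self.score()
        if s >= 15:
            return "high"
        if s >= 8:
            return "medium"
        return "low"

    def expected_annual_loss(self) -> float:
        """Quantitative view: probability of an incident in a year times its direct cost."""
        return round(self.probability_per_year * self.incident_cost, 2)


# Constructed sample register for a small firm (all values invented for the example).
SAMPLE_RISKS = [
    Risk("Server room", "flooding of ground-floor premises", "availability",
         "possible", "severe", 0.10, 250_000),
    Risk("Customer database", "disclosure via lost or stolen laptop", "confidentiality",
         "likely", "major", 0.30, 80_000),
    Risk("Paper contracts", "unauthorised alteration", "integrity",
         "unlikely", "moderate", 0.05, 20_000),
    Risk("Email service", "failure of power or network utility", "availability",
         "possible", "minor", 0.20, 6_000),
    Risk("HR records", "misuse by staff", "confidentiality",
         "unlikely", "major", 0.10, 40_000),
]


def prioritise(risks):
    """Rank risks: highest qualitative score first, expected annual loss breaking ties."""
    return sorted(risks, key=lambda r: (r.score(), r.expected_annual_loss()), reverse=True)


def board_summary(risks):
    """Group asset/threat pairs under high/medium/low so the register reads as a risk profile."""
    summary = {"high": [], "medium": [], "low": []}
    for r in prioritise(risks):
        summary[r.profile()].append(f"{r.asset}: {r.threat}")
    return summary


def total_expected_loss(risks) -> float:
    """Sum of expected annual losses: one figure to set a risk treatment budget against."""
    return round(sum(r.expected_annual_loss() for r in risks), 2)


if __name__ == "__main__":
    for r in prioritise(SAMPLE_RISKS):
        print(f"{r.profile():6} score={r.score():2} "
              f"EAL=£{r.expected_annual_loss():>10,.2f}  {r.asset} ({r.affects})")
    print("Total expected annual loss: £", total_expected_loss(SAMPLE_RISKS))
```

The two views deliberately disagree in places: the server-room flood has the larger expected annual loss, but the customer database outranks it on the qualitative score because the likelihood rating is higher. Showing both is what lets a Board choose between treating, transferring or accepting a risk rather than reacting to a single number.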

Business Continuity

How well would you cope if a disaster affected your business? 

This could be from a natural cause such as flood or storm, or worse, from fire, terrorism or other civil unrest.  The areas not often considered are sickness, failure of utilities and technology breakdown.

Business continuity planning in advance of a disaster can mean the difference between survival and extinction of the business.

Many of the businesses affected by the Buncefield fuel depot disaster never recovered.  Those with an effective business continuity plan have emerged like the phoenix from the ashes.

Many businesses claim to have a plan, but if the plan is untested or ill prepared then it is bound to fail.
ISO27001 states that a fully planned and tested BCP should be in place to prepare for, and be able to deal with, such an emergency.

ISO 27001 Elements

  • Risk assessment and treatment – Assessing the risks to the company’s assets, devising a risk treatment plan and finally accepting those risks that cannot be mitigated.
  • Security policy – This provides management direction and support for information security.
  • Organisation of information security – To help manage information security within the organisation.
  • Asset management – To help identify assets and protect them appropriately.
  • Human resources security – To reduce the risks of human error, theft, fraud or misuse of facilities.
  • Physical and environmental security – To prevent unauthorised access, damage and interference to business premises and information.
  • Communications and operations management – To ensure the correct and secure operation of information processing facilities.
  • Access control – To control access to information.
  • Information systems acquisition, development and maintenance – To ensure that security is built into information systems.
  • Information security incident management –  To deal effectively with any identified security incident.
  • Business continuity management – To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.
  • Compliance – To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirement.


Last week while travelling by train I witnessed a severe breach of security by one of my fellow passengers.

He was obviously angry as he spoke on his mobile phone. He seemed to be speaking to one of his colleagues who was having a problem with one of their computer servers and wasn’t sure what to do.

The conversation went something like this…

“You need to log in as an administrator to gain access to the xxxxxxx operating system config file.”
“What do you mean you can’t remember the administrator password? … For God’s sake, it is $%^mGGtss76.”
“Now you are in the system you should run the yyyyy utility. Did that work?”
“OK, now go into the ttttttttt company server called ryytruuuuuuuuy, enter the high-level administrator password … letmeinagain8! and run the backup exec file and all should be well. … If not, Barry, call me again.”

The chap clearly ignored the rest of us and assumed that we were not listening to his conversation.

I asked him if he realised what he had done and that I had sufficient information to hack into his company server. He looked shocked; he hadn’t given it a thought.

He used his mobile again.

“Barry, you will need to reset the passwords on both systems now as I seem to have broadcast them to the entire carriage on this train.”
“Yes *********** all right … I know, see you later. Don’t mention any of this to Harry.”

The moral here is to ensure that you don’t give away sensitive information and certainly don’t disclose passwords.


Last week I travelled to one of my clients in Kent; the traffic was awful and my sat nav took me on a slightly different route.  There was still a good deal of delay and at one point we sat in a queue for some ten minutes; then the lorry in front of me suddenly reversed, striking my car on the bonnet.  The lorry driver apologised and gave me details of his insurance, registration number etc.  Now I had a damaged car and was very late for my appointment. I was also very irritated that this unnecessary incident had happened.

Could I have prevented it? I don’t think so.  Should I have ignored my sat nav and used my usual route?  Again I don’t think it would have been sensible. 

I was going to my client to initiate some risk assessments for their emerging Information Security Management System (ISO27001), and it struck me that the data I had concerning the other driver, the accident, his vehicle, his employer and his insurance company were governed by the Data Protection Act.  This information would be held by me temporarily, but then dealt with by his insurers, my insurers, the repair garage and, had there been any injuries (fortunately there were none), by solicitors.  All this information would be held on databases and would be available to a great many organisations.  No wonder I thought about a risk assessment covering all of this, albeit in retrospect.

I  hope to get my car back soon.


Once again there have been cases where sensitive data has been left on trains or in restaurants, and most of these involve either laptops or memory devices.  The sheer volume of data loss is reaching epidemic proportions.
  
ISO27001 is a good system to have in place but it must be enforced vigorously, otherwise it is just too easy to allow data to be lost or removed.

The prime method for theft of data remains the USB stick; it is the method of choice for those wishing to steal data from systems.

There are a couple of things you can do to protect your data:

  • Set up computers and laptops to exclude USB devices and CD/DVD writers.  It may seem harsh for laptop users not to be able to use the USB port for anything apart from a mouse, but if the data you hold is sensitive then this level of protection is justifiable.
  • Use group policy to prevent the export of data by email or other attachment.
  • Enforce the encryption policy to make sure that any data stored on a laptop is secure; password protection alone is not enough.
  • You could also set up your laptop systems as ‘thin clients’, that is, with all data stored on a server and the laptop used only to connect to the server.  No data can be stored on the laptop, so there is nothing on the laptop to be compromised.
  • And finally ensure that paper documents are protectively marked if they are sensitive and enforce security protocols for restricted, confidential and secret documents.

Let us all make sure that 2010 is not going to be a year when we lose data.


I visit a fair number of businesses each year and I am often surprised by the real lack of security for computer systems. Many businesses either don’t know about security or think that a security incident won’t affect them.

Here are 10 basic security precautions for Windows machines:

  1. Always set the option to force a user to press CTRL-ALT-DEL before logging on
  2. Passwords should be at least six characters long and contain letters and numbers
  3. Don’t use your name, your partner’s name or the name of a pet as a password
  4. Don’t write the password on a post-it note and stick it to the screen or under the keyboard
  5. Passwords should be changed regularly
  6. Don’t share your password with anyone
  7. Use anti-virus software and keep it up to date
  8. Use an anti-spyware programme regularly
  9. Turn on the inbuilt firewall (Windows XP and later machines)
  10. When leaving the desktop or laptop unattended, lock the system by pressing the Windows key and L

Simple steps can save real problems.


Each year, just before the INFOSEC (Information Security Exhibition), a test is carried out to assess the level of security placed upon workplace passwords.

This year your password could be exchanged for a chocolate bar. It is still shocking that some 64% of people challenged outside Liverpool Street railway station in central London were prepared to give their passwords away for a paltry chocolate bar. The findings were further segmented by sex; more of those giving away their passwords were women.

Where the questions were extended to ask for telephone numbers, place of work and dates of birth in exchange for the chance to win a holiday, the results were lower, but still more women than men gave their details, though only just.

The only crumb of consolation is that the total number of people prepared to compromise their personal or work security is down on last year by about 20%.

Government and big business continue to exhibit a less than satisfactory level of care with our security; indeed in another case, where there had been a problem with email attachments, a disc was sent by normal post. The disc contained important information but was protected only by a basic password which, the company admitted, could be broken in a matter of minutes. The disc did not arrive.

It is not known how many of the security details given away at Liverpool Street station were genuine and how many were simply wrong, but working on the 70:30 principle a good number were genuine. It is fortunate that the details obtained were not put to any unauthorised use, but they could have been.

Vigilance is required to ensure the security of all our systems.


What is encryption?

Encryption is a method of scrambling a message or other data so that it cannot be read by an unauthorised person. Sadly it has become too easy to intercept messages and use them for illegal purposes. Encryption protects that data.

A simple encryption might be to use the alphabet in reverse:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Z Y X W V U T S R Q P O N M L K J I H G F E D C B A

‘Please reply to this message’ becomes KOVZHV IVKOB GL NVHHZV
Unfortunately this code would be broken very easily. A more secure system would use the shift method, where the same table is used but each letter is shifted three boxes to the right.

‘Please reply to this message’ now becomes SOSWVS FSHLE DI DPOE KSEEWQS. This is better but relies on the person receiving the message knowing the key (what method was used). This type of encryption would be broken in seconds by an experienced cracker.
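The two substitution ciphers above, worked through in code. This is an added example and not code from the original post: atbash() is the reversed alphabet, shift() is the three-box shift, and break_shift() does what the post says an experienced cracker does in seconds, trying all 26 possible shifts and keeping the candidate whose letters best match the usual approximate English letter frequencies. The ciphertexts are computed from the post's plaintext by the functions themselves.

```python
"""The reversed-alphabet and shift ciphers from the post, plus the exhaustive check
that shows why a shift cipher is broken in seconds.

Added example; not code from the original post. Ciphertexts are computed by the
functions below from the post's plaintext; the letter-frequency table is the
usual approximate English distribution (percent).
"""
import string

ALPHABET = string.ascii_uppercase

# Approximate frequency (%) of each letter in English text, used to score candidate decryptions.
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0, "H": 6.1,
    "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7, "O": 7.5, "P": 1.9,
    "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8, "V": 0.98, "W": 2.4, "X": 0.15,
    "Y": 2.0, "Z": 0.074,
}


def atbash(text: str) -> str:
    """Reverse the alphabet: A<->Z, B<->Y, ... Non-letters (spaces) pass through unchanged."""
    table = str.maketrans(ALPHABET, ALPHABET[::-1])
    return text.upper().translate(table)


def shift(text: str, k: int) -> str:
    """Shift every letter k boxes to the right, wrapping round; k=3 is the post's example."""
    k %= 26
    table = str.maketrans(ALPHABET, ALPHABET[k:] + ALPHABET[:k])
    return text.upper().translate(table)


def unshift(text: str, k: int) -> str:
    """Undo shift(): the receiver who knows k shifts left by the same amount."""
    return shift(text, -k)


def english_score(text: str) -> float:
    """Mean English frequency of the letters present; real English scores well above a wrong guess."""
    letters = [c for c in text if c in ENGLISH_FREQ]
    return sum(ENGLISH_FREQ[c] for c in letters) / len(letters) if letters else 0.0


def break_shift(ciphertext: str):
    """Try all 26 keys and keep the candidate that looks most like English.

    This is the entire attack on a shift cipher: 26 trials and a frequency check,
    which is why the key alone gives no real protection.
    """
    key = max(range(26), key=lambda k: english_score(unshift(ciphertext, k)))
    return key, unshift(ciphertext, key)


if __name__ == "__main__":
    msg = "Please reply to this message"
    print("reversed alphabet:", atbash(msg))
    print("shift by 3       :", shift(msg, 3))
    print("recovered        :", break_shift(shift(msg, 3)))
```

Note that the reversed alphabet is its own inverse (applying atbash() twice returns the plaintext), so it has no key at all; the shift cipher has one, but a key with only 26 possible values is recovered by exhaustion, which is the gap between these classroom ciphers and the methods in the next section.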

Modern computers rely on even more secure methods:

The first of these is the SYMMETRIC KEY, where the sender and the receiver both know the key and use it to decrypt the message. Anyone else will see a jumble of letters.
The second method is known as PUBLIC KEY; a typical system uses PGP (Pretty Good Privacy) and relies on a public key which is available in the message and a private key which is known only to the sender and the receiver. Again anyone else will see gibberish.
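A worked contrast between the two methods just described, added here as an example and not taken from the original post or from PGP itself. The symmetric half XORs the message with a shared random key, standing in for a real symmetric cipher such as AES (the Python standard library ships none); the public-key half is textbook RSA, one of the algorithms PGP supports, using constructed toy primes (p=61, q=53, e=17) so the arithmetic can be followed by hand. In the public-key half the receiver generates the pair and publishes only the public part; the private exponent d never leaves the receiver, which is what removes the need to share a secret with the sender beforehand.

```python
"""Symmetric key versus public key: a worked toy contrast.

Added example, not code from the original post. The symmetric half XORs the
message with a shared random key (a stand-in for a real cipher such as AES,
which Python's standard library does not ship); the public-key half is textbook
RSA with constructed toy primes so the arithmetic can be followed by hand.
"""
import secrets
from math import gcd


# ---- Symmetric key: the one secret both sides hold does the encrypting and the decrypting ----
def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with a key at least as long; applying it a second time restores the original."""
    if len(key) < len(data):
        raise ValueError("shared key must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))


# ---- Public key: textbook RSA with toy parameters (constructed; far too small for real use) ----
def make_toy_keypair(p: int = 61, q: int = 53, e: int = 17):
    """Return ((n, e), (n, d)): the public part is published, d stays with the receiver."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse of e, so e*d == 1 (mod phi)
    return (n, e), (n, d)


def rsa_encrypt(public, message: bytes):
    """Anyone holding the public key can do this; each byte is its own block since 255 < n."""
    n, e = public
    return [pow(b, e, n) for b in message]


def rsa_decrypt(private, blocks) -> bytes:
    """Only the holder of d recovers the bytes; the public exponent alone does not undo it."""
    n, d = private
    return bytes(pow(c, d, n) for c in blocks)


def demo() -> bool:
    """Run both schemes on the post's message; returns True if the public key fails to decrypt."""
    msg = b"Please reply to this message"

    # Symmetric: both parties must already share `key`, which is the distribution problem.
    key = secrets.token_bytes(len(msg))
    ct_sym = xor_with_key(msg, key)
    assert xor_with_key(ct_sym, key) == msg

    # Public key: the receiver makes the pair and publishes only `public`.
    public, private = make_toy_keypair()
    ct_pub = rsa_encrypt(public, msg)
    assert rsa_decrypt(private, ct_pub) == msg

    # Applying the public exponent again is not decryption: the blocks stay scrambled.
    n, e = public
    not_plaintext = [pow(c, e, n) for c in ct_pub]
    return not_plaintext != list(msg)


if __name__ == "__main__":
    public, private = make_toy_keypair()
    print("public key :", public)
    print("private key:", private)
    print("RSA blocks :", rsa_encrypt(public, b"Please reply")[:4], "...")
    print("public exponent alone does not decrypt:", demo())
```

Encrypting one byte per block, as the toy does, makes RSA a fixed substitution on byte values, which is exactly the weakness of the ciphers in the previous section; real systems pad each block randomly and use the public key only to protect a freshly generated symmetric key, with the message itself encrypted symmetrically.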

The third method is known as DIGITAL CERTIFICATE, where the certificate acts as a middleman, checking the identity of both the sender and the receiver; if both are genuine the certificate allows the message to be decrypted.

Additionally, financial transactions use a secure system known as SSL (Secure Sockets Layer); the user will notice that the usual http:// is replaced by https:// and a small padlock is normally present on the website to show that SSL is in use. Credit card transactions use this very secure method of encryption.

The Information Security Standard ISO27001 recommends the use of encryption to protect data.


Data security, or the lack of it, is in the news almost daily and the news is pretty alarming. Report after report reveals the shortfalls, and the often casual attitude, in the care of our data.

Every cloud has a silver lining however; we have seen a huge increase in enquiries for consultancy in setting up ISO27001 systems. It seems that industry and commerce are taking data security very seriously, unlike the Revenue.

ISO27001 sets up a number of steps that protect data and other information from unauthorised access and release. It also ensures compliance with the Data Protection Act and ensures that companies are protected from litigation concerning data.

Surely it cannot be long before the Information Commissioner takes action or, failing that, litigation is brought against those who lose, or act in a cavalier manner with, data under their care.

Every organisation employing ISO27001 can claim that they have used best practice and have taken all reasonable steps to ensure that the elements of Data Security have been employed. This is a valid defence in a Court of Law (if it should go that far).

C. I. A. are the main requirements:

Confidentiality

  • To ensure that data is not compromised or released

Integrity

  • To ensure that data is protected from unauthorised alteration

Availability

  • To ensure that data is available when and where required

If we all carry this out then there is hope for us yet.

At the moment, I for one, am unwilling to trust my valuable data to any organisation not complying fully with ISO27001.
