Security standards let management push back against over-enthusiastic IT security fans, says governance expert Alan Calder
Alan Calder, chief executive of IT Governance Ltd, started out as a business manager. When he led the first successful accreditation to the ISO 27001 security management standard (formerly BS7799), he co-wrote a book on the subject – because there wasn’t one. That book, IT Governance: A Manager’s Guide to Data Security and BS7799/ISO17799, is available, with other materials, from IT Governance.
We met him at Infosec in London, and found out why governance paperwork is actually exciting – and why the Data Protection Act needs to be a whole lot tougher.
Why are security good practices and standards like ISO 27001 worth more than the paper they are printed on?
Information security standards are only worthwhile if management implements them. An information security standard is just a specification that management can use to design an information security system that meets best practice. If management isn’t interested, then it isn’t going to do anything, no matter how good the standard is.
If management wants to corrupt process – if it wants to pretend to implement a management system that meets the ISO 27001 standard and can bluff the external auditor (which isn’t easy given that audits usually take place over more than a few hours) – then it is really wasting its own time and energy, because the primary beneficiary of security management is management.
Frankly, if management wants to lie to itself, well it’s entitled to do that. But what the hell for?
Our general experience is that if an organisation wants to implement a security management system, whether the instigator is a client or a regulator, it usually gets to grips with the idea that it’s about their management system and how well it can do the job.
ISO 27001 allows you to select the controls you put in place on the basis of a risk assessment that is germane to your own organisation, which makes it somewhat different from a standard like PCI [for secure retail systems], which simply lists a set of requirements.
ISO 27001, for managements that want to control information security, is a brilliant bloody standard. I originally got excited by it when I discovered that, for the first time in my life, I would be able to say to the head of information security, “Actually, no, we don’t need that control!” It’s the management’s assessment of risk which determines the selection of controls. Brilliant!
So it builds in the idea of risk?
It says that technology should only be applied on the basis of clearly identified risk. And that’s not someone saying “I’m worried about x or y happening.” It’s about the combination of likelihood and impact. If something is highly unlikely to happen, it doesn’t make much sense to spend an awful lot of money on a control. If the impact of something happening is minor, you shouldn’t spend more than a minor amount of money on preventing it.
If my CISO says he is really worried about application security problems in in-house developed software, I can say I understand that, but we don’t develop much software, and if we did we’d outsource to somebody with security policies, so we don’t need those controls – sorry, mate.