We are in an age of renaissance as far as information security is concerned. In ages past, akin to the iron and middle ages, we protected information with basic user logins, access control systems, firewalls, perimeter security technology, etc. In today’s scenario, however, we are shifting focus to what is key, the information itself, and slowly moving towards a data- or information-centric world where access and privilege are associated with the information itself rather than with the systems around it.
Like in the age of renaissance, numerous changes are also taking place, both good (big data, mobility, cloud, etc.) and bad (risks). We are encountering geo-political ‘hacktivism’, organized cyber-crime, data theft/leakage, a plethora of laws and regulations, and market demands to use/support the latest, potentially unstable and insecure, technologies. Technology is simply an enabler and enforcer; it speeds up and automates tasks, but the vision and direction come from a governance framework.
An ISO27001-based information security management system (ISMS) is a standard that helps establish a holistic framework for managing information security programs and for managing risks. But many people may dismiss the ISO27001 recommendations as a thing of the past, as the standard struggles to address some of the newer risks to information. While the governance aspects of the standard are still valid, the control objectives are dated: there is hardly any coverage of cloud services, BYOD, social networks, privacy principles, data leakage, and the list goes on.
A typical implementation pattern followed by ISO27001 practitioners is to get management buy-in, establish the scope, identify information assets, perform risk assessment and treatment, complete the mandatory documentation, undergo an audit and improvement exercise, and go through a certification audit. While the approach seems simple enough, the scenario today is a lot more complex, for example: (a) information security management in organizations today is split across the CSO, CRO, CPO and their offices; (b) the assets are a whole lot more complicated, with petabytes of structured and unstructured information on fixed, mobile and virtual devices and storage systems; (c) risk assessment has to address the threats and vulnerabilities of new platforms, technologies and systems.
The approach then has to be modified at each stage to bring it into the future. If we look at each stage individually, here are some of the things that can help:
- Include in the committee all senior executives who have a direct stake in information security, such as the heads of IT, Privacy, Risk, Legal & Compliance, HR, and key business units.
- Expand the repository of information assets so that it includes physical & virtual devices, cloud services/systems, mobility, people, vendors, service providers, applications, structured data sources, and categories of unstructured data.
- Capture their classification, retention (as applicable) and business hierarchy so that the assets can be associated with one another.
- Expand the risk assessment methodology to cover threats & vulnerabilities arising from new paradigms such as legal/regulatory requirements, mobility, BYOD, cloud services, vendor/service provider risks, structured & unstructured data theft/leakage, etc.
- Address risk treatment by designing an enterprise architecture (of sorts) and policies that will govern the direction of control decisions, for example, deciding what kind of data & applications can be moved to the cloud and under what circumstances. Another example could be the use of a standard access & privilege management layer for all new or upgraded business applications. Many of the risk treatments may have to be run as individual projects.
- Update policy, process & procedure documentation to cover the risk treatments and direction.
- Ensure that internal audit goes beyond the standard ISO27001 controls and assesses not only control effectiveness but also control design across the implementation.
- Ensure that the management committee keeps reviewing and expanding the boundaries so that the ISMS continues to address the latest threats and risks.
An updated ISMS implementation will continue to provide the required level of assurance and the ability to handle newer threats and risks.