Flying a kite for computer security
Editor: Stephen Hinde; Elsevier Editor: Paul Spencer
Editorial Board: David Bentley, Institute of Internal Auditors, UK; Clive Blatchford, Panacea Consultancy, UK; P.J. Corum, PJ Corum Enterprises, USA; Gary Hardy, Information Systems Audit and Control Association (formerly the EDPAA), UK; Chris tlutford, Audit Commission, UK; Alistair Kelman, Barrister, UK; Charles La Grand, IIA Research Foundation, USA; Ken Lindup, SRI International, UK; Willie List, British Computer Society Computer Audit Specialist Group; Péter M&y&s, Kereskedelmi Bank, Hungary; Hugh Parke&, National Australia Bank Ltd, Australia; Paul Williams, Binder Hamlyn, UK.
In February 1995 the British Standards Institute published A Code of Practice for Information Security Management (BS7799).
The Standard is substantially the Code of Practice published by the UK's Department of Trade and Industry (DTI) in September 1993. The objectives of the underlying report were to provide a common basis for companies to develop, implement and measure effective security management practice, and to provide confidence in inter-company trading and in the subcontracting or procurement of information technology services or products. The Code of Practice is based upon the best practices developed by ten leading British and international companies. The Code describes about 100 individual security controls under ten major security headings:
• Security policy;
• Security organization;
• Assets classification and control;
• Personnel security;
• Physical and environmental security;
• Computer and network management;
• Systems access control;
• System development and maintenance;
• Business continuity planning; and
© 1995 Elsevier Science Ltd. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publishers. (Readers in the USA, please see special regulations listed on back cover.)
Computer Audit Update October 1995
The Department of Trade and Industry now wishes to promote an accredited certification scheme to provide assurance that organizations have complied with those parts of the Code of Practice that are relevant to their business processes, at minimum cost and with negligible bureaucracy. To this end a draft consultation paper has been formulated by a DTI-appointed committee of industry representatives, which raises a number of questions.
Scope of accreditation
The consultative paper suggests that organizations seeking certification should have considerable flexibility to state which parts of the organization are covered by it, subject only to the requirement that the statement must be unambiguous and meaningful to third parties. The scope could vary from the entire organization, to a division or business unit, or even a self-contained business application or service. Whatever unit of the organization is chosen for accreditation, there is a further scope limitation question: how many of the over 100 security controls contained within A Code of Practice for Information Security Management are reviewed in the accreditation. There is a scale from not many to all.
A fundamental principle of the proposed scheme is that organizations seeking certification will consider their business activities to identify which of the security controls in BS7799 are relevant. It is envisaged that each organization will produce a brochure (imaginatively called the BS7799 Brochure), explaining which security controls they propose to adopt and, where appropriate, justifying their decision by reference to the information to be protected in their business processes - the all-important "because" statement.
With some security controls, objective decisions can be made on whether or not the control is effectively implemented, but in most cases the decision is more subjective.
But what about BS5750/ISO9000?
Where does this leave BS5750/ISO9000? In itself, all the BS5750 kitemark tells us is that the procedures and documentation within a kitemarked software house or in-house IT department are being adhered to, and that management have procedures to ensure this. It does not tell us whether those procedures are leading edge or just adequate. And it certainly does not tell us anything about the software product produced - only something about the environment in which it was produced. So we would need to review those procedures before we could take any comfort from the kitemark. Let me illustrate this with the example of an electrical plug. In the UK, all plugs bear the kitemark BS1363. Does this mean that the plug meets certain electrical and safety standards? No. It means that the plug has three prongs which are of a certain size in certain positions in relation to each other. We need to be certain what kitemarks mean before we can take any comfort from them. This is where BS7799 is superior to BS5750 - it does specify best practice, with a baseline of ten controls which it is suggested should be considered a de minimis level. The difficult question is how many of the hundred-odd controls should or need to be accredited.
Certified for life?
Should computer systems be certified for life? Most definitely not. The consultation paper recognizes that the information security requirements of organizations are not static. They change as organizations re-engineer to evolve. Certification applies to a snapshot of the information security management on a particular date. Three alternative scenarios are suggested on the intervals between re-certification:
• at fixed intervals;
• on a date fixed by the certifier;
• following major changes to process, systems or IT infrastructure.
I favour an annual statement by the Directors, published alongside their Cadbury statement on the effectiveness of the Company's system of internal controls. I appreciate that Cadbury relates to public companies, but such a statement is good practice for any organization. There should be an initial full certification of all major applications and the IT infrastructure, followed by full reviews when there are significant changes to systems. A review of change control procedures and activity should suffice for the annual statement where there have been no major changes during the year.
But who should certify?
But who should accredit or certify conformance with the Standard? The right people to review the adequacy of computer security for all computer systems are auditors who hold an IT qualification such as the Institute of Internal Auditors - UK's Qualification in Computer Auditing (QiCA), ISACA's Certified Information Systems Auditor (CISA), or the Institute of Chartered Accountants in England & Wales' proposed Fellowship via the IT route.
There is an arguable case that the Institute of Internal Auditors - United Kingdom and Ireland's MIIA qualification is an adequate IT qualification for simple computer systems.
In the case of internal auditors it is essential that their independence is demonstrated by their reporting lines. Audit departments that report to a Finance Director who is also responsible for MIS would not be acceptable. Internal auditors who report to an independent Audit Committee of non-executive directors, as recommended in the Cadbury report on corporate governance, would be acceptable. Indeed, there is an argument for restricting the internal auditors who can certify to those who report to the Chairman or Board Audit Committee and hold the appropriate computer qualification.
CONTROL CONCEPTS - WHO'S BUYING?
Many organizations are not satisfied with the results of their IT security awareness programmes. The target is to achieve a major change in attitudes and behaviour throughout the organization. This article discusses how some marketing concepts can be used in designing and structuring an Information Security Awareness Programme.
1. Objectives and requirements for information security awareness
1.1 Introduction - the objectives for the controlled use of IT
The fundamental objectives of IT security management are to achieve low-risk IT systems and a low incidence of security breaches. Since this requires the willing cooperation of system users and technicians, it involves telling people what to do through standards, guidelines and other instructions, and motivating them to perform in the interests of good security. A policy statement is (or should be) a strong starting position, but it will not usually stimulate the required responses from people, as it will not contain sufficient detail of what to do, or be sufficiently motivating to obtain the required changes of behaviour.
1.2 Learning good behaviour
People often know what they are doing is wrong or inappropriate, but nevertheless continue in their behaviour despite this knowledge.
If the term awareness is taken to mean only the imparting of information, then awareness alone is unlikely to achieve any significant change of behaviour. What is really required is security learning. In common use the term learning is often used to refer to the acquisition of knowledge or skill, often through the deliberate