IT security management

Information Security Management System (ISMS)
The new version of the standard, ISO 27001:2013, has been published. Transition requirements:
IAF has issued a resolution concerning the transition: “The General Assembly, acting on the recommendation of the Technical Committee, resolved to endorse ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems – Requirements, as a normative document. The General Assembly further agreed that the deadline for conformance to ISO/IEC 27001:2013 will be two years from the date of publication. One year after publication of ISO/IEC 27001:2013, all new accredited certifications issued shall be to ISO/IEC 27001:2013. Note: As the date of publication was 1 October 2013, the deadline for Certification Bodies to conform will be 1 October 2015.” LL-C (Certification) is already accredited for the new ISO/IEC 27001:2013 standard.
Risks identification
Obtaining secret data from competitors.
Information today is one of the most important "assets" of a firm. What would the loss of data, the leaking of trade secrets, or simply a breakdown of the information system mean to your firm? If these risks threaten the operation and development of your company, look for a solution by introducing an information security management system. By certifying it you can demonstrate trustworthiness to your partners when seeking access to their information systems or when sharing data and information with them. Competitors can use your database of client contacts, can gain information about your prices, secret production technology or instructions, and also information about your key employees.
Data loss.
Loss of a database can mean a threat to, or a slowdown of, the company's activities, considerable expense to reconstruct it, and a large loss of orders or claims from clients. Where accounting records or confidential personal databases are threatened, there may also be sanctions from the state.
Interruption in the running of the company.
Unusually frequent system maintenance, the removal of faults and glitches, and incompatibility all mean that company employees devote their time to activities other than the company's business. Clients tolerate temporary problems only if they do not occur frequently and repeatedly, especially when you run sales outlets or warehouses.
Threats (selection)
• Misuse of administrator rights
• Data management negligence and laxity
• Data deletion
• Tapping of important negotiations
• System hacking
• Adverse and hostile SW installation
• System nonfunctionality
• Data theft
• Errors and omissions of the users
• Incorrect routing
• System accidents
• Natural disaster
• Clients' compensations
Where can security risks arise?
The human factor.
Risk arises wherever the information system is administered externally. However good the technical solution, it cannot prevent deliberate misuse or negligence by a person with administrator rights, or even by ordinary users. ISO 27001 introduces a system of management participation in checking the administration of the information system. At the same time, this participation is not too burdensome for members of the management and does not demand specialist knowledge of information systems.
Location of the servers and other information carriers.
It is said that data is secure in equipment that is not connected by cable. One forgets that someone can also connect this equipment, or simply take it away. ISO 27001 introduces measures so that such equipment is not physically accessible to unauthorised personnel and is also protected against damage or even destruction.
Maintenance.
Information systems require regular checks, maintenance and software upgrades so that sudden system malfunctions do not occur. By introducing systematic control of maintenance you lower the risk of sudden malfunction and reduce costs, since hardware and software are no longer left at the mercy of chance events.
Basic analysis
Threats (selection):
• Misuse of administrator’s rights
• Negligence in data administration
• Deleting data
• Tapping important negotiations
• System hacking
• Installation of hostile programs
• Non-functional system
• Thefts
• Users’ mistakes and omissions
• Incorrect routing
• System failure
• Natural disasters
• Clients’ compensation
Weaknesses (selection)
• Access to the server room
• Insufficient security of local stations
• Insufficient control tools
• Password and access policy
• Third party access (subcontractors)
• Non-conceptual HW and SW development
• Underestimated tapping
• Unprofessional program installation
• Consolidation of powers
• Insufficient risk analysis
• Insufficient control in data administration and access to clients’ information
Data carriers
When applying the ISO 27001 standard, it is necessary to keep in mind that the data carriers we wish to protect are not only IT systems and local computers, but also printed documents and the information shared by people over the phone or in person. This is often neglected today.