Tuesday 13 October 2015

Post Safe Harbor ... Next Steps for EU Organisations

Over the last few weeks, you’ve probably seen ongoing discussions about the European Court of Justice (ECJ) declaring that the US “Safe Harbor” agreement used by more than 4,000 companies is now invalid.
If you are based in the EU, why might this be relevant to you and your Information Security Management System? In the increasingly “cloudy” world which we work within, many companies are likely to have at least some exposure to software or a solution provided by a US-based provider, whether for financial, data storage, telecoms, HR or some other purpose. This also includes most of the common social media platforms, including Facebook, Twitter and LinkedIn, which may be used for marketing or customer service activities. Such providers self-certify themselves against the US Safe Harbor agreement, which was designed to provide reassurance about data transfers between the European Union and the USA.
But not anymore. The ECJ highlighted a number of concerns in its judgement, including the lack of an acceptable complaints mechanism for EU citizens, and the potential interference in EU citizen data by the US intelligence services.
Now is a timely moment for EU organisations to review and understand where their data is. Once you understand the suppliers involved, seek to identify where their physical data centres and support locations are, and from there understand the data protection frameworks. It may be that your data is non-personal or of low sensitivity in which case you may not be too concerned about understanding these characteristics, but if it does include personal, financial or commercially confidential information then your organisation should take an informed decision on where this data should reside.

We expect that the number of US Corporations opening up EU-based data centres in the near future is likely to increase as a direct result of this judgement.
If you have (or are working towards) ISO27001 certification for information security, this news should have you reaching for your risk assessments to ensure that they remain an accurate representation of your post-Safe Harbor decisions. The recently introduced ISO27018 risk framework for personal data in the cloud presents organisations with a sensible means to understand and record the relevant outputs of this discussion, from the location of physical data centres and support locations to the data protection framework and legislative frameworks that apply. 
The InfoSaaS IT risk management solution is already aligned to ISO27001:2013 and additionally includes relevant threats and controls from the cloud personal data framework ISO27018:2014. If you’re seeking a more effective method to keep your organisation’s valuable data assets safe – including ensuring that they are not being unwittingly exposed to unacceptable international data protection or surveillance – take a look at our software demo at www.infosaas.uk.
And, before anyone asks, we’re a UK-registered company using UK-based data centres!
Our international customers can choose between our UK solutions or request an in-territory installation, which may better align with the specific regulatory requirements of the countries in which they operate.

Monday 12 October 2015

Perfect Password Practice

Using strong passwords is one of the most effective ways to increase your online security and protect your data. It’s also very straightforward, so you’d expect it to be something that almost everyone does. Unfortunately this is not the case … it is less convenient than using weak and easily remembered passwords, and people are just too busy.

However, if you imagine the potential repercussions of an information security breach it very quickly becomes evident that it is worth the effort to use strong passwords. Also, it doesn’t have to be inconvenient – once you have a system in place to manage your passwords it can actually save you a lot of time.

What is a Strong Password?

A strong password should be:
  • unique – never use the same password for multiple websites or accounts. If one website is compromised then attackers will quickly and easily have access to all your online accounts that use the same password.
  • mixed – a strong password should contain a mix of letters, numbers and special characters.
  • long – the longer the password the harder it is to crack using brute force and computing power. The exact length that is ‘safe’ changes with time as computing power improves, but at present a password of at least 12 characters in length can be considered an absolute minimum.
  • random – passwords shouldn’t contain dictionary words, names, birthdays or other personal information. They also shouldn’t be made up of patterns on the keyboard such as ‘qwerty’ or ‘12345’. ‘Dictionary attacks’ render even very long passwords weak if they contain easily identifiable dictionary words and phrases.
  • secret – it’s obviously a bad idea to write a password on a post-it note and pin it to your computer (yes we have seen it!). Avoid sharing login details too – these days most websites allow for separate login details to be used by different users of the same account.
  • changed – regularly changing passwords is very good practice. Change important passwords every 3 months, making sure not to re-use your old passwords. If you suspect that one or more of your accounts has been compromised change the password immediately; this simple step will often be enough to deny access to an attacker.
Whilst many individuals struggle with choosing and remembering complex passwords, there are several tried and tested means of achieving an acceptable level of protection. Consider the nursery rhyme ‘Old MacDonald had a farm ….’ and you should be able to work out how that could help you to generate (and remember) the strong password ‘OMDhafe!e!o’ – there are many other rhymes, phrases and sayings for you to choose from.
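As an added example (not InfoSaaS code), the checker below turns the criteria above into a policy test: a password must be long, mixed, random (no dictionary words, personal details or keyboard walks) and not a re-used old password. The word list and keyboard patterns are constructed stand-ins; a real check would load a full dictionary.

```python
"""Password policy checker for the criteria in the post above."""
import string

MIN_LENGTH = 12  # the post's "absolute minimum"

# Constructed, deliberately tiny dictionary; load a full wordlist in practice.
DICTIONARY_WORDS = {"password", "welcome", "dragon", "monkey", "summer", "london"}

# Keyboard walks named in the post ('qwerty', '12345') plus two common ones (assumption).
KEYBOARD_PATTERNS = ("qwerty", "12345", "asdf", "zxcv")


def check_password(password: str, personal_info=(), old_passwords=()) -> dict:
    """Evaluate one password against the post's criteria.

    Returns a dict of criterion name -> True (met) / False (not met).
    personal_info: strings such as names or birthdays that must not appear.
    old_passwords: previously used passwords that must not be re-used.
    """
    lowered = password.lower()

    has_letter = any(c in string.ascii_letters for c in password)
    has_digit = any(c in string.digits for c in password)
    has_special = any(c in string.punctuation for c in password)

    # "random": no dictionary words, personal details, keyboard walks,
    # or a handful of characters repeated over and over.
    contains_word = any(w in lowered for w in DICTIONARY_WORDS)
    contains_personal = any(p.lower() in lowered for p in personal_info if p)
    contains_walk = any(k in lowered for k in KEYBOARD_PATTERNS)
    too_few_distinct = len(set(password)) < 4  # constructed threshold

    return {
        "long": len(password) >= MIN_LENGTH,
        "mixed": has_letter and has_digit and has_special,
        "random": not (contains_word or contains_personal or contains_walk or too_few_distinct),
        "not_reused": password not in set(old_passwords),
    }


def failed_criteria(password: str, personal_info=(), old_passwords=()) -> list:
    """Names of the criteria the password fails; empty when it is acceptable."""
    result = check_password(password, personal_info, old_passwords)
    return [name for name, ok in result.items() if not ok]


if __name__ == "__main__":
    # Constructed sample passwords: a dictionary word, a keyboard walk, a good one.
    for candidate in ("Password12345", "qwerty123!Abcdef", "Mkr7$vQ2!pLz"):
        print(candidate, "->", failed_criteria(candidate) or "ok")
```

Note that a substring match against a word list is the cheapest form of the ‘dictionary attack’ check; it will not catch leetspeak variants such as ‘p4ssw0rd’, which a real cracking wordlist would include.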

Managing Passwords

It is near impossible to memorise a selection of random, 12-character passwords and recall them every time you need to log in to a web app.

The old-school method of writing all your passwords in a little black book is inconvenient: it’s also easily compromised if you lose your little black book.

The modern solution to this modern problem is a dedicated password manager. These usually work by letting you use one very strong password to access the manager where all your passwords are stored. There is now a good range of password managers available with a variety of convenient features such as random password generators and automatic login to websites.

However, before you sign up for a password manager, take a moment to understand that if your password manager becomes compromised then all your web apps and accounts will be vulnerable. For this reason it is very important to think carefully when choosing a password manager.

A good password manager should be:

  • zero knowledge – ‘zero knowledge’, also known as ‘TNO’ (trust no one), means that no-one has access to your passwords or data... not even the software developers or cloud storage managers can see your passwords. The downside of this is that if you forget your ‘master password’ there is no-one to help you retrieve it – but that is the price to be paid for the highest possible levels of security.
  • open source – ‘open source’ means that the code that the software is written in can be viewed by anyone. This means that the software is less likely to have weaknesses built into it and that it can be scrutinised to check that it does what is claimed. It’s important not to assume that because software is open source it is bug-free – there are many cases of open source software containing vulnerabilities. However, software where the code is freely available is a strong positive for security.
  • user friendly – a good password manager should be convenient and easy to use. If it isn’t you probably won’t want to use it.
  • reputable – look for a widely used password manager with a good reputation that is up-to-date and with a team currently working on it.
  • two-factor authentication enabled – ‘two factor authentication’ means that you’ll need more than just a ‘master password’ to access your passwords. It markedly improves the security of the password manager – we’ll talk more on 2-factor authentication in the next post.

Sunday 13 September 2015

Users & Roles - an Introduction

Users are treated separately from Roles in InfoSaaS. A User is simply a person, usually a member of your company or organisation. A Role can be thought of as a job title or brief job description. Keeping Users and Roles separate means that when a person moves position within your organisation it is very easy to manage. For more information and to view the software in action see this 3-minute video...


Saturday 23 May 2015

Protecting Personal Data in Cloud Environments

Data security continues to attract the attention of organisations worldwide, at least if the uptake of the Information Security Management System standard ISO27001 is anything to go by. The proper identification of information assets (and the supporting assets such as premises, hardware, software, etc. upon which they rely) is essential if a proper assessment of vulnerabilities and threats is to be undertaken, and appropriate actions taken to manage identified risks. 

Whilst ISO27001 provides a framework of 114 controls to help manage, reduce or remove risks, until recently these needed to be carefully implemented to provide specific protection to data in cloud environments. An additional standard, ISO27018:2014, is being widely welcomed by the risk community as it provides an extended control set specifically designed to highlight and address a range of risks and issues associated with personally identifiable information (PII) in the cloud.

Commercial and public sector ICT cloud systems seek to take advantage of the removal of dedicated infrastructure, reduction in operational costs and increase in flexibility and scalability, but must also remain focussed on managing data risks. Media reported issues about iCloud, Snapchat and Dropbox have not gone unnoticed by the public, and ongoing debates around off-shoring and the relevance of country-specific data protection legislation do little to build their confidence.

So how can ISO27018 help? Responsible cloud providers and application developers should be studying its contents and working out how they can implement the additional controls and provide the associated assurance that consumers seek. Whether it’s understanding the geographic location of PII data, having processes for reporting PII breaches and disclosures, or managing the printing or copying of PII data by a provider, there’s a family of more than 20 focused controls to choose from.

InfoSaaS already provides cloud based IT risk management software which helps organisations to establish an effective Information Security Management System, from which many proceed to successfully gain formal ISO27001 certification. The next InfoSaaS update in early June will include “PII Data in the Cloud” as a risk assessment type, presenting organisations with a relevant range of cloud security risks and summaries of the ISO27018 controls which may address them.

For those organisations which manage cloud environments or develop cloud applications, being proactive in managing associated risks not only protects their business from significant issues (data loss, legislative fines, brand damage etc.) but also builds customer confidence which in turn will increase the pace of cloud adoption. InfoSaaS can help - providing one of the most effective toolsets for managing today’s ICT risks. Visit www.infosaas.uk for more information.


Martin Poole
Head of Security Practice
InfoSaaS Limited

T: 0203 474 1290
E: mpoole@infosaas.uk

Monday 23 March 2015

What Makes a Good Security Policy?

We recently launched the InfoSaaS set of information security documentation, to help our customers design, implement and operate an appropriate set of policies, procedures and related content which helps to deliver an effective Information Security Management System.

The ISO27001 standard specifies a range of documentation and records needed to demonstrate compliance with specific clauses and requirements within the standard, but it does not provide a comprehensive list of ALL the documentation you may need to address YOUR organisation's specific security needs. As an aside, that's where our documentation content helps by providing an appropriate range of clear and concise content - all suitable for adapting to the individual needs of your Company and the sector it operates within.

As information security consultants, we are regularly asked to assess an organisation's documentation for suitability - normally a week or two before the external auditor with the clipboard arrives and starts to ask questions! This brings us to the burning issue of the week - is it better to have one information security policy that covers everything, or a framework of separate, focused content? Let's pause a moment to look at some of the characteristics of a "good" security policy:

  • Is the information security policy usable by your organisation - are its requirements able to be properly identified and are they achievable?
  • Does it address the specific requirements detailed within the ISO27001 standard, as applicable to your organisation?
  • Is it written in a clear, readable format, that can be understood by all levels of personnel?
  • Is it version controlled, identifiable, and properly approved before being issued?
  • Does it ensure your employees are delivering the right information security activities?
  • Does it provide a suitable framework to protect your company and its data?

We have seen some fantastic all-in-one information security policies, many of which are galloping merrily north of 50 pages (!) and attempt to cover every aspect of information security in one go. Whilst this format may work for some organisations, we would observe the following challenges:

  • How many of your employees would actually read a document of this length?
  • With such a large number of policy statements, are employees expected to remember them all?
  • If in-life changes are needed to just one small section, the whole document would then need to be re-issued to the whole of your organisation.
  • Is this really the best format for rapid employee access, when they are looking for specific guidance?

It's not too hard to spot that the InfoSaaS preferred and recommended approach is a high level information security policy, which includes the following:

  • The policy objectives - why has it been written, what is it designed to achieve?
  • The policy scope - what activities/functions/assets are in and out of scope of the policy?
  • The policy statements - initially a commitment to information security and to follow the requirements specified within the current ISO27001 standard
  • A set of focused statements, declaring the high level intention on a specific security matter, and then linking to a separate, specific policy document on each subject ...
  • Clear ISMS roles and responsibilities - who is responsible for delivering each activity
  • Formal document control, with reviewer and approval sign off, version history etc.

This approach goes a long way to help address the four challenges noted above. Specifically, we will be looking to implement a number of "second tier" security documents, such as:

  • access control policy
  • acceptable use policy
  • business continuity policy
  • anti-virus policy
  • asset management policy
  • supply chain management policy
  • social media usage policy
  • information security training policy
  • security incident management policy
  • data erasure/deletion policy
  • etc etc.

Documentation doesn't need to be daunting. Take a look at our documentation packs, which have been written drawing upon more than 20 years' experience, and which allow organisations of all types to edit and customise content to meet their own specific needs. And all in far less time than creating your own security documentation from scratch.

As always, feel free to get in touch with InfoSaaS if you have any questions on 0203 474 1290. 

Wednesday 18 March 2015

The Importance of ISO27001 in 2015

Analysts and commentators seem to be giving over more column inches to the subject of information security this year than ever before, and the international information security standard ISO27001 is being frequently cited as the most effective approach for an organisation to demonstrate to its customers that data security is well and truly under control.

So why the increase in attention this year? We have identified two areas which we believe can explain much of this renewed interest.

The first of these is the mass media's frequent reports on the rise of cyber terrorism, espionage, ransomware and other similar nasties all looking for the next ill-prepared casualty. Each week we learn of all scales of attack, from suggestions of state-sponsored hacks through to opportunistic students seeking out the mistakes made by inexperienced website and application developers. Of course there is no guarantee that ISO27001 will make an organisation bulletproof, but a structured approach to the identification, classification and risk assessment of data and related supporting assets would provide a significant reduction in opportunities for external threat actors to attack. In its simplest form, risks need to be identified and understood before appropriate controls can be implemented to address them. Simples, as the meerkat says.

The continued adoption of cloud computing has also focused interest on the need to have an effective system to manage risks. The UK Government is leading the way with its Digital Marketplace, which provides a framework for suppliers to provide a range of cloud services to the UK public sector. Previous versions of the framework provided for centralised accreditation of services by CESG, but the 2015 flavour instead requires cloud service providers to assert their information security capabilities against "14 Cloud Security Principles" - encompassing everything from premises security to data protection legislation and data erasure standards to employee security screening.

The seasoned ISO27001 organisation will readily be able to map this framework of cloud security controls onto their existing risk assessment and documentation capabilities, and indeed ISO27001 is recorded by the Government as being one way that credible evidence of capability can be demonstrated to customers. Clearly there are other ways, and an ISO27001 certificate may need to be enhanced by technical security checks of the cloud service offered, but it's been widely accepted that suppliers in the Digital Marketplace are being expected to demonstrate an effective Information Security Management System. It's not only the public sector - other industries such as pharmaceuticals and financial services are taking note of these cloud security principles and adapting them to meet their own needs. Cloud is very much with us for the long term.

So there has never been a more appropriate time for an organisation to sort out its data security, and that's where InfoSaaS can help. For those making their first foray into this important area, our carefully designed risk management solution (securely hosted in a UK cloud environment) helps deliver an effective means of identifying and classifying assets, and assessing the vulnerabilities and threats that could cause a breach of confidentiality, integrity or availability. Our helpful library of template documentation provides a matured starting point for the policies, procedures, training material etc. that are needed to make information security a genuine cultural differentiator, ensuring that all of your team are on message and at all times acting in the best interests of your company.

For those who already have an ISMS in place, or an existing ISO27001 certification, InfoSaaS provides an opportunity to increase the effectiveness of your systems whilst reducing the resources needed to maintain them. We provide a free 30-day trial, so you can see for yourself, which includes a pre-populated demo system if you simply need to see an InfoSaaS system in action.

So 2015 is very much the year of ISO27001, and here at InfoSaaS we look forward to helping our customers realise their information security ambitions - whether as a differentiator from your competitors, as a means to demonstrate cyber security competencies in bid or tender responses, or most importantly to defend your organisation from the cyber unknown - ensuring that we're not reading about you on the front page of tomorrow's newspapers.

Find out more at the InfoSaaS website, or telephone us on +44 (0) 203 474 1290.