

Saturday, August 4, 2007

Information Security in Unbounded Environments

Felix Mohan, CEO - SecureSynergy

Today, bounded environments ensconced within clearly demarcated perimeters are giving way to a milieu where gateways are obsolete. In this environment, the distinction between insiders and outsiders is blurred, and organisations neither have central administrative control over their information systems nor have access to a global view of the events occurring therein. In such an environment, it is almost impossible to thwart cyber attacks. Traditional models of information security fail to deal with the security problems associated with open-ended environments.

Given the fact that no system is totally immune to attacks in an unbounded environment, there is now an intense focus on ensuring survivability of mission critical systems and essential services, despite the presence of cyber-attacks. Emerging technologies such as grid computing and web services, make unbounded environments even more vulnerable, mandating the need to build capabilities into systems such that they have the resilience to survive an attack and continue to fulfill their mission in a timely manner. The 'survive' philosophy of modern information security is a big departure from the 'prevent' viewpoint of traditional security models.

Traditional Network Security
When organisations began deploying firewalls as security tools a decade ago, they could easily define the network perimeter. Most people who had access to corporate networks worked on desktop computers in the main office; and external connectivity was virtually non-existent. A simple firewall-based demilitarized zone between the private and public network could provide adequate protection. In this traditional network security, the whole aim was to put into place firewalls and create an environment to keep people out - much the same way as a fortress was meant to keep attackers out. For centuries, rulers built castles with moats and stone walls as protection from invaders. These obstacles provided an effective first line of defence against enemy attacks. In the traditional fortress model of network security, firewalls and intrusion-detection systems were meant to serve the same function as walls and moats.

Fortress security model
A major lacuna of the fortress model was its dependence on trust for its success. Anyone outside the gate is suspect; anyone inside is trusted. If someone got inside, they could pretty much do what they wanted. In an unbounded environment, trust becomes an extremely complex concept. Trust is especially difficult to establish in the presence of unknown users from unknown sources outside one's own administrative control. In unbounded networks where everyone is an insider and often unknown, there are always numerous untrustworthy insiders. A fortress model is only as strong as its weakest component. If a trusted insider abuses his or her authority, or an intruder finds an exploitable vulnerability in a security perimeter, the entire system can be compromised.

Airport security model
The airport security model is based on the environment that prevails in a typical airport. There are two significant characteristics in an airport. Firstly, there is no differentiation between insiders and outsiders. Everyone - airport staff, security staff, and passengers - goes through the same security scrutiny. Secondly, there are many logical layers of security. Passengers authenticate themselves at various zones, starting at the entry into the airport terminal, right up to the point where they enter the aircraft. The security check at each of these places is typically done by a 'different' security agency to eliminate any collusion. Airport security, therefore, employs an efficient system of 'layered defence'.

On similar lines, the airport security model (which has replaced the traditional fortress model as the preferred model in emerging unbounded environments) is robust, flexible and situational, with multiple zones (or layers) of security based on role. 'Gates' to zones can employ multiple overlapping technologies for identification, authentication and access control, depending on the individual's role and the purpose of the zone. Even if one zone is breached, the system remains safe. The result is a series of fortresses within the fortress.

Point-to-point security model
Point-to-point 'dynamic trust' is the future model for a highly networked world. It requires point-to-point authentication and trust, from any user on the network to any other user. It uses multiple overlapping or alternative technologies and assumes that all parties to transactions must identify and authenticate themselves and prove their right to participate. This model corresponds most closely to a world heavily populated with intelligent wireless devices.

All three models are responses to specific risks and eras. The fortress worked in the mainframe era. The airport model works for most enterprises now. The point-to-point model is required for a world where high levels of transactions are conducted wirelessly, anywhere, anytime.

Virtual Enterprise Networks
In the prevailing unbounded environment, organisations have to work with an ever-changing list of 'external' people and organisations. In these relationships there is a need to share information with someone (or something) physically located outside of the traditional enterprise security perimeter guarded by the firewall. As boundaries between internal and external environments are becoming irrelevant for enterprise networks, it is giving rise to a new identity and access management infrastructure for providing security services - the Virtual Enterprise Network (VEN).

The VEN (based on the airport security model) is an alternative to traditional security with demilitarized zones, providing robust 'layered defence' so that even if someone got inside one layer, there would be other layers to protect the organisation's information resources. The upshot is a model that builds on the existing infrastructure, but plans for a distributed perimeter. The VEN defines four logical layers -

(a) The resource layer. This layer houses clients, servers, applications and data, and is the innermost layer.

(b) The control layer. This is a new layer, not found in traditional security models. In this layer, authentication services reside, as do controls for security policies across layers.

(c) The perimeter layer. This layer contains firewalls, proxies and gateways that enforce physical and/or virtual boundaries between intranets and the Internet, or other security domains.

(d) The extended perimeter. This is the outermost layer. Here organisations engage technologies or services to secure resources physically located outside the perimeter.

Security Models


A security model is a mathematical, or logical, expression of a set of security policies. It is a diagrammatic, schematic, or tabular construct of the rules derived from security policies that deals with security levels (of information, of people, and of processes), and the interplay between the various types of security levels. The interplay takes place in accordance with well defined rules, which determine whether information should be allowed to flow, or be restricted, whenever a person or a process tries to access the information.

A security model takes security policies as input, and develops mathematical formulae and relationships between the objects. These formulae and relationships are built into data structures and mapped according to the policy requirements. After the security policies have been written, and the security models are ready as part of the Enterprise Security Architecture (ESA), the process of writing program code or procuring vendor solutions, can begin.

A system can be secure only if its security model is based on logically sound premises as the security features are built into operating systems, database systems, applications, etc, on the basis of their security models. Further, the user has to ensure that the system is appropriately configured to get the full benefit of its security model, since default settings usually constitute a 'low security' version of the model.

There are several well-known security models, such as the Bell-LaPadula model and the Biba model. These models represent certain standard concepts for controlling accessibility, integrity, etc, of information systems.

The Bell-LaPadula model is meant for information systems, where secrecy is of prime importance. On the other hand, the Biba model is suitable where integrity is more important. For example, if a timetable for passenger trains is to be made available online, then thousands of people should be able to access the database, often simultaneously. There would be no need for confidentiality, but there would be the highest possible need for integrity in the system.

In the above example, the data should never get corrupted (intentionally or accidentally), either at its primary storage location, or at the terminals where it is displayed, or even during intermediate stages of processing or transit through networks. Stringent requirements of integrity have to be met, despite the huge volumes of public network access at high speeds and in various processed formats. Evidently, an integrity model, rather than an access control model, will be used for building and operating this railway timetable.
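The two rules the article contrasts, written out as an added example for this page (it is not code from the article or from SecureSynergy): Bell-LaPadula decides on confidentiality labels, Biba on integrity labels, and the railway timetable scenario is modelled as an object carrying the editors' integrity level so that anyone may read it but only editors may change it. The label names, the orderings and the subjects are constructed for illustration.

```python
# Added example (not from the article): Bell-LaPadula and Biba access decisions.
# Label names, their ordering and the timetable scenario are constructed.

# Ordered label sets: a later entry dominates an earlier one.
CONFIDENTIALITY = ["public", "internal", "confidential", "secret"]
INTEGRITY = ["untrusted", "passenger", "timetable_editor", "system"]


def dominates(order, a, b):
    """True if label a is at least as high as label b in the given ordering."""
    return order.index(a) >= order.index(b)


def blp_allows(subject_clearance, object_class, mode):
    """Bell-LaPadula (confidentiality).

    Simple security property: a subject may read an object only if the
    subject's clearance dominates the object's class ("no read up").
    *-property: a subject may write an object only if the object's class
    dominates the subject's clearance ("no write down").
    """
    if mode == "read":
        return dominates(CONFIDENTIALITY, subject_clearance, object_class)
    if mode == "write":
        return dominates(CONFIDENTIALITY, object_class, subject_clearance)
    raise ValueError(f"unknown access mode: {mode}")


def biba_allows(subject_integrity, object_integrity, mode):
    """Biba strict integrity: the mirror image of Bell-LaPadula.

    A subject may read an object only if the object's integrity dominates the
    subject's ("no read down": do not let low-integrity data in), and may write
    an object only if the subject's integrity dominates the object's
    ("no write up": do not let a low-integrity subject corrupt trusted data).
    """
    if mode == "read":
        return dominates(INTEGRITY, object_integrity, subject_integrity)
    if mode == "write":
        return dominates(INTEGRITY, subject_integrity, object_integrity)
    raise ValueError(f"unknown access mode: {mode}")


def timetable_decisions():
    """The article's railway timetable: everyone may read, only editors may write.

    The timetable is labelled with the editors' integrity level, so Biba lets
    any lower-integrity subject read it but refuses to let them modify it.
    """
    timetable = "timetable_editor"
    return {
        "passenger_read": biba_allows("passenger", timetable, "read"),
        "passenger_write": biba_allows("passenger", timetable, "write"),
        "editor_write": biba_allows("timetable_editor", timetable, "write"),
        # An editor reading an untrusted source would import low-integrity data.
        "editor_read_untrusted": biba_allows("timetable_editor", "untrusted", "read"),
    }


def clearance_decisions():
    """A 'confidential' clerk against 'secret' and 'public' objects under BLP."""
    return {
        "read_secret": blp_allows("confidential", "secret", "read"),
        "read_public": blp_allows("confidential", "public", "read"),
        "write_secret": blp_allows("confidential", "secret", "write"),
        "write_public": blp_allows("confidential", "public", "write"),
    }


if __name__ == "__main__":
    print("Bell-LaPadula:", clearance_decisions())
    print("Biba:", timetable_decisions())
```

Note that under Bell-LaPadula the clerk may write to a 'secret' object it cannot read, which is exactly the integrity weakness that makes Biba the better fit for the timetable: the two models are duals, and a system that needs both confidentiality and integrity has to apply both sets of rules.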

An ESA usually has different security models co-operating within the system. For example, an enterprise may have several databases, built on different security models.

Security models have many benefits. Principally, they establish benchmarks, and ensure optimum utilisation of resources, by incorporating the right kinds of security for different bodies of information. This happens at the machine level, network level, and enterprise level.

Since there is never a single model that can meet all kinds of security requirements, 'best fit' solutions have to be designed, based on organisational requirements.

The Concept
All information security models use the terminologies of 'subject' and 'object.'

A 'subject' is an entity, such as a person, process, or device, which accesses or uses information from the system. An 'object' is the information, or a piece of a larger body of information, which is accessed by a 'subject.' An 'object' may be a 'subject' in another situation or context, and vice versa.

Types of Security Models
The important types of information security models are Access control models, Integrity models, State machine models, Information flow models and Non-interference models.

Different types of information security models use different philosophies for looking at subjects and objects, and also for grouping and classifying them, and for controlling their interactions.

A specific model, which may be a well-known model or a model designed for a particular organisational environment, usually has features from different types of information models. For example, the Bell-LaPadula model is largely an access control model, but it is also based on the state machine model.

Access control models
Access control models use sets of rules, which permit or deny access for a subject to an object. This ensures that information does not fall into wrong hands. The process involves a subject requesting for an object. The permission or denial of access to the object depends upon the 'right' that the subject possesses.

Access control models can be broadly classified into Mandatory access control (MAC) and Discretionary access control (DAC).

Mandatory access control models use the concept of 'labels,' which describe the confidentiality level (or security clearance) of a subject or an object. Access is then controlled as per the labels (or confidentiality levels/security clearances).

Discretionary access control models enable the owners of system resources to specify the subjects, and the rights of the subjects to objects. 'Discretionary access control' enables rights to be assigned as per the discretion (or choice) of the owner of the resource. It provides the owner with a degree of flexibility in exercising access control.

For example, Windows 2000 provides discretionary access control through Active Directory (AD) and Access Control Lists (ACLs). Similarly, Linux also provides discretionary access control.

The important access control models are Access matrix model, Take-Grant model and Bell-LaPadula model.
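The access matrix model combined with the discretionary rule described above, as an added example written for this page (not code from the article): subjects are rows, objects are columns, each cell holds a set of rights, and only the owner of an object may grant or revoke rights on it. The subjects, object name and rights are constructed.

```python
# Added example (not from the article): an access matrix enforced with
# discretionary access control. Subjects, objects and rights are constructed.
from collections import defaultdict

RIGHTS = {"own", "read", "write"}


class AccessMatrix:
    """Rows are subjects, columns are objects, cells hold the subject's rights."""

    def __init__(self):
        self.cells = defaultdict(lambda: defaultdict(set))
        self.owner = {}

    def create(self, subject, obj):
        """The creator becomes the owner and gets every right on the new object."""
        if obj in self.owner:
            raise ValueError(f"{obj} already exists")
        self.owner[obj] = subject
        self.cells[subject][obj] |= RIGHTS

    def check(self, subject, obj, right):
        """Access decision: is the right present in the (subject, object) cell?"""
        return right in self.cells[subject][obj]

    def grant(self, grantor, grantee, obj, right):
        """Discretionary rule: only the owner may confer rights on others,
        and ownership itself is never handed out by grant."""
        if right not in RIGHTS - {"own"}:
            raise ValueError(f"cannot grant {right}")
        if self.owner.get(obj) != grantor:
            raise PermissionError(f"{grantor} does not own {obj}")
        self.cells[grantee][obj].add(right)

    def revoke(self, revoker, subject, obj, right):
        """The owner may also take a right away again."""
        if self.owner.get(obj) != revoker:
            raise PermissionError(f"{revoker} does not own {obj}")
        self.cells[subject][obj].discard(right)

    def rights_of(self, subject):
        """The subject's row of the matrix, omitting empty cells."""
        return {obj: set(r) for obj, r in self.cells[subject].items() if r}


def demo():
    """Alice owns a report; Bob may read it only after Alice grants that right,
    and Bob cannot pass the right on to Carol because he is not the owner."""
    m = AccessMatrix()
    m.create("alice", "report.doc")
    result = {"bob_read_before": m.check("bob", "report.doc", "read")}
    m.grant("alice", "bob", "report.doc", "read")
    result["bob_read_after"] = m.check("bob", "report.doc", "read")
    result["bob_write"] = m.check("bob", "report.doc", "write")
    try:
        m.grant("bob", "carol", "report.doc", "read")
        result["bob_can_grant"] = True
    except PermissionError:
        result["bob_can_grant"] = False
    m.revoke("alice", "bob", "report.doc", "read")
    result["bob_read_revoked"] = m.check("bob", "report.doc", "read")
    result["alice_rights"] = m.rights_of("alice")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The flexibility the article credits to DAC is visible in `grant`: the decision is the owner's, not the system's. That is also its weakness, since an owner who grants read to the wrong subject has leaked the object, which is the gap that label-based mandatory models close.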

Integrity models
Integrity models focus on reliability, consistency, and correctness of data. This is achieved by protecting data from modification by unauthorised users, protecting data from unauthorised modification by authorised users, and maintaining consistency of data.

Integrity models ensure that data remains in the same state. In other words, the desired state of data should not undergo any change; either with malicious intent, or by mistake or due to events beyond the control of a user.

Integrity models classify data into integrity levels, and provide appropriate integrity protection between and within the different levels.

The important integrity models are the Biba integrity model and the Clark-Wilson integrity model.

State machine model
The state machine model captures the current state of a system, and compares it with the state at a later time, to determine if there has been a security violation in the interregnum. It looks at users, states, state commands, and outputs. It depicts a transition from one state to another, as a state variable.

A state machine model considers a system to be in a secure state, when there is not a single instance of security breach at the time of state transition. In other words, a state transition should occur only by intent, otherwise it is a security breach.
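A state machine model in miniature, as an added example written for this page (not code from the article): the state is the set of subject labels, object labels and currently held accesses; a state is secure when every held access is permitted by the labels; a transition is committed only if the resulting state is still secure; and an earlier snapshot is compared with the current state to detect a change that bypassed the transition function. The level names, subjects, objects and the scenario are constructed.

```python
# Added example (not from the article): a state machine model with a secure-state
# invariant. Level names, subjects, objects and the scenario are constructed.
import copy

ORDER = ["low", "medium", "high"]


def dominates(a, b):
    return ORDER.index(a) >= ORDER.index(b)


class SecureStateMachine:
    """State = subject levels + object levels + current (subject, object, mode) accesses.

    A state is secure when every held access is permitted by the labels
    (no read up, no write down). Transitions are accepted only if the
    resulting state is still secure: start secure, stay secure.
    """

    def __init__(self, subjects, objects):
        self.state = {"subjects": dict(subjects), "objects": dict(objects), "accesses": set()}
        self.log = []

    def is_secure(self, state=None):
        s = self.state if state is None else state
        for subj, obj, mode in s["accesses"]:
            sl, ol = s["subjects"][subj], s["objects"][obj]
            if mode == "read" and not dominates(sl, ol):
                return False
            if mode == "write" and not dominates(ol, sl):
                return False
        return True

    def transition(self, command, *args):
        """Apply a state command to a copy; commit it only if the copy is secure."""
        candidate = copy.deepcopy(self.state)
        if command == "get_access":
            candidate["accesses"].add(tuple(args))
        elif command == "release":
            candidate["accesses"].discard(tuple(args))
        elif command == "relabel_object":
            obj, level = args
            candidate["objects"][obj] = level
        else:
            raise ValueError(f"unknown command {command}")
        allowed = self.is_secure(candidate)
        if allowed:
            self.state = candidate
        self.log.append(("applied" if allowed else "denied", command, args))
        return allowed

    def snapshot(self):
        return copy.deepcopy(self.state)

    def audit(self, earlier):
        """Compare an earlier snapshot with the state now: what changed, is it still secure?"""
        return {
            "secure": self.is_secure(),
            "new_accesses": self.state["accesses"] - earlier["accesses"],
            "relabeled": {o for o, lvl in self.state["objects"].items()
                          if earlier["objects"].get(o) != lvl},
        }


def demo():
    m = SecureStateMachine({"clerk": "medium"}, {"ledger": "high", "notice": "low"})
    before = m.snapshot()
    read_up = m.transition("get_access", "clerk", "ledger", "read")   # denied: read up
    read_ok = m.transition("get_access", "clerk", "notice", "read")   # applied
    upgrade = m.transition("relabel_object", "notice", "high")        # denied: clerk still reads it
    # An out-of-band change that bypasses transition(), e.g. a label edited directly
    # in storage. The later audit catches it by comparing against the snapshot.
    m.state["objects"]["notice"] = "high"
    return {"read_up": read_up, "read_ok": read_ok, "upgrade": upgrade,
            "audit": m.audit(before), "log": m.log}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The relabel request is refused because the clerk still holds a read access that the new label would turn into a read up; the same change made outside the transition function is not refused, which is why the model pairs the transition rule with the later comparison of states.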

Information flow models
Information flow models deal with controlling the flow of information, so as to ensure that there are no leakages during the movement of data.

Leakages need to be prevented, whether information is flowing within a security level, or between different levels. Usually this is done by permitting flows only in specified directions, since a leakage is nothing but a flow in an unwanted direction.

The components of information flow models are objects (class, value), state transitions (modifications from the current state) and a lattice (the flow policy).

An example of an information flow model is the Sutherland model.
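A flow policy expressed as a lattice, as an added example written for this page (not code from the article): a security class is a linear level plus a set of compartments, information may flow from class A to class B only when A is below or equal to B in the lattice, and the class of anything derived from several inputs is their join (least upper bound). Checking a transition then means checking that the join of what a process read can flow to the object it writes. The level names, compartments and sample objects are constructed.

```python
# Added example (not from the article): an information flow policy as a lattice.
# Levels, compartments and the sample objects are constructed for illustration.
from dataclasses import dataclass
from typing import FrozenSet

LEVELS = ["unclassified", "confidential", "secret"]


@dataclass(frozen=True)
class SecurityClass:
    """A point in the lattice: a linear level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def can_flow_to(self, other):
        """A <= B in the lattice: information may flow from A to B."""
        return (LEVELS.index(self.level) <= LEVELS.index(other.level)
                and self.compartments <= other.compartments)

    def join(self, other):
        """Least upper bound: the class of anything derived from both inputs."""
        level = max(self.level, other.level, key=LEVELS.index)
        return SecurityClass(level, self.compartments | other.compartments)


def flow_allowed(src, dst):
    return src.can_flow_to(dst)


def derived_class(*inputs):
    """Class of an output computed from several inputs (join of all of them)."""
    result = inputs[0]
    for c in inputs[1:]:
        result = result.join(c)
    return result


def check_transition(reads, writes):
    """A transition (a process reading some objects and writing one) is permitted
    only if the join of everything it read can flow to where it writes."""
    return flow_allowed(derived_class(*reads), writes)


def demo():
    public = SecurityClass("unclassified")
    hr = SecurityClass("confidential", frozenset({"HR"}))
    finance = SecurityClass("confidential", frozenset({"FIN"}))
    board = SecurityClass("secret", frozenset({"HR", "FIN"}))
    return {
        "public_to_hr": flow_allowed(public, hr),
        "hr_to_finance": flow_allowed(hr, finance),
        "payroll_report_class": derived_class(hr, finance),
        "payroll_to_board": check_transition([hr, finance], board),
        "payroll_to_hr": check_transition([hr, finance], hr),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last case is the leak the article warns about: a report built from HR and finance data carries both compartments, so writing it back into the HR-only store would move finance data in a direction the policy does not permit, even though both stores sit at the same level.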

Non-interference model
Developed by Goguen and Meseguer in 1982, the non-interference model keeps activities at different security levels separated from each other, instead of permitting restricted flows between them. This model minimises leakages that may occur through covert channels, by maintaining complete separation (non-interference) between security levels.

A user at a higher security level cannot interfere, in any way, with the activities at a lower level. As a result, the lower level cannot possibly get any information from the higher level.

One of the major limitations of the non-interference model is the premise that a lower-level input cannot, by itself, generate a higher-level output. This assumption is often incorrect. For example, a cryptographic process can transform low-security data into high-security data.
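Non-interference tested by simulation, as an added example written for this page (not code from the article): a system is run on an input trace and again on the same trace with the high-level inputs purged; if what the low level observes differs, the high level has interfered. Two constructed toy systems are compared, one that keeps the levels separate and one that shares state between them. The level names, the systems and the traces are constructed.

```python
# Added example (not from the article): testing non-interference by simulation.
# The two toy systems, the level names and the input traces are constructed.

def purge(trace, level="high"):
    """Remove every input issued at the given level from a trace."""
    return [(lvl, value) for lvl, value in trace if lvl != level]


def run_separated(trace):
    """One counter per level: what the low user observes depends only on low inputs."""
    counters = {"low": 0, "high": 0}
    low_outputs = []
    for lvl, value in trace:
        counters[lvl] += value
        if lvl == "low":
            low_outputs.append(counters["low"])
    return low_outputs


def run_shared(trace):
    """A single shared counter: high inputs change what the low user observes.

    The shared counter is a covert channel: a high user can signal to the
    low user by choosing what to add, which non-interference forbids.
    """
    counter = 0
    low_outputs = []
    for lvl, value in trace:
        counter += value
        if lvl == "low":
            low_outputs.append(counter)
    return low_outputs


def non_interfering(system, traces, high="high"):
    """Goguen-Meseguer style check over a set of traces: the low-level output
    must be identical whether or not the high-level inputs are present."""
    return all(system(t) == system(purge(t, high)) for t in traces)


# Constructed traces: (level, value) pairs; a low output is observed after each low input.
TRACES = [
    [("low", 1), ("high", 5), ("low", 1), ("high", 2), ("low", 1)],
    [("high", 9), ("low", 1)],
]


if __name__ == "__main__":
    for name, system in (("separated", run_separated), ("shared", run_shared)):
        print(f"{name}: non-interfering = {non_interfering(system, TRACES)}")
```

The check is only as strong as the traces it is given, and it says nothing about the limitation noted above: it compares low-level observations, so a low input that legitimately produces a high output (as with encryption) is outside what it examines.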

Defining Information Threats

Felix Mohan, CEO - SecureSynergy

Enterprise Information Infrastructures have become critical 'centres of gravity'. A collapse of the information infrastructure can lead to collapse of the enterprise. This makes them attractive targets for potential adversaries.

Potential adversaries could either be malicious or non-malicious. Among the malicious adversaries are nation states, hackers (including phreakers, crackers, trashers, and pirates), terrorists/cyber-terrorists, organized crime, other criminal elements, industrial competitors, and disgruntled employees. On the other hand, careless or poorly trained employees are non-malicious adversaries, who, either through lack of training, lack of concern, or lack of attentiveness pose a threat to information systems.

Adversaries employ attack techniques that could be classified under passive, active, insider, close-in or distribution attacks. Passive attacks involve passive monitoring of communications sent over public media, and include monitoring plaintext, decrypting weakly encrypted traffic, password sniffing, and traffic analysis. Countermeasures against these attacks include the use of VPNs, cryptographically protected networks, and use of protected distribution networks (e.g. physically protected/alarmed wire-line distribution network).

Active attacks include attempts to:
:: Circumvent or break security features
:: Introduce malicious code (such as computer viruses)
:: Subvert data or system integrity
:: Modify data in transit
:: Replay (insertion of data)
:: Hijack sessions
:: Masquerade as authorised user
:: Exploit vulnerabilities in software that runs with system privileges
:: Exploit network trust
:: Insert and exploit malicious code (Trojans, backdoors, virus, worms etc)
:: Cause denial of service
Typical countermeasures include:
:: Strong enclave boundary protection (e.g., firewalls and guards)
:: Access control based on authenticated identities for network management interactions
:: Protected remote access
:: Quality security administration
:: Automated virus detection tools
:: Audit
:: Intrusion detection

In close-in attacks an unauthorized individual gains close physical proximity to networks, systems, or facilities for the purpose of modifying, gathering, or denying access to, information. Gaining such proximity is accomplished through surreptitious entry, open access, or both. Close-in attacks include modification of data, information gathering, system tampering, and physical destruction of the local system.

Insider attacks are performed by a person who either is authorized to be within the physical boundaries of the information security processing system or has direct access to it. Insider attacks can be malicious or non-malicious (caused by carelessness or ignorance of the user). The non-malicious case is still considered an attack because of the security consequences of the user's action.

Insider attacks are often the most difficult to detect and to defend against. Sources of insider attacks can include maintenance staff working during after-working hours, authorized (privileged to login) system users, and system administrators with malicious intent. Often it is difficult to prevent individuals who have legitimate access to a system from transgressing into more private areas where they have no authorization. Insider attacks may focus on compromise of data or access and can include modification of system protection measures. A malicious insider may use covert channels to signal private information outside of an otherwise protected network.

Distribution attacks maliciously modify hardware or software between the time of its production by a developer and its installation, or when it is in transit from one site to another. These attacks, that include chipping, are usually complex requiring industry-government collusion, and are used as information warfare initiatives by nation states.

Considering the myriad of techniques that potential adversaries have at their disposal to cause harm; and considering the inexorable increase in the dependency of business processes on information systems, implementing robust information security controls in the enterprise is no longer a matter of choice!

Information Security: A New Approach


Information Technology is pervasive — it moves your business and, very often, aspects of your personal life; it facilitates transactions, creates a responsive organisation, enables customer and partner interactions, and creates competitive advantage for the corporation. As fundamental as IT is to business, information security is equally critical to the survivability of businesses in today's Digital economy.

The role of information security has changed over the past few years. The traditional definition of protecting networks and the Datacenter has undergone a shift in focus, resulting in the enablement of businesses, with security solutions actually moving your business forward or even to the next step. Security is now a lifestyle: a must-do for the survivability of businesses. Wherever the network goes, security goes. Improving customer acquisition, extending businesses, the growing mobility of the workforce and a global workplace are all facilitated by Security frameworks, processes and solutions.

No longer can security be an afterthought. The increased need for efficiency and productivity, reducing costs, reaching multiple markets and faster time-to-market are a few of the business benefits which are driving organisations to make security a part of the organisational DNA.

The opportunities thrown up by Security to CEOs and functional heads bring an enormous challenge to IT administrators. And the Achilles' heel of such an internetworked Enterprise becomes Information Security, or rather the lack of it. Cyberspace is no place for the unwary, especially in an increasingly competitive world. This challenge confronts both large enterprises and Small and Medium Enterprises. As a variety of security threats, new vulnerabilities, new technologies, convergence and market-focused processes threaten to swamp traditional IT, you need stability amidst change — you need a new way of doing security which accelerates the organisation's extensions and growth: a new way of implementing, managing and doing security which has the flexibility to accommodate change and to adopt emerging technologies.

While the Internet offers tremendous value by opening up new levels of integration with partners, suppliers and customers, it also exposes business systems to new forms of malicious attacks. In the era of unbounded networks, security boundaries have blurred as data flows across the information Value Chain. In addition, new threats have emerged, and the quantity and virulence of attacks have grown. As long as technology continues to evolve, malicious code will be right behind. The nature of viruses, Trojans and worms makes it virtually impossible to stop infiltration completely, though there are ways to reduce it, if not eliminate it.

However, most companies do not have sufficient IT staff to keep patch levels up to date, therefore allowing even known vulnerabilities to remain exposed. Security is a moving target — it is physically impossible for any organisation to monitor, analyse threats, manage and act upon them on a 24x7x365 basis. Signatures, Patches, and DAT files must be updated regularly to eliminate false positives, eliminate vulnerabilities and to ensure detection of the latest intrusions and exploits. These tasks are not just time consuming but also require highly skilled security analysts who must stay apprised of any new threats and techniques. In addition to being expensive and often ineffective, providing constant vigilance in-house is management intensive and can distract an organisation from its core business.

A resilient and future-proofed IT infrastructure is mandatory for organisations for which predictability is the most critical component. Predictability is an amalgamation of Reliability, Availability, Manageability and Scalability backed by performance management.

The progression from data to information to knowledge to intellectual is tough to accomplish. While security threats are increasing in leaps and bounds, security professionals are few and far between. In fact, the biggest missing link in security is the absence of trained and certified professionals in most geographies. Security encompasses not just systems but people as well. And education does not stop at the IT manager alone, but also needs to extend to all users, as they use Networked services to transact, and to the policy maker who needs to discuss and decide on business extensions.

Well designed IS security policies and professionally implemented security architectures cannot by themselves assure the security of your information assets. People are at once the weakest links and the strongest defence to secure the information assets of any organisation. While information security touches every major aspect of operations, insufficient awareness and understanding of security amongst people is a major cause that undermines security.

No single product or service can comprehensively address the possible security threats to your IT infrastructure. Maintaining effective security is a continuous process that identifies assets, analyses threats, and defines acceptable levels of risk. Strong, enterprise-wide security demands solutions and technologies that bring together online technologies, processes, practices and trained people.

Manage your Information Security

Felix Mohan, CEO - SecureSynergy

A comprehensive information security strategy provides the vision to deliver a secure information environment. It enables organisations to integrate information security with business strategy and planning, and defines the framework through which organisational information risks can be securely managed.

A well-designed security strategy aims at leveraging best information security practices to improve business performance. People, processes and technology are the core elements of the strategy. The security strategy aligns these elements with one another and with the business needs in a manner that can assure a secure information environment and provide competitive advantages.

To manage your Information Security:

Understand clearly that information security is first and foremost a business problem, which needs to be resolved like any other business uncertainty - in terms of risk management.

Know that information security cannot be achieved through technology alone; and though security solutions have a technological component, the larger part (almost 80%) relates to managing people and process uncertainties.

Understand clearly that information security is largely a people issue and that people are the weakest link in the security chain - their awareness can make or break the organisation's investment in security technology and processes.

Understand that information security, like any other business process, is effective only when based on reliable information and a sound strategic plan. The plan has to be developed using the right standards, policies and technologies and communicated to each person in the enterprise.

Make sure that you have an ongoing monitoring process to see that the security plan and solutions evolve to meet changing business needs.

Acknowledge that security threats and breaches can seriously undermine share price and stakeholder confidence, and can result in significant financial losses.

Effectively demonstrate the value of information security in business terms to the Board and top management, and communicate a clear business case for investments in security.

Know that the key element of governance is monitoring performance, and a prerequisite to monitoring is measurement of security goals, policies, compliance, spending, and ROI.

Be fully aware of the powerful effect of information security on business strategy, and take an enterprise-wide view by collaborating with other business heads in planning and devising security budgets, plans, and strategies that can benefit the company as a whole.

Keep your security strategy in step with your business strategy and changing security environment.

Look beyond your immediate organisational boundaries to the extended enterprise, and understand its contribution to achieving effective and enabling information security.

Measuring the Effectiveness of Security Using ISO 27001

A white paper by Steve Wright,
Siemens Insight Consulting

Whilst the intentions and objectives behind ISO/IEC 27001:2005 (ISO 27001) aren’t dramatically different to those in BS 7799-2:2002, one of the changes with the biggest potential impact to organisations is the requirement to measure the effectiveness of selected controls - or groups of controls - within the new standard (for more details see ISO 27001 Clause 4.2.2 d).

This new requirement not only demands that businesses specify how these measurements are to be used to assess ‘control’ effectiveness (there are now 133 Controls in the new standard), but also how to measure the selected controls’ effectiveness. In addition to this, the new standard requires that these measurements are comparable and reproducible, e.g. so they can be used time and time again, and compared on a year by year basis to gain a better understanding on trends, etc.

So why do organisations need to measure security effectiveness in the first place? Well, it would be easy to say we’re secure, but how can you demonstrate that an organisation’s security controls are working effectively, and equally importantly - how can you

• Ongoing improvement?

• That your organisation has met legal, regulatory and compliance with standards, contractual requirements such as Sarbanes-Oxley - SOX, BASEL II, Payment Card Industry Data Security Standard – PCI DSS, etc.?

• That any future expenditure is based on sound and reasoned security solutions (software, hardware, training, etc.) that are appropriate and effective within your organisation?

• That your organisation is compliant with ISO 27001 (including other Management Systems such as ISO 9001, Information Technology Infrastructure Library - ITIL, COSO, CoBIT, ISO 20000)?

• Where implemented controls are not effective in meeting their primary objectives - to reduce risk?

• Assurance to auditors, senior management and stakeholders that risk-justified implemented controls are working effectively (i.e. they have invested their money wisely for a good return on investment - ROI)?


You could be forgiven for thinking this should be a reasonably straightforward task. After all, most IT departments throughout the world have been working within some kind of measurement infrastructure (e.g. sometimes measured within contractual Key Performance Indicators - KPI, Service Level Agreements - SLA, Operational Level Agreements - OLA) since the mid-1990s and should, by rights, be used to considering how to measure their IT effectiveness (most IT departments I’ve known usually have very stringent methods for providing value for money).

The challenge is, the whole area of what constitutes good and effective security and how to implement it is subjective and therefore difficult to quantify, let alone provide statistics. In fact, within most organisations there is often plenty of evidence that good security practices and controls are in place, especially those organisations that have already implemented management frameworks such as CoBIT, ITIL or COSO.

So what are the benefits of measuring your organisation’s security effectiveness?

• Provides tangible evidence of cost reduction - through better risk management and reduction of impact caused by exploitation of threats

• Provides better cost / benefit analysis and therefore helps ensure ROI decisions going forward

• Actually eases the process of monitoring the effectiveness of the ISMS (e.g. less labour intensive, for example, if using tools, and provides a means of self checking)

• Using proactive tools to measure can prevent problems arising at a later date (e.g. network bottlenecks, disk clutter, development of poor human practices)

• Reduction of incidents and better understanding of root cause

• Motivates staff when senior management set targets

• Tangible evidence to auditors and assurance to senior management that you are in control - i.e. Corporate Information Assurance (Corporate Governance), and a top-down approach to Information Assurance.

Whatever the organisational drivers for measuring
the effectiveness of security, it should no longer be
just about identifying the controls to be
implemented (based on the risk assessment), but
also about how each control will be measured
against its original objective (to reduce the chances
of the risk being exposed). After all, if you can’t
measure it, how do you know it’s working?

Before deciding which controls should be measured
for effectiveness, your organisation should first
undertake the following activities:

• Confirm relevance of selected controls through risk
assessment (Mandatory requirement for both ISO
27001 compliance and certification projects)

• Define objectives, ensuring they map back to the
business objectives

• Use existing Indicators wherever possible, e.g. in
ITIL terms, KPIs

• A KPI helps a business define and measure
progress towards a particular goal

• KPIs are quantifiable measurements of the
improvement in performing the activity that is
critical to the success of the business

• Within the Information Security Management
System (ISMS) audit framework, identify controls
which can be continuously monitored, using a
chosen technique

• Establish a baseline (e.g. security awareness
trained x amount of people in y timeframe) against
which all future measurements can be contrasted /
• Provide periodic reports to appropriate
management forum / ISMS owners (illustrate with
graphs - pictures paint a thousand words)

• Identify Review Input - agreed recommendations,
corrective actions, etc.

• Implement improvements in line with any existing
Management Systems, e.g. ISOs 9001, 14000,
27001, 20000, 18000

• Establish / agree new baseline, review the output,
apply the PDCA approach (i.e. Plan - Do - Check -

Hopefully, each business may have its own
measurements already in place (e.g. SLAs, OLAs, KPIs).
The challenge is to set a ‘measurement’, which is
realistic based on a previous known figure, and ensure
the future figure is measurable and reproducible.
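The procedure above (confirm the control, define an objective, establish a baseline, measure, report, review) is easier to see with figures. The following is an added example, not part of the white paper: each measurement is recorded as a count out of a population so that the figure is reproducible, then contrasted with the previously known baseline and the target agreed with management. Control names, periods, baselines and targets are constructed for illustration only.

```python
"""Contrast control-effectiveness measurements with an agreed baseline.

Added example, not from the white paper. Every figure is a count out of a
population so the measurement is reproducible; the control names, periods,
baselines and targets below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Measurement:
    """One reproducible measurement of a control in a reporting period."""
    control: str
    period: str        # e.g. "2007-Q1"; periods are given in chronological order
    numerator: int     # e.g. staff who completed awareness training
    denominator: int   # e.g. staff in scope

    @property
    def ratio(self) -> float:
        return self.numerator / self.denominator if self.denominator else 0.0


@dataclass(frozen=True)
class Objective:
    """Previously known figure (baseline) and the goal agreed with management."""
    control: str
    baseline: float
    target: float
    higher_is_better: bool = True


def direction(previous: float, current: float, higher_is_better: bool,
              tolerance: float = 0.005) -> str:
    """Classify the change between two consecutive periods."""
    delta = current - previous
    if abs(delta) <= tolerance:
        return "flat"
    improving = delta > 0 if higher_is_better else delta < 0
    return "improving" if improving else "regressing"


def assess(measurements: List[Measurement],
           objectives: Dict[str, Objective]) -> Dict[str, dict]:
    """Per control: latest ratio, movement from baseline, objective met?, trend."""
    series: Dict[str, List[Measurement]] = {}
    for m in measurements:
        series.setdefault(m.control, []).append(m)

    report: Dict[str, dict] = {}
    for control, points in series.items():
        obj = objectives[control]
        latest = points[-1].ratio
        meets = latest >= obj.target if obj.higher_is_better else latest <= obj.target
        trend = (direction(points[-2].ratio, latest, obj.higher_is_better)
                 if len(points) > 1 else "n/a")
        report[control] = {
            "period": points[-1].period,
            "latest": round(latest, 3),
            "vs_baseline": round(latest - obj.baseline, 3),
            "target": obj.target,
            "meets_objective": meets,
            "trend": trend,
        }
    return report


def controls_needing_review(report: Dict[str, dict]) -> List[str]:
    """Review input for the management forum: controls missing their objective
    or moving away from it, i.e. controls not effective at reducing risk."""
    return [c for c, r in report.items()
            if not r["meets_objective"] or r["trend"] == "regressing"]


def render(report: Dict[str, dict]) -> str:
    """Plain-text summary for a periodic management report."""
    lines = []
    for control, r in report.items():
        status = "OK " if r["meets_objective"] else "GAP"
        lines.append(f"{status} {control:<30} {r['latest']:.2f} (target {r['target']:.2f}, "
                     f"{r['vs_baseline']:+.2f} vs baseline, {r['trend']})")
    return "\n".join(lines)


# Constructed sample data: three controls measured over three quarters.
SAMPLE_OBJECTIVES = {
    "security-awareness-training": Objective("security-awareness-training", 0.60, 0.90),
    "patches-applied-within-sla": Objective("patches-applied-within-sla", 0.70, 0.95),
    "lessons-learnt-within-5-days": Objective("lessons-learnt-within-5-days", 0.50, 1.00),
}
SAMPLE_MEASUREMENTS = [
    Measurement("security-awareness-training", "2007-Q1", 120, 200),
    Measurement("security-awareness-training", "2007-Q2", 150, 200),
    Measurement("security-awareness-training", "2007-Q3", 184, 200),
    Measurement("patches-applied-within-sla", "2007-Q1", 350, 500),
    Measurement("patches-applied-within-sla", "2007-Q2", 380, 500),
    Measurement("patches-applied-within-sla", "2007-Q3", 370, 500),
    Measurement("lessons-learnt-within-5-days", "2007-Q1", 1, 2),
    Measurement("lessons-learnt-within-5-days", "2007-Q2", 3, 3),
    Measurement("lessons-learnt-within-5-days", "2007-Q3", 4, 4),
]

if __name__ == "__main__":
    print(render(assess(SAMPLE_MEASUREMENTS, SAMPLE_OBJECTIVES)))
```

Recording numerator and denominator rather than a percentage is what makes the figure reproducible: the next reviewer can recount the same population. The `controls_needing_review` output is the review input for the management forum, and once improvements are implemented the `baseline` in each `Objective` is reset to the new agreed figure, which is the PDCA loop the paper describes.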

Senior management, and possibly auditors,
are more likely to want to see the big picture;
therefore, consider monitoring the
effectiveness of a group of controls, e.g.
Section 13 of ISO 27001 - Security Incident
Management, plus others. Try to encourage
senior managers to buy into realistic ‘first-time’
goals, such as measuring how well you
coped with the latest security incident, in
what time frames you held the lessons learnt
meeting and at what point the improvements
to the existing system became operational.

When selecting controls to be measured for
their effectiveness, it is worth bearing in
mind that you could group them into four

1. Management Controls
Security Policy, IT Policies, Security
Procedures, Business Continuity Plans,
Security Improvement Plans, Business
Objectives, Management Reviews.

2. Business Processes
Risk Assessment & Risk Treatment
Management Process, Human Resource
Process, SOA Selection Process, Media
Handling Process.

3. Operational Controls
Operational Procedures, Change Control,
Problem Management, Capacity
Management, Release Management,
Back-up, Secure Disposal, Equipment

4. Technical Controls
Patch Management, Anti-Virus Controls,
IDS, Firewall, Content Filtering.

In a changing environment, new baselines
will need to be set each time a major
change or incident occurs within the ISMS,
so this is just the beginning. Try to
establish regular review cycles of your
security effectiveness measurements and
consider how this might improve, how
your organisation can become more
effective in the management of its

that security and risk management is a
black art and that it is un-measurable. In
fact, we should start to see tangible
benefits from measuring and improving
our ISMSs and Security Management
solutions globally. For more information,
the new ISO 27004 will soon be published,
which will help those organisations who
are unclear about this and the new
standard should help any organisation get
a grip on measuring the effectiveness of

Author’s biography
Steve Wright is the Senior Consultant
providing professional advice in
relation to Information Security/
Technology/ Management to meet
BS 7799, ISO 27001, ITIL, ISO 20000,
PAS 56, PAS 99, PCI DSS, ISO 13335
and works within legal and regulatory
frameworks such as Basel II, SOX and
Combined Code requirements. In
addition, he is accustomed to
implementing risk best practices such
as Enterprise Risk Management
frameworks and conducting risk
assessments, using tools such as
Steve is currently project managing
many implementations of ISO 27001
ISMS systems, both virtually and
physically, from initiation through to
final delivery, to meet certification
requirements of ISO 27001, ISO 9001
and ISO 20000 in both financial,
private and public service sectors,
three of which have recently achieved
certification to ISO/IEC 27001:2005 in
late 2006 alone.
Steve heads up the Security
Management service line within
Siemens Insight Consulting managing
the team of six highly qualified and
experienced consultants.

Insight Consulting is the specialist Security,
Compliance, Continuity and Identity Management
unit of Siemens Enterprise Communications
Limited and offers a complete, end-to-end portfolio
• Security • Compliance
• Continuity • Identity Management
• Managed Services • Training
Siemens Insight Consulting subscribes to the CESG
Listed Advisor Scheme (CLAS) and CHECK services.
We’re also certified against ISO 27001 and are a
preferred supplier of services to the UK
Government and an accredited Catalist supplier.
If you’d like to find out more about how we can
help you manage risk in your organisation, visit our
web site at
Siemens Insight Consulting
Tel: +44 (0)1932 241000
Fax: +44 (0)1932 236868

Policy Monitor and its relationship with ISO 27001:2005

A White Paper by Steve Wright, Siemens Insight Consulting

So how can Policy Monitor help an
organisation demonstrate best practice and
compliance with ISO 27001:2005?

Back to basics
Information security (InfoSec) covers a far
more complex and broad area than just IT.
InfoSec interweaves with every business
function and its supporting processes.
It spans and affects every part of the
organisation (and its trusted partners) and its
business. It can change the way an entire
department is operated, whilst providing
assurance to stakeholders and shareholders
that appropriate controls are in place, or being
managed. It can also provide the
risk management controls mandated under
legislation and regulatory requirements.

Whatever your business or contractual requirements to demonstrate and
manage InfoSec are, an organisation needs to think about how it can
manage and disseminate relevant InfoSec policies (e.g. IT User
Acceptance, HR Vetting, Building Access, IT & Network Access, Mobile
Devices Usage) to all its employees. This may sound straightforward, but
ensuring these policies have the correct version, are assigned to relevant
owners for regular updates (following the latest vulnerability alert, a
significant change or an updated risk review) and making sure the ‘end
users’ have read and understood them, can be a real headache for any
organisation (depending upon the size and geographical layout).

Policy Monitor has been designed and developed with this requirement in
mind. In addition, Policy Monitor also fulfils the best practice
requirements of ISO 27001.

What is Best Practice - ISO 27001?
ISO 27001:2005 was established by the International Organization for
Standardization (ISO). It is based on, and replaces, the internationally
recognised British Standard BS 7799. ISO 27001 has been aligned with
other international standards, including the OECD guidelines for
implementing information security and the Code of Practice standard,
ISO 17799.

ISO 27001 defines the requirements for an
Information Security Management System
(ISMS). The standard is designed to ensure the
selection of adequate and proportionate
security controls such as a security policy and its
supporting IT policies and procedures. This
helps to protect organisations’ information
assets and provides confidence to interested
parties including an organisation’s customers
and third parties.

The standard adopts a process approach for
establishing, implementing, operating,
monitoring, reviewing, maintaining, and
improving an organisation’s ISMS. ISO 27001 is
by no means an IT-only standard; information is
an organisational asset. The standard has no
technology requirements, although there are IT
related controls, as the majority of information is
held on IT systems.

ISO 27001 is the only internationally accepted
auditable standard for information security

The standard goes further to re-emphasise the
importance of having a security policy endorsed
by the highest level of authority within an
organisation. This way, employees can
recognise the importance of security to that
organisation and ensure they comply with best
practice. ISO 27001 requires that “an
information security policy document should be
approved by management, and published and
communicated to all employees and relevant
external parties.”

Clause 4.2.2 (e) requires any organisation
wishing to be compliant (or certified) with
ISO 27001 to implement training and
awareness programmes. Clause 5.2.2 requires
that the organisation is responsible for ensuring
all personnel who are assigned responsibilities
defined in the Information Security
Management System (ISMS) are aware of their
responsibilities and have access to appropriate
policies at all times.

In addition to this, ISO 27001 describes the
context of risk and how risk, policies and
corporate standards can work together (within a
framework of an Information Security
Management System – ISMS / ISO 27001)
through a systematic and layered approach to
InfoSec Management.

Control reference Appendix 8.2.2 goes even
further – it requires any organisation claiming
to be compliant with ISO 27001 to ensure “All
employees of the organisation and, where
relevant, contractors and third party users shall
receive appropriate awareness training and
regular updates in organisational policies and
procedures, as relevant for their job function.”
This effectively means that an organisation is
responsible not only for ensuring that all its staff
and contractors have appropriate access to
the security policy, but also for demonstrating
that the relevant people have read and
understood the policy.

Well, it all originates from one very simple
principle – good and effective policy and
content management. Without knowing what
and where your policies are, how current they
are, how they are accessed and by whom,
the organisation increases the risk of
employees not adhering to policies within the
organisation. Nobody can be expected to
adhere to security policy rules, nor be
disciplined for breaching them, unless the
organisation can categorically prove the end
user was aware of the security policy

This presents most organisations with a similar
dilemma – how to ensure the relevant
information is disseminated appropriately and
that evidence can be provided should the need
arise (e.g. civil or criminal prosecution). Policy
Monitor has the answer: it uses an Integrated
Content Management System to allow author
and approver control (a requirement of
ISO 27001 – see Clauses 4.3.2 & 4.3.3, Control of
documents and records, and a requirement of a
Quality Management System – ISO 9001),
policy version control, and monitors employee
usage and acceptance.
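The three mechanisms just named (author and approver control, policy version control, and a record of employee acceptance) are what let an organisation produce evidence that a named user had read the version of a policy in force at the time. The following is an added example written for this page; it is not Policy Monitor’s code and makes no claim about how that product works internally. It keeps a register of policy versions, refuses to publish a version whose approver is its author, only accepts acknowledgements of the current version, and reports who still needs to read what after a policy is revised. The policy identifiers, user names and dates are constructed for illustration.

```python
"""Evidence that staff have read the current version of each policy.

Added example, not Policy Monitor's code. Models the controls the paper lists:
author/approver separation, version control and a record of who accepted
which version. Policies, users and dates are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class PolicyVersion:
    policy_id: str
    version: int
    author: str
    approver: str
    published: str  # ISO date


@dataclass(frozen=True)
class Acknowledgement:
    user: str
    policy_id: str
    version: int
    acknowledged_at: str


class PolicyRegister:
    def __init__(self) -> None:
        self._versions: Dict[str, List[PolicyVersion]] = {}
        self._acks: List[Acknowledgement] = []

    def publish(self, pv: PolicyVersion) -> None:
        """Control of documents: distinct approver, strictly increasing versions."""
        if pv.author == pv.approver:
            raise ValueError("approver must differ from author")
        history = self._versions.setdefault(pv.policy_id, [])
        expected = history[-1].version + 1 if history else 1
        if pv.version != expected:
            raise ValueError(f"expected version {expected} for {pv.policy_id}")
        history.append(pv)

    def current(self, policy_id: str) -> PolicyVersion:
        return self._versions[policy_id][-1]

    def acknowledge(self, user: str, policy_id: str, version: int, at: str) -> None:
        """Control of records: only the version currently in force can be accepted."""
        if version != self.current(policy_id).version:
            raise ValueError("acknowledgement must reference the current version")
        self._acks.append(Acknowledgement(user, policy_id, version, at))

    def evidence(self, user: str, policy_id: str) -> Optional[Acknowledgement]:
        """The record proving this user accepted the version in force, if any."""
        cur = self.current(policy_id).version
        for ack in self._acks:
            if ack.user == user and ack.policy_id == policy_id and ack.version == cur:
                return ack
        return None

    def outstanding(self, users: Iterable[str]) -> Dict[str, List[str]]:
        """Users who still need to read the current version of a policy.
        Publishing a new version reopens the requirement for everyone."""
        result: Dict[str, List[str]] = {}
        for user in users:
            missing = [p for p in self._versions if self.evidence(user, p) is None]
            if missing:
                result[user] = missing
        return result

    def coverage(self, policy_id: str, users: List[str]) -> float:
        """Fraction of users with evidence for the current version (a KPI)."""
        done = sum(1 for u in users if self.evidence(u, policy_id) is not None)
        return done / len(users) if users else 0.0


def build_sample_register() -> PolicyRegister:
    """Constructed scenario: an acceptable-use policy revised after a risk review."""
    reg = PolicyRegister()
    reg.publish(PolicyVersion("IT-AUP", 1, "infosec", "ciso", "2007-01-10"))
    reg.publish(PolicyVersion("MOBILE", 1, "infosec", "ciso", "2007-02-01"))
    reg.acknowledge("alice", "IT-AUP", 1, "2007-01-12")
    reg.acknowledge("bob", "IT-AUP", 1, "2007-01-15")
    reg.acknowledge("alice", "MOBILE", 1, "2007-02-03")
    reg.publish(PolicyVersion("IT-AUP", 2, "infosec", "ciso", "2007-05-02"))  # revised
    reg.acknowledge("alice", "IT-AUP", 2, "2007-05-04")
    return reg


SAMPLE_USERS = ["alice", "bob", "carol"]

if __name__ == "__main__":
    reg = build_sample_register()
    print(reg.outstanding(SAMPLE_USERS))
    print(f"IT-AUP coverage: {reg.coverage('IT-AUP', SAMPLE_USERS):.0%}")
```

The point the paper makes about evidence is visible in the sample: bob accepted version 1 of the acceptable-use policy, but once version 2 was published that record no longer proves awareness of the policy in force, so `evidence("bob", "IT-AUP")` is empty and he reappears in the outstanding list. The `coverage` figure is the kind of KPI the first paper on this page suggests reporting to management.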

With the focus being placed on perimeter
security, firewalls, intrusion prevention software
and ID card access it becomes easy to forget the
simple rule, that you are only as good as the
people you employ.

Making sure they are equipped with the
knowledge and tools to ensure the correct
policy is applied should be an
organisation’s first and last line of defence.

So, whatever your drivers are for ensuring
security policies are disseminated, adhered
to, or communicated effectively,
complementary use of Policy Monitor will
help your organisation with all kinds of
invaluable and available information about

I hope this paper will help you when
considering Siemens Insight Consulting as your
partner in helping you or your organisation
become fluent in the world of InfoSec.

Author’s biography
Steve Wright is a Senior Consultant
providing professional advice in relation to
information security/technology
management to meet BS 7799, ISO 27001,
ITIL, ISO 20000, PAS 56, PAS 99, PCI DSS,
ISO 13335 and works within legal and
regulatory frameworks such as Basel II, SOX
and Combined Code requirements. In
addition, he is accustomed to
implementing risk best practices such as
enterprise risk management frameworks
and conducting risk assessments, using
tools such as CRAMM.
He is currently project managing many
implementations of ISO 27001 ISMS
systems, both virtually and physically, from
initiation through to final delivery, to meet
certification requirements of ISO 27001,
ISO 9001 and ISO 20000 in both financial,
private and public service sectors, three of
which have recently achieved certification
to ISO/IEC 27001:2005 in late 2006 alone.