• No results found

Specialist information security advice

ISO27001:2005 dropped the specific requirement for an organization to deploy a specialist information security adviser. It does, however, recognize that an organization needs to have specialist advice available, and what was a separate control prior to this revision has now been rolled up into control A.6.1.1, discussed above. The organization may need advice from in-house or specialist external security advisers. While ISO27002 no longer provides detailed guidance on this issue, our view is that, while not all organizations will wish to employ their own specialist internal adviser and may prefer that a non-specialist internal adviser is given the security management responsi- bility, this person should have access to external advice (perhaps through a mentoring scheme) that provides specialist input covering any areas in which the in-house person is deficient. It is particularly important in the areas of security technology and information technology generally that specialist advice is retained and is easily available. Technology, vulnerabilities, threats and defences are evolving so fast that it is difficult for any single individual to keep completely on top of them all.

While there is a discussion in Chapter 9 of this book about information security education and training, particularly for the users of information security facilities, it is at this point appropriate to look at the qualifications that might be appropriate for an in-house specialist adviser or that one might expect to be evidenced by an external specialist.

One option is for the organization to employ someone who appears to be qualified by experience to provide the required specialist information and

security advice. It can be difficult for an inexperienced recruiter to identify someone who is really adequately experienced for this role. As correct selection of this person is critical to the early success of the ISO27001 project, it is worth taking a structured approach to resolving the issue.

It is recommended that any organization pursuing ISO27001 specifies from the outset that its information security adviser be appropriately qualified and that if someone who does not have a formal qualification but claims to be qualified through experience is recruited for the role, he or she be required (as a condition of continuing in employment beyond the initial probationary period) to demonstrate this competence by acquiring an appropriate qualifi- cation.

It is now possible to obtain a postgraduate qualification in information security management from the United Kingdom’s Open University. This course, numbered M886, is designed to help employees understand, create and manage both strategic and operational aspects of information security and it uses this book as its core textbook. We believe that this course is unique. The British Computer Society (BCS), based in Swindon (tel: 01793 417424; fax: 01793 480270; website: www.bcs.org) is another key link for any organi- zation pursuing ISO27001. The BCS website describes a range of training programmes and regimes that are applicable to information professionals. Most importantly, it describes the Information Systems Examination Board (ISEB) qualifications. The most important of these, from the ISO27001 point of view, is the Certificate in Information Security Management Principles. This certificate is designed to provide the foundation of knowledge necessary for individuals who have security responsibility as part of their day-to-day role or who are likely to move into a security or security-related function. BCS claims that the certificate provides an opportunity for those already within such roles to enhance or refresh their knowledge and, in the process, to gain a qualification, recognized by industry, that demonstrates the level of knowledge gained.

The qualification is said by BCS to prove that the holder has a good knowledge and basic understanding of the wide range of subject areas that make up information security management. It is possible for someone who has experience in computer support or management to attend this course and to become qualified in information security. Someone who has little or no practical exposure to information technology is unlikely to benefit from the course.

Candidates who have achieved the certificate, which requires a one-week study course followed by a written examination, should be able to understand:

ᔢ information security management concepts (confidentiality, integrity, availability, vulnerability, threats, risks and countermeasures, etc);

ᔢ current legislation and regulations that impact information security management in the United Kingdom;

ᔢ current national and international standards, frameworks and organiza- tions that facilitate the management of information security;

ᔢ the current business and technical environments in which information security management takes place (security products, malicious software (‘malware’), relevant technology, etc); and

ᔢ the categorization, operation and effectiveness of a variety of safeguards. The contact details of those organizations that are accredited to deliver training that leads to the ISEB certificate, as well as current details about examination fees and dates, are all to be found on the BCS website. Current training costs and course availability can obviously be ascertained by contacting the training providers identified on the website. Those who believe that they are qualified by experience do not need to take any of the training courses offered; it is recommended, though, that their initial employment package requires them to refund the cost of a failed exami- nation. This tends to focus the mind of the recruit on the importance of obtaining the certificate. There are about 150 candidates per year for the ISEB certificate examinations and the pass rates are high.

The BCS also maintains a Register of Information Security Specialists. It believes that good practice requires competent, experienced practitioners and that there is a real need for an approved listing of those society members and others particularly qualified in information systems security. The individuals on this register are, the BCS claims, experienced in their specialisms, and this experience has been tested by interview with their peers.

The BCS wants its security register to be the prime source of information for all those seeking professional advice based on proven experience in the security field. It is published free of charge and updated regularly. While there are a number of other specialists available, this register does provide an externally and objectively assessed database of possible experts. It is a good starting point for a search either for someone to help recruit an in-house infor- mation security adviser or to provide specialist advice to an existing in-house adviser.

This book is also the textbook for a specialist ISO27001 ISMS Implementation Master Class that covers, in three days, the practical realities of creating and implementing an ISMS to ISO27001. More information is available from www.itgovernance.co.uk/products/291.

Globally, there are now about 30 different vendor-neutral information security certificates, including those sponsored by the International Information Systems Security Certification Consortium [(ISC)2]. There is a further discussion of

training in Chapter 9, and information about current information security certifi- cates is available from www.itgovernance.co.uk/infosec_qualifications.aspx.

The organization should, in appointing its information security adviser, pay as much attention to the quality of the individual as to his or her qualifi- cations and formal experience. The nature of information security threats is always changing, and the technology and context within which an organi- zation is maintaining its information are in constant flux. The information security adviser needs to be able to respond to new threats and find and protect vulnerabilities in new technologies that the organization wants to deploy to improve its competitive advantage. This requires a flexibility of thought allied to a depth of experience and a structured, balanced – and open- minded – approach to all the information security issues that the organization will encounter. Of course, high-quality people need appropriate compen- sation packages; this will be money well spent.

As a practical matter, even where the organization recruits or appoints and trains a specialist security adviser, it is imperative that this person has access to specialist advice that covers the entire spectrum of information security. The BCS is a sensible starting point for identifying appropriate specialists, and through the pages of this book other specialists will be identified, some of whom may be appropriate for particular situations.

It is equally imperative that there is a method of remaining current with changing issues in the information security environment. The environment and the threats within it change so rapidly that an organization systematically has to keep on top of them. The most important site for a Microsoft network is, of course, www.microsoft.com. This carries a host of critical and relevant information, as well as updates and downloads, and should be consulted on a regular basis. The two most critical parts of the Microsoft site, from a security perspective, are the security (www.microsoft.com/securitydefault.mspx) and technet (www.microsoft.com/technet/default.asp) sections. Microsoft publishes the Microsoft Security Toolkit CD, which includes best-practice guides and information on securing the system. Every information security adviser should ensure that the best practice from this pack is integrated (where appropriate) into the organization’s ISMS.

There are a number of sources of regular information on information security issues. One is the information service available from this book’s website; it has a governance bias and is designed to be complementary to this book and to the range of information and support services provided by IT

Governance Ltd. There are three other specific information security maga- zines worth investigating, whose subscription cost offers (we believe) clear value for money. These are:

SC Magazine– available online and offline, with editions for the United Kingdom, the United States and Asia Pacific, with a website at www.scmagazine.com;

Infosecurity Today– published in the United Kingdom, with a UK bias, by Elsevier; the website is www.compseconline.com;

Information Security – published in the United States (but available worldwide), with a US bias, by TruSecure Corporation, whose website is www.infosecuritymag.com.

There are also online services and information security websites. One online service worth exploring is Security Wire Digest, published twice a week by TruSecure’s Information Security magazine and distributed by e-mail. Their contact details are as above and there is an online registration process to receive this e-mail.

Another critical website for the information security adviser is the site of the Computer Security Resource Clearinghouse (US National Institute of Standards and Technology), whose address is www.csrc.nist.gov. This site is an excellent information centre resource for information security profes- sionals; in particular, it carries substantial quantities of technical and security information on most issues that will be of interest in setting up a certifiable ISMS.

Attendance at industry exhibitions should also be a standard part of the role. The major annual UK exhibition is Infosec, and details of exhibitions can be obtained through www.infosec.co.uk. These shows have a wide range of current products available for review, as well as a series of seminars and addresses on current and upcoming security issues.

Each of these sources of information should supplement regular visits to the Microsoft website as well as those of providers of any other chosen and installed corporate software, including particularly the providers of the chosen firewall and antivirus software. These sites will usually be the first places that identify specific threats to their software and propose solutions. The information security specialist should follow all these information sources on a regular basis and act immediately a new threat or vulnerability is identified. Sometimes the newspapers can identify threats as fast as any other organization; no source of information should be ignored!