Lessons learned from WikiLeaks: What exactly is information security?
Dejan Kosutic, The ISO 27001 & ISO 22301 Blog
Nowadays WikiLeaks is a hot story for a good reason – it is not
very common for confidential documents of the world’s most powerful government
to be published on the Internet. And some of these documents are, to put it
mildly, embarrassing.
Here I am not going to write about whether it was legal for
WikiLeaks to publish such information or not, whether the information should
have been made public because of the public interest or not, what is going to
happen to its founder (at the time of writing this article Julian Assange was
in custody) etc.
The problem is – if WikiLeaks is going to be shut down, a new
WikiLeaks will appear. In other words, the threat of leaking information to the
public is constantly increasing. (By the way, before he was jailed, Julian Assange
had announced he would publish incriminating information about a major U.S.
bank and its malpractice.)
I want to touch here on the corporate point of view – what if we
are the next target of WikiLeaks or its clone? How to ensure the security of
our information and prevent the damage of such a large incident?
Simple example
But what does information security look like in practice? Let’s
take a simple example – for instance, you frequently leave your laptop in your
car, on the back seat. Chances are, sooner or later it will get stolen.
What can you do to decrease that risk? First of all, you can make a rule (by writing a procedure or a
policy) that laptops cannot be left in a car unattended, or that you have to
park the car where some kind of physical protection exists. Second, you can protect your information by setting a strong
password and encrypting your data. Further, you can require your employees to
sign a statement by which they are legally responsible for the damage that may
occur. But all these measures may remain ineffective if you don’t explain the
rules to your employees through a short training.
So what can you conclude from this example? Information security is never a single security measure; it is
always several of them working together. And the measures are not only IT-related, but
also involve organizational issues, human resources management, physical
security and legal protection.
The problem is – this was an example of a single laptop, with no insider threat. Now consider
how complex it is to protect the information in your company, where the
information is archived not only on your PCs, but also on various servers; not
only in your desk drawers but also on all your mobile phones; not only on USB
memory sticks but also in the heads of all employees. And you may have a very
disgruntled employee.
Seems like an impossible task? Difficult – yes, but not
impossible.
How to approach it
What you need to solve this complex problem is a framework. The good news is that
such frameworks already exist in the form of standards – the most widespread is ISO
27001, the leading international standard for information security
management, but there are also others – COBIT,
the NIST SP 800 series, PCI DSS etc.
I’m going to focus here on ISO 27001 – I think it gives you good
ground for building the information security system because it offers a
catalogue of 133 security controls, and offers the flexibility to apply only those
controls that are really needed in relation to the risks. But its best feature is
that it defines a management framework for controlling and directing security issues,
so that security management becomes part of the
overall management of an organization.
In short – this standard enables you to take into account all
the information in various forms, all the risks, and gives you a path to
carefully resolve each potential problem and keep your information safe.
Consequences for business
So, should the corporations be afraid that their information
will leak to the public? If they are doing something illegal or unethical, they
certainly should.
However, if companies operating legally want to
protect their business, they cannot think only in terms of return on
investment, market share, core competence, and long-term vision. Their strategy
must also take security issues into account, since insecure
information can cost them much more than, for example, a failed launch of a new
product. By security I mean not only physical security, because that is simply not
enough anymore – technology makes it possible for information to leak
through various means.
What is needed is a comprehensive approach to information security – it doesn’t matter
whether you use ISO 27001, COBIT or some other framework, as long as you do it
systematically. And it is not a one-time effort, it is a continuous operation.
And yes – it is not something your IT guys can do alone – it is something the
whole company has to participate in, starting from the executive board.
Note from Plamen Kamenov:
I fully agree with what Dejan wrote in this post and "strongly" recommend it to everyone who is starting activities to build security systems for their business.