Integrating ISO 27001 to Increase Efficiency, Eliminate Redundancy, and Demonstrate Effectiveness
Never before have we witnessed the current pressures on business to protect customers, employees, and proprietary business information.
IT security is becoming increasingly threatened on all sides as businesses struggle to protect all kinds of information, including computer data, marketing strategies, tax and personnel records, financial data, communications, and business plans. Many companies overspend in an effort to protect so many different types of data, both printed and electronically stored, because they throw money and resources at each problem individually. This approach leaves the opportunity for a security breach very high. This white paper discusses an integrated approach to information security and how it can manage the real risks associated with internal security and validity, compliance with regulatory requirements, and eDiscovery, that is, providing a legal proceeding with litigation-ready records.
What is an integrated approach?
From a business perspective, an integrated approach creates value for customers and shareholders by improving capability, reducing cost, avoiding further cost, improving efficiency and delivering an ROI. From a human perspective, an integrated approach is a pathway for developing people into business and process leaders, and for enhancing their knowledge, skills and value to the business. The aim of the integrated approach is based on the conviction that every process can and should be repeatedly evaluated and significantly improved in terms of time required, resources used, cost and other aspects relevant to the process.
How can an integrated approach manage risk?
Organizations of all sizes and from all sectors face an identical problem set. All face inherent vulnerability to a wide variety of threats. Likewise, they face the high cost of reducing risk by maintaining an appropriate level of preparedness based on customer requirements and multiple regulations and standards.
An integrated approach can create the basis for a safe and secure resiliency program or management system, resulting in the design and deployment of a comprehensive risk governance platform for both compliance and assurance.
How is an integrated approach better than my current solution?
Organizations spend millions on firewalls, routers, segmentation, and compartmentalization of their security model, but most don’t spend enough time on internal processes and people. 80% of your information security breaches are committed by people internal to your organization. Internal employees are already past the firewalls and routers intended to protect you from security breaches. This type of security model is referred to as the “egg shell” security model, because it’s hard on the outside but soft in the center, like an egg. This solution fails due to a lack of employee training, a lack of any real security awareness, and an overall lack of substance. The result is that a lot of information supposedly protected under your IT infrastructure is not protected. This is where most breaches occur, whether by social engineering or by purposefully leaked documents.
When each individual component of information security is analyzed independently of your other security systems, it creates a “silo” effect, which is expensive to maintain given dozens of regulatory requirements that a company is expected to implement individually in each system. The integrated approach is a holistic approach that allows you to break down the silos that have been inappropriately implemented and develop an information security policy from the ground up, rather than by putting pieces together on the fly.
Are your infosec policies litigation-ready?
“The e-Generation” is one term that has been used to describe the current generation. Mail has given way to eMail. Commerce has given way to eCommerce. And, at the risk of stating the obvious, discovery, the process preceding a court trial where legal teams on each side gather evidence, has given way to eDiscovery. Out of a necessity to bring the legal system into the 21st century and allow the admissibility of computer records into courtroom testimony, the rules and regulations concerning eDiscovery have been standardized in legal statutes across America.
Effective December 1, 2006, U.S. companies and other parties involved with US companies and in federal litigation are required to produce “electronically stored information” as part of discovery, the process by which both sides share evidence before a trial.
If your employees’ “personal policy” is to delete emails that would be considered vital to litigation, that could be deemed virtual shredding. The information the attorneys are looking at isn’t there, and the organization or employee will have to explain why. If the organization does not have formal policies and procedures in place, virtual shredding or other employee practices could get your organization sanctioned by the court or fined.
Litigation-readiness is just one type of regulatory requirement that could easily be ignored by the internal employees in an egg-shell security model. There are dozens of other regulatory requirements that your organization must follow as well, including ISO 20000, HIPAA, SOX, SAS 70, FACT Act, State Privacy Laws, COSO, COBIT, ITIL, and a dozen more. The soft center of the egg-shell model simply makes enforcing all of these regulations piecemeal an expensive and complicated task.
Develop a comprehensive risk governance platform
To ensure both compliance and assurance with regulatory requirements, design and deploy a comprehensive risk governance platform using the steps defined here.
Step 1: Create a defined problem statement based on business priorities
- Identify poorly performing and/or redundant areas of compliance
- Understand sources of compliance requirements and business data to understand performance and business objectives
- Prioritize areas in terms of improvement value
- Define and launch projects with well-articulated scope, problem and objective statements that have a beneficial impact, either financially or strategically, on the business. A suggested project plan is designed.
Step 2: Identify ways to break down silos and begin to introduce effectiveness through collaboration
- Identify the true processes contributing to the observed undesirable performance, and determine the most likely contributors (e.g. business systems that contribute to the overall resilience, regulatory, and compliance program)
- Characterize the process thoroughly in terms of the inputs to and the outputs from the process, and measure the accuracy and repeatability of the method.
- Identify and analyze the data used to manage the process, and document value and non-value added activities (e.g. sources of variation)
Step 3: Eliminate risk management redundancy
- Apply appropriate analytical tools to determine with statistical certainty which areas in the BCMS, compliance, and security processes are redundant and in need of improvement and better performance. Examples include process mapping, use case modeling, and maturity optimization analysis.
- Now that the true causes of the problems are known, along with their sensitivities and effects, accurate improvement solutions can be identified. Examples include redundant systems, silos, fragmented processes, and meaningless metrics.
Step 4: Continuous improvement process based on performance objectives
- Systematically review critical factors in the process to focus on the modifications and adjustments needed to achieve the desired level of performance output and to optimize specific processes. Begin the development of objective metrics.
Step 5: Measurement process driving long-term viability
- Incorporate the basic tools of process control and choose the critical process inputs to assure that the improved performance will be maintained and sustained.
- Implement a measurement process that provides management with the reporting mechanisms for tracking improvements, identifying opportunities, and documenting the ROI. Finalize the objective metrics.
Once these steps are completed, a new management system is in place, allowing continual improvement and increased measurable savings over time. At this point, it’s appropriate to hand off the project from the improvement specialists to the owners and workers within the process. This step involves knowledge transfer, development of consistent processes, and the determination of organizational resilience, resulting in one process that complies with many requirements.
The ISO 27001 Solution: Implement an Information Security Management System
ISO 27001 is an umbrella that organizations can use as a framework by which they can organize, monitor, and control their regulatory and industry-standard requirements. A holistic ISO 27001 compliance solution means breaking down the silos and introducing effective information security policies.
The result of ISO 27001 is a continuous improvement cycle on the reliability and efficiency of internal security procedures. Implementing and maintaining an ISMS in accordance with ISO 27001 is a four-step process; this section provides a walkthrough of ISO/IEC 27001 policies and implementation guidelines.
Step 1: Establish an ISMS
Define an ISMS policy and scope. Define the risk assessment approach. Identify the assets and risks. Analyze and evaluate risks. Identify and evaluate risk treatment options. Select control objectives and controls. Get management approval of the proposed residual risks. Get management authorization to implement and operate the ISMS.
Step 2: Implement and Operate the ISMS
- Formulate a risk treatment plan for managing information security risks
- Classify information
- Implement training and awareness programs for employees, managers, human resources, legal, third party vendors, outsourced companies, auditors and compliance managers, and information technology professionals like system administrators, network operators, and help desk staff.
Step 3: Monitor and Review the ISMS
- Analyze inputs and outputs of your processes
- Undertake regular reviews of the effectiveness of the ISMS, including meeting ISMS policy and objectives and a review of security controls.
- Measure the effectiveness of controls to verify that security requirements have been met.
- Review risk assessments at planned intervals and review the level of residual risk and identified acceptable risk.
Step 4: Maintain and Improve the ISMS
- Implement the identified improvements in the ISMS
- Take appropriate corrective and preventive actions. Apply the lessons learned.
- Communicate the actions and improvements to all interested parties.
- Ensure that the improvements achieve their intended objectives.
Conclusions
The result of implementing ISO 27001 standards and a managed risk architecture for your ISMS is confidence at all levels of your organization: at the organizational level, at the legal level, at the operating level, at the commercial level, at the financial level, and at the human level. With proper due diligence performed, you can ensure that your organization is litigation-ready when asked to produce records concerning regulatory requirements.
Failure to implement the ISO 27001 standard increases the likelihood of control inefficiency and overlapping risk mitigation strategies, resulting in overspending by the organization. The integrated approach of ISO 27001 delivers a measurable return on investment once implemented.