From misclassifications to more standards, here’s what we think the next 12 months will throw into the IA mix.
Misclassification leads to security breaches
The Government Security Classification Scheme is due to come into being in April 2014. There are still some who don’t believe that this is going to happen, but let’s presume that it will. Not everything is going to change overnight: the old protective markings will continue to exist for some time, perhaps for years yet.
However, 2014 will not come and go without at least one fairly serious security breach happening as a direct result of the scheme being introduced. It is most likely to come from misclassification at the OFFICIAL level. Government documents will be discovered with no OFFICIAL marking, as per the scheme, but the information they contain is likely to be sensitive enough for the press to have a field day. Questions will be raised! As for hacking attacks on Government systems, it is too early to predict whether successes will increase. During 2014, new standards and controls will be introduced that are aimed at the OFFICIAL Tier. Whether these are sufficiently robust remains to be seen.
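The failure mode described above is a document leaving the organisation with no protective marking at all, or carrying only an old marking from the previous scheme. The following is an added example, not part of the original post or of Ascentor's own tooling: a simple release-gate check in Python that looks for a marking in the header or footer of each document and sorts documents into correctly marked, legacy-marked and unmarked. The marking vocabulary reflects the GSC tiers (OFFICIAL, SECRET, TOP SECRET) plus the OFFICIAL-SENSITIVE caveat, and the legacy list reflects the old protective markings; the sample documents are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# GSC markings; longer alternatives come first so "TOP SECRET" is not read as
# "SECRET" and "OFFICIAL-SENSITIVE" is not read as plain "OFFICIAL".
_GSC_RE = re.compile(r"\b(TOP SECRET|OFFICIAL-SENSITIVE|OFFICIAL|SECRET)\b")
# Legacy protective markings from the scheme being replaced in April 2014.
_LEGACY_RE = re.compile(r"\b(RESTRICTED|CONFIDENTIAL|PROTECT|UNCLASSIFIED)\b")


@dataclass
class MarkingResult:
    name: str
    status: str             # "gsc", "legacy" or "unmarked"
    marking: Optional[str]  # the marking text found, if any


def header_footer(text: str, edge_lines: int = 3) -> str:
    """Return only the top and bottom lines of a document, where a
    protective marking is expected to appear. A marking buried in the body
    (e.g. the word SECRET in a sentence) does not count as marking the
    document."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) <= 2 * edge_lines:
        return "\n".join(lines)
    return "\n".join(lines[:edge_lines] + lines[-edge_lines:])


def check_marking(name: str, text: str) -> MarkingResult:
    """Classify one document by the marking in its header/footer region.
    Matching is case-sensitive on purpose: markings are conventionally
    upper case, so prose such as 'secret' or 'confidential' is ignored."""
    region = header_footer(text)
    m = _GSC_RE.search(region)
    if m:
        return MarkingResult(name, "gsc", m.group(1))
    m = _LEGACY_RE.search(region)
    if m:
        return MarkingResult(name, "legacy", m.group(1))
    return MarkingResult(name, "unmarked", None)


def triage(docs: Dict[str, str]) -> Dict[str, List[str]]:
    """Group document names by marking status so that unmarked and
    legacy-marked documents can be held back for review before release."""
    out: Dict[str, List[str]] = {"gsc": [], "legacy": [], "unmarked": []}
    for name, text in docs.items():
        out[check_marking(name, text).status].append(name)
    return out


# Constructed sample documents (hypothetical content, for illustration only).
SAMPLE_DOCS = {
    "briefing.txt": "OFFICIAL-SENSITIVE\nMinisterial briefing\nBody text\nOFFICIAL-SENSITIVE",
    "minutes.txt": "Minutes of the project board\nActions carried forward\nNext meeting date tbc",
    "legacy-memo.txt": "RESTRICTED\nInternal memo\nRESTRICTED",
    "newsletter.txt": "OFFICIAL\nStaff newsletter\nBody text",
}

if __name__ == "__main__":
    for status, names in triage(SAMPLE_DOCS).items():
        print(f"{status:9s} {names}")
```

Run against a file share or an outbound mail queue, the "unmarked" bucket is the one the prediction above is about; the "legacy" bucket shows how far the old markings still persist during the transition.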
Information security training demand on the increase
The continued meteoric uptake of cloud-based services, mobile working and Bring Your Own Device (BYOD) increases the responsibility of the end user to ensure that the information they are trusted with is appropriately protected. The fact that the end user can now get at the information they need from anywhere, at any time, from any device means that they must be far more aware of their security responsibilities. They need to have a good understanding of security issues and be able to make decisions about whether appropriate security is in place.
Physical Security: Consider the physical environment – is it safe to view the information? Are there people watching to try to capture the PIN used to access the device? Are people able to see the information displayed on the screen? Should the device even be taken into certain countries?
Procedural Security: What happens when the device is lost or stolen? What action should be taken and how quickly should it be reported? Will the user expect to be in trouble and therefore be less likely to report the loss or theft? What happens if a virus is detected? The user needs to understand how to react to ensure any compromise is contained quickly and efficiently.
Technical Security: The technical security issues are probably the most challenging. Does the device need to be encrypted and, if so, to what level? What encryption protocols need to be used when communicating over the Internet? HTTPS is fairly well understood, but how does a user determine the encryption being used by non-browser-based applications? Does the device they are using need to be protected by a password or PIN? If so, what complexity is appropriate? Can the user do local backups? Cloud backups? The list goes on and on.
Personnel Security: Can the user share information with other users? What are their clearance levels? How can this be confirmed?
Holistic security training covering some of the basic processes and procedures needs to be provided to the end users – and there are an awful lot of them. Training providers should be ready to step in and provide security training that is not aimed at specialists but at normal, non-techie people who now have responsibility for information on their own devices and want to protect it properly.
A new standard for Cloud Service Providers (CSP)?
The popularity of migrating services to CSPs doesn’t seem to be waning. The cost benefits are simply too great. For CSPs that offer the full end-to-end service as an all-in-one package with control over each layer (e.g. Microsoft Office 365), the overall security will continue to mature and represent less risk to customers. However, Software-as-a-Service (SaaS) only providers will continue to find it difficult to provide customers with the confidence that everything is joined up. We have seen many instances of a single cloud-based service having at least four different organisations responsible for its secure delivery:
- The service management authority, which sets up the contract and manages licences etc.;
- The SaaS provider itself, which manages the software delivery and operational support;
- The Platform-as-a-Service provider, which manages the underlying operating systems;
- The Infrastructure-as-a-Service provider, which manages the data centres and networks that it all sits on.
How SaaS CSPs manage to ensure that every party with a hand in the pie is able to manage customers’ information in a secure manner remains to be seen. A new standard, or modifications to the Cloud Security Alliance-backed Cloud Controls Matrix for SaaS-only CSPs, may be on the cards for 2014.
Ascentor continues to provide an excellent IRM service
Not a prediction; a statement of fact! We’ll continue to do all we can to deliver first class Information Risk Management and Information Assurance services this year.
Whatever you are doing, have a safe and enjoyable 2014 – it will be over before we know it.
- Why not join the growing band of Ascentor customers taking advantage of the Innovation Voucher Scheme and get £5000 to help cover the cost of information security consulting?