Good question.

Information risk is the classic slopey shoulder issue – the corporate ‘hot potato’ that is often lobbed at the IT department when the risks go far beyond their remit.  This approach can leave an organisation vulnerable, with the result that information risks are not really managed at all.

So, who should be responsible for Information Risk Management? The short answer in our view is ‘everybody’. In a well-implemented Information Risk Management system, everyone has responsibility to ensure this is applied and effective: from IT to HR, from finance to individual business managers and staff on the ground.

But the ultimate responsibility must surely lie with the Board. Even though information risk affects all areas of a business it is often not prioritised at top level. It’s the Board’s duty to weigh up the corporate risks and benefits, aligning the goals of IT and the business for a balanced information risk management stance and approach.

We urge every business to see Information risks as business risks, with a top-down mandate and company-wide control.

Responsibilities of the Board

So if the Board is going to own information risk what steps do you need to take?

• Make a firm commitment to managing information risk: develop an information risk management strategy that sets out principles, roles, responsibilities and a sound system of internal controls (your ‘security architecture’).
• Prepare an Information Risk Register: a good mechanism for identifying and treating risks.
• Provide policies (as required by international security standards) to give direction to employees. These policies will define your position on all aspects of information security and these policies are at the heart of your management of risk.

If your organisation is serious about protecting its valuable information have a look at the Ascentor Information Risk Action Plan.

Article by Dave James, MD of Ascentor

Other articles you might like:

• Information Risk is NOT Just an IT Issue
• What information, where? The first step in Information Risk Management
• Seven Solid Benefits of Information Risk Management

In our business we talk a lot about cyber security, IT security, information risk and information assurance and but what do the terms really mean?

We want you to fully get to grips with Information risk management (there’s another one!) and what it’s all about and so have outlined the core terms below.

Information Risks. Information risks are the threats and vulnerabilities every organisation faces today. When it comes to the information you rely on there is a growing need for protection from loss, damage or malicious attack.

Protection means three things:

1. Confidentiality – your information should only be accessible to those with a genuine business need.
2. Integrity – your information needs protection from unauthorised changes.
3. Availability – your information needs to be available to the right people at the right time.

IT or Computer Security. The technical security controls used to protect the functionality of IT systems or the information they store.  These controls are developed to protect the confidentiality, integrity or availability of information.

“Modern IT security: at the basic end of the spectrum, this means keeping all software patched, minimising exposure to attack via un-trusted networks and auditing for unusual behaviour.

At the more complex end, it is about broad and comprehensive monitoring to quickly detect and respond to intrusions.

At both ends, it’s about ensuring you know when an attacker has got into your network, minimising the (temporary) access they enjoy, ensuring you know what they’ve done, knowing you can kick them out quickly, and being sure they can’t get back in the same way.”

Dr Ian Levy, Head of CESG, quoted in the Guardian Government Computing, 25 October 2011.

Information Security. All controls (physical, procedural, personnel and technical) that are used to protect the confidentiality, integrity and availability of information, regardless of form (on IT systems, hardcopy prints, telephone lines etc.) Information security is the term used in the commercial world (for government sectors see IA). It is the result we all want – adequate protection for valued information.

Information Assurance (IA). Information Assurance (IA) expands on Information Security to highlight the need for formal assurance requirements. IA is the term used by most western governments.

“The confidence that information systems will protect the information they handle; function as they need to, when they need to; and be under the control of legitimate users.”

Cyber Security. Expands on Information Assurance or Information Risk Management to include the ability to proactively respond to the threats. Cyber security involves protecting information by preventing, detecting and responding to attacks.

Information Risk Management (IRM). The solution. The process of identifying, understanding and managing the risks to your information within the context of an organisation’s business needs. It is what we do here at Ascentor (see: Information Risk Management the Ascentor Way).

“The systematic application of management policies, procedures and practices to the tasks of analysing, evaluating, treating and monitoring information related risks.”

Please let us know of any jargon we’ve missed and that you’d like a definition for. We will add it to our jargon buster.

Article by Dave James, MD of Ascentor

Related Articles:

• What is PCI DSS?
• Information Risk Management the Ascentor Way

What is IAMM and why should I care?

IAMM, The Information Assurance Maturity Model and Assessment Framework was published by The Cabinet Office and CESG in late 2008 to support HMG Departments in developing IA maturity.  This was to support the adoption of the Security Policy Framework (SPF), which mandates 70 security controls for Government Departments to address.

Does IAMM apply to us?

From 2011 onwards, Ministerial and non-Ministerial Departments have been required to provide an annual report to Cabinet Office using the Security Risk Management Overview (SRMO). Departments are to use the IAMM and associated CESG Supported Self-Assessment procedure to establish the evidence to support the SRMO.

Organisations such as the Association of Chief Police Officers have stated that Police Forces are to demonstrate compliance with the SPF using the IAMM. Police Forces were to achieve a baseline review by 31st May 2011 with the aim of reaching Level 2 by March 2013 (See: Police Service IA Strategy 2010-13 v 1.0).

Government Departments are also  required to report on the IA maturity of their supply chain. This means that those commercial companies forming parts of that supply chain are increasingly going to be required to demonstrate their compliance in this area.

Those businesses that can demonstrate their IA maturity and competence are more likely to have a competitive advantage.

How does IAMM work?

CESG proposes a number of options for audit and compliance:

• Self Assessment;
• Supported self assessment;
• Independent assessment and audit by an external body.

The IAMM assesses maturity of the following areas of information risk management:

• Leadership and Governance;
• Training, Education & Awareness;
• Information Risk Management;
• Through-Life IA Measures;
• Assured Information Sharing;
• Compliance.

The process is as follows:

• Assess if the requirement to demonstrate IA maturity applies, is likely to apply to, and would benefit your organisation or company.  If yes, then plan an assessment of IA maturity;
• Establish a Board level requirement with a commitment to achieve an IA maturity goal in a time frame that meets your business aims;
• Use the results of the maturity assessment to develop a strategy to address IA deficiencies to meet your timeline;
• Implement the strategy and plan for audits to confirm that IA maturity is improving.

What do I do next?

Decide if the IAMM applies or is of benefit to your organisation or Department.

If so conduct a self assessment or get qualified support in the form of an independent IAMM audit from an assessor company such as Ascentor.

By Steve Maddison, IAMM specialist and Director and Principal Consultant at Ascentor.

Related content:

• What every Government Supplier needs to know about the UK Cyber Security Strategy
• Find out about Ascentor’s IAMM Audit service

Lost laptops or disks, saying the wrong thing loudly on the phone on the train, leaving a folder of sensitive customer details in the pub – all can have a serious impact. People make mistakes. This article gives advice on what you can do to minimise the risk of human error.

Social Engineering is on the rise

“People are the weakest link at any level of security,” says hacker quoted in BBC article

People are often the weakest link to securing information within an organisation. Social engineering, where users are duped into giving away their passwords or other sensitive information has always been the easiest way to get information.

A report by Computer Weekly (September 2011) found that less than a third of UK businesses provide regular training aimed at preventing social engineering attacks, despite 42% being hit this way in the past two years, at an average cost of £15,000 per incident.

Often, security incidents arise because of a failure to comprehend the risk. Awareness and personal responsibility in protecting the organisation against information incidents is key. This awareness needs to permeate the entire organisation so everyone understands their relationship to information risk and their responsibilities.

Security awareness programmes and training should be an ongoing function – from induction to regular training and updates.

The following story illustrates how a simple lack of awareness of security risks by a children’s hospital resulted in a full scale data security breach, in addition to the payment of damages and jail for one unsuspecting man.

The story of the jealous boyfriend

An Ohio man sent an email to his girlfriend that contained spyware because he thought she might be cheating on him. The girlfriend opened the email on her work computer and the spyware installed on her work system rather than her home system. As a result her boyfriend began to receive copies of her emails, which included sensitive medical information. This constituted a data security breach on the part of the Children’s Hospital where his girlfriend worked.

Whilst the man was caught and jailed for up to 5 years in prison and was forced to pay $33,000 in damages to the hospital, the hospital could have done much more to eliminate this risk.

Lessons to be learned:

• Allowing access to home email from work IT systems increased the risks and additional protection was required.
• Anti-virus/anti-spyware software might have prevented or identified the spyware and alerted the systems administrators.
• ‘System hardening’ could have helped.
• The breach was likely caused by poor policies and procedures within the hospital and a lack of training for the staff. Make sure all staff are aware of what constitutes sensitive information and that such information has adequate levels of protection.
• Never send sensitive information across the internet or by email unencrypted.
• Don’t spy on your girlfriend!

Related articles

• Protect Your Systems from Cyber Threat with 5 Basic Security Controls
• Top 10 Information Security Breaches (and what you can do to avoid them)

You can find the full article on the BBC Business News site here – Small firms are ‘easy target’ for cyber crime. 

The BBC article is right to highlight the dangers to small firms as well as large. Research from Symantec shows that since the beginning of 2010, 40% of all targeted attacks have been directed at small and medium-sized businesses, compared to only 28% directed at large companies. Worrying statistics. If you run a small business here are answers to some of the questions you might well be asking:

Question: Where are the key flash points for small firms in terms of technology security?

Answer: The consumerisation of IT, bringing your own device (BYOD) to work, the cloud and the rise of social media are the things small businesses should be concerned about. Yes, smartphones and tablets make life easier (and they’re cool), and allowing your staff to bring in their own devices for work purposes along with cloud based services makes doing business cheaper but there is a downside if your company has valuable information stored on these devices. Social media brings opportunities for business but also risks.  There are no easy answers to balancing the need for efficiency and securing valuable data. It’s all about risk and business leaders need to think through what is acceptable in the context of their business operations.

Question: Who is likely to attack businesses and why?

Answer: High value information is what an attacker will be looking for but what constitutes ‘high value’ depends upon the business and the attacker. The Cost of Cyber Crime, a report by Detica and the Office of Cyber Security and Information Assurance identified the cost of IP theft and industrial espionage at £17Bn per annum for the UK so any small company involved at the cutting edge of technology is certainly a target from cyber criminals who will profit from stealing new ideas.

But it’s not just the techie SMEs that need to be concerned, companies processing peoples credit or debit card details need to protect the processing and transit of that data within their network. Credit card fraud is down again this year but it’s unlikely that the cyber criminals will stop attacking as obtaining and selling on card details from poorly protected companies is relatively easy work.

At the end of day whilst there is little understanding of cyber crime and cyber attacks for the majority of the population, cyber criminals will exploit this and cyber crime will continue.

Question: What impact do such attacks have?

Answer: In the main an attack impacts a company’s finances or reputation. A small start up technology firm that has its ‘about to be patented design stolen’ could go bust almost immediately. The mature company that trades on innovation may see a reduction in sales over a longer period of time. In between these extremes there are a myriad of scenarios but in general the impact is to the financial standing of a company.

Diginotar, the Dutch based certificate issuing authority, went bust as a direct result of their information loss, as an IT company involved with ‘security’ Diginotar’s reputation was irreparably damaged by the incident. But not all companies suffer catastrophic impacts; TKMaxx share price was not affected at all when they had 100,000’s of card details stolen, but that was a few years ago. There is ever more awareness of cybercrime and people may be less forgiving of large companies being victims of cyber-based attacks. The network attacks on Sony PlayStation and RSA both cost significant amounts to rectify but their long-term future was not in jeopardy.

“The UK is pushing for a knowledge-based economy keeping hold of that knowledge becomes paramount if we are to succeed in the global economy.”

Question: What steps should small firms be taking to protect themselves?

Answer: This falls into two categories; understand what and where your valuable data is and then do something to protect it.  When protecting your data, if nothing else do the basics. Passwords, patching, anti-malware, access, admin rights, firewalls, and encryption – basic security controls can prevent 80% of all cyber attacks.

See our previous article – Protect your systems from cyber threat with seven basic security controls.

Article by Dave James, MD of Ascentor.

Other articles you might like

• What information, where – the first step in Information Risk Management
• Information risk is not just an IT issue
• Assess your company’s risk with our free online information risk review tool

The Payment Card Industry (PCI) Data Security Standard (DSS) is the worldwide benchmark that helps you safeguard your customers’ payment card data. As a merchant you are at the centre of payment card transactions. Compliance with PCI DSS will help to make you less vulnerable to payment card fraud, your customers less vulnerable to identity theft and build customer trust.

There are billions of payment card transactions each year. Most of these go without a hitch but payment card fraud and identity thefts are increasing. More than 234 million records with sensitive information have been compromised since January 2005 according to Privacy Rights Clearing House. Your customers rely on you to keep their payment card information safe and secure – repay their trust with PCI DSS compliance.

“The goal of the Payment Card Industry Data Security Standard is to protect Cardholder Data that is processed, stored or transmitted.” Payment Card Industry Security Standards Council

Who needs to be PCI DSS compliant?

• Merchants/retailers
• Ecommerce businesses
• Service providers to merchants
• Application developers
• Manufacturers and handlers of devices used in card transactions

Any company that handles information held on payment cards is required to fully comply with PCI DSS regardless of how many card transactions it carries out. You have to renew compliance annually – either with an onsite security audit or self-assessment questionnaire. Think of it like an MOT certificate for your cardholder data security practices. Don’t lie on a self-assessment questionnaire – it changes the nature of the issue from a contractual argument to a criminal offence.

What risky behaviour does PCI protect against?

A survey of businesses in US and Europe by Forrester Consulting found that:

• 81% store payment card numbers
• 73% store payment card expiration dates
• 71% store payment card verification codes
• 57% store customer data from the payment card magnetic stripe
• 16% store other personal data

These types of activities are a huge risk to the businesses involved.

What does PCI compliance involve?

The PCI DSS is a comprehensive set of controls for enhancing payment account data security – common sense steps that reflect security best practices.

1. Assess. Identify Cardholder Data within the business, identify where it is stored or processed, and analyse vulnerabilities that could expose them.
2. Remediate. Fix vulnerabilities and do not store cardholder data unless you need it.
3. Report. Compile and submit required remediation validation submissions and submit compliance reports to the Acquirer. Otherwise have a QSA audit and submit a Report on Compliance.

A PCI DSS Qualified Security Assessor (QSA) firm such as Ascentor will help you to identify and implement the controls needed to achieve compliance first time and maintain it for the future.

The positive benefits of PCI DSS compliance

The time and money you put into becoming PCI certified is more than matched by the advantages it will bring.

• It will protect your business from threats
• It will protect cardholder data
• It proves your organisation takes data security seriously
• It will improve your reputation with payment partners
• It increases customer trust, which means more sales and loyalty
• It will strengthen your business

You’ve worked hard to build your business. Secure your success by protecting your customers’ payment card data with the PCI standard.

If you have a PCI DSS question do get in touch. Based in Gloucester, UK Ascentor helps businesses to achieve and maintain PCI compliance. PCI can be a complex process. We’re at your side every step of the way.

Related information:

• Ascentor’s PCI DSS compliance service 
• 5 things to do to maintain PCI compliance each year

Before you look at how to protect your valuable information it is important to be clear on what information you need to protect and where it sits in your organisation. This is a vital first step in the Information Risk Management process (see Ascentor’s 4 step Information Risk Management Process) and one that is sometimes forgotten.

Things change fast with business and information

Many organisations carried out a data audit when privacy legislation first came in (this was a requirement of the Data Protection Act of 1998) but this was a long time ago now. It was a snapshot in time, and things change fast when it comes to business and information.

As your company grows, so do your information risks. Information volumes creep up over time: strategic decisions, new projects, new partnerships, new technology – all have an impact and require careful change management.

Is that new information more or less valuable than that previously held; does that new contract require more or less rigour in the protection of the customer’s data? Important questions that need an answer.

The need for regular audit

In the way that good stock control starts with an understanding of what stock is held and where it can be found, so the management of information and consequently information risks must start with knowing what information is held and where. But this can’t be a ‘once and done’ activity.

Organisation’s need a regular audit process that allows for the recording of all information and where it sits. Regular information audits will help you to understand the value of your information – a crucial process to embed in the business, ideally undertaken every year; sometimes more often in high risk or dynamic environments.

Good decisions require good information

Knowing what and where your valuable information is will enable you to make better investment decisions on how to protect it, ensuring money is spent on controls that mitigate the risks you care about the most, not the ones the hardware and software resellers want you to spend money on.

Managing information risks gives you the visibility and confidence you need to make the right decisions to protect your information and strengthen your business. It all starts with knowing what information, where.

Is it time for an information audit?

Article by Dave James, MD of Ascentor

Other articles you might like:

• Protect your systems from cyber threat with 7 basic security controls
• BT’s major broadband outage and being prepared for information risk

“80% of cyber attacks could have been prevented by having basic security in place.” Paddy Keating, Ascentor

Today we have access to more information than ever before. With the huge resources of the Internet; a massive increase in cheap storage capacity; the phenomenal take up of Cloud computing and social media – new threats and vulnerabilities arise. Technical equipment and systems are designed to be function and feature rich, not necessarily secure. Windows PCs only had a built-in firewall recently!

For business systems this means an increase in information risks and frighteningly, a rise in security breaches. All is not lost however. Just doing the basics will help to protect you from many of the cyber-threats your information systems face today.

7 basic security controls to protect your business

Get the basics right with these seven controls and you’ll be a long way towards making your information systems more resilient.

Don’t forget, once you have your systems protected test them to make sure the controls have been implemented properly and make sure nothing has been forgotten.

Article by Paddy Keating, Director of Ascentor and Information Risk Management consultant.

Related information:

• Information risk is not just an IT issue
• Top 10 information security breaches
• Assess the security of your information with our free online risk review

For many businesses or organisations today, protecting valuable information from risk will be a growing priority. If you want to remain competitive, profitable and trusted by your customers it’s a concern that needs to be taken seriously.

Information Risk Management is the solution to managing your organisation’s information risks. It’s the process of identifying, understanding and managing the risks to your information within the context of your business needs. Robust Information Risk Management is an opportunity for the business and a positive challenge for the management team.

Here are seven good reasons why a robust Information Risk Management approach makes sound business sense.

1. Robust Information Risk Management brings competitive advantage through an increase in trust that will improve the company’s reputation for better sales results.
2. Effective Information Risk Management lowers the chances of a damaging information security incident. It will help you understand your risks and what you need to do to avoid a breach.
3. Mastering Risk Management gives you the visibility and confidence to make better business decisions – decisions based on real risks, not rumour or scaremongering.
4. Information Risk Management can save money through more efficient controls, more effective architectures and appropriate levels of protection.
5. Information Risk Management includes business continuity, keeping the business going in unforeseen circumstances or emergencies.
6. Information Risk Management gives you full visibility. Knowing where your information is will enable you to put your hands on the right details fast, faced with any request for information (e.g. HR/legal)
7. Understanding and managing your risks brings peace of mind – you can be confident that you have taken due care and diligently exercised risk management in accordance with your business requirements.

Find out more about effective Information Risk Management in The Board’s Guide to Information Risk.

Article by Dave James, MD of Ascentor

Other articles you might like:

• BT’s major broadband outage and being prepared for information risk
• Information risk is not just an IT issue

It is tempting to think that once you have achieved PCI DSS compliance you can rest on your laurels. That’s it, finished isn’t it – nothing more to do until this time next year?

I know you have worked very hard on PCI, but I am going to disappoint you here. If you want to KEEP your PCI DSS compliance you have work to do throughout the year. Unless you keep your eye on the PCI ball you could end up with a very expensive compliance project each year. The key to ongoing PCI success is continuity. You’ve got to keep up all that good work.

5 ways to ensure consistent PCI DSS compliance

1. Make someone responsible. Give someone responsibility for ensuring that all changes to business processes or the IT and network take account of your PCI DSS compliance obligations. This person needs to have a say in all areas of the business and all aspects of operations.

Often a business will task a project manager to run a PCI DSS compliance achievement project but when the project is complete the project manager moves on to another project. Nominating an internal PCI DSS manager – your organisation’s PCI conscience – will help to ensure that continuity is not lost.

2. Stay in touch with your QSA. Your PCI DSS Qualified Security Assessor is not only a worthwhile source of information and advice during the audit but throughout the year. They have a wealth of experience that can save you wasted time effort and considerable expenditure. Your QSA’s advice is invaluable to ensure that you are not undertaking work you don’t need to. At the very least they can give you the peace of mind that they are not going to raise objections next year at the audit.

3. Keep up the vulnerability testing. Most important of all make sure that you close off those “not so important low level vulnerabilities”. You will need to demonstrate to the QSA at the next audit that you have a good vulnerability management system in place. You can’t do that if you still have a lot of the same vulnerabilities that you had last year – even if they are unimportant low-level ones.

4. Focus on configuration control. Configuration management is essential in making sure that you have the correct versions in the right places. PCI DSS compliance is about keeping control of your network, routers, servers and ancillary devices. Without good and consistent version and configuration control you cannot hope to maintain control over your network and the way in which it works.

5. Make sure patch management and change control go hand in hand. Change control and patch management can cause inconsistency within a network. Systemise your patch management so that it is not a new job every time a new patch comes out. If you make it a continuous process there is less opportunity for overlooking a patch or failing to realise its significance. Patch management must be carried out within a change control framework. Without this framework the network will develop organically and consistent control becomes impossible.

“Variability is the enemy of efficiency.” Denning

Do these 5 things and PCI DSS compliance will be far easier and less expensive to maintain year on year. Reduce variability: consistency is key for PCI success.

Article by Colin Dixon, Ascentor’s lead QSA for PCI DSS.

Further Information

• If you have any questions about this standard and how to achieve or retain compliance Colin would be pleased to help: colin.dixon@ascentor.co.uk.
• Achieve PCI DSS, the Payment Card Industry Data Security Standard compliance with Ascentor