Carphone Warehouse, Experian, T-Mobile, the US Office of Personnel Management, Adobe and even the Italian surveillance-software vendor Hacking Team. These are just some of the major organisations that have suffered malicious data breaches in the last two years. TalkTalk has just announced a breach that was allegedly carried out by a 15-year-old hacker!
So what hope do the rest of us have in protecting our data?
Well, the guidelines laid out in ISO 27001:2013 are a good start. ISO 27001, the international standard for Information Security Management Systems, provides a “recipe” for keeping your data safe and secure.
In its simplest form, the standard requires us to identify the risks to the confidentiality, integrity and availability of our information, assess them, and then treat anything that isn’t secure enough to meet our own acceptance criteria.
Now, the term “risk assessment” is something that we hear all the time, but what does it actually mean?
Here’s where James Bond comes in…
Risk is made up of 3 factors: hazards, likelihoods and consequences (in ISO 27001 terms, a threat exploiting a vulnerability in an asset, how likely that is to happen, and the impact if it does). Whilst 007 may appear to have nerves of steel and throw caution to the wind, in reality he is carrying out numerous risk assessments and making split-second decisions. OK, he’s also hard as nails with balls of steel, but there is still a risk assessment process taking place on a continual basis.
So here’s the analogy. Whilst hitting a combined speed of 140 mph on a Vespa moped, on top of a Trans-Canada express train going over a bridge, Bond sees that the train is heading towards a low tunnel. Recognising that he has no option but to jump, he quickly risk assesses the situation. Dana dana da na na…
So what are the hazards? Well, he could end up hitting something before he reaches the water, or he could do the mother of all belly flops (that would undoubtedly smart).
What are the consequences of jumping? Obviously, it could be an extremely short box-office smash as he plummets to his certain death.
Now, what is the likelihood of it all going wrong? In reality, it is pretty high! Vespas are not renowned for their parachute-like properties and aerial freefall stability…
This is where the real work starts. Bond has assessed the risk of jumping from the train; he now has to think up some ingenious mitigations to increase the likelihood of survival and reduce the consequences should it go wrong. Crucially, he then has to ask whether the risk that remains after those mitigations is one he can live with.
Bond being Bond, he is already equipped with a multitude of Q’s gadgets, including the pop-up parachute diving watch and the GPS-tracking chocolate biscuits in the breast pocket of his penguin suit. So, obviously he will live to die another day!
So what does this have to do with Information Security?
Well apart from being exciting, sexy and at the cutting edge of technology and business best practice, we can follow the same basic process in protecting our data.
ISO 27001 provides a framework that enables us to look at anything within our business that could affect our information security, good or bad, i.e. the standard’s “risks and opportunities”. These can be the assets we use, the way we store or control data, or how we train people to use or classify data. For each one we identify what could go wrong (the threat and the weakness it would exploit), how likely it is, and what the consequence would be for the confidentiality, integrity or availability of the data. Likelihood and consequence together give a risk level, which we compare against the acceptance criteria we set for the business to decide whether it needs treating. Mitigations (risk treatment, in the standard’s language) are the actions we carry out to reduce or eliminate the risk: applying a control, avoiding the activity altogether, sharing the risk through insurance or a supplier, or consciously deciding to retain it because it is already within appetite.
We can then use the mitigations or improvements to generate our controlling procedures. The standard also expects us to record which Annex A controls we have chosen and why in the Statement of Applicability, and to re-assess once the controls are in place, because a treatment that still leaves the residual risk above our acceptance criteria has not finished the job.
It then all feeds into that good old-fashioned best-practice cycle for managing your business: assess, treat, check, improve.
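To make the assess-then-treat loop concrete, here is a small risk register in Python. It is an added example, not code from this post or from isCompliant: the 1 to 5 rating scales, the level bands, the risk appetite, the sample risks and the Annex A control references attached to them are all constructed for illustration. It walks the same steps Bond goes through on the train: score each risk on likelihood and consequence, record a treatment (using the ISO 27005 options of modify, retain, avoid or share), then re-score and flag anything still above appetite.

```python
"""ISO 27001-style risk register: identify, assess, treat, then re-check residual risk.

Added example, not code from the original post or from isCompliant. The rating
scales, level bands, risk appetite, sample risks and Annex A references are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

TREATMENTS = {"modify", "retain", "avoid", "share"}  # ISO 27005 risk treatment options
RISK_APPETITE = 6  # assumed acceptance criterion: a score above this must be treated


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    consequence: int  # 1 (negligible) .. 5 (severe)
    treatment: str = "retain"
    controls: List[str] = field(default_factory=list)  # Annex A references applied
    residual_likelihood: Optional[int] = None  # None means unchanged by treatment
    residual_consequence: Optional[int] = None

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.consequence):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and consequence must be rated 1..5")

    @property
    def inherent_score(self) -> int:
        """Risk before treatment: likelihood x consequence on a 5x5 matrix."""
        return self.likelihood * self.consequence

    @property
    def residual_score(self) -> int:
        """Risk after treatment; a factor the treatment does not change keeps its rating."""
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        con = self.consequence if self.residual_consequence is None else self.residual_consequence
        return lik * con


def rating(score: int) -> str:
    """Band a 1..25 score into the three levels shown on the matrix (assumed bands)."""
    if score <= 4:
        return "low"
    if score <= 12:
        return "medium"
    return "high"


def treat(risk: Risk, option: str, controls=(),
          likelihood: Optional[int] = None, consequence: Optional[int] = None) -> Risk:
    """Record a treatment decision and the ratings expected once it is in place."""
    if option not in TREATMENTS:
        raise ValueError(f"unknown treatment option: {option}")
    for value in (likelihood, consequence):
        if value is not None and not 1 <= value <= 5:
            raise ValueError("residual ratings must be 1..5")
    risk.treatment, risk.controls = option, list(controls)
    risk.residual_likelihood, risk.residual_consequence = likelihood, consequence
    return risk


def needs_attention(register: List[Risk]) -> List[Risk]:
    """Risks still above appetite after treatment: the loop is not finished for these."""
    return [r for r in register if r.residual_score > RISK_APPETITE]


def summarise(register: List[Risk]) -> dict:
    """Count risks per inherent rating band, as a management summary would."""
    counts = {"low": 0, "medium": 0, "high": 0}
    for r in register:
        counts[rating(r.inherent_score)] += 1
    return counts


def build_register() -> List[Risk]:
    """Constructed sample register walking the assess -> treat -> re-check steps."""
    laptop = Risk("staff laptop", "theft", "disk not encrypted", likelihood=3, consequence=4)
    webapp = Risk("customer database", "SQL injection via web app", "unvalidated input",
                  likelihood=4, consequence=5)
    staff = Risk("staff", "phishing", "no awareness training", likelihood=5, consequence=3)
    fileserver = Risk("legacy file server", "ransomware", "unpatched OS",
                      likelihood=4, consequence=4)
    office = Risk("office", "power outage", "single supplier", likelihood=2, consequence=2)
    # Treatment lowers likelihood, consequence or both; the residual numbers are assumptions.
    treat(laptop, "modify", ["A.10.1.1 cryptographic controls"], consequence=1)
    treat(webapp, "modify", ["A.14.2.1 secure development policy"], likelihood=1)
    treat(staff, "modify", ["A.7.2.2 awareness training", "A.9.4.2 secure log-on"],
          likelihood=3, consequence=2)
    treat(fileserver, "modify", ["A.12.6.1 technical vulnerability management"], likelihood=2)
    treat(office, "retain")  # 2 x 2 = 4 is already within appetite, so retaining is a valid decision
    return [laptop, webapp, staff, fileserver, office]


if __name__ == "__main__":
    reg = build_register()
    for r in reg:
        print(f"{r.asset:<20} inherent {r.inherent_score:>2} ({rating(r.inherent_score)})"
              f" -> {r.treatment} residual {r.residual_score:>2} ({rating(r.residual_score)})")
    for r in needs_attention(reg):
        print(f"STILL ABOVE APPETITE: {r.asset} / {r.threat}")  # patching alone was not enough
```

The point of the final loop is the one most registers miss: the file server is treated, yet its residual score of 8 still sits above the assumed appetite of 6, so it goes back round for further treatment (a backup control, or isolating the host) rather than being signed off. Retaining the office power risk, by contrast, is a legitimate outcome because it was never above appetite.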
The following diagram shows a basic example of the ISO 27001 risk process. It also shows just how similar our isCompliant IT Security Ninjas are to James Bond… [editor’s note: they wrote that bit!]
So, now that we have saved the world and prevented inadvertent losses of data to the nasty villains of the 21st century, we can sit back and enjoy the delights of a vodka martini… shaken not stirred.
Get your free isCompliant trial here: https://www.iscompliant.com/free-trial