Introduction and Background
Providing a fixed definition for "information threat" is challenging because there is no universally accepted definition. As a result, in this article we focus on the concept of information threat: factors that can negatively affect the confidentiality, integrity and availability (CIA) of data and knowledge. In companies, information is transferred between entities, stored internally and externally in the cloud on various platforms, edited constantly and supposedly deleted. Owing to these traits of information, the exposure of information to threats is large, and the motivation to exploit vulnerabilities/flaws/loopholes within a company's processes or infrastructure for financial and competitive advantage is high.
A company's information security aim should be to reduce the impact/consequence of the exploitation of vulnerabilities to an acceptable risk level. Risks and threats will always be present owing to the traits of information, but the ability of companies to apply security controls in layers and reduce the impact to an acceptable level is the essence of information security. This is illustrated in the expressions below:
Threats can be classified into insider threats and outsider threats. Insider threats are individuals who have a degree of privileged access to company information and who then seek to gain further or unauthorised access for malicious purposes. Outsider threats are individuals without any privileges who exploit vulnerabilities/loopholes in external perimeters to gain internal access to information for malicious purposes.
The individuals in a company who may pose an insider threat include board members, senior management, technical consultants and system administrators, just to name a few, whereas outsider threats would include company competitors. There are grey areas, such as whether an ex-employee using their still-enabled access details for malicious purposes should be classified as an insider or an outsider threat. Surveys (FBI/KPMG and others) in the USA, UK and other countries have shown that on average 35% of information security incidents are caused by insider threats, and these incidents are growing.
Information security, as discussed in the previous section, deals with the application of security controls to mitigate the risk of exploitation of the CIA of information, whereas cyber security, a newer buzzword, has extended this scope to include the protection of critical infrastructure systems such as water, power, heating, communications and others. Cyber security takes into consideration the digitalisation of the current world and is a natural and logical progression of traditional information security methodologies. Information security and cyber security are often used interchangeably; however, information security is a subset of cyber security.
Information security in any company is the responsibility of everyone, although it is spearheaded by the board of directors. The tone of a correct information security governance strategy is set by the board of directors and should include risk management processes and the legal and contractual obligations that may affect information.
The information security governance strategy deployed should stipulate due diligence to ensure that the security controls used to manage possible risks are continually monitored for effectiveness and, if found ineffective, that appropriate improvements are made. As discussed, information security is everyone's responsibility, not just that of the board of directors. The board of directors provides support, such as funding, and ensures that high-level milestones are accomplished; senior management provides additional support by updating the board of directors appropriately via regular meetings and ensuring that the board's information security governance strategy is understood by the departmental units and is broken down into specific milestones as deliverables. Further still, departmental units implement these milestones as part of their daily operational processes and job functions.
This procedure supports a top-down approach in which all levels of staff are involved and information security is effectively implemented.
No information security governance strategy is perfect, mainly due to the exposure of information to the ever-changing channels used for processing, storing and transmitting it. As a result, continuous risk assessment is required to thwart newly introduced flaws and vulnerabilities.
To support the continuous process of an information security governance strategy, companies utilise best practice standards such as the ISO 27001 information security management system (ISMS) standard and the Cyber Essentials Scheme.
Information Security Standards
Best practice information security standards provide a benchmark of requirements, specifications and guidelines that support companies in achieving consistent information security governance. These standards are developed via open calls for review and input from knowledgeable subject experts across a wide area, providing a high degree of reliability and credible content. The standards are continually reviewed and updated, and as such include current threats, risk methodologies and security controls, reducing the amount of investigation companies must carry out to obtain this current information.
Information security management system (ISMS) - ISO 27001
ISO 27001 is currently one of the most popular best practice security standards and is considered by some as the de facto standard for information security. This standard is used by organisations of varied sizes, and its popularity is mainly due to regulatory and contractual obligations. In most countries it is a requirement to be ISO 27001 certified to be eligible to bid for certain public and private contracts. ISO 27001 references the "Plan Do Check Act" (PDCA) approach, as shown in Fig 1, to emphasise the continuous improvement and process methodology of the standard. The PDCA approach encourages regular reviewing/monitoring of the management system to check the effectiveness of its controls against the risks they are supposed to mitigate, and re-evaluation if there are any lapses.
Fig 1 - PDCA illustration
For the actual implementation of the ISO 27001 standard, companies use the code of practice standard ISO 27002, which describes in detail best methods/guidance for implementing the security controls defined in ISO 27001 (Annex A). These Annex A security controls are illustrated in Fig 2. They cover the entire business domain of an organisation and serve as a means of managing risk across people, processes, services, IT, physical assets and others.
Certification of an ISMS is based on the ISO 27001 standard and involves a 3-year life cycle. The first year involves a stage 1 documentation review of all mandatory documents specified in the standard, such as the statement of applicability, policies and risk treatment. Stage 2, the certification stage, is the practical audit of the ISMS scope and of the effective implementation of the security controls defined in ISO 27001 (Annex A). After the first certification, companies undergo 2 years of surveillance audits to ensure they maintain the certification requirements, and finally undergo re-certification in the fourth year.