CHAPTER 7: FEBRUARY: MONEY DOESN’T BUY HAPPINESS

Divide and conquer?

As an ISM, you can see by now that you have to consider yourself to be some kind of plate spinner – with a number of different sub-projects going on at any one time. This may have been done to serve the needs of management, rather than for anything effectively designed by you. So the end result could be that nobody knows what’s going on!

However, there is always a concern that your large project is something of an elephant that cannot be eaten whole. Therefore, breaking it down into a number of sub-projects is a tactic designed to focus each team on specific tasks, rather than trying to spread them too thinly. We were encouraged to break it down into the following:

  • Port control/removable media – data loss prevention technology, also referred to as robust endpoint security, was installed at the ports in order to ensure greater visibility of the devices being connected to the network, and to ensure that these were managed appropriately, in particular through scanning all connected devices.
  • E-mail marking – technology was implemented for the e-mail system to allow users to be able to select from a drop-down menu the appropriate marking for the classification of information being sent at a particular instance.
  • PC replacement – to continue the work being done on the desktop refresh programme, a dedicated team was afforded the time to reallocate equipment and ensure that the disposals element was appropriately handled.
  • Patch and vulnerability management – a team was required to focus on addressing the results of the recent penetration testing report and address the various patching and server updating that needed to be done as a matter of urgency.
  • E-mail archiving – a solution was implemented to provide quick and searchable e-mail functionality, and retention capabilities that integrated with the existing e-mail system.
  • Server farm upgrade – the server infrastructure was upgraded across all of ICT to ensure that the whole server ‘farm’ met the minimum expected housekeeping levels of ICT operation and information security best practice in terms of vulnerability assessment and patch management.

As the ISM, you may have no day-to-day authority over the time allocation of resources provided to you on project tasks, and this can be very destabilising in terms of project progress. Of course, the reality, in these straitened financial times, is that it’s the same people on each of the project teams. Therefore, setting up sub-projects actually increases their workload, as they now have to do even more reporting and upward management, as well as attending even more meetings, and this is very wasteful of time, energy and resources.

Sadly, people never seem to pay attention to the blindingly obvious. So your task has to be to keep highlighting to management that for as long as resources are not afforded appropriate time, the overall project will slip further and further backwards, and they will ultimately pay the price for a lack of compliance with a required external mandate or a lack of connectivity to a particular infrastructure. This would impact a significant number of users, way beyond the immediate management team considerations.

Remember the big picture

Every now and then, you need to take a step back and remind yourself, and everyone else, what it is that you are trying to achieve. Your programme of change is ultimately seeking to influence the review of information flow and business process re-engineering, to ensure that those processes that are being undertaken are appropriate, adequate, safe and secure, given the nature of the information assets at risk during all transactions. This is fundamentally about ensuring your organisation is in compliance with relevant legislation. For example, particularly in the UK, your information processing, in all its forms, must not breach the Data Protection Act, which derives from the European Data Protection Directive. Therefore, similar principles apply to all organisations processing information across Europe.

Most endeavours in this area have always been about more than just technology, in spite of their uptake usually being served by the implementation of new tools. It is part and parcel of the information governance agenda, which embraces any legislation, regulation and standard that relates to information as an asset and that requires risk assessment, impact analysis and proper management. (We will return to describing the breadth of information governance itself in the next chapter.) This, therefore, needs to be owned at a senior level in the organisation and supported with appropriate resources. Otherwise, ICT continues to be perceived as the natural lead, which results in projects being afforded a technical focus, rather than an operational one, and users are left feeling that things are being ‘done’ to them.

It is certainly true that technological solutions can be used to make the policing and implementation of information security easier, but there are implications for how we do business to ensure the protection of data and information. Continuing to deliver on your programme of activity requires changes to policies, too. For example:

  • More stringent security checks are required for staff employed by the organisation and these need to be embedded into your personnel-related policies.
  • An enhancement to asset management security is usually required, to ensure that all assets are identified across hardware, software and information.
  • A meaningful clear-desk policy needs to be in place and adhered to and the acceptable use of ICT services and systems needs to be defined more clearly.
  • Information ownership should be established by appointing information asset owners for all systems containing personally identifiable information, in order that such information can be appropriately managed and secured. This should be embedded as a management responsibility.
  • Provide all users with some level of information security awareness delivery. This is best achieved through the roll-out of briefings on as many occasions as possible.
  • Refresh ICT business continuity arrangements to reflect the updated policies once they define those security requirements.

Breadth of technological change

As mentioned previously, many of the issues addressed by information governance-related programmes of change concern personnel and procedures, but there are obviously technical matters, too. A lot of these have already been covered in previous chapters, but others are identified below:

  • Moving users’ data to a secure storage area network (SAN) – in so doing, users and data were moved to a secure area, meaning that data was unavailable to those who were not in the same secure segment of the network.
  • Upgrading firewalls, anti-virus technology, anti-spam software, routers, switches, cabling, servers, etc. – whilst this was done for the segmented network, a great deal of work was still required in order to bring the rest of the network up to the expected minimum baseline security standards, as demanded by most external connectivity, regulatory and legislative arrangements.
  • Implementing two-factor authentication (2FA) – done in order to address a requirement to identify users reliably. The first factor, ‘something you know’, is the familiar system password (and as previously described this was upgraded to a mandated minimum eight-character standard), but setting up the second, ‘something you have’, takes real effort.
  • Gathering, storing and presenting security event data is another important part of some external requirements and agreements. This means keeping control over all the security-relevant log data, generated by various systems and devices on the network, and putting it into secure storage for future analysis and reporting. Again, there can be a lot of server work to be done in order to identify, upgrade and maintain this accordingly.
  • Implementing a secure network – sadly, not all networks are historically created equal. Most have been created in a segmented manner, cascading across geographical boundaries as organisations grow, and system and transactional requirements develop. Achieving the transformation programme requirements for relocating staff and systems can be hampered by old infrastructure, as users may be straddled between secure and insecure platforms, with data housed on different servers in different locations. Adopting a ‘one organisation network’ usually enables wider transformation and secure information sharing, thus helping the realisation of corporate aims and objectives around information sharing, particularly if you are working in a public sector environment.
  • Most external connectivity requirements that are auditable put a high degree of focus on the way services and systems are deployed. Compliance will require corporate commitment to ensure users comply with new regimes surrounding governance of network access, control of the utilisation of hardware and general adherence to associated corporate guidelines and policies.
  • Extending the depth of information security across the organisation, accepting it as a BAU (business-as-usual) activity that benefits from corporate mandate, and management that can be embraced into the information governance family, is the ultimate goal. In other words, this is how a user culture should always operate, not just for the purposes of gaining connection to a secure network or fulfilling any other contractual, regulatory or legislative requirements.

In reality, anything that is described in this book is nothing more than encouragement to achieve the minimum expected security standards for an organisation.

Embracing data protection and privacy

There is a fundamental and intrinsic link between security and data protection and, indeed, privacy. You cannot have the latter two without the former, and the seventh data protection principle in the UK Act places security squarely as a fundamental requirement to be embedded into the fabric of your organisation, where you are in a position of protecting personal data in whatever form it may take.

UK Data Protection Act 1998, seventh principle

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

As the ISM, it may be that you are asked to assist with fulfilling subject access requests (SARs), when individuals ask to see all the information that your organisation holds on them. This can require trawling through data logs, e-mail archives, system records, etc., as well as paper/manual records, and can be time-consuming and challenging in terms of piecing together the breadth of information captured and ensuring that the response is provided within the requirements of the legislation.

Data protection is a huge legislative learning curve, but it behoves the ISM to learn the Act and understand it from both a legal and technical point of view, as it is not going away. More changes are planned in terms of data-breach notification, and the underlying premise of the various data protection authorities is that your organisation handles personal data in such a way that a) you know that you have it, b) you know where it is at all times and c) you have taken ‘appropriate technical and organisational measures’ to protect that data. The latter, in the 21st century, implies encrypting data at rest, data in motion and data in transit, at minimum. Again, this is a massive area in itself, and there are many great books that can be found on the subject.

We will address the need to undertake privacy impact assessments (PIAs) in the next chapter. Suffice to say that if you are in this mode of thinking, then you should be able to see the links with business impact assessments or analysis too. The ISM has a key role to play in identifying the likely root causes of threats being realised, establishing their likelihood and being the creator and author of the definition of a great many of the mitigating or compensatory controls that could be implemented to ensure the appropriate protection of personal data and/or information assets, as expected by the regulators, your stakeholders and the public at large.

Other security tasks for this month

User administration

This is another easy fix – a low-hanging fruit task – and yet it is so often not addressed. We talked about this back in Chapter 1. It is an ongoing task and you really need to make it a mission to ensure that:

  • there are no users on the systems who are no longer part of the organisation;
  • every single user only has the access they need to do the current job for which they are employed;
  • no one is still holding access rights for systems that related to other roles they have previously carried out, for which they no longer require such access.

It’s these kinds of little things that really show whether an organisation is taking security seriously, both internally to itself and to outsiders (when audited or otherwise).
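The three checks above lend themselves to a routine reconciliation of what systems actually grant against the HR roster and a role-based entitlement model. The following is an added illustration, not part of the original chapter; the roster, roles and access snapshot are constructed sample data, and the classification into leavers, unknown accounts, stale rights from a previous role and unexplained rights is this example’s own design.

```python
"""Monthly user-administration check: reconcile granted system access against
the HR roster and a role-based entitlement model.  Reports the failure modes
the chapter lists: leavers still enabled, access beyond the current role, and
rights carried over from a previous role.  All data below is constructed."""

# Constructed HR roster: account -> (current role, or None for a leaver; previous roles)
HR_ROSTER = {
    "asmith": ("finance_clerk", ["helpdesk"]),
    "bjones": ("helpdesk", []),
    "cwhite": (None, ["hr_admin"]),          # has left the organisation
}

# Constructed entitlement model: role -> systems that role legitimately needs
ROLE_ENTITLEMENTS = {
    "finance_clerk": {"ledger_app", "email"},
    "helpdesk": {"ticketing", "email", "ad_password_reset"},
    "hr_admin": {"hr_system", "email"},
}

# Constructed snapshot of what the systems actually grant today
SYSTEM_ACCESS = {
    "asmith": {"ledger_app", "email", "ad_password_reset", "payroll_export"},
    "bjones": {"ticketing", "email"},
    "cwhite": {"email", "hr_system"},        # leaver still active
    "dgreen": {"ledger_app"},                # account unknown to HR
}


def reconcile(roster, entitlements, access):
    """Return findings by category; all-empty categories mean a clean result."""
    findings = {"leavers": {}, "unknown_accounts": {},
                "stale_role_rights": {}, "unexplained_rights": {}}
    for account, granted in sorted(access.items()):
        if account not in roster:
            findings["unknown_accounts"][account] = sorted(granted)
            continue
        current_role, previous_roles = roster[account]
        if current_role is None:
            findings["leavers"][account] = sorted(granted)
            continue
        excess = granted - entitlements.get(current_role, set())
        # Excess rights explained by an earlier role are stale; the rest are unexplained
        carried_over = set().union(*(entitlements.get(r, set()) for r in previous_roles))
        if excess & carried_over:
            findings["stale_role_rights"][account] = sorted(excess & carried_over)
        if excess - carried_over:
            findings["unexplained_rights"][account] = sorted(excess - carried_over)
    return findings


def is_clean(findings):
    """True when no category holds any finding."""
    return not any(findings.values())
```

Running `reconcile(HR_ROSTER, ROLE_ENTITLEMENTS, SYSTEM_ACCESS)` on the sample data flags cwhite as an active leaver, dgreen as an account HR does not know, asmith’s password-reset right as a leftover from the helpdesk role and the payroll export as access nobody has explained.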

Inventory management

The list of items needing to be included on your inventory gets longer and longer, or at least it does if you reflect on the potential risks associated with the use of some machines. Consider the purchase of new dictaphones – the technology has come on so far that these now have an inbuilt storage element similar to a USB drive, and if that drive is not encrypted, you need to review the potential requirement for addressing this risk. What if the dictaphone was dropped in the street? Anyone could pick it up and press play to hear what had been recorded and, depending on the result of the discovery, take it straight to the local media – or worse still, the national press. In all likelihood, this would become an immediate data breach and an incident response would need to swing into action. Mighty oaks from little acorns grow …

Security awareness theme

This month’s information security theme could pick up on the fact that the media focus is usually, at least for the first two weeks of February, related to Valentine’s Day, so there’s a ‘love’ element. You could run a campaign entitled ‘Love your laptop’, where users are encouraged to ensure that they have connected to the network, updated the patches and anti-virus status, run a back-up, cleaned out the cookies and Internet history, etc.

Chapter summary

The brevity of this chapter reflects that February always feels like a short month for everyone, depending on how it ‘falls’ across the calendar weeks. It is a time to make the most of the speed of the month and tackle some of the basics, as have been expressed, whilst continuing to keep plates spinning at a management level.
