ISO 27001 is in incredible demand these days. Certainly if you are an organisation that are active in the UK market, it has become almost a mandatory requirement to have an independently verified ISO 27001 Information Security Management System (ISMS) in place.
Part of what we do at JSC Consultant is to provide ISO 27001 assessment services to BSI clients so as you might expect we see many ISO 27001 information security management systems. As you might also expect the quality of the ISMS can differ quite significantly. Some systems are unfortunately just not fit for purpose and would not provide the minimum level of information security or in some cases the opposite is true where the information security management system is just too restrictive (compared to the risk level of the business) and is tying the business unnecessarily down.
However the key “ingredient” we always look for in a system is the ability to either prevent incidents from happening or identify incidents that has occurred, and then do a thorough analysis of what went wrong (or could have gone wrong), what learning can we take away from the incident, and what improvement can we implement as a result.
However, you do not always have to wait for incidents to happen to you for you to learn.
A great source to subscribe to is Krebs on Security which recently reported on the Target Corp. breach and what went wrong and what learning anyone can take away from an incident like that.
In summary, it is believed that hackers broke into Target via one of Target’s 3rd party suppliers that had suffered its own breach via malware delivered in an email. In that intrusion, the thieves managed to steal the virtual private network credentials that the 3rd party used to remotely connect to Target’s network.
- Once inside Target’s network there was no controls limiting their access to any system, including devices within stores such as point of sale (POS) registers and servers.
- Weak passwords was used
- Default passwords used for system administrator roles
- Un-patched systems
- Remediation procedures did not address findings discovered by the vulnerability scanning program in a timely fashion, if at all.
This is just a high-level take away but please read the article for more details and learning.
If you have an ISMS, or are in the process of building one, I would strongly advise you to make sure you build in capabilities that will allow you to both learn from your own incidents as well as learning from others incidents. Information security is a changing subject and requires constant improvement to be effective.