Through a perplexing alphabet soup of choices in security standards, most Middle East enterprises are selecting and working with the ISO/IEC 27000 series of benchmarks, especially the 27001 standard.
Choosing a security standard is easier said than done. The average enterprise in the Middle East which is looking for an enterprise-wide security standard is faced with an absolutely perplexing alphabet soup of choices that can deter everybody but the keenest.
To add to the confusion, the names of standards often change, even when the content remains the same, as they move from one standards body to another.
Security service providers and consultants, such as Kurt Information Security, tend to pick and choose among different standards to form the basis of their practices and procedures. Such companies have a research and development arm which integrates pieces of various standards to form a security matrix for the firm to employ with its customers.
This is not a choice available to most enterprises. For one, standards cost money and for another, integrating the best among standards requires valuable resources, time and capital – none of which an enterprise can or should rightly be expending.
However, enterprises can simplify the choice and implementation of standards with a little effort and background information. And that starts with understanding where standards come from.
The standard source
Standards of security within a particular country are often dictated by home-grown benchmarks put down by national bodies. Such bodies include BSI (British Standards Institution), AFNOR in France (Association Française de Normalisation), DIN in Germany (Deutsches Institut für Normung), BIS in India (Bureau of Indian Standards) and ANSI in the USA (American National Standards Institute).
These standards bodies can set down guidelines across industry sectors and include information security as part of that. Among the lot, BSI’s standards have gained global traction as security yardsticks for organisations and are being used by some Middle East enterprises as well.
Then there are industry specific standards, such as the PCI DSS (Payment Card Industry’s Data Security Standard), which was developed by credit card companies to provide guidance to organisations which process these cards in order to prevent credit fraud and other security mishaps.
It covers areas such as security policies, procedures, network architecture, software design, management and other critical areas, and every organisation that processes credit cards globally has to comply with the standard in order to avoid being blocked by the credit card companies.
However, for a true enterprise-wide security standard, most Middle East enterprises tend to choose the benchmarks developed by ISO/IEC (International Standards Organisation and International Electrotechnical Commission) under its 27000 series. Specifically, they prefer the 27001 standard.
“It is easily one of the fastest growing standards certification that we are seeing here. Adoption levels are extremely high generally and in the Middle East a lot of enterprises are working to get themselves certified,” states Theuns Kotze, managing director for BSI Management System in the Middle East and Africa.
Regional enterprises consider ISO/IEC’s 27001 certification, more commonly referred to as ISO 27001, as the baseline for planning and implementing their security strategy. ISO 27001, which was published in October 2005 and belongs to ISO’s 27000 series of standards, was originally BS7799, a standard that had been in use since the 1990s.
The standard itself is essentially based on the BS7799-2. Its objective is to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information security management system.”
“ISO/IEC 27001 addresses information security management systems (ISMS) – it is not an IT security standard, but a generic management system standard applicable to all types of organisations. It provides a management systems framework for protecting information, whether it is in electronic or non-electronic form, irrespective of the technology used and irrespective of media used. It is applicable to the application of ICT for business to the extent that it protects the management and operational environment where the ICT is being deployed. Hence the security controls are at a management level not a technical level,” says Professor Edward Humphreys, one of the leading experts responsible for the ISO/IEC series of information security management system standards.
Most enterprises in the Middle East adopt ISO 27001 practices to provide them with the necessary base on which to build their security policies and larger strategy.
Though some of them buy the standard, many tend to use documents connected to the standard which are borrowed from a well-known reseller or partner. Many also work at customising the standard in order to make it fit the enterprise’s particular needs better.
There remains a large proportion of regional companies which effectively follow the strictures laid down by ISO 27001 but do not proceed to get themselves certified. They often do not want to put in the effort and resources necessary to formalise the fact that they follow the standard. This is also because they believe the certification process is tough.
However, as Kotze points out, an increasing number of enterprises, especially those which work with businesses outside the region, are getting themselves certified and this will drive standards certification among other regional firms.
Getting certified
Getting ISO 27001 certified can be either easy or difficult, depending on how the enterprise in question handles it. Companies only have to implement and follow the requirements specified by the standard and then call in a third-party auditing firm to carry out the audit; if they pass, they are certified.
Carrying out the rigorous demands for certification can be easier said than done. In fact, the task can seem so daunting that many enterprises are put off from even starting the process.
“One of the most common mistakes that companies make when they try to get certified is they believe that such standards are too difficult when they are not. They also think that they can cut corners when implementing ISO/IEC 27001 by leaving out some of the requirements,” says Humphreys.
“Many also believe that such standards can be an expensive undertaking. But the truth is that it can turn out to be inexpensive for the firm if they do it right. A lot of enterprises also make the huge mistake of ignoring some of the critical aspects of ISO/IEC 27001 such as the risk assessment process or the need to take regular measurements to check the effectiveness of security,” explains Humphreys.
According to Kotze, who has specific experience with Middle East enterprises, corporates in the region tend to ignore the obvious sometimes.
“While information security is high on the agenda of most enterprises, they do not pay enough attention to physical security. They make a lot of mistakes, especially with the kind of documents that get carried around and thrown away. Just by digging in dustbins there have been situations where we have got a lot of information including credit card details, personnel information, even cheque books. A lot of enterprises concentrate only on firewalls and hackers. They are negligent towards physical security, which can turn out to be a problem,” says Kotze.
Kotze also stresses the importance of educating end-users within an enterprise.
“Companies which want to get certified should do training needs analysis quite early in the programme. There should be different levels of security knowledge within the organisation. They have to decide what level of knowledge and detail of subject is required for different roles in the organisation. They need a quality system, levels of knowledge, awareness, different levels of expertise, competence and skills. Without these in place it is difficult to get certified,” says Kotze.
All of this starts with a proper risk assessment: identifying problem areas, assessing the level of risk and applying systems to deal with it.
“Risk assessment is the point of starting. Companies have to implement measures and procedures based on the risk assessment. Otherwise, it would not be effective,” adds Kotze.
Obtaining the certification is only half a victory, as enterprises have to keep following the standard’s practices and maintaining the management system in order to retain the certification or be re-certified.
“After the initial assessment, we go back four months later. We visit the company to make sure that everything is as it should be as per the certification. We then visit them every six months after that. The certificate itself lasts for three years,” explains Kotze.
During this period, if companies are found to be lacking, they are warned and the certification may be suspended. If the non-conformance continues, the certification can be cancelled.
Walk the talk
The truth though is that most enterprises which have invested in getting certified on the standard do not turn their backs on it and only in rare cases do they lose their certification entirely.
The ISO 27001 standard is a global acknowledgment of the company’s seriousness in business practices and in ensuring the highest standards within the organisation. This is of special importance for enterprises that trade with other businesses as well as service providers who offer hosting and telecom services in the region.
Considering that, whatever the troubles involved, larger numbers of regional enterprises will move towards the ISO 27001 standard and, in the process, increase awareness of security best practices.
ISO 27002 – the renamed ISO 17799 standard, a code of practice for IT security which provides controls that can be implemented based on the guidance provided by ISO 27001.
ISO 27003 – a proposed document intended to provide guidance in implementing an information security management system (ISMS).
ISO 27004 – it is an emerging standard on security management, measurement and metrics.
ISO 27005 – it is an emerging standard on security risk assessment.
ISO 27006 – this standard offers guidelines for the accreditation of organisations which offer certification and registration for ISMS.
Some benchmarks closely linked to the ISO 27000 series
ISO 17021 – this standard contains principles and requirements for the competence, consistency and impartiality of the audit and certification of management systems of all types. It is particularly related to ISO 27006.
BS7799-3 – this is BSI’s standard for Information Security Risk Management. It relates most closely to ISO 27005, which will cover similar ground when it is published.
ISO 24760 – not yet published, this standard will largely provide a framework for identity management, a topic that is loosely related to ISO 27002.
ISO 13335 – this multi-part standard presents management of information and communications technology security, and is related to the future ISO 27005 standard.
BS25999 – this is the BSI standard for Business Continuity Management, and includes two parts, a code of practice and a specification. It relates to a number of ISO 27000 standards, but most notably, ISO 27002.