21 April 2007

Post Certification Activities

Posted by Vinod Kumar under: ISMS Articles.

The first task after your certification is to close every non-conformity and non-compliance raised during the certification audit, and to do so before the surveillance audit is due. Auditors do not expect to see their own findings reappear in the following audits. If any policy or procedure document has to be updated, record the change (version control within the document), have the document reviewed and approved by management, and circulate it to the authorized people.

Keep an eye on assets being added to your infrastructure. In large organizations it is easy to skip this task and get surprises during the next audit. Assets may also have been removed from the infrastructure. Identify the assets, do a risk assessment, and update your risk treatment documents and the Statement of Applicability (SOA) if required. Since you are already certified, I assume the process for adding or removing assets has already been defined, communicated and followed.

User awareness should be an ongoing process. Avoid repeating the same material over and over again. Employees will be interested in knowing the latest threats and

• how they can impact the organization
• what measures have been taken to avoid this risk
• how implementing information security practices has taken care of such threats
• how much value they as employees have added

Never forget to check the effectiveness of the awareness sessions. You can conduct quizzes, scenario-based training, online training programs etc., which can be made mandatory by mapping individual performance directly to appraisals.

Internal audits should be carried out at regular intervals. The interval will be as per your internal policy. There are different areas where audits have to be conducted; I am sure you would have experienced this during your certification audit. Some of the areas are listed below. For more details on what to look for under each of these areas, refer to my article called “ISMS Implementation guide”, which is posted on the same site.

• On floor audit
• Desktop audit
• Awareness audit
• Technical audit
• Social engineering

Some other activities that should be carried out on a regular basis, apart from awareness, are:

• Fire drills
• Check for the expiry dates on fire extinguishers
• Penetration testing, Vulnerability assessment
• Testing of BCP implementation

The last item in this article is measuring the effectiveness of your implementation. You have implemented something, and you need to know whether it is useful, valuable to the organization (including its employees) and effective. This will also help you a great deal in your surveillance audit by showing improvement.

How to measure the effectiveness of your controls is a topic by itself. I am looking forward to writing an article on it at the earliest. In the meantime there is a document from the National Institute of Standards and Technology (NIST), SP 800-80, which is still in draft. You can get this document from the following location.

Guide for Developing Performance Metrics for Information Security (draft SP 800-80)


7 April 2007

Password Management

Posted by Vinod Kumar under: ISMS Articles.

Let me narrate a small story to show how a server administrator and an Information Security Officer (ISO) of an organization struggle to protect the organization's assets.

The ISO of the organization has a written password policy, which says that user passwords should be

• a minimum of 8 characters long
• locked out after 3 failed attempts
• expired once every 45 days
• a combination of uppercase, alphanumeric and special characters

The policy is handed over to the server administrator and implemented across the organization.

Now who suffers? The end user, who used to use passwords such as password, date of birth, chicken65, wonder girl, or the name of a wife, son or daughter, now has to choose a complex password, or a combination of these with a special character embedded somewhere.

Finally the user comes up with a password like this:

Password291173$

What a mess. Now this password is valid for 45 days only, as per the policy. By day 45 the user, with great difficulty, remembers the password, or his fingers are already used to going to these keys automatically when the screen reads Password at logon.

OK. The password expires after 45 days and now the user has to choose a new password to move forward. These users are also very smart. They think about how to get around this, because by now they have got used to the old password; imagine remembering a new one. So the user would obviously choose a password like this:

Password291173%

Now the user does not want to remember the new password, because he is used to the old one. He has met the policy requirement to change the password once every 45 days, so he now reverts to the old password by doing Ctrl+Alt+Del -> Change Password and changing it back to:

Password291173$

OK. Both are happy, I mean the administrator and the user. The ISO somehow finds that this is not working; it is not serving the purpose, and more control is needed. The ISO now decides to enhance the policy: the server password policy should keep a history of the last 5 passwords the user has used and should not allow any of them to be reused.

OK. Now the scenario I described above will not work. But these users are very smart. They come up with another way to get around this and keep the old password. When the system prompts them to change their password after 45 days as per the policy, the user does this:

Password291173$ (original password)

Ctrl+Alt+Del -> Change Password -> Password291173$1 (changed to new)
Ctrl+Alt+Del -> Change Password -> Password291173$2 (second change)
Ctrl+Alt+Del -> Change Password -> Password291173$3 (third change)
Ctrl+Alt+Del -> Change Password -> Password291173$4 (fourth change)
Ctrl+Alt+Del -> Change Password -> Password291173$5 (fifth change)
Ctrl+Alt+Del -> Change Password -> Password291173$6 (sixth change)

All this is done in about 10 minutes.

Remember, the system holds a history of only 5 passwords. The user now goes back to his old password and sets it to:

Password291173$

Now the ISO finds that this is not working either. So more control is added: the user cannot change the password again for two days after a change. In that case, getting back to the old password as shown above would take 12 days, which is far more tedious for the user. This is when the user starts blaming the IT department, cursing the ISO, etc.

So let us look at the password policy again:

• a minimum of 8 characters long
• locked out after 3 failed attempts
• expired once every 45 days
• a combination of uppercase, alphanumeric and special characters
• checked against a history of the user's last 5 passwords
• not changeable for two days after a change

Two new controls have been added. Users have probably already found, or will soon find, a way around these too; they are clever enough to do so.
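To make the story checkable rather than anecdotal, here is an added example (not code from the original post) that simulates the three controls the ISO adds in turn: complexity, a history of 5 previous passwords, and a 2-day minimum age. The policy values are the ones in the post; the class names, the simulated clock and the `cycle_back` helper that plays the user's trick are assumptions for illustration. It shows that history alone is defeated in seven quick changes, that minimum age stretches the same trick to 12 days, and that an impatient user is stopped at the second change.

```python
"""Simulation of the password-policy controls described in the post (added example,
not the post's own code). Policy values are from the post; Policy, Account,
change_password and cycle_back are illustrative names, not a real product's API."""
import re
from dataclasses import dataclass, field

DAY = 24 * 3600  # the simulated clock runs in seconds


@dataclass
class Policy:
    min_length: int = 8
    max_age_days: int = 45
    history_size: int = 0   # previous passwords that may not be reused (0 = no history check)
    min_age_days: int = 0   # days a user must wait before changing again (0 = no wait)


@dataclass
class Account:
    password: str
    changed_at: float = 0.0                      # seconds on the simulated clock
    history: list = field(default_factory=list)  # previous passwords, oldest first


class PolicyViolation(Exception):
    pass


def meets_complexity(pw: str, policy: Policy) -> bool:
    """Minimum length plus at least one upper-case letter, one digit and one special character."""
    return (len(pw) >= policy.min_length
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def change_password(acct: Account, new_pw: str, now: float, policy: Policy) -> None:
    """Apply every control in the policy; raise PolicyViolation on the first one that fails."""
    if now - acct.changed_at < policy.min_age_days * DAY:
        raise PolicyViolation("minimum password age not reached")
    if not meets_complexity(new_pw, policy):
        raise PolicyViolation("complexity requirements not met")
    recent = acct.history[-policy.history_size:] if policy.history_size else []
    if new_pw == acct.password or new_pw in recent:
        raise PolicyViolation("password was used recently")
    acct.history.append(acct.password)
    acct.history = acct.history[-policy.history_size:] if policy.history_size else []
    acct.password = new_pw
    acct.changed_at = now


def cycle_back(policy: Policy, original: str = "Password291173$", patient: bool = True):
    """The user's trick from the story: at expiry, change to original+'1', +'2', ... until the
    history has forgotten the original, then set the original again. A patient user waits out
    the minimum age between changes; an impatient one tries immediately.
    Returns (got_original_back, changes_made, days_spent_after_expiry)."""
    acct = Account(password=original, changed_at=0.0)
    expiry = policy.max_age_days * DAY   # the forced change happens at expiry
    now = expiry
    changes = 0
    # one throw-away change per remembered password, plus one for the current password
    for i in range(1, policy.history_size + 2):
        try:
            change_password(acct, f"{original}{i}", now, policy)
        except PolicyViolation:
            return False, changes, (now - expiry) / DAY
        changes += 1
        if patient:
            now += policy.min_age_days * DAY
    try:
        change_password(acct, original, now, policy)
    except PolicyViolation:
        return False, changes, (now - expiry) / DAY
    changes += 1
    return acct.password == original, changes, (now - expiry) / DAY


if __name__ == "__main__":
    print("no history:          ", cycle_back(Policy()))
    print("history 5:           ", cycle_back(Policy(history_size=5)))
    print("history 5 + 2-day age", cycle_back(Policy(history_size=5, min_age_days=2)))
    print("same, impatient user ", cycle_back(Policy(history_size=5, min_age_days=2), patient=False))
```

Running it prints `(True, 2, 0.0)` for the bare policy, `(True, 7, 0.0)` once history is on, `(True, 7, 12.0)` with the 2-day minimum age, and `(False, 1, 0.0)` for the user who will not wait: exactly the 10-minute and 12-day outcomes the story describes.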

The question is: what are the ISO and the server administrator trying to protect? What is the probability of an intruder getting into your network, breaking a password and getting into the systems that hold the information? Is it easier for an intruder to break a password and get into a server, or to compromise the server itself? Maybe traceability is the real issue.

My thought is: why do we need to enforce this password policy on end users? This is a clear example of delegation of ownership. Who are the owners of the organization's assets? Let's not say top management. Yes, it is top management, but top management has other work to do and has designated the end users to take ownership of the assets.
I would also say that the ISO should not be spending time breaking his head over password complexity, but should take responsibility for pushing this message down to the end users and making them aware that they, and not the IT department, are the owners of the information assets.

1. Identify the owners of information assets within the organization. I assume this would have been done during the risk assessment exercise.

2. Conduct awareness sessions and emphasize the information assets, the owners of those assets and their responsibilities, the custodians of those assets and their responsibilities, etc.

3. Give the asset owners a simple risk assessment methodology so that they can evaluate and understand the value of the assets they handle. This will also show them how to secure their assets effectively.

4. Give more flexibility to the end users rather than taking everything on yourself.

5. Make everyone understand that security is everyone's responsibility, and not just the IT department's or the ISO's.

It has been said, and is understood, that the biggest threat in today's world is human, and in particular the human inside your organization. Now, if that human has the password and intends to do damage, how is a complex password going to protect or help?

Just for thought: how critical is your ATM or credit card to you? What is the complexity of its PIN? Mine is just 4 digits. :)


4 April 2007

Reasons to avoid change

Posted by Vinod Kumar under: ISMS Articles.

Some reasons commonly given by organization members to avoid change in the process:

1. Nothing has happened for the past X years. What is going to happen now, and why do you want all this security?

2. How does the organization benefit from implementing information security practices? How much will the profit be?

3. So you mean to say that once we implement information security practices, my network is completely safe?

4. We want work to get done. Do not hamper our routine to integrate your security practices.

5. Security!!! Please ask IT

6. I have firewalls, IPS, two-factor authentication, anti-virus gateways, web filters, motion detectors, access control mechanisms etc. implemented; what more security are you going to provide?

7. If I change this now, nothing is going to work. Please do not suggest any changes; it has been working, let it work.
