Burying the password

It's time to bury the password. Passwords may well be the longest serving security tool in the history of humanity. Long before computers, people were using secret words. The only technology to come close to that record may be encryption. Encryption, however, is only now coming into its own as a standard defence against unauthorised access to confidential information - think of Windows, where only the latest incarnation provides any hard disk encryption as a standard part of the toolset.

Passwords, on the other hand, have been the bedrock of IT systems security since the dawn of computing. Virtually every computer system ever produced (with the possible exception of gaming platforms) has provided some kind of password protection, however weak it may have been.

Most of today's corporate networks are completely dependent on passwords to maintain security.

Yet passwords no longer work.

As security has progressed in both technology and awareness, password requirements have become more stringent.

Network security policies are now standard, defining users' behaviour and requiring regular password changes and minimum complexity.

Users of a corporate network can now expect to change a network password every 30 days, each time choosing a combination of lower-case letters, capitals, digits and non-standard characters such as question marks and exclamation marks, while avoiding keyboard patterns and anything linked to their name, network user name, company or other defined words. Dictionary words, even disguised inside a password, are increasingly unacceptable. What was six characters must now be eight or even ten.
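For readers who want to see what such a policy looks like when it is actually enforced, here is an added example (not code from the original post) that checks a candidate password against the rules just described: length, character classes, no user or company name, no dictionary word even when disguised with digit and symbol substitutions, and no keyboard runs. The threshold, the tiny stand-in word list and the substitution table are assumptions; a real deployment would load a proper dictionary.

```python
import re

# Assumed policy values (hypothetical); a real deployment would load a proper dictionary.
MIN_LENGTH = 10
DICTIONARY = {"password", "welcome", "secret", "summer", "monkey"}   # tiny stand-in word list
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Common substitutions people use to disguise a dictionary word; undone before checking.
LEET = str.maketrans("@$!0134578", "asioleastb")


def has_keyboard_run(pw, run=4):
    """True if pw contains `run` adjacent keys from one keyboard row, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seq = row[i:i + run]
            if seq in low or seq[::-1] in low:
                return True
    return False


def check_password(pw, username, company, min_length=MIN_LENGTH):
    """Return a list of policy failures; an empty list means the password is acceptable."""
    failures = []
    if len(pw) < min_length:
        failures.append(f"shorter than {min_length} characters")
    for pattern, reason in ((r"[a-z]", "no lower-case letter"),
                            (r"[A-Z]", "no capital letter"),
                            (r"[0-9]", "no digit"),
                            (r"[^A-Za-z0-9]", "no non-standard character")):
        if not re.search(pattern, pw):
            failures.append(reason)
    low = pw.lower()
    # Anything linked to the person or the employer is out, wherever it appears.
    for label, word in (("user name", username), ("company name", company)):
        if word and word.lower() in low:
            failures.append(f"contains {label}")
    # Undo leet-speak before the dictionary check so 'P@ssw0rd' is caught as 'password'.
    normalised = low.translate(LEET)
    for word in sorted(DICTIONARY):
        if word in normalised:
            failures.append(f"contains dictionary word '{word}'")
    if has_keyboard_run(pw):
        failures.append("contains a keyboard pattern")
    return failures


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "Qwerty123!", "Acme2024!!", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, "jsmith", "Acme") or "OK")
```

Run as a script it prints which rule each sample password breaks; the point of the exercise is how few memorable strings survive all the rules at once.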

The other factor at play is the other systems people access. Most users of corporate networks also have home computers, with separate passwords for their PC, laptop, smartphone, web sites and online applications. People now have to remember a huge number of passwords, all of which change regularly.

It's not possible to do this securely. More and more, passwords are written down, forgotten, or built around patterns. More and more passwords are reused across multiple systems, some of which will be less secure than your network.

Passwords also have a horrendous weakness: their users. 'Something you know' will always be subject to social engineering attempts.

Because of these weaknesses, the day of the password is over. Information on a system can no longer be protected simply with information in a user's brain.

It's time for something new. Something you have is no good (it can be stolen or lost). Something you know is no good (it can be forgotten, written down or talked out of you). The only remaining option is 'something you are'.

Fortunately, this is where that walking security disaster, the human being, comes into its own. What will always be unique, and remains very hard to steal: you.

It's time to retire the password, and make people the key.

CRISC resource guide

With ISACA announcing 1,000 CRISC certifications awarded under grandfathering provisions, CRISC is - whether you like it or not - something information risk professionals should consider. To help you, we've filtered through the blog-spam, sales pitches and ill-informed opinion and pulled together some of the top resources from around the web - your one-stop resource guide for CRISC certification.

What is CRISC?

In ten words or less, it's a professional certification for specialists in information systems risk and control.

A full explanation is available on ISACA's web site here - or read Riskmonkey's more readable but less authoritative summary (linked below).

Should I certify CRISC?

How do I certify?

There is no end of companies on the internet advertising sample question banks for sale. There are also quite a few offering training. At the moment, though, both are pretty much irrelevant - currently, the way in is through grandfathering, which requires 8 years' experience. The application form doesn't take 8 minutes to complete, and is available here. At not far short of $500, paying for it will take most professionals a little longer than that, though. A tip: ask your employer to cough up the cash.

What do I do with it?

Put it on your business card, or on your CV. Use it to help argue for a pay rise or promotion. Or simply to help make sure you don't get downsized. Just don't forget to tell us what you think!

Further reading

Can you CRISC? (26/8/2010)

Top ten mistakes audit firms make whilst tendering

Riskmonkey has had the pleasure of presiding over a number of procurement exercises for internal, external and IT auditors over recent years. I had been looking forward to writing some solid technical content this afternoon, but the latest round of printed PowerPoint presentations (complete with spelling errors) has reminded me what a frustrating task this often is. Knowing your stuff is not enough: if you work in practice and are involved in business development, bidding for client work, producing presentations, presenting to auditor appointment panels, or just want to come across well when explaining the role of audit to internal clients, here are my top ten mistakes audit firms make whilst tendering for audit contracts.

  1. Don't answer the questions. OK, I understand that you have a standard presentation. I know it's easy. But if we've given you a list of questions, you're wasting your time if you don't answer them directly. If I'm hiring auditors for a health trust I'm not interested in your achievements for the tobacco industry. If I'm hiring an internal audit service, I don't want to know how well reputed your external auditors are. If we've specified the sections we want in the tender, stick to them.
  2. Forget to do your research. I know you have a business development person who does this for you, but really - you will have to stand in front of us on the day. If you don't know what our governance arrangements are, what our recent external audits said, or why we've been in the press recently, don't expect us to be impressed.
  3. Ask your kids for help. I'm really serious. One recent top-10 firm actually included a chart produced by 'my 12-year-old son, he's better at computers'. How did we find them out? It looked like it had been produced by a 12-year-old. In Microsoft Paint.
  4. Change the team. I know your firm has a great reputation, or you wouldn't be on the shortlist. When I ask whether the people doing the presentation and listed in your tender are going to be the ones supplying the audit service, the answer I'm looking for is 'yes'. If it's another partner and manager from another office, why are you here - because they're not up to it? Fortunately we'll never find out.
  5. Don't ask what we're looking for. If we've asked a number of questions about how you're going to work with the non-executives, we don't expect to hear that you'll speak to the audit committee and AC meetings and that's it. If we've asked what value you'll add to the finance or IT department, we don't want to hear that all audit is valuable, so we shouldn't worry about it. There's a reason for these questions - take them seriously.
  6. Understand your USP. Not so long ago Riskmonkey asked five audit firms presenting what set them apart from their competitors and how that would add value for the organisation. You'd think people would prepare for that, but two audit firm partners had no answer at all, one was saved by a junior manager jumping in to stop his boss floundering, one saw an opportunity to criticise the competition for lax training standards, and only one had a positive answer. All were top 10 UK firms, several were big 4. No surprise who got the work.
  7. Forget you want to be reappointed. We know you'd like to be reappointed. Don't think we close our eyes when you get the job; reappointment is earned because you gain our confidence in that first term.
  8. Be honest. If you're new to our sector, expanding into our area and your audit team will travel 200 miles to get here and stay in a hotel, it won't fill me with enthusiasm - but being honest about it, demonstrating competence, understanding the organisation and showing enthusiasm will count for a lot, too.
  9. Understand our objectives. You can only help us manage our risk if you understand what impact those risks have on our operations. That's not always obvious without giving it some thought. Organisations don't just provide a product or service, they have real problems - rebuilding confidence after a crisis, demonstrating capacity to regulators, improving public perception, managing excessive headcount, reshaping capital structures.. take a minute to look under the surface and understand what we need to achieve.
  10. Be late. Riskmonkey was not impressed to find one organisation he serves on confronted with possible legal action for not taking into account a tender received after the deadline. I know post normally takes a couple of days, but don't count on it and expect us to understand - if it's a £50k job, it's worth a fiver for special delivery. And, to be honest, it's worth doing well before the deadline. Start as you mean to go on.

Top ten reasons why your portable media is not secure

It seems that virtually every data loss being reported in the press at present, where the loss occurred through exposure of physical media to an unauthorised party, relates to portable data storage devices - USB sticks, CDs and the like. Riskmonkey is getting used to the standard response put forward by companies who think their data cannot be exposed in this way: "Oh, we're not worried. All our USB sticks are encrypted".

Of course, they couldn't be more wrong.

It's not hard to see why organisations think encryption is a good control. It sounds like your data is secure. Even if it's lost or stolen, you can tell people their data may still be secure. You can say you took precautions, that you understand their concern and put controls in place to keep their information safe. What you can't do, however, is tell them their data is safe. It almost certainly isn't.

Riskmonkey has a simple view of encryption. There's no harm in it, but it ought to be the last line of defence. If you do have to defend yourself against 10,000 heavily armed savages, even a stick is worth having. It will make you feel better, but it probably won't save your life. What you need is an army, and if you get the controls right, you've got one - it's your colleagues. Get them wrong, and you've just got so many dead bodies for the savages to trample over on their way to you.

Over-dramatic comparators out of the way, here are Riskmonkey's top reasons why even encrypted data is not secure:

  1. Your encryption may not be very good. 'It's encrypted' doesn't really mean much. I can encrypt this article by moving each character one to the right on the keyboard. It wouldn't take a second for the average intelligent 14-year-old to crack it (in a future article, I'll go into this in more depth and explain which encryption works, and which doesn't).
  2. Your password may not be secure. Take the Yorkshire Building Society, who recently left the password to a laptop containing thousands of customer records with the laptop. It was stolen - data, passwords and all.
  3. Your password may be no good. Let me guess: your company name? Your mother's maiden name? Replace a character with a digit? If I'm still locked out, I bet it won't be for long. Companies can't enforce password standards on encrypted disks in the same way they can on networks, so passwords tend to be weak.
  4. It's probably not your USB stick, anyway. You gave some out to your staff, but the encryption was annoying so they used one they got free with a box of cereal.
  5. You don't know what data is on it. Most people use USB sticks as a growing repository of random information they 'might need to share' at some point in the future. You may think it's 1,000 customer names and addresses, but are you sure 50,000 account records weren't put on it last year?
  6. You don't know where it's been. When you get it back, you won't know whether it's been accessed or not.
  7. Even encrypted data can be copied for later decryption. You may get the USB stick back, but you won't know where else the data might now be.
  8. You don't know who's using them. Be glad you found out about this incident. There's a fair chance the last 10 employees to lose a USB stick didn't report it. Would you - really? If a CD's gone missing in the post, how did you find out? Chances are the recipient reported it missing. There's no obligation for them to do that, and no reason why they have to tell you first.
  9. Did they need the data in the first place? They may have needed some of it - but did that systems test really need full customer histories on all accounts - or would an anonymised sample have done the job? If people within your company have data they shouldn't have, it would be a good idea to sort that out, first.
  10. It's probably too late, anyway. The problem is that you lost the data, not that someone else has obtained it. You need controls to make sure you don't lose it, rather than controls to stop someone else taking advantage.
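Item 1 deserves a worked demonstration. What follows is an added example, not code from the original post: it implements the 'move each character one key to the right' scheme and then breaks it the way a bored 14-year-old would, by trying every possible shift and keeping the output that looks most like English. The keyboard rows, the small list of common words used for scoring and the sample sentence are assumptions of the example. The lesson generalises to any scheme whose only secret is the algorithm: with no key, there is nothing to brute-force but a handful of guesses.

```python
# Keyboard rows assumed for the example; the scheme shifts a letter along its own row.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Tiny stand-in for an English word list; enough to pick the right candidate out of nine.
COMMON_WORDS = {"the", "and", "to", "of", "you", "that", "for", "are", "with"}


def keyboard_shift(text, shift):
    """'Encrypt' (or, with a negative shift, decrypt) by moving each letter `shift` keys
    along its keyboard row, wrapping at the row end. Non-letters pass through; case is kept."""
    out = []
    for ch in text:
        low = ch.lower()
        for row in ROWS:
            if low in row:
                new = row[(row.index(low) + shift) % len(row)]
                out.append(new.upper() if ch.isupper() else new)
                break
        else:                       # not a letter on any row
            out.append(ch)
    return "".join(out)


def english_score(text):
    """Count words that appear in the common-word list; higher means more English-looking."""
    words = (w.strip(".,;:!?\"'") for w in text.lower().split())
    return sum(w in COMMON_WORDS for w in words)


def crack(ciphertext):
    """There is no key, only a shift of at most (row length - 1). Try them all and keep
    the candidate that scores best. Returns (shift, recovered_plaintext)."""
    candidates = {s: keyboard_shift(ciphertext, -s) for s in range(1, max(map(len, ROWS)))}
    best = max(candidates, key=lambda s: english_score(candidates[s]))
    return best, candidates[best]


if __name__ == "__main__":
    plaintext = "time to bury the password and make the users the key"   # constructed sample
    ciphertext = keyboard_shift(plaintext, 1)
    print("ciphertext:", ciphertext)
    print("cracked   :", crack(ciphertext))
```

Nine guesses and a word count are all it takes; the "encryption" adds nothing that a casual reader of the USB stick could not undo, which is the difference between obfuscation and a keyed cipher.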

Next time, watch out for our article on the top controls you can implement in your company to keep your portable data secure.

Can you CRISC?

Making sense of ISACA's growing stable of qualifications is an increasingly complex task. But is the new CRISC qualification right for you? My general view is that building better core qualifications would be a better strategy for the association, but that doesn't mean the new additions have no value on a CV - on the contrary, even the recent entries can help set you apart from the competition.

IT audit is an unusual profession, in that there is no one industry qualification that's right for everyone - the field is just too wide.

Here's the rub: ISACA now has four closely related qualifications:

  • CISA (Certified Information Systems Auditor), for auditors
  • CISM (Certified Information Security Manager), for managers

Riskmonkey didn't really see much of a gap between those two, if they were developed to their potential. ISACA's eagle-eyed experts clearly did though, which led to the creation of...

  • CGEIT (Certified in the Governance of Enterprise IT), for governance
  • CRISC (Certified in Risk and Information Systems Control), for risk

I have no real problem with CGEIT, except that it really ought to be a required part of CISA and CISM - how can you be a competent IT auditor or security manager if you don't understand IT governance? CGEIT really just shows up the weakness of those qualifications.

CRISC, however, is another question. ISACA says "CRISC is designed for IT professionals with experience in risk identification, response and monitoring; and IS control design, implementation, monitoring and maintenance".

I struggle to separate these skills and experiences from those that would be expected of any good IT auditor or manager - in effect, CRISC seems to add little to the CISA or CISM qualification. Risk is a core part of those qualifications in a way that governance, as covered by CGEIT, is not.

As such, it seems to be a qualification suited to auditors and managers alike. Certainly, ISACA seem to be going for the widest possible audience, requiring experience in wide-ranging fields that would cover practically anyone who reads this web site. The target audience, "professionals who are engaged at an operational level to mitigate risk", doesn't even imply knowing how to turn on a computer, so if you're a policy wonk this qualification could work for you. Indeed, it would seem to cover absolutely anyone with a professional job of any kind, in any field, for any employer. Perhaps, then, that is the qualification's potential strength: it doesn't pigeon-hole you into a role.

It does, however, demonstrate an understanding of risk in an IT-centric environment, something that should be a critical skill for any IT manager, auditor, consultant or business advisor. It could therefore add value to anyone from a network infrastructure manager to a high-street accountant, as long as they have the right skill set.

And therein lies the mystery - as the exam has not yet been sat, we just don't know how rigorous it will be. We do know, however, where it will focus, namely on:

  • Risk identification, assessment and evaluation
  • Risk response
  • Risk monitoring
  • IS control design and implementation
  • IS control monitoring and maintenance

This is clearly spelt out by ISACA, and whilst all this is relevant to CISA and CISM (indeed should be at the core of it), the risk focus is not as strong as it could be in those qualifications and the questions will presumably have to be different to reflect the change in perspective, and a focus on operational response to risk.

Riskmonkey therefore sees four types of professional for whom CRISC might be particularly useful:

  • People who want to do CISA or CISM, but whose experience doesn't meet ISACA's requirements for those qualifications
  • People who have done CISA or CISM, but want to demonstrate a wider perspective that is not constrained to auditing or security management.
  • IT managers who want to demonstrate a risk focus, but do not want the 'auditor' or 'infosec' label
  • People who want to move out of an IT security environment towards a more general risk focused role

Ultimately though, whether a qualification is right for you depends on what you want to achieve. As Urs Fischer, the Chair of ISACA's CRISC Certification Committee, points out, "each one of ISACA's four credentials sets professionals on unique and desirable career paths: Chief Audit Executive (CISA), Chief Security Officer (CISM), Chief Risk Officer (CRISC) and Chief Information Officer (CGEIT)".

Can you CRISC? If seeing the risk, and knowing what to do about it and how, is your USP - CRISC might well be right for you.

Should I get CISSP certified?

The focus of CISSP is purely information security. Having said that, it's a big field. It's a demanding, well thought out and well managed certification that commands considerable respect, more so than CISA and CISM, and if you see it as a learning experience rather than a rubber stamp, you'll get a huge amount out of it.

How can I obtain a CISSP qualification?

You need to pass an exam and evidence 5 years of relevant experience, then get an endorsement. Sounds straightforward? Perhaps, but the exam is a six-hour marathon consisting of a vast array of intentionally confusing questions covering everything from the obvious to the extremely obscure. The field it covers - review the CBK or 'common body of knowledge' maintained by ISC2 - is vast and detailed.

There are lots of reasons not to do this exam. You can study for ages, but not know whether you know enough to pass. You can know everything, but not like their take on multiple choice questions - or you can just be a bit too slow. For some the biggest reason not to do it is the sheer length of the exam, for others the breadth of the syllabus. A few have complained that food and water was not available - I'm told this is better now. For others still, it's the fact that good people do fail - and sometimes less good people pass.

ISC2 really should look at splitting the syllabus into several 3-hour exams to do it justice. They should also review some of the slightly more unreasonable rules, which add nothing to its integrity.

All in all though, once you've done it you haven't proved you are an information security practitioner, but you have proved you know your stuff.

The exam is not impossible or unreasonable - if you know the material you could even say it's not particularly difficult - it just requires you to understand what you're doing, as well as know what you're doing. As it should, after all.

The experience is easier, if it takes a little longer - 5 years experience in information security, with 1 year off for a degree. There are no extra years off for other qualifications, but really - don't bother unless you've been doing something relevant for the last five years as you probably won't pass the exam anyway.

What does CISSP cover?

The syllabus is governed by the ISC2 CISSP CBK - it's a lot of letters to describe a lot of content, and pretty comprehensive. If you're a business policy wonk, be prepared to understand the underlying principles of networking and cryptography. If you're a network monkey, be prepared to understand business, governance and risk.

The areas covered are:

  • Access Control
  • Application Development Security
  • Business Continuity and Disaster Recovery Planning
  • Cryptography
  • Information Security Governance and Risk Management
  • Legal, Regulations, Investigations and Compliance
  • Operations Security
  • Physical (Environmental) Security
  • Security Architecture and Design
  • Telecommunications and Network Security

What does CISSP cost?

The exam is around $400 (assuming you enrol well in advance), but the main cost is training. Unless you're supremely confident (or just enjoy resitting exams) it's definitely worth investing in a training course. Don't accept anything under 5 days, and be sure to do the homework - a course that long can't possibly teach you everything you need to know, so see it as a revision course and read around the syllabus in your weaker areas beforehand.

Be prepared also for travel costs unless you live in a capital city or US state capital, and keep an eye on exam dates as they often get booked up well in advance. You could do a lot worse than to sign up for a course that ends with the exam - the knowledge will be fresh, even though you might be tired! As for the cost of the course, expect to pay between £200 ($300) and £400 ($600) a day in fees for most courses, plus VAT or sales tax, along with accommodation and travel costs. To a large extent you get what you pay for, but do your research and ask for referrals from friends or colleagues for course providers and specific tutors - it makes a big difference to how much you learn.

How long will CISSP take?

It varies depending on you and the time you have, but allow at least 3 months from registration to sitting the exam and allocate some time each week to go through each area of the syllabus. If you have IT audit experience, good IT knowledge and a strong background in business, a one-week training course followed by the exam may be enough - but you'll be lucky. If there are gaps in your knowledge or you're relatively new to the profession (less than 5 years' proper experience leading audits or managing an information security team), you will need more time and might want to consider doing something like CISA or CISM first. You will want to take relevant courses, read up in weak areas, and spend a few months preparing for the exam. If you're weaker in one area it might be worth doing a course in that area first, or trying to get some on-the-job experience that covers it, to make it easier to understand where the examiners are coming from.

Add several months if you have to resit. If you've done a six hour exam once, you definitely won't want to do it three times.

Do I get letters after my name?

Yes, you can use the letters CISSP, as long as you keep your certification up to date. The letters are worth a fair bit on the recruitment market, particularly combined with CISA for auditors, or good technical or business qualifications. Just don't use them to convince another infosec pro that you know what you're talking about.

Do I need to do CPD to retain my CISSP qualification?

Yes. You need 120 CPD points over three years, and at least 20 each year. It's quite a lot, and for the privilege of doing this you get to pay an annual $85 fee. However as the alternative is to resit the exam, I'd recommend the CPD option - strongly.

Is CISSP appropriate for me?

Yes, if you're an experienced professional looking to demonstrate competence and plug any gaps in your knowledge - CISSP is the one 'must have' IT security qualification, and everyone will learn something by doing it.

No, though, if you're new to Information Security, even if you already have some IT experience. It's the closest there is to a gold standard, but it's not easy for beginners. If you're new to Information Security or IT audit or looking to move in that direction from a relevant IT or operational audit field, forget CISSP for now and look at CISA or CISM as a qualification you can do straight away. CISSP just doesn't make sense without experience.

How do I get started with a CISSP certification?

Visit the CISSP pages on the ISC2 web site and sign up.

Should I take a course, and where can I do it?

There are plenty of options, it's now very popular. You can study on line, or you can do a one week course that leads up to the exam on the final day. Find out about my experience of CISSP training here.

webmail: enterprise security disaster?

Hosted applications are revolutionising the world. The way forward is remotely hosted applications, accessible from anywhere. Or even locally hosted applications accessible from anywhere. There is a touch of hyperbole (and perhaps a bit of bandwagon-jumping) to this statement, although on balance Riskmonkey agrees. Riskmonkey.net is a devotee of Google Apps, web hosting in shared data centres, and yes - you've guessed it - WordPress. The bottom line is, there is no point doing something yourself if someone else can do it (or has already done it) much better and at a lower cost. RM is sitting in a coffee shop on a Sunday afternoon typing into a web site hosted in Sheffield and using email hosted in the United States, over 3G provided by a German company's British subsidiary. Putting to one side for now the data protection issues (perhaps a subject for a future post), the security problem here is the word 'anywhere'.

My email, my web site, my documents - all accessible from any computer or mobile device anywhere in the world. Public library computer, airport lounge terminal, railway station hot-spot, android mobile or iPhone, hotel reception or space station(1) - no problem. Therein lies the problem.


When applications are available anywhere so is data, and the main culprit in most organisations is email. Specifically tools such as the rightly maligned Microsoft Outlook Web Access, but Google Apps carries exactly the same risk: as you no longer control the access device, any data accessed may be cached or downloaded to the local machine. Once there, you have no way of detecting it, controlling it, or removing it.

What can you do about it? Unfortunately, the answer is often not as much as you need to if you wish to adequately address the risk. High risk organisations - those with lots of personal data in circulation - should simply ban it outright or restrict it to use over a corporate VPN.

For others, assuming you are satisfied with the security of the application itself and the data in transit between the webmail interface and the supporting Microsoft Exchange server or mail server (and if you've implemented it, you ought to be!):

Here are our top 12 actions you can take to limit the risk of data being transferred to an uncontrolled local machine or network via your web based email solution:

  1. Restrict by IP address. If you know where people need access (and there is a static IP address for those locations), tie down access to pre-approved IP addresses.
  2. Prohibit file download via webmail to any client not on the corporate network (if your solution allows for this).
  3. Provide staff with privacy screens that restrict the angle from which a laptop display can be read.
  4. Prohibit access via known public access points (such as BT Openzone) and unsecured wifi connections.
  5. Restrict access from abroad using IP address - not perfect, but if your staff never go further abroad than the next county, they don't need access from Thailand or India.
  6. Provide preferred alternatives, such as controlled BlackBerry devices.
  7. Subject webmail to higher levels of monitoring and lower attachment limits.
  8. Restrict access to webmail to users with a requirement for it. Outlook Web Access, for example, can be granted on an individual or AD-group basis.
  9. Establish a documented approval process for staff requesting access, including a requirement for staff to sign to say they understand they are responsible for how they use the service.
  10. Introduce mandatory training, for example a CBT, for staff using webmail. This could cover all aspects of security - access in public areas, avoiding CCTV, risks of shoulder-surfing, not storing emails or attachments on the local machine, and not uploading files from the local machine.
  11. Keep detailed logs, including attempts to download files or large volumes of email, and let staff know logs and usage are closely monitored.
  12. Remove access promptly when no longer required, and audit usage every 3 months to check it is being used. Remove the permission if it is not.
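Items 1, 5, 7 and 11 of the list above amount to a detection rule set, and the following added example (not from the original post, and not any vendor's feature) shows what it looks like run over webmail access logs: logins from outside the approved address ranges, attachments over the reduced limit, and one user pulling down a large number of files in a short window. The log format, the approved ranges and the thresholds are assumptions of the example, and the log lines are constructed for it.

```python
import ipaddress
from collections import Counter

# Assumed policy values (hypothetical): office and VPN egress ranges, size and volume limits.
APPROVED_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.10/32")]
ATTACHMENT_LIMIT_BYTES = 5_000_000   # lower than the desktop mail client would allow
BULK_DOWNLOAD_THRESHOLD = 5          # downloads by one user within the log window

# Constructed sample webmail access log (not real data): timestamp,user,source_ip,action,bytes
SAMPLE_LOG = """\
2010-09-05T09:01:12Z,asmith,198.51.100.23,login,0
2010-09-05T09:02:40Z,asmith,198.51.100.23,download,120000
2010-09-05T11:15:03Z,bjones,192.0.2.77,login,0
2010-09-05T11:15:30Z,bjones,192.0.2.77,download,8400000
2010-09-05T11:16:01Z,bjones,192.0.2.77,download,150000
2010-09-05T11:16:20Z,bjones,192.0.2.77,download,150000
2010-09-05T11:16:45Z,bjones,192.0.2.77,download,150000
2010-09-05T11:17:02Z,bjones,192.0.2.77,download,150000
2010-09-05T11:17:30Z,bjones,192.0.2.77,download,150000
2010-09-05T13:00:00Z,cwhite,203.0.113.10,login,0
"""


def parse_log(text):
    """Parse the comma-separated format assumed above into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action, size = line.split(",")
        events.append({"ts": ts, "user": user, "ip": ip, "action": action, "bytes": int(size)})
    return events


def is_approved(ip_str):
    """True if the source address falls inside a pre-approved range (items 1 and 5)."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in APPROVED_RANGES)


def find_alerts(events):
    """Return (user, reason) tuples for logins from unapproved addresses, oversize
    attachments and bulk downloads (items 5, 7 and 11)."""
    alerts = []
    downloads = Counter()
    for e in events:
        if e["action"] == "login" and not is_approved(e["ip"]):
            alerts.append((e["user"], f"login from unapproved address {e['ip']}"))
        elif e["action"] == "download":
            downloads[e["user"]] += 1
            if e["bytes"] > ATTACHMENT_LIMIT_BYTES:
                alerts.append((e["user"], f"attachment of {e['bytes']} bytes exceeds limit"))
    # Volume check runs after the pass so it counts the whole window, not a running total.
    for user, n in downloads.items():
        if n >= BULK_DOWNLOAD_THRESHOLD:
            alerts.append((user, f"{n} downloads in one window (possible bulk extraction)"))
    return alerts


if __name__ == "__main__":
    for user, reason in find_alerts(parse_log(SAMPLE_LOG)):
        print(f"ALERT {user}: {reason}")
```

On the sample data only bjones trips the rules, three times over; in practice the IP check belongs at the gateway as a block rather than an alert, and the volume threshold needs tuning against a baseline of normal use before anyone is phoned about it.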

Some of the risks are none too obvious but are still potentially critical flaws. For example, if you monitor email traffic you may pick up on an email being sent with a suspect attachment, or at least have logs to refer to should you need to investigate an incident. You might not, however, pick up a data file being saved into the 'drafts' folder of a user's mailbox in the office and later downloaded from that folder via webmail to a computer outside the control of the corporate network - just one easy way for malicious users to bypass corporate network security and email monitoring controls and extract restricted data.

Even after all this, though, there really is no security guarantee with remotely accessible email unless it is accessed via a VPN or remote-desktop solution such as Citrix - which means that Riskmonkey's preferred solution is still to allow access to email only via approved devices.


(1) Riskmonkey has never actually written a post from a space station, but would be happy to try if anyone is offering a free ride to the ISS.

Credit card processing with an external payment gateway: Riskier than you think?

These days it seems businesses will do almost anything to escape the rigours of PCI-DSS (the Payment Card Industry Data Security Standard), which infects the operations of any organisation daring to process payment by credit or debit card. Got customers who want to pay? Try cash and carrier pigeons, it's easier. Got customers who don't want to pay? Take them to court, it's quicker. OK, so Riskmonkey is getting a little carried away again, but it's fair to say that PCI-DSS is not the most flexible or accommodating standard in circulation, and there is simply no way round it if you want to take card payments. This is understandable though - the security risks involved are extreme. A single weakness in your IT infrastructure could be enough to expose details on your entire customer base for identity theft or just plain old theft of cash. Given the rectification costs in the event of a data security incident, and the fact that if you are a big company hackers will target you for card details, even PCI-DSS compliance can seem like a bargain.

However, it's understandable that many companies, particularly those with under 20,000 transactions a year who qualify for the lowest level of supervision under PCI-DSS, try to avoid the cost entirely. This is a reasonable course of action, and if you never store card details yourself but hand the entire task over to a PCI-DSS compliant payment gateway you may have to do nothing more than the fairly minimal SAQ A self-assessment questionnaire.

However, that doesn't mean you can sleep easy knowing customer card data is secure, as there may still be a number of crucial weaknesses in your data security controls.

For example, how does data get on to the third party system in the first place?

  • If your staff or customers write down the details, for example on an application form, you're already storing card data, even if it is only temporarily and the data is subsequently destroyed.
  • Your staff will be handling the payment details. How do you know they will not make copies or use the details for unauthorised transactions? Proper training, vetting, and supervision are still required.
  • Is there a delay between receiving the payment details and processing the transaction? If so, where are the details stored? If on a computer, you're into electronic storage and your systems immediately fall fully within the remit of PCI-DSS. If on paper, are they held by remote workers or sales staff, in a shopping mall, in a briefcase in a car boot, or in your incoming post which is opened in reception and circulated in the internal mail? All this creates risk that needs to be managed and controlled. To give some examples: if your remote sales team drive to clients, ban them from keeping their case in their car overnight; if details are held on laptops, they should be fully encrypted at an absolute minimum.
  • What facilities does your payment gateway provide? Assuming we're processing the card payments using a web interface, the company will probably also provide online reporting functionality. If so, how much information does this provide on your customers and transactions, and who has access?
  • Who has access to the payments interface anyway? If it isn't controlled by your network security, ask yourself whether your staff leavers and staff changes procedures ensure that access is removed in a timely manner.
  • Does the payment gateway integrate with other systems, even if only to transfer general customer and order details? If so, is that data transfer secure and is the information held securely in the destination system?

Finally, don't forget that even if you've ticked all the boxes and you're storing no data, you still need to talk to your payment gateway and merchant account provider about your PCI-DSS self assessment questionnaire.

What are the risks in your data warehouse?

Increasingly companies are storing data for retrieval in dedicated 'data warehouses' - large structured data storage systems from which information can quickly and easily be retrieved for reporting. However, putting all your confidential information in one place comes with risks.

Here are some of the top risk areas to consider with your data warehouse:

Data inputs

  • How do you know that all the data you need is being stored?
  • Have you tested that it is being stored correctly, without any loss of integrity?
  • What is the process for inputting data?
  • Are automatic links with data sources properly configured, documented, secured and monitored?
  • Do you have a data classification policy, and if so is it applied to data entering the data warehouse?

Data outputs

  • Is data exported from the warehouse to other applications, for example for reporting?
  • If so, is the data secure in these applications?
  • What happens to the output, and is it transmitted and stored securely?
  • How do you know that only authorised recipients are able to obtain the output?
  • How do you know the right recipients receive the right information - and nothing more?
  • How do you know outputs are accurate?
  • Are reporting jobs run at optimal times to maintain good system performance and provide accurate, timely information?

System security

  • Have user access rights been determined and documented?
  • Are these rights appropriate?
  • Are they based on roles, for example through Active Directory groups (easier to control), or individual user permissions (pretty much impossible to control)?
  • Are administrator and super-user accounts carefully controlled and audited?
  • How is data segregated in the database - for example by client or department?
  • Is the supporting database appropriately configured and hardened for maximum security?
  • Is access to data restricted according to its sensitivity?
  • Are backups maintained in a secure location, and is access to them restricted?


  • Do you have sufficient people to manage, monitor and maintain the data warehouse and supporting systems and infrastructure?
  • Are they appropriately trained?
  • Does your system have sufficient capacity as the amount of stored data grows?
  • Will performance and availability continue to be satisfactory as usage and reliance on it increases?

Is your document archive storage secure?

It's all very well to keep digital backups secure, but are your paper files exposed when no longer actively required? Here's a quick checklist to help you find out if you're exposed to archive storage risks:

Policy & procedures

  • Do you have a document retention policy that spells out how long documents should be retained?
  • Do you have documented procedures in each department for archiving of documents not actively required?
  • Do you have a documented process in place for selecting files for disposal at the end of their life?
  • Is there a process in place for verifying compliance?
  • Are the policies and procedures regularly communicated?
  • Has a risk assessment been carried out, and subjected to regular review?

Document management

  • Are records kept of retained documents?
  • Would it be easy to locate a document if required to do so, for example to fulfil an operational requirement, a Data Protection Act subject access request, or a legal order?
  • Is it clear who is responsible for documents and for maintaining records?

Physical security

  • Is the archive in a suitable location, not accessible or visible to the public?
  • Is access demonstrably restricted to current staff?
  • Is access monitored to ensure documents are deposited - do you review access records for unusual trends, for example if one department deposits fewer files than expected?
  • Are document retrievals logged to record who has obtained them?
  • Are checks carried out on retrieved documents to check if they are still in use or should be returned to the archive?
  • Are staff involved in the archiving and storage process trained and vetted?
  • If off-site, are documents transported to and from the facility in a secure manner, and are records kept of transfers?

Contract management

  • Do you outsource archive storage? If so:
  • Is there a written contract, and is it current?
  • Has a due diligence exercise been carried out and references or accreditations verified?
  • Does it impose a strong duty of confidentiality, with appropriate penalties?
  • Does it state the security provisions the contractor must have in place?
  • Are procedures and authorisations agreed and documented for document retrieval?
  • Has a site visit been carried out to validate procedures and controls?

End of life disposal

Eventually you will want to dispose of archived documents. Are you exposed to any of the risks of document disposal identified in this article - "Why secure data disposal isn't always secure - and what you can do about it?"

Why secure data disposal isn't always secure - and what you can do about it

Most organisations with more staff than this monkey has fingers will have made provision for secure disposal of confidential paper documents and - hopefully - data storage media as well. Usually, this involves passing the documents and disks to a trusted third party contractor for shredding, incineration, or whatever means of secure destruction takes your fancy.

Here we highlight why this may leave gaping holes in your information security provisions and leave hard copy data in dangerous hands.

XYZ Plc had built their reputation on the excellent service they provide to their customers. They know trust is the key to maintaining this relationship and thereby their competitive advantage. Understandably, Managing Director John Smith Jr. was concerned about the security of the business documents they get rid of every day. He installed confidential waste bins in every department and instructed staff to use them. Each day, the waste was collected in special sacks and taken to the basement for collection. At the end of the week the sacks were collected by a contracted firm who provided a certificate of secure disposal.

One day, a list of direct debits containing the names and bank details of all their customers is found for sale on the internet and is picked up by a national newspaper. Their reputation is in tatters and they are facing a potential £500,000 fine from the Information Commissioner, as well as costs of around £60 per record in damage limitation and rectification. The Managing Director finds his job on the line. To keep it, he needs to establish what went wrong.

Unfortunately, even after a thorough investigation it's unlikely he will ever find out - there are just too many weaknesses in this system of control. Some of the failings that might accompany the investigators' report and Mr Smith Jr's dismissal could well include:

  • Not enough bins were installed, resulting in staff putting documents in the general waste on a regular basis. Why weren't the bins emptied more often, or more bins installed?
  • The bins were not in the right locations, many were further away from printers and desks than general waste bins. Why wasn't there a confidential waste bin for every general waste bin?
  • Staff had been told to use the new bins when they were brought in, but there were no reminders. Why were new staff not advised of procedures? Why did it not feature in the annual CBT test given to staff?
  • The company had conducted a risk assessment which covered data disposal, but not all departments had been involved. Members of the finance team did not think that finance reports counted as customer data - it had just never occurred to them to consider it. Why hadn't all departments been asked to identify data security risks in their business processes?
  • Staff did not understand the reason why secure disposal was important. As a result, they didn't pay too much attention. Why weren't staff informed that leaking confidential information would result in disciplinary proceedings, or told about the problems it could cause for customer relationships, sales, and therefore salaries?
  • The bins were collected daily, and left in the basement next to an unlocked and unmonitored door often used for deliveries. Why were confidential documents not stored securely pending disposal? Why weren't they in a locked room or cage with limited access? And why was the entrance not locked with a keypad or similar device?
  • There was no contract with the disposal company, so even if the loss had been proven to be their responsibility it would have been very hard to seek damages. Surely a contract should have been agreed - with a suitable confidentiality/non-disclosure agreement?
  • The company operated a clear desk policy, but there were no records as to when this was last checked. Investigators found that, whilst customer service departments were clean, large amounts of paperwork were left on desks in support departments. Why was the policy not better communicated, enforced, and compliance checked regularly and across all departments dealing with customer data?
  • The contractors often arrived late, in which case the caretaker would leave the sacks outside for collection. Why were they allowed to come outside scheduled hours, and why did the caretaker not know better than to leave the sacks outside for anyone to collect? Why did line management not know to intervene? Why did no-one check procedures were being followed or check the collection records?
  • The contracted company had lax procedures as a result of under-staffing. This was caused by financial problems. Why had no risk assessment or due diligence exercise been carried out?
  • XYZ Plc was unable to prove that documents had been disposed of securely at that time, as disposal certificates were not retained, no records were kept of bin emptying, and procedures had not been documented for the caretakers who emptied them. Why not?
  • The company had conducted background checks on high-risk staff but this had not included caretakers and cleaners, as they were considered to be low risk. Subsequent checks found one of the cleaners who worked out of hours was an undischarged bankrupt, and one of the caretakers had a prior conviction for theft. Employer references could not be traced for two further staff. Why had they not checked references, credit histories and criminal records? Why had these risks not been recognised?
  • A visit to the contractor noted a number of significant weaknesses in their procedures, which meant they could not be sure that all documents had been properly shredded. Why was no site visit undertaken to confirm the contractor was doing everything expected of them?

Could any of this happen to you? Only one of these weaknesses would be enough to compromise your security. Why not compare this list to your company's document disposal process or your audit programme?

Top ten tips for controlling IT Procurement

Riskmonkey audited a procurement project last week. Unfortunately, things hadn't gone very well - the system met the specification but just wasn't welcomed by the IT department, which refused to support it. Here are ten things they could have done differently to avoid the problem and make the IT procurement exercise a success - are they in your audit programme?

1.    Define the non-functional requirements, as well as the functional ones.

What systems does it need to be compatible with? What organisational policies must it comply with? There's no point buying a system that requires SQL Server 2008 when IT are only using 2003 - or even worse, buying Microsoft when your organisation runs Linux. You don't want a system that enforces six-character passwords when your information security policy requires 8 characters. Databases may be all the same to marketing, but they are not in IT.

2.    Identify how it will be managed, not just who will set it up.

IT weren't happy to be told they would have to manage access rights for hundreds of users of an application that wouldn't integrate with Microsoft's Active Directory, which they used for network and application authentication. In the end, an expensive third party utility had to be procured to sync the two sets of permissions. This is easily avoided by explaining up front who will have to manage access rights, do the backups, maintain user profiles, undertake upgrades - and of course manage the operational aspects of the application. Then involve them in the project, and wait for them to say 'hold on a minute, we're not doing that....'

3.    Involve people from the start

So you need a new HR database. That doesn't mean HR should go and buy it then pass IT the disk. It means HR need to consult with the key operational departments they will be reliant on - IT Technical Services, Information Security, Datacentre Operations - as well as legal services, compliance, and perhaps even audit. That way you can get everyone's requirements up front and eliminate solutions that don't meet them. If nothing then fits the bill, it's time to rethink - but better to know now than later.

4.    Establish and communicate technical guidelines

You can't expect operational departments to comply with policies and guidance that don't exist. Do you have clear, established policies and guidelines for IT roll-outs? Most systems involve - at a minimum - an application and a database. This means that all network, system, database and application risks and policies are relevant. Do you have a standard configuration for operating systems or databases? Do you have security standards that prohibit the use of certain Windows services - if so, does the proposed solution use them? Does the application need to be run from a system admin account, or have a large number of stored procedures that need the public role? Do your standards allow this? There may be good reasons why not. Best to get this clear up front - for example, with a questionnaire to be filled in by the supplier, or by the procuring department in conjunction with IT.

5.    Get the support right

Who is going to configure the solution? Who will support it? If this is in-house, do you have the skills and the time, and does the supporting department understand its role and the commitment that entails? What happens when something goes wrong? How often are upgrades, and how involved is the upgrade process? How much testing will be required? If you're getting support from the third party, will they need access to your network and systems? How will this be controlled and managed? How will you monitor access and restrict access to other systems? Are you confident the third party has the skills and the resource, and do you have a contract - including data protection and confidentiality?

6.    Think about the data

Who will have access to your data? What data is involved? Think about whether you will need to supply data to a third party for testing or installation, or whether they will be on-site (which can pose its own risks - such as visitor access to data centres). How does the solution ensure data integrity, how can data be backed up, retrieved, and shared with other systems? Is the format open or proprietary? Getting it wrong can impose big costs down the road.

7.    Right to audit

In many cases, the third party will be providing an outsourced process or storing and processing data on your behalf. Do you have a right to audit their operations and visit their site to check their operating procedures, processes and controls? Who will do this, and do you have the time and resource? If not, are you prepared to take the risk that they may let you - and your customers - down?

8.    Location

Is the supplier local? If they are abroad and processing your data, in Europe you will need to make sure this is reflected in your DPA registration or equivalent. Does it affect your customer contracts? Are there political or economic risks that would not normally apply? Do you understand the legal risks - and are your lawyers qualified to comment on and understand the implications of the contract?

9.    Lifetime cost and sustainability

Buying it costs £70,000. The procurement project is 54 days, which you've added up to £13,500. The hardware is £14,000. The cost is NOT £95,500 - it's much more. Have you considered the cost of the additional network bandwidth, data centre capacity, management time, administration time, audit resource, security costs, user management, upgrades, ongoing licence fees, and support? How long do you expect the solution to last, and is that realistic - when do you need to budget for replacement? Will the supplier still be there in five or ten years' time? If it's based on obsolete technology, will people still understand the code it's based on a decade from now? Remember the year 2000 problem, which only came about because systems operated longer than expected. Then remember that the life of an average web site or application is under three years. Are your expectations reasonable and prudent?

10.    Understand the risks

It sounds obvious, but whilst you may do risk assessments for corporate projects, do you do risk assessments for suppliers and procurement exercises? Do you monitor critical suppliers and have a reserve if they let you down?

8,000 medical records lost - as yet another NHS trust fails to secure data on USB memory sticks

The Information Commissioner's Office (ICO) has found Lampeter Medical Practice to be in breach of the Data Protection Act, after an unencrypted memory stick containing the personal details of 8,000 patients was reported lost to the privacy watchdog.

Time for an article on securing portable media, I think. Will have to send it to Lampeter - along with most of the NHS.

Read more at ICO Press Releases | Regulatory Updates from Riskmonkey.net

A third of UK data breaches are due to theft

According to records from the Information Commissioner's Office, a third of reported data breaches are accounted for by thefts - with a third of these being from the NHS.

What hits us about this chart is not the (unremarkable) level of breaches - after all, these are only the reported ones - but the high number that would have been preventable with effective internal control.

One has to wonder just what all those auditors and audit committees are doing - and why management clearly haven't woken up to the risk.

The giant NHS data spine will make this risk massively worse, with the threat of complete disclosure of all medical records becoming a feasible 'worst case scenario'. Time for NHS managers to wake up.

ISACA: get a CRISC qualification without an exam

UPDATE 28/8/10: Read our full review of CRISC here.

Professionals with eight or more years of IT and business experience can now apply for ISACA's new Certified in Risk and Information Systems Control (CRISC) designation - without taking an exam - under yet another grandfathering program. The program, which opened today, is designed to recognize professionals who are highly experienced - but will it do this, or will it be yet another surplus qualification?

Maybe ISACA should put its emphasis on improving its core CISA and CISM qualifications instead of introducing confusing new ones?