Saturday, January 26, 2008

And yet another bad office day

A woman mistakenly thinking she was about to be fired allegedly took revenge on her employer by going into the office late one evening and deleting data files worth $2.5m. Although the deleted data were later retrieved (whether from backups or by 'undeleting' them is not stated), the potential remains for trusted insiders with access to corporate IT assets to cause enormously costly damage by sabotage.

Deliberate or accidental sabotage by backup operators is a tough threat to control. Backup operators have both physical and logical access to servers and their data, often work unsupervised out-of-hours, and are mostly relatively junior staff. Trust is the primary control, though many would argue that it is no control at all, merely blind faith in many cases. The risks can be reduced by various security control measures, such as:
- Alternating backup operators
- Combining on- and off-site backups
- Tightly controlling physical access to backup storage and especially archives
- Closer management supervision and/or physical monitoring of trusted employees working in the data center
- Better training and automation of backup processes, reducing the need to give backup ops unrestricted logical access to data
- Better HR processes for monitoring employees in such trusted positions and more respect for the valuable jobs they perform.


Thursday, January 24, 2008

New IT security standards for US electricity industry

FERC, the Federal Energy Regulatory Commission, has approved eight new mandatory critical infrastructure protection (CIP) reliability standards developed by NERC, the North American Electric Reliability Corporation, covering:
- Critical cyber asset identification (NERC standard CIP-002) - essentially inventory and risk assessment of critical information assets;
- Security management controls (CIP-003) - security policy and management structure, exceptions process etc.;
- Personnel and training (CIP-004) - personnel risk assessment, training and, of course, security awareness;
- Electronic security perimeters (CIP-005) - a 'crunchy outer shell' for networks;
- Physical security of critical cyber assets (CIP-006) - physical perimeter controls, card locks, processes, visitor logs etc.;
- Systems security management (CIP-007) - security testing and patching, controlled network services, antivirus, security monitoring and various other IT security controls including, I note, minimum 6 alphanumeric+punctuation character passwords with a lifetime of up to one year (!);
- Incident reporting and response planning (CIP-008) - an annually-reviewed incident response plan; and
- Recovery plans for critical cyber assets (CIP-009) - DR plans with at least annual exercises.

For completeness, CIP-001 covers sabotage reporting, the critical infrastructure equivalent of SB-1386 and similar requirements to report unauthorized credit card or personal data disclosures.

FERC's IT security standards are stronger than mere recommendations and will probably become fully mandatory when get-out clauses relating to business judgement are removed. In-scope companies should all have started work on this by now and have to be fully compliant by mid-2008 or mid-2009 depending on the type of company and the specific standards.

FERC did not go as far as to mandate NIST's SP800-series security standards, however, excellent though they are, nor indeed international standards such as ISO/IEC 27002. The stated reason was not to delay implementation. While I applaud their haste to beef up infrastructure security, it's a shame to ignore the large existing body of work on information security from the likes of NIST, ANSI, BSI, ISO, IEC and others. Arguably there is a need for specific security standards covering SCADA (Supervisory Control And Data Acquisition) systems, but the electricity industry is not pure SCADA by a long shot: there are conventional systems, many running Microsoft Windows and various UNIX/Linux variants, and TCP/IP networks all over the place, and security architecture, operations and management issues are basically the same as for any other industry. [I guess adopting existing standards would put a posse of electricity industry security consultants out of jobs but IMHO they are better deployed implementing security standards than creating new ones.]

Looking over the list of bullets above, it is not hard to align FERC's advice with ISO/IEC 27002 ... whereupon gaps such as compliance stand out. FERC evidently intends to assess or audit the utilities' security against the standards but there's more to compliance than formal assessments/audits. Electricity companies should have suitable governance structures and processes in place to ensure compliance with their internal security requirements (policies, standards, guidelines and procedures) and with legal obligations unrelated to FERC (e.g. software license compliance plus other intellectual property issues, SOX and protection of Personally Identifiable Information) along with compliance by their suppliers and business partners. There are solid commercial drivers for information security in the electricity industry, quite separate from the critical infrastructure protection angle. Surely FERC could leverage this to their advantage?

The standard on DR is also notable for the absence of any advice on contingency planning and business continuity. I would have thought that 'keeping the lights on' is absolutely the number 1 top priority for the electricity industry, therefore resilience is more important than recovery. Perhaps this is so ingrained that it is taken as read but I'm surprised by the omission.

By the way, I also couldn't help but notice that "Facilities regulated by the U.S. Nuclear Regulatory Commission or the Canadian Nuclear Safety Commission" are explicitly excluded from the scope of the standards. I trust the nukes have their own, strong, rigorous, comprehensive cyber security standards ... they do, don't they?


Sunday, December 30, 2007

Top information security risks for 2008

We have completed and published our collaborative white paper listing the top information security threats, vulnerabilities and impacts, along with some risk scenarios and controls, as we head towards the new year.

My sincere thanks are due to all who participated in the project, contributing directly to the shared document on Google Docs or commenting on it through the fora. I suspect there are still several points of disagreement but I hope we are all reasonably happy with the end result. I have certainly enjoyed the process and value the discussion.


Thursday, December 06, 2007

Info for SysAdmins/Infosec Managers on WPAD

A new Microsoft Advisory gives further details of the WPAD (Web Proxy Auto-Discovery) vulnerability recently disclosed at Kiwicon, New Zealand's first hacker conference.

The vulnerability relates to the way that Windows systems set to autoconfigure their web proxy settings go looking for the configuration file. If they don't find one on the local network, they walk up the DNS tree and, under some circumstances, end up looking for a host called wpad.co.nz or wpad.co.uk or whatever. If some enterprising haxor has registered one of these domains, they have the ability to create and offer malicious proxy configuration files, and can subsequently control the way vulnerable machines access the Web.

Microsoft offers workarounds pending a proper fix of the wpad logic. Turning off wpad is one solution, though I'm not sure whether this can be configured for all machines in a domain using Group Policy, so it may require each machine to be configured. Similarly, there's a registry hack that needs to be applied on every machine. Another fix is to create a wpad server and offer a legitimate proxy config file ... but make sure it is a high-availability machine since a denial-of-service attack on it would presumably reopen Pandora's box.
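As an added illustration of the lookup behaviour described above (my own example, not code from the original post nor from Microsoft's advisory), the script below enumerates the wpad.* names a client would try as it walks up its DNS suffix and flags any that fall outside the domain your organisation actually controls. The walk-up stopping rule, the sample suffixes and the small public-suffix table are constructed assumptions for illustration; a real check should use the full Public Suffix List and the devolution level actually configured on your clients.

```python
"""
Added example (not from the original post or Microsoft's advisory):
enumerate the hostnames a WPAD-enabled Windows client would try as it
walks up its DNS suffix, and flag those outside the organisation's own
domain. The stopping rule, sample suffixes and PUBLIC_SUFFIXES table are
constructed assumptions; use the real Public Suffix List in practice.
"""

# Constructed sample of public suffixes: domains under which anyone may
# register a name such as wpad.co.nz. Not the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "nz", "co.nz", "uk", "co.uk"}


def wpad_candidates(dns_suffix: str) -> list[str]:
    """Return the wpad.* names produced by walking up the client's DNS suffix.

    For a suffix of corp.example.co.nz this yields wpad.corp.example.co.nz,
    wpad.example.co.nz and wpad.co.nz. Assumed stopping rule: never ask for
    wpad.<bare TLD>; a real client stops according to its devolution level.
    """
    labels = [part for part in dns_suffix.lower().strip(".").split(".") if part]
    names = []
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if "." not in parent:          # reached the bare TLD, stop
            break
        names.append(f"wpad.{parent}")
    return names


def within_domain(name: str, owned_domain: str) -> bool:
    """True if name equals owned_domain or is a subdomain of it."""
    name = name.lower().strip(".")
    owned_domain = owned_domain.lower().strip(".")
    return name == owned_domain or name.endswith("." + owned_domain)


def risky_wpad_names(dns_suffix: str, owned_domain: str) -> list[tuple[str, str]]:
    """Candidates the organisation does not control, each with a short reason.

    A candidate is risky when its parent domain lies outside owned_domain;
    if that parent is also a public suffix, the name is registerable by any
    third party, which is exactly the case the advisory describes.
    """
    findings = []
    for name in wpad_candidates(dns_suffix):
        parent = name[len("wpad."):]
        if within_domain(parent, owned_domain):
            continue
        reason = ("public suffix: registerable by anyone"
                  if parent in PUBLIC_SUFFIXES
                  else "outside owned domain")
        findings.append((name, reason))
    return findings


if __name__ == "__main__":
    # Constructed scenario: a client whose DNS suffix is corp.example.co.nz,
    # in an organisation that owns example.co.nz.
    for name in wpad_candidates("corp.example.co.nz"):
        print("client would try:", name)
    for name, reason in risky_wpad_names("corp.example.co.nz", "example.co.nz"):
        print("RISK:", name, "-", reason)
```

Any name reported as a risk is one whose proxy configuration file would be served by whoever owns that domain. Pointing the walk at a wpad host you control inside your own domain (the third workaround above) means the client never reaches those outside names; disabling autodiscovery removes the walk altogether.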

Good luck!


Monday, November 19, 2007

Singapore sling

Here's a sad tale of woe. A good friend of mine in Singapore is suddenly facing redundancy through absolutely no fault of her own. Her employer is simply cutting costs, slashing the workforce it seems without considering their employees' net value (i.e. business benefits created less salary and other expenses). What makes this really sad is that the organization in question is a bank that really ought to have a better idea of basic economics.

So, if anyone out there in Blogoland knows of Singapore-based/regional openings for a highly qualified and experienced IT auditor cum information security manager cum IT governance expert, and understands that value equation, do please get in touch with me (email Gary@isect.com). My friend has a CISSP (with the ISSMP concentration), CISM, CISA and 2 decades in the field with globally-renowned financial services companies. She is also one of the most gracious, friendly and genuinely committed individuals I know. It's hard to think of a better definition of "asset".


Wednesday, October 31, 2007

A virtuous circle for information security management

A blog describing Intel's 'defense in depth' approach to information security has a neat description of the 4 main phases:
(1) Prediction (essentially risk assessment);
(2) Prevention i.e. classic preventive security controls;
(3) Detection and monitoring for threats that evade, disable or bypass preventive controls; and
(4) Response and recovery - corrective controls, a last resort.

Add a pinch of continuous improvement to learn from every event, and there you have it. Sure beats ISO/IEC 27001's somewhat simplistic plan-do-check-act model!

[By the way, Intel, the 'defense in depth' concept also applies within any of those phases e.g. using multiple information sources to broaden and deepen the analysis of security vulnerabilities in phase 1, or combining real-time alerting with near-real-time log analysis in phase 3.]


Wednesday, October 17, 2007

New ISF standard released!

The Information Security Forum's Standard of Good Practice for Information Security has been updated and re-released just a few days ago. I have long admired the ISF standard for two key reasons:

1. It is well written, clearly laid out and eminently usable. As a user, I really like pragmatic standards!

2. It is free. If the ISO/IEC 27000 standards were free, I'm sure they would be even more popular and widely used than they are and the world would be a safer place. For organizations or individuals who are unwilling or unable to afford ISO27k, the ISF standard makes a good second choice ... along with the NIST SP 800 standards and a raft of others.

The 2007 version is a weighty 372 pages but is fluff-free. Each of the controls is simply and directly stated with very little in the way of explanation, context, justification or implementation guidance. That's great for those of us with sufficient experience to fill in the gaps for ourselves but could be a bit ambitious for those new to information security management.

I'm sure I'll be referring to the standard in our security awareness materials, though not as much as ISO27k.


Sunday, September 23, 2007

Windows security spec with free audit tool

The US Government's plan to use standardized Windows desktop environments has advantages for non-US Government entities also. The Federal Desktop Core Configuration (FDCC) specifies reasonable Windows XP and Vista security settings, and application software vendors are encouraged to make sure their products work on a standard spec PC. Tools such as Secutor Prime (free for non-commercial use) will audit a PC against the FDCC and report discrepancies, with enough detail for a competent sysadmin to resolve them. It's not quite point-n-click one-button-security for the masses but is useful for those who want to improve the security of their own Windows systems. Companies that roll out standardized Windows desktops would be well advised to check their standard builds against FDCC too.

I won't go into the downside of encouraging a PC monoculture at this point but leave that for your homework, and Google.


Tuesday, September 18, 2007

CSI's 12th Annual Computer Crime and Security Survey

One of many graphs in the survey report
The latest Computer Crime and Security Survey from America's CSI (Computer Security Institute - not the TV show) is a handy source of statistics to consider and perhaps spice up your security awareness materials. The survey is well respected, being vendor independent, having just under 500 responses and being consistently designed from year to year.

Key findings:
- Since last year, the estimated average loss has nearly doubled to $350k per organization per annum
- Nearly 1 in 5 respondents who suffered security incidents said they’d suffered a "targeted attack" i.e. a malware attack aimed exclusively at them or similar organizations
- Financial fraud caused the greatest financial losses
- Insider abuse was the most prevalent security problem
- Just under half of respondents said they had suffered security incidents, similar to but slightly less than the past 2 years
- 29% of organizations report security incidents to law enforcement

Being a security awareness specialist, the following caught my beady eye:
"Almost half—48 percent—spend less than 1 percent of their security dollars on awareness programs. While this may be the case simply because some forms of awareness training (such as putting reminders on corporate intranet sites) aren’t expensive, one is tempted to conclude that while the industry talks a good game about teaching users how to be good stewards of company network resources, they don’t yet put real dollars behind the proposition."


~Half spend less than 1% of their security budgets on awareness! Golly! Given that security budgets are around 10% of IT budgets, there must be a lot of managers out there that are so frugal on security awareness that they 'squeak when they walk'. Our very own security awareness products typically cost about the same as a single cup of coffee per employee per annum, barely enough to merit a budget line item. Cost is surely not the issue: many organizations evidently don't appreciate the potential business benefits of a well-run security awareness program. Perhaps they think employees will just 'be secure' without any guidance? Flying pigs optional. Security incidents averaging $350k p.a. are (at least partly) the inevitable result of such wishful thinking.


ISMS documentation checklist

If you are planning or just starting out on your ISO/IEC 27002 implementation project, this may be just what you need. The ISMS Documentation Checklist is simply a list of the documents typically required by and/or created by an Information Security Management System. Your project plans should include researching, drafting, reviewing, approving, publishing and promoting your own suite of ISMS documents, so it helps to know what is typically expected.

The list was created by a team of ISMS users on the ISO27k implementers' forum, a mailing list run at ISO27001security.com.

Phase 2 of this collaborative project involves collecting and publishing examples of each of the documents in the checklist. If you would like to get involved in the project, please contact me (Gary@isect.com) to join the fun. We anticipate publishing example documents gradually between now and the end of the year.


Wednesday, August 22, 2007

Security metrics for the Bored

The CSO Executive Council is running a series of surveys to assess security metrics practices. The latest survey report revealed that two thirds of respondents do not gather security program data in order to create statistical reports to present to senior management, and followed up with the following sample of explanations:
- Not requested, and no value to security program at this point.
- Lack of management interest in seeing security metrics.
- Lack of interest by senior management.
- No funding
- Embryonic
- Information is gathered and presented to senior IT security management.
- Security organization is not established due to budget constraints.
- Nobody is asking, and I would not know what to prepare.
- Time, not sure what to measure.
- No good collection method.
- Didn't start to do it yet. We plan to do it in the near future.
- Data points too qualitative.
- No manpower.
- No formal security program.
- Not my responsibility.
- No demand from The Clueless.
- Not my role.
- Narrative reports are provided, not statistical.
- Not needed for awareness, budgeting, etc.
- Haven't developed metrics.
- Management doesn't know that they want this.
- Not requested.
- Don't have the requisite systems in place.
- Insufficient resources to gather automatic and consistent metrics.

"Lack of interest from senior management" caught my eye and "No demand from The Clueless" made me smile but rather than simply accepting this sad state of affairs, how about running some security awareness activities to give senior managers a clue? If information is seen as a valuable organizational asset, the need to protect it is a natural and easy step (and if not, you have more fundamental issues!). If protecting information assets is important, measuring the extent of protection and identifying improvement opportunities is also important, isn't it? So there we are: an executive security awareness program in one paragraph.

I have more sympathy with other comments about the difficulties of designing an objective metrics scheme for information security. It's hard to figure out security metrics that are both simple/cheap to gather and meaningful/useful. My discussion paper published in ISSA Journal in July 2006 might help, as may a paper written by members of the ISO27k Implementers' Forum at ISO27001security.com that derives pragmatic security metrics from ISO/IEC 27002.

Take the CSO Executive Council's third Security Program Scorecard survey to be eligible for a drawing for a copy of Measures and Metrics in Corporate Security.


Saturday, August 18, 2007

Security awareness success in the US Army

Details of audits of US Army websites and blogs run by soldiers, disclosed under the Freedom of Information Act, reveal that far more security policy breaches occur on official Department of Defense websites than on blogs. The audits were conducted by the Army Web Risk Assessment Cell, a special unit with a remit (evidently) to minimize unauthorized disclosure of sensitive military information via the Web.

It seems to me the Army was absolutely right to highlight the information security risks relating to blogging. I believe the audit results reflect the outcome of a highly successful security awareness program. If this issue had not been addressed so effectively, I'm convinced there would have been far more noncompliance issues, in other words this is a lesson to us all.

In respect of security awareness programs and policy compliance, 'the military' have a significant advantage over most of us in that the workforce is specifically trained to respect authority and follow orders - or at least, that is the classical view. In fact, I understand modern soldiers are increasingly being taught to think for themselves and operate autonomously, albeit within a highly structured (literally 'regimented') operating framework and, when necessary, at gunpoint. The traditional approach to the blogging security issue would presumably have been to send out an order banning blogging. What actually happened was more subtle: Army bloggers were instructed to register their blogs with commanding officers and pre-clear what they publish. 'Blog responsibly' is a rather softer message but the audit results seem to indicate its effectiveness in this situation.


Thursday, August 02, 2007

The light goes on?

"Agency computer systems are vulnerable because many lack basic controls, and one of the best ways to improve information technology security is to improve the metrics for how departments measure how these basic controls are implemented."


Golly. Those in charge of rewriting FISMA have figured out that they probably need information security metrics to track government departments' performance.

OK guys, the next baby step is to work out what metrics are needed.

I'll put money on "number of security incidents" being one of the 'cutting edge security metrics' about to be proposed, followed shortly by some bright spark noticing and promoting NIST SP 800-55 as The Answer.

With that and the news about the hacking of three well-known US electronic voting systems, I'm glad I don't live in the Good Ol' US of Eh?


Thursday, July 19, 2007

IT Security: The Data Theft Time Bomb


The 10th annual Global Information Security survey conducted by Accenture for Information Week compared responses from ~3,000 companies in US and China.

'Spreading security awareness' is the fifth biggest security challenge identified by respondents. Amazing! [To stage left: "Get their addresses someone, I need to send them a leaflet"].

In commenting on the data, the report's authors go well beyond simply re-stating the statistics. Their analysis warns complacent information security managers to pay more attention, keep up with current threats and prepare for tomorrow's.

"It seems as though security pros are missing the point, choosing to focus on the security threats with which they're most familiar as opposed to emerging threats designed to cash in on the value of customer data and intellectual property. A careful reading of our survey's results, however, indicates that organizations are waking up to just how vulnerable their customer information and intellectual property are to data thieves."

...

"Some security pros may be blissfully ignorant. Botnets, which can take control of IT resources remotely and can be used to launch attacks or steal information, debut as a concern in this year's survey, though only 10% of U.S. respondents and 13% of Chinese respondents rank them as a top three problem. This may be because companies are often unaware that they've been infiltrated by botnets, which is exactly what bot herders are counting on."


If you need more gen than the article provides, the report itself costs $499 or just under $12.80 per page.


Tuesday, July 17, 2007

State of the art security metrics

Dan Geer has been extremely generous in posting Measuring security, a presentation/training course (350 slides with readable speaker notes!) on the application of mathematics to information security. It neatly exploits ideas from statistics and other fields of study in the context of information security, revealing a wealth of creative ideas - so much so that I spent most of my afternoon reading it cover-to-cover and thinking about the practical applications.

Dan's summary slide hardly does it justice but might be just enough to intrigue you into downloading the presentation if "security metrics" is your thing too:

• The field is a mess, but progress can be made in any direction
• State of the art is the inequality and the ordinal scale, but those suffice for much decision making
• Consistency beats clever, and trend accuracy beats point precision


Dan refers more than once to the discuss@securitymetrics.org mailing list: guess I'll have to join up if that is a guide to the level of discussion!


Thursday, July 05, 2007

Information security year in review - 2007

Over several years, Professor Mich Kabay of Norwich University has built a sizeable database of annotated abstracts of relevance to his information security students. From the database, Mich extracts an annual dump - the latest one is here. It's essentially a massive reading list but the annotations allow users to search for relevant material using keywords. I'm sure I'll be using it frequently when researching new or updated NoticeBored security awareness modules.


Wednesday, June 27, 2007

Infosec news sources - a top ten

For anyone else who's keen to keep up with information security and related events as they happen, I thought I'd list the hit parade - my top ten favourite Web resources.

Starting with the chart-toppers, here are the six big hits I use practically every single day:

1. ISN (Information Security News) - a handful of relevant infosec news items to my inbox every day, each one supplied as plain text email with a URL in case I need to reference the original source. Always relevant and on-topic. No wasted bits. Moderator William Knowles does a fantastic job.

2. SANS ISC (Internet Storm Center) - a continuous blog/diary of what's hot from the people who are constantly scanning Internet traffic for new attack vectors. Generally first to identify and publish info on emerging malware and vulnerabilities. Makes a great browser home page. SANS Newsbites is not bad either - twice weekly email digests with informed commentary.

3. CISSPforum - a professional community of over 4,000 CISSPs and SSCPs from around the globe. A virtual locker room, ideal for lonely infosec professionals who don't have several hundred qualified peers in the office with whom to pass the time of day.

4. Gigalaw - similar style to ISN but focuses on legal IT-related news such as IPR issues and new privacy legislation. Supplied as one email per day with about 6 headlines leading to short summaries on the Gigalaw site and URLs to the original sources.

5. Blogs like this one - way too many to list. When I have a quiet moment, I use a blog reader to catch up with what other infosec pro's are saying and generally browse through for interesting leads. Good for discovering alternative perspectives on everyday issues and interesting items from obscure places. Bad for time management.

6. Google. 'Nuff said. Well almost: Google's Alerts are a handy way to run those searches that I always run, delivering daily email digests again (yes, you're starting to see a pattern).

Other sources to complete the top ten, used as and when necessary:

7. CERIAS and CERT-CC - a wealth of cool information but you need to set aside time to browse the libraries.

8. ISO, NIST etc. - for security standards

9. ISACA, ISSA, ITGI, CCcure, ITPI and various other professional membership bodies.

10. Selected infosec magazines such as [In]security, CSO/CIO and of course The Register, always good for a laugh.

11 (bonus item). RISKS-List is a long-running source of news and insightful commentary on IT risks.

Conspicuous by their absence from the hitlist are:

- Myriad "portals" that pad out far too many intrusive adverts with "news" (mostly vendor press releases) and "articles" that are also thinly disguised adverts. More biased than a capsizing supertanker.

- Vendor websites and newsletters. At least they admit their bias but I value independence and objectivity over marketing fluff any day. Used selectively to gather information on new and updated infosec products, critical patches etc.

- Podcasts, online seminars, eSymposia and similar. Unless I'm having trouble sleeping, I don't generally have the time to waste listening to some sales machine droning on for hours about how their particular hammer cracks all known nuts, or to waste time listening to cheesy royalty-free muzak from amateur producers who love the sound of their own voices and can't even get the audio levels right [/rant]. The accompanying presentation slides are sometimes worth a quick browse, taking a few minutes to skim not an hour or more. A few online speakers are worth the effort but I'm very choosy. Life's too short.

OK there we are. What about you? What's in your top ten? If there were just one or two resources you'd persuade me to add to my list, what would they be? Please either add a comment here or write your own blog post and send me a link.


Tuesday, June 05, 2007

A little something to browse over lunch

"Today’s information systems are incredibly complex assemblages of hardware, software, firmware, and people, all working together to provide organizations with the capability to process, store, and transmit information on a timely basis to support various organizational missions and business functions. The degree to which organizations have come to depend upon these information systems to conduct routine and critical missions and business functions means that the protection of the underlying systems is paramount to the success of the organization. The selection of appropriate security controls for an information system is an important task that can have major implications on the operations and assets of an organization as well as the welfare of individuals. Security controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity (including non-repudiation and authenticity), and availability of the system and its information. Once employed within an information system, security controls are assessed to provide the information necessary to determine their overall effectiveness; that is, the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Understanding the overall effectiveness of the security controls implemented in the information system is essential in determining the risk to the organization’s operations and assets, to individuals, to other organizations, and to the nation resulting from the use of the system.

... so starts the latest and greatest draft of NIST SP 800-53A "Guide for Assessing the Security Controls in Federal Information Systems - Building Effective Security Assessment Plans". What a neat way to sum up the whole of information security in just one paragraph!

The standard essentially comprises a large audit checklist for checking a broad range of information security controls against good practice advice in NIST SP 800-53, FIPS 200 and other standards (including ISO27k), topped-and-tailed with background/context, explanation, glossary and references. Being a typical NIST SP, it is well-written and comprehensive.

NIST is seeking feedback on the draft. I'm currently skimming my copy and scribbling a few notes while eating my lunch 'al desco'. We have until the end of July to respond but I'm sure project leader Ron Ross would appreciate comments sooner rather than later.


Tuesday, April 24, 2007

Return on Information Security Investment

Return on Information Security Investment (ROISI), perhaps more commonly if less accurately known as ROI or ROSI, is one of those topics that is often discussed but never truly resolved. It has been declared a zombie topic on CISSPforum for that reason: we're tired of hearing the same old arguments re-hashed every few months. That said, we are always open to new angles on the old saw. Masters student Adrian Mizzi took a long hard look at ROISI and wrote his thesis around it. Adrian's model involves finding an optimal investment choice by balancing three key factors: “Viability of Expenditure”, “Successfulness of Attack” and “Motivation to Attack”. Adrian's thesis has been published as a book ($37) or PDF ($25) for those who are interested in some primary and secondary research on this important topic.


Thursday, January 11, 2007

Whistleblower hotlines work!

An excellent 36-page report by The Network, Inc., a company that runs whistleblower services, and CSO Executive Council gives the results of their statistical analysis of 180,000 whistleblower hotline calls from 550 organizations over 4 years. That's quite a sample on a seldom-reported topic. Here are a few salient points from the 2006 Corporate Governance and Compliance Hotline Benchmarking Report - a Comprehensive Examination of Organizational Hotline Activity:

- 65% of calls were 'serious enough to warrant investigation' - that's management-speak for "Oh shit" - with nearly half resulting in 'corrective action';

- 71% of callers gave information that was 'news to management'. 71%! Managers I have known think they are well-connected to the workforce. "I'm all ears", they say. "My door is always open" or "I Manage By Walking About." Yeah, right;

- just over half of the callers prefer anonymity, with callers alleging corruption/fraud (10% of calls) less likely to remain anonymous than those reporting other things such as HR issues, policy/code violation, environment/health and safety concerns etc. In my experience, managers considering whistleblower policies seem overly concerned about anonymity, claiming that it encourages frivolous or scurrilous calls, and that they won't be able to investigate calls made anonymously. More poppycock! It seems to me they need to focus more on addressing the content of the calls than on the callers;

- What I would categorise as "blue collar workers" are more likely to use whistleblower lines than "white collar workers", with retail and transportation/comms/utilities employees leading the way.

Does your organization have a whistleblowers' policy, with or without a hotline? Was its introduction driven by SOX, by Audit, as a result of a particular incident or for some other reason? Who answers the calls/emails and how do they handle them? How useful is the information obtained in relation to the effort/cost involved? If you could start over, how would you set it up? Comments and further links are very welcome. I'm eager to learn more.


Wednesday, January 10, 2007

Infosec laws, standards & regs cross-referenced

The IT Compliance Institute (ITCi) has produced a useful cross-reference matrix showing the points of contact/overlap between a whole bunch of US/international laws, standards and regulations relating to information security (free access requires registration on the ITCi site - there are other useful resources too so it's probably worth doing). Some of the main ones are: ISO 17799 and 27001, COBIT4, COSO ERM, NIST SP 800-14/26/53, FISMA, Mastercard SDP, HIPAA, various FFIEC, SAS 94, PCAOB and SOX. They are listed along one axis with control objectives on the other axis and the page or section references in the body note the coverage.

So, here are three ways you might use the matrix:

- ISMS coverage by control objective: check down the list to confirm that your ISMS covers most of the control objectives, and if there are any you do not recognize or you know are weak, look across the rows to find references from the standards that will explain the requirements;

- ISMS coverage by laws/standards/regs: highlight the vertical columns for all those laws/stds/regs with which your organization has to comply, then highlight the horizontal rows where there are any entries in a marked column. Rows with multiple entries are common controls so you probably already have them, but implementation should integrate the multiple requirements. Be careful about the rows with single entries: do you have them all covered in your ISMS? If not, there's a noncompliance risk to consider.

- Linking standards to laws & regs: management are strangely concerned about compliance to laws and regs if not standards, presumably because they fear the personal accountability and business impact of non-compliance. The cross-reference matrix can help the information security manager who is promoting best practice ISMS standards by identifying the legal and regulatory requirements that coincide with best practice controls.

A lot of work must have gone into compiling the matrix. Make the most of it.
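The three uses above are really just set operations over the rows and columns of the matrix, which is easy to script once the matrix is in a spreadsheet or a dictionary. The following Python is an added example, not the ITCi matrix itself and not code from ITCi: the coverage table it works on is constructed for illustration, and the objectives, column names and "ref" strings are placeholders rather than the real clause numbers of the standards named.

```python
"""Gap analysis over a compliance cross-reference matrix.

Rows are control objectives, columns are laws/standards/regulations, and a
cell holds the reference where that source addresses the objective
(None = no coverage).  The sample matrix below is CONSTRUCTED for
illustration: the reference strings are placeholders, not real section or
clause numbers from ITCi or from any of the standards named.
"""
from typing import Dict, List, Optional, Set, Tuple

Matrix = Dict[str, Dict[str, Optional[str]]]

# Constructed sample matrix (placeholder references such as "iso-ref-1").
MATRIX: Matrix = {
    "Access control policy": {
        "ISO 27001": "iso-ref-1", "NIST SP 800-53": "nist-ref-1",
        "HIPAA": "hipaa-ref-1", "SOX": None, "PCI DSS": None},
    "Audit logging and review": {
        "ISO 27001": "iso-ref-2", "NIST SP 800-53": "nist-ref-2",
        "HIPAA": "hipaa-ref-2", "SOX": "sox-ref-1", "PCI DSS": "pci-ref-1"},
    "Encryption of stored data": {
        "ISO 27001": None, "NIST SP 800-53": "nist-ref-3",
        "HIPAA": None, "SOX": None, "PCI DSS": "pci-ref-2"},
    "Financial reporting change control": {
        "ISO 27001": None, "NIST SP 800-53": None,
        "HIPAA": None, "SOX": "sox-ref-2", "PCI DSS": None},
    "Business continuity planning": {
        "ISO 27001": "iso-ref-3", "NIST SP 800-53": "nist-ref-4",
        "HIPAA": "hipaa-ref-3", "SOX": None, "PCI DSS": None},
}


def objectives_to_review(matrix: Matrix, implemented: Set[str]) -> Dict[str, Dict[str, str]]:
    """Use 1 (coverage by control objective): for every objective the ISMS
    does not already cover, collect the references across all sources that
    explain the requirement."""
    result: Dict[str, Dict[str, str]] = {}
    for objective, cells in matrix.items():
        if objective in implemented:
            continue
        result[objective] = {src: ref for src, ref in cells.items() if ref}
    return result


def rows_for_sources(matrix: Matrix, sources: Set[str]) -> Tuple[List[str], Dict[str, str]]:
    """Use 2 (coverage by laws/standards/regs): restrict to the sources the
    organization must comply with.  Rows hit by two or more of them are common
    controls; rows hit by exactly one are the single-entry rows that carry a
    noncompliance risk if the ISMS has missed them."""
    common: List[str] = []
    single: Dict[str, str] = {}
    for objective, cells in matrix.items():
        hits = [src for src in sources if cells.get(src)]
        if len(hits) >= 2:
            common.append(objective)
        elif len(hits) == 1:
            single[objective] = hits[0]
    return common, single


def legal_backing(matrix: Matrix, standard: str, regulations: Set[str]) -> Dict[str, List[str]]:
    """Use 3 (linking standards to laws and regs): for each objective the
    best-practice standard covers, list the laws/regulations that demand the
    same control, which is the argument to put in front of management."""
    backing: Dict[str, List[str]] = {}
    for objective, cells in matrix.items():
        if not cells.get(standard):
            continue
        backing[objective] = sorted(r for r in regulations if cells.get(r))
    return backing


if __name__ == "__main__":
    common, single = rows_for_sources(MATRIX, {"SOX", "PCI DSS"})
    print("common controls:", common)
    print("single-entry rows to check:", single)
    print("ISO 27001 controls backed by HIPAA/SOX:",
          legal_backing(MATRIX, "ISO 27001", {"HIPAA", "SOX"}))
```

Swap the constructed `MATRIX` for the real one read from the ITCi spreadsheet and the three functions give you, respectively, the reading list for weak objectives, the list of single-entry rows to chase for noncompliance risk, and the legal and regulatory backing for each best-practice control.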

There's further information on ISMS best practices at our ISO 27001 Security website.

A webinar explains the ITCi's Unified Compliance Project which is making excellent plans to simplify, harmonize and perhaps even unify the IT compliance problem across laws, standards and regs.

More information security links here
