Friday 15 April 2011

ISO/IEC JTC1/SC27 meeting report 4 (updated)

Hello again from the SC27 meeting.

Today we ended our editing of ISO/IEC 27002 having discussed sections 10 through 15 during the week [the earlier sections having been covered in the previous SC27 meeting].  Yesterday, we worked until 10pm to try to cover as much as possible.  We have discussed literally hundreds of comments and proposed changes to the standard: I don't propose to detail them all here but will mention a few specifics that are close to my heart:
  1. Structure: many information security controls are relevant to several chapters of the standard, and could therefore be included in several places.  However, the duplication is unhelpful, and wording differences due to the different contexts can be confusing for readers, so as a general rule, we try to describe the controls just once where most relevant and, if appropriate, cross-reference them from the other sections.  This process broke down for the change management control which is currently in both the Operations and Development sections of the draft standard.  I hope this anomaly will be resolved in the next round of comments.

  2. New controls: we have agreed to incorporate new controls for integrating information security into the entire systems development lifecycle and security requirements for specialist systems.  The former is straightforward.  The latter concerns the need to seek specialist advice on the security aspects when developing SCADA/ICS and embedded systems, various systems having health and safety implications etc.

  3. Referencing other standards: where appropriate, we propose to reference relevant standards (particularly other ISO27k standards) that provide more specific and detailed advice on certain controls rather than detail them in 27002 - for example, network security is being covered by ISO/IEC 27033 and so much of the existing 27002 text on network security can be dropped (more or less) and referenced from 27002.  However, we may retain any 'management controls' or security issues that require management involvement in 27002, and will [hopefully] provide enough of an introduction to the detailed standards to help readers determine whether they need to obtain and consider them.  Section 14 on business continuity management for example will most likely refer to ISO/IEC 27031 and ISO 22301, and perhaps BS 25999 and BS 25777, which will cut down on the amount of detail needed in section 14.  This is a bit tricky due to the parallel development, release and updating of various standards, so the final referencing will be left until the end of the 27002 revision process.
      
  4. Deleted controls: some rather narrowly-defined and/or obsolete controls have been dropped, albeit sometimes still-relevant parts of the content have been incorporated into other controls.

  5. Definitions: the definition of "information asset" has caused some consternation as the phrase sometimes has differing implications in different contexts.  The current proposal is to drop the definition, reverting to the dictionary definition and so allowing some flexibility to suit the context.
I should stress that THE REVISION OF THE STANDARD IS A WORK IN PROGRESS.  Decisions we have made this week may well be changed and perhaps reversed before the revised standard is finally issued.  Please do not assume, for example, that the new controls I have noted will definitely be included, nor that these will be the only additions (e.g. one or more new controls on cloud computing are a possibility).  The standard will not stabilise for another year or so yet.  

Moving on, parallel meetings have been working on many other ISO27k standards this week.  I have updated the respective pages for them on the ISO27k.org website. 

OK, this concludes my report from the SC27 meeting after a long and productive week's work.  If you have any questions or comments, please join the discussion on the ISO27k Forum or email me directly.

Wednesday 13 April 2011

ISO/IEC JTC1/SC27 meeting report 3 (updated)

Here's my unofficial progress update from Singapore, updated Thursday:
  • ISO/IEC 27000: work has completed.  1st revision of 27000 will be based on the existing/current versions of 27001 and 27002 - a 2nd revision will pick up the revised versions of 27001 and 27002 in due course, plus ISO 27799.  "Management system", "policy" and "stakeholder" terms from JTC1/TMB may cause problems for ISO27k (work in progress).  Will put effort into collecting terms from other teams in a comprehensive and systematic way.  Likely to go to 3rd WD after this meeting.

  • ISO/IEC 27001: progressing well, likely to upgrade to 1st CD after this meeting.  Will give feedback to JTC1/TMB regarding the proposed alignment of all ISO 'management systems' standards on a common structure.  With a lot of work, the imposed structure and text have mostly been incorporated fine, with just a few areas of concern.

  • ISO/IEC 27002: we are still working through the 850-odd comments.  Section 10 is 'done'.  Will continue the meeting until 10pm today, and again tomorrow morning.  Structural changes are still being discussed.  Discussions are generally positive.  May progress to 1st CD after this meeting, but possibly another WD.

  • ISO/IEC 27006: editing finished, comments resolved, standard successfully aligned with the new version of ISO 17021 under time pressure.  Minor changes made - basically "should" has become "shall".  The revised 27006 will go to DIS vote urgently after this meeting with final clearance for publication being sought at the next SC27 meeting in Kenya later this year, with publication in Jan/Feb 2012.  The standard will then go into a normal, lengthier, systematic review process in parallel with the planned revision of 17021. 

  • ISO/IEC 27007: document is stable and agreed.  However, the dependence on ISO 19011 is creating some problems for the editing group due to late revisions of 19011 (now at FDIS), particularly late structural changes and content changes around auditor competence. 27007 is likely to progress to FDIS soon.

  • ISO/IEC 27008: edit meeting is tomorrow ...

  • ISO/IEC 27010: currently at 1st CD.  Edits finished.  All tech comments addressed.  Structural changes to be made to align with the current 27002.  Will incorporate certain parts of the text from 27002 where needed for explanation and readability.  Will go to DIS after this meeting.

  • ISO/IEC 27011/X.1051: standard is still needed.  Likely to be revised in a year or two (after 27002 is revised and stable).

  • ISO/IEC 27013: in progress, technical comments done. Liaison with another committee is working. Project has fallen behind so pressure is on. Will go to CD after this meeting.

  • ISO/IEC 27014: lively security governance discussions completed.  Project has fallen behind so pressure is on.  2nd CD likely to be issued after this meeting, and DIS after next meeting.

  • ISO/IEC 27015: over 100 pages of comments addressed.  Lively sessions.  Project has fallen behind so pressure is on.  Extensive financial sector specific input has now been received and is being incorporated.  ISO TC68/SC2 committee member will join the edit group soon.  Will go to 3rd WD or CD after this meeting.  Project may yet be terminated if the standard does not get sufficient support.

  • ISO/IEC TR 27016: good progress, productive meeting.  Will go to 2nd WD.  Want more contributions.  The standard's intended audience is the CISO or ISM to use in proposing investment in an ISMS to senior management.

  • Cloud computing security and privacy: the study period is going well.  It is likely to continue in some areas for a further 6 months and may then propose further parts.  For starters, a 3-part standard will be proposed: (1) Requirements standard, (2) Controls guideline (a top priority for development by the committee) and (3) Audit guidance.  NWIP drafting meeting planned for Friday.  Cloud Security Alliance editor likely to be invited if CSA liaison is agreed.
So far, so good!

Tuesday 12 April 2011

ISO/IEC JTC1/SC27 report 2

Hello again from the ISO/IEC JTC 1/SC 27 meeting in Singapore.

Today I have been involved in a session considering the ~800 comments received on the last working draft of the revised ISO/IEC 27002 (got that?!). The enormous number of comments reflects the breadth of interest in this standard, and the need to update it in various respects to catch up with changes in information security controls since the 2005 version.  That version was written about 7 to 8 years ago, so you can probably guess at some of the significant changes that we are considering. Aside from obvious examples such as cloud computing, we are also dealing with more general changes such as the continued move from IT security to information security, which means incorporating and/or explaining controls in a broader context than purely IT or communications technology, going beyond the traditional remit of the IT department.

Today so far we have been discussing changes to section 10 "Communications and operations management". It seems from the discussion that some people have hitherto been interpreting and using this section as an ICT-specific suite of controls, primarily technical IT security controls plus some manual/procedural controls that happen to apply to IT people. I read the existing text more broadly than that, although admittedly it is a bit of a stretch to cover broader security aspects of changes to processes involving information that fall outside of IT.  Some national bodies agree that we might broaden the section 10 text subtly to incorporate aspects beyond as well as within IT, but this was not accepted by all.  There is a valid concern that we might be opening up the scope too far, and a counterpoint that restricting section 10 to IT is too narrow. There was no resolution to this today but comments were accepted from both perspectives - in other words the ambiguity of the scope of this section continues.

Discussion around change management went in a complete circle: at one point we agreed to combine and rationalise two existing change management sections, but following discussion about the two sections applying to different business functions, the decision was reversed. We missed the chance to reduce the duplication.

Overall, the discussions today on 27002 have been positive, helpful and respectful of all opinions. We are making good progress.

Monday 11 April 2011

ISO/IEC JTC1/SC27 meeting report 1

I'm writing this report during the first day of the SC27 meeting in Singapore not as a detailed or formal report, rather as an informal, personal summary of events and news so far specifically in relation to the ISO/IEC 27000 family of standards (which are only part of the agenda for the meeting). Although the meeting has several parallel streams, I cannot be in more than one place at once, but chatting to SC27 colleagues who have attended other sessions can help fill in the gaps to some extent. Furthermore, this is a dynamic and complex environment: things are changing as I write this sentence - literally. There are informal discussions ongoing in front of me concerning the scope and nature of a standard that we have just been discussing, and other parallel sessions are going on in other rooms.

Anyway, with that background, it's time to spill the beans on day 1 so far.

The revisions of ISO/IEC 27001 and 27002 have been the primary items of interest, mostly because of the large number of comments received on both. The sheer volume of input makes the editors' job tough as they need to make sure that all comments are addressed to the satisfaction of the national standards bodies that made them. There is simply not enough time to discuss them all in detail, so some level of consolidation, rationalization and prioritization needs to occur, and that makes the editors' job even harder. It's a bit of a juggling act to get right through the agenda and yet to give each of the comments and discussions sufficient time for due consideration at the meeting.

Pressure from ISO/IEC JTC 1 to align all the management systems standards to a common structure is bound to affect the way that ISO/IEC 27001 is revised. Meanwhile, there is some concern about whether all these changes are sensible and if not how we might feed concerns back to the JTC 1 body responsible. This will develop during the week.

Various other ISO27k standards appear to be progressing well. The editors' progress reports referred to getting helpful comments from the national bodies, useful input and movement in the right direction. I have not noticed any big issues so far but again who knows what may pop out of the woodwork during the week ahead.

ISO/IEC 27016 on the economic side of information security is at an early stage. We have had a worthwhile discussion about the scope, structure, purpose and audience for this standard, prior to discussing the detailed comments received.

I understand that ISO/IEC 27014 on information security governance was intently discussing terminology and concepts this afternoon which again seems appropriate at this early stage of the standard's development.

That brings up a broader ongoing discussion about clarifying and defining the terms used in the ISO27k (and in fact other SC27) standards. Those of you who only see the finished, published versions of the standards may not always appreciate the amount of discussion that goes on around the terms. It is extremely difficult to keep all the standards in alignment on terminology while the standards and concepts are still developing and being clarified. These are moving targets. The issue goes even further out than SC27, since various other ISO/IEC committees and bodies are also developing standards at the same time, and wherever possible we prefer to adopt definitions that are in common use or are formally defined elsewhere. In practice, however, this is awkward because contexts often differ. "Risk" for example, has different detailed meanings in relation to information security, economics, health and safety, environment etc. Finding and exploiting the areas of commonality, and addressing any discrepancies, requires broad knowledge, experience and creativity. It's definitely a challenge.

This evening, we will be discussing a proposed security standard for cloud computing. It will be fascinating because:
  • Cloud computing is 'new' and actively developing;
  • Cloud computing security is even less well advanced;
  • There is widespread agreement that information security and privacy are very important in the cloud computing context (although we may not always agree on the details behind that broad-brush statement);
  • There are already some useful sources of advice on 'securing the cloud', which means we have some donor content to work with (e.g. the CSA, ENISA and NIST stuff on this topic);
  • We have the opportunity to discuss the concepts, scope etc. at this early stage, before the standards development work starts in earnest.
OK, that's my input from today. I will try to continue this tomorrow and every day this week. Comments and questions are very welcome and I will try to address them as I go, but I am not intimately involved with all the work going on here so please forgive me if I don't have all the answers.

Thursday 7 April 2011

Attesting to cloud security

Here's a curiosity: a cloud computing vendor information security self-assessment scheme that appears to be supported by a bunch of security companies, rather than (as I would have anticipated) a bunch of cloud service vendors keen to tick all the boxes without having to put up with some frightful auditor poking around the place.

I guess I'm feeling very cynical this evening.  The thought of vendors in such a competitive and booming marketplace, stating their security status, even in 'an open and transparent manner', doesn't fill me with any more confidence than their extravagant marketing gloss.

Maybe I have totally misinterpreted it?  What do you think?

Google for the military

An intriguing piece in Defense Systems indicates that the US Army is deploying a cloud based military intelligence system in Afghanistan:
As the first tactical cloud operating in Afghanistan, the Army’s Distributed Common Ground System (DCGS-A) pools intelligence collected from the beginning of the war in Iraq up until today, aggregated from various databases for wider, faster and easier access and decision-making.  Army Col. Charles Wells, DCGS-A program manager, said the system is a paradigm shift.  “This is for better analysis and increased communications,” Wells said, noting that DCGS-A will leverage cloud computing to analyze all data, all the time.  “We’re trying to be a Google for intelligence,” said Army Maj. Philip Root, assistant program manager for the DCGS-A cloud. “One advantage of the cloud is that we can have advanced analytical tools, put it in the DCGS-A infrastructure and incorporate it very rapidly,” Root said.
We can but hope they have completely sewn up the information security aspects of this. With so much highly sensitive information presumably available through the system, the consequences of security failures (certainly unauthorized access, plus unauthorized changes, and in due course unavailability) are mind-boggling. They do have access to some of the most competent information security pros on the planet, of course, and I guess the tactical [business] benefits outweigh any residual risks.

IEEE to develop cloud computing interop standards

The IEEE has launched a program to develop standards for interoperability of cloud computing.  The primary aim seems to be to permit portability of cloud apps between cloud platforms from different cloud vendors, but potentially there's much more at stake. Let's hope the standards will cover the information security elements as well - like for example how disparate cloud services should maintain secure communications channels and authenticate each other, as well as authenticating systems and users, passing authenticated user transactions among themselves, validating data ... actually when you think about it there are lots of security aspects to take into consideration, as anyone who has read this month's cloud security awareness module will appreciate.

Saturday 2 April 2011

Shared Assessments

Some managers claim to be wilting under compliance pressures, which is not surprising given the plethora of applicable laws and regulations, plus the contractual commitments they and their colleagues have made.

Going back a stage or two, most of the laws, regulations and contractual clauses arose because self-regulation failed: some organizations and individuals did not behave responsibly, ethically and fairly, leading to the introduction of formal rules to bring them in line.  Unfortunately, the rules apply to all, including those who have performed responsibly, ethically and fairly.  Which is of course unfair.

Going back another stage, organizations, individuals and industries had the chance to get their own act in gear without involving governments and regulators.  "The professions" have done exactly that for generations, with a range of self-regulation schemes that have, in the main, worked well in protecting the interests of the professionals, if not always the interests of their customers and clients (which is another matter!).  As we stand today, however, even the professions are heavily regulated.  It seems even professionals can no longer be trusted to do a good job well.

Overall, self-governance has patently failed, leading to the astronomic rise of enforced governance and independent assurance and compliance activities.

Compliance activities include all manner of self-assessments (which again are fine for responsible, ethical and fair organizations and individuals but worthless for the remainder), inspections, reviews and audits.  Compliance activities have become onerous because of the volume and depth of assessments needed to bottom-out information security, governance, risk management and control issues that often lurk deep in the bowels of the organization.  A major organization with lots of suppliers, partners and/or customers faces being audited by them or having to audit them, repeatedly.  This can be a significant overhead, especially in any of the most heavily regulated (read: untrusted) industries.

One response has been to introduce third party certification and audit schemes, the idea being that possession of a pass slip from a trustworthy third party will reduce if not eliminate the demand for audits by each dependent or concerned organization.  In relation to information security, governance and risk management, examples are ISO27k, SAS70, PCI-DSS and Shared Assessments. These in turn have spawned a global cottage industry for accrediting the assessor/auditors, conducting the assessments and offering related commercial services.  It's rampant commercialism.  Snouts are firmly in troughs.

Despite its five-year history, I've only just come across Shared Assessments from BITS - a US financial services industry body.  The scheme claims to be aligned with ISO/IEC 27002, PCI-DSS, COBIT, NIST (presumably the SP800 and/or FIPS standards), FFIEC Guidance, the AICPA/CICA Privacy Framework, and other privacy/regulatory guidance.  It presumably hopes to integrate all these separate requirements and so eliminate duplication.  How it handles any conflicts between them is unclear (e.g. PCI DSS is quite prescriptive but narrowly scoped, whereas ISO/IEC 27002 is very open-ended and flexible).  The scheme comprises two main components:

  • The curiously-named "Agreed Upon Procedures" which is basically a 91-page information security standard, worded as a series of information security control objectives, controls and compliance assessment/audit procedures;

  • A set of compliance questionnaires, which are (mostly) worded as simple questions anticipating a yes/no answer (it's not entirely clear how "maybe" or "partially"-type answers should be recorded, which of course is the classic conundrum arising from the obvious conflict of interest between auditors/concerned stakeholders and auditees/subjects).
Going forward, it's hard to see where we're headed as a global society.  The commercial overheads and constraints imposed on trustworthy, ethical and fair organizations and individuals by all this compliance stuff are both unjustified and enormous, but at the same time selfish criminals, fraudsters and cheats are still getting away with the loot, despite the checks and balances.  One intriguing option would be to align the standards, laws, regulations and requirements more systematically, if not to combine them and cut out the duplication.  Reducing the compliance burden would I'm sure have enormous support from all those who are expected to comply, yet so far there is very limited evidence of any real impetus to do so on a trans-national basis (one notable exception being the EU privacy directives, designed to align privacy laws across Europe).  The cynic in me suspects active resistance from the global cottage compliance industry and the lawyers who are so busy making hay while the sun shines.