Topic-specific policy 4/11: information transfer

"Information transfer" is another ambiguous, potentially misleading title for a policy, even if it includes "information security". Depending on the context and the reader's understanding, it might mean or imply a security policy concerning:

• Any passage of information between any two or more end points - network datacommunications, for instance, sending someone a letter, speaking to them or drawing them a picture, body language, discussing business or personal matters, voyeurism, surveillance and spying etc.
• One way flows or a mutual, bilateral or multilateral exchange of information.
• Formal business reporting between the organisation and some third party, such as the external auditors, stockholders, banks or authorities.
• Discrete batch-mode data transfers (e.g. sending backup or archival tapes to a safe store, or updating secret keys in distributed hardware security modules), routine/regular/frequent transfers (e.g. strings of network packets), sporadic/exceptional/one-off transfers (e.g. subject access requests for personal information) or whatever. 
• Transmission of information through broadcasting, training and awareness activities, reporting, policies, documentation, seminars, publications, blogs etc., plus its reception and comprehension.  
• Internal communications within the organisation, for example between different business units, departments, teams and/or individuals, or between layers in the management hierarchy.
• "Official"/mandatory, formalised disclosures to authorities or other third parties.
• Informal/unintended or formal/intentional communications that reveal or disclose sensitive information (raising confidentiality concerns) or critical information (with integrity and availability aspects). 
• Formal provision of valuable information, for instance when a client discusses a case with a lawyer, accountant, auditor or some other professional. 
• Legal transfer of information ownership, copyright etc. between parties, for example when a company takes over another or licenses its intellectual property.

Again there are contextual ramifications. The nature and importance of information transfers differ between, say, hospitals and health service providers, consultants and their clients, social media companies and their customers, and battalion HQ with operating units out in the field. There is a common factor, however, namely information risk. The information security controls and other risk treatments (such as risk avoidance e.g. prohibiting social media disclosure of company matters) that are appropriate depend on the information risks in each situation ...

... so information risk identification and risk assessment might be a suitable place to start specifying and drafting an information transfer security policy - or indeed an information risk management policy, since the principles are universally applicable.

On the other hand, it's worth exploring the purpose/objective for such a policy: what is it expected to achieve? What need would it satisfy, and is a policy the best way to proceed?

It may be, for instance, that the intention to exchange valuable information between organisations in the course of a business relationship leads either or both parties to want to clarify the terms and conditions, including the information risk and security implications as well as other aspects such as the nature of the information, its volume and frequency, information ownership, and the media/technologies to be used. The 'policy' in this case would probably be discussed, drafted and eventually embedded in some form of agreement, possibly with accompanying procedures. In other words, the policy may be in the form of one or more contractual clauses plus the mutual understanding and commitments. It would probably be unique to that relationship, although either party may use a template or donor document to speed up the drafting.

Here's one possible approach, the guts of a donor policy provided for your education, consideration, inspiration and perhaps adaptation:

Background

We have numerous commercial relationships with third parties such as suppliers, partners, customers, regulators/authorities and the general public.  Information, sometimes extremely important, valuable or sensitive corporate or personal information, passes routinely between us and the third parties using a variety of communications mechanisms and media (e.g. conversation, emails, network connections and point-to-point links), hence information security is an important consideration.  General information security controls may be sufficient for some situations but are unlikely to be sufficient to offset significant information security risks associated with the routine exchange of significant information assets with third parties.

Policy axioms (guiding principles)

A.          Information security aspects must be assessed and taken fully into account in business relationships involving the exchange of information with third parties.

B.          The associated information security risks must be assessed and mitigated to an acceptable level, while the risks and controls must be actively monitored, managed and maintained during the life of the business relationships.

Detailed policy requirements

1.  Significant business/commercial relationships with external/third party organizations qualify as information assets that must be listed in the Information Asset Register.  In their rôle as Information Asset Owners, the corresponding Relationship Managers are accountable for protecting the information assets, necessitating information security risk assessment and the implementation of adequate information security controls.

2.  Relationship Managers are responsible for assessing the information security risks associated with business relationships and identifying the threats, vulnerabilities and potential impacts of security breaches, preferably using a recognized information security risk analysis process acceptable to the information Security Manager.  It is generally appropriate to assess information security risks jointly with the third party using a mutually acceptable method, since both parties may face unacceptable information security risks and both parties may require security controls, some of which may be jointly operated.

3.   Information security risks should be minimized through the design, implementation and operation of suitable information security controls, but the particular controls that are required depend on the specific situation at hand.  Generally speaking, strong controls are more expensive to implement and operate, hence the cost of selecting/designing, implementing, using and maintaining the controls should be offset against the cost savings likely to be achieved by reducing the number and/or severity of incidents – in other words, the controls need to be cost-effective.

4.  If the Information security risks associated with a particular relationship are determined to be low, relatively low-cost “baseline” controls such as the following are likely to be sufficient:

• General information security requirements (such as compliance with ISO/IEC 27002) whether incorporated formally into binding commercial contracts or agreements, or expressed and agreed informally in relationship management meetings, by email, by letter etc.; 

• Procedures or mechanisms for dealing with actual or potential information security breaches, and for communicating the facts in a timely manner to the other party (e.g. regular ‘relationship management’ meetings and reports); 

• Trust and confidence established by an unblemished record, by reputation and by implicit undertakings between those involved in managing and conducting the relationships.

5.  Additional confidentiality, integrity and/or availability controls might be required for relationships whose risks are assessed as medium and will certainly be needed if the risks are high, or where there are specific compliance obligations on us (e.g. to protect the confidentiality of personal information in our care).  The following controls are merely illustrative examples:

• Legally-binding contracts or agreements explicitly stating required information security controls, obligations, liabilities, compliance activities etc.; 

• Encryption of data and/or of network links, storage media etc., typically using specified encryption schemes (i.e. particular encryption algorithms and key lengths) and associated procedures (e.g. for mutual authentication, resetting shared secret keys etc.); 

• Digital signatures, message digests and similar cryptographic mechanisms to identify corruption or tampering with messages in transit or when stored and retrieved from disk; 

• Automated network/system monitoring/alerting to identify and block attempts to communicate unencrypted information, plus various other network, system and/or data access and security controls (e.g. regularly-reviewed system security or audit logs); 

• Prohibition of the assignment of non-security-cleared or similar potentially untrustworthy employees to the relationship, and possibly all such employees to be pre-agreed by the other party before starting work on the relationship; 

• Compliance of the third party with information security management standards such as ISO/IEC 27001 (whether self-asserted or certified, depending on the levels of risk and trust involved); 

• Explicit prohibition of onward communication of sensitive proprietary or personal information to any third party, or to certain third parties (e.g. sending Personal Information beyond legally-permissible “Safe Harbor” countries); 

• Technical security controls for data communications (e.g. antivirus and integrity checks on data received; failover or disaster recovery arrangements for high availability links); 

• A ‘right of audit’ meaning the right to determine in person or through a mutually trusted intermediary (such as an external auditor, consultant or other competent authority) whether specified security requirements and controls are being upheld by the third party, particularly following a breach; 

• Various other specific controls recommended by security, legal or other expert advisors.

6.  High risk information must not be passed to a third party until the necessary information security controls have been fully implemented by them.  Ideally, the information exchange should be delayed until the information security controls have been reviewed and confirmed as adequate by our inspection or by some other form of proof acceptable to us.

7.  Once implemented, the information security controls must be used properly and maintained, for instance responding to substantial changes in the risks as the result of greater volumes of information being exchanged.  The Relationship Manager is responsible for maintaining the risk management arrangements and should review the security risks and controls at least every two years, or annually in the case of high risk information exchanges.  The risks and controls should also be reviewed promptly if there are information security incidents or near-misses.  Information Security Management can advise and assist with these activities.

Information transfers, communications or exchanges are so commonplace and so varied these days that there may be little point in trying to come up with a security policy that applies to all circumstances, particularly if there are adequate policies covering related aspects already. I will cover one in the next blog piece in this series, so tune in soon for the next thrilling episode.