INFORMATION SECURITY AND ISO 27001
Consulting services to secure your information assets and comply with ISO 27001 standards.
Information Security Basics
The illegitimate use, destruction or disclosure of corporate information will most likely damage a company. It is only a question of assessing the size of the damage.
Hence the importance of identifying all information assets that require protection, their value, and the possible threats and vulnerabilities, and subsequently defining actions to secure them.
Before initiating any IT security project aimed at protecting information assets, Net Studio will perform a preliminary assessment in order to understand beforehand the environment in which an organization’s information assets lie.
One needs to keep in mind the following when identifying controls for securing information assets:
- There is no such thing as 100% security
- Security measures must be uniform
- Costs and benefits need to be balanced
- Security and inconvenience must both be taken into account
Absolute security does not exist, especially when it comes to information security and technology.
The complexity of today’s technology, the lack of organisational/operational procedures, and the absence of behavioural rules and awareness programs make unwanted access to information very simple.
Organisations tend to invest extensively in, and depend on, infrastructure to protect their information assets from external “attacks”, forgetting the other entry points that must be considered. A single unaddressed vulnerability is enough for an attacker to get in.
Vulnerabilities will always exist, so it is impossible to protect information assets completely. One can, however, reduce the risk of an attack, and it is for this reason that Net Studio believes in adopting different preventive and corrective actions that can ensure a reasonable level of protection against identified risks.
Security measures resemble chain links: whether a chain will break or not depends on the level of resistance of its weakest link.
The C.I.A.C. Model
When it comes to security, there are specific requirements that need to be respected to ensure data protection.
The principles that ensure the protection of data (otherwise known as the C.I.A. Model) are Confidentiality, Integrity, and Availability, to which Net Studio adds an additional principle: Compliance to laws and regulations.
Confidentiality
Information must be directly or indirectly accessible only by those who have the appropriate rights and explicit authorization to access such data.
Preserving the confidentiality of data means reducing the risk of unauthorized access to an acceptable level.
It is in this context that Net Studio applies the data protection laws and regulations described further on.
Integrity
Information must be protected from alterations, such as improper updates, destruction, or deletions, even accidental ones.
Preserving the integrity of data means reducing, to an acceptable level, the risk of data being altered by unauthorized people.
Availability
Information must always be available and accessible to authorized users. Data availability must always be ensured, according to agreed service levels.
Preserving the availability of data means reducing the risk that authorized people cannot access their data.
Compliance
For Net Studio, regulatory compliance is essential when dealing with information security. Existing national and international laws (e.g. Italian laws 196 and 231, SOX, GDPR, etc.) regulate directly or indirectly the management of data security. Hence, the provisions of these laws are mandatory requirements in the design of an organization’s information security. They must be enforced and be an integral part of any organization’s Security Policy, in support of business needs.
Computer security has been addressed internationally since 1995 through the standard BS7799, which evolved into ISO 17799 in 2000, and then into the current UNI CEI ISO/IEC 27001:2006. The latter is the international standard that describes best practices for information security management systems.
The main topic of ISO 27001 is Information, regardless of its form. The standard aims at ensuring the Confidentiality, Integrity, and Availability of information.
The ISO 27001 standard provides the requirements for an Information Security Management System (ISMS). An ISMS is a systematic approach to managing information security in day-by-day operations as well as emergencies, through the use of business roles, responsibilities, formal procedures, and processes.
The ISO 27001 standard consists of two distinct macro steps:
- The first part consists in Risk Analysis, which aims at identifying the list of requirements for setting up a common, usable, and well-organised Information Security Management System (ISMS). Net Studio supports its clients in defining a model for associating risk with each class of information.
- The second part consists in implementing an appropriately documented risk management system, and includes all the requirements that are necessary for designing, implementing, managing, controlling, reviewing, and updating a risk-based ISMS for an organisation.
Net Studio guides its clients in building an ISMS that is both appropriate for the organisation and respects the information security requirements (C.I.A.C.).
Net Studio uses an ISO 27001-based approach, whether organisations are seeking certification or not. Adhering to international methodologies and standards not only ensures an appropriate level of security, but also reduces the effort of obtaining future certifications, should management, laws, or the market require them.
ISO27001 and GDPR
In 2003, the first Italian Data Privacy Law was passed (D.Lgs. 196), based on EU directives. The law condensed all the previous rules into a single document, with a specific section describing the minimum requirements necessary to ensure the confidentiality and protection of personal data. The European GDPR (General Data Protection Regulation), in force since 25th May 2018, replaces the privacy directives and various country-specific laws, whilst introducing the concepts of risk, accountability, and appropriate measures.
The GDPR aims at giving back to individuals the control of their personal data. Amongst other things, it describes in detail the measures that organisations must put in place to ensure the appropriate protection of European citizens’ personal data, whilst maintaining the reliability and availability of data in line with today’s advances in technology.
Because there are many areas of GDPR and Information Security that overlap, Net Studio uses an integrated approach when supporting organisations in their decisions towards ensuring data protection and information security.
Information Security and Italian Decree 231
Decree no. 231/01 introduced in the Italian legal system the concept of corporate responsibility and accountability, for crimes committed by administrators, managers, employees, partners, or collaborators.
Companies, and other legal entities, can be held directly liable for crimes committed by subjects acting on behalf of the legal entity, when the unlawful conduct has been carried out in the interest of, or to the benefit of, the company concerned.
Companies can be held liable for not having implemented effective organisational measures suited to preventing the commission of the crimes described in the decree.
Effective management of information assets is highly important in this scenario. Data that complies with the C.I.A.C. principles offers stakeholders and controllers assurance about the level of control exercised by management systems.
Decree 231 also identifies a number of cyber crimes that fall under company liability. Companies that have not taken appropriate measures to prevent these crimes from happening (e.g. risk analysis, controls, organizational model) are held accountable for them under Decree 231.
Companies are liable for the following groups of cyber crimes:
- Damage to hardware, software, and data. Unauthorized access to systems, and interception or interruption of data by means of specific software or hardware. Penalties are increased in the case of public utility information systems;
- Possession and dissemination of software and/or IT equipment that can damage or disrupt data, as described in the previous point;
- The violation of a document’s integrity and/or use, by falsifying digital signatures.
Information Security Management Systems (ISMS)
The ISO 27001 standard provides guidelines for implementing an effective ISMS.
Regardless of ISO 27001, Net Studio always suggests using a risk-based approach to define, develop, use, monitor, maintain, and improve information security processes. A risk-based approach is key to the governance of information security.