Today most businesses have become IT reliant for their core business and administrative activities. Since IT systems play a central role in the management of sensitive corporate data, the information security these systems provide has become a very important aspect. Now, with the rapid rise of the Internet and e-commerce, the security requirements have become higher than ever.
For example, before the rise of web applications, organizations' efforts to secure themselves against external attacks were largely focused on the network perimeter. Defending this perimeter entailed hardening and patching the services that it needed to expose, and firewalling access to all others. Web applications have changed all of this. For an application to be accessible by its users, the perimeter firewall must allow inbound connections to the server over HTTP/S. And for the application to function, the server must be allowed to connect to supporting back-end systems, such as databases, mainframes, and financial and logistical systems. These systems often lie at the core of the organization's operations and reside behind several layers of network-level defenses. If a vulnerability exists within a web application, then an attacker on the public Internet may be able to compromise the organization's core back-end systems solely by submitting crafted data from a web browser. This data passes through all of the organization's network defenses in just the same way as ordinary traffic to the web application does. Effectively, applications such as these have expanded the security perimeter of the organization, requiring it to divert more effort towards security hardening.
It goes without saying that information security breaches can have far-reaching effects on an organization on several fronts, including monetary losses and customer loyalty, as illustrated in the following case study.
A Case Study
The TJX Companies, Incorporated (NYSE: TJX), based in Framingham, Massachusetts, is the largest international home fashion department store chain in the United States. By 2004 the company had moved up to the 141st position in the Fortune 500 rankings and was a $17 billion business. In 2007 TJX revealed that its security system had been compromised and that some 45.7 million customer accounts had been affected. The biggest known theft of credit card numbers in history began in 2005 outside a discount clothing store near St. Paul, Minn. Hackers used a telescope-shaped antenna and a laptop to decode data streaming through the air between hand-held price-checking devices, cash registers and the store's computers. Once in, they were able to penetrate further into the central database of TJX Cos. in Framingham, Mass. Over the next two years they were able to smuggle credit card data out of the system and sell it or use it in fraudulent card transactions amounting to $8 million or more.
What went wrong?
The following information was uncovered during a subsequent security analysis.
* Loose compliance with regulatory standards such as PCI DSS (Payment Card Industry Data Security Standard) for storing and transmitting credit/debit card information.
* Store systems relied on a weak wireless security protocol (WEP).
* Lack of additional security measures such as firewalls and software patches on these systems.
* Track 2 information, such as account numbers, expiration dates and encrypted personal identification numbers, along with Social Security numbers and driver's licenses, was stored for unusually long periods of time.
* Lack of clear segregation and access control for the critical information on TJX's central servers, which made the information easily available to the hackers.
The breach had the following consequences for TJX:
* A $9.75 million breach settlement with 41 states to cover the costs of investigating the incident.
* An initial budget of $100 million for the necessary security upgrades.
* Several customer lawsuits for damages.
* Heavily damaged customer loyalty and hence loss of business.
From this case study it is evident that a well-functioning information security framework within the organisation is necessary to prevent security oversights of this kind, which can become very costly. This is where a standardised security system becomes vital. In particular, ISO 27001 is very important in this regard, since it is the de facto standard for establishing, maintaining and improving an Information Security Management System (ISMS).
Benefits of an ISO 27001 Implementation
From a technical perspective, the following benefits can be obtained from an ISO 27001 implementation.
* Interoperability – Let's say that a multinational company has regional branches in China and the US. The security requirements of the systems may differ between these localities, and so will the security system implementations. However, the overall organisational security policy states that all regional information security systems should comply with ISO 27001. Since both regional branches follow ISO 27001, they can achieve a comfortable level of interoperability when it comes to secure business information transactions, even though they may come from very different backgrounds, because of the common set of standardisation guidelines they follow.
* Quality assurance – Whether it is the organisation itself or its business partners, there should be a certain quality in the information security system and hence in the organisation in general. With a suitable ISO 27001 implementation, management can be assured that they have a recognised framework for dealing with information security.
* Compliance – Having certification against an international standard is desirable and can create a positive image of the organisation's security policies among the stakeholders of the business. There is a well-defined path to certification, and it is the result of a continuous process rather than a one-off achievement.
* Benchmarking – An organisation can use ISO 27001 to measure its status against that of its competitors. It can emphasise its current rank and the improvements it makes relative to its rivals.
* Security awareness – Since ISO 27001 implementation and practice is a continuous process that engages organisational personnel in various security-related aspects, it raises overall employee awareness of security. In fact this is one of the most important aspects of information security. A system is only as strong as its weakest link, and it has been proven that an ill-informed user can be a great security risk no matter how many security systems are in place. So in this respect ISO 27001 is not just about security through software or physical infrastructure; it also encompasses influencing the behavioural and cultural aspects of the organisation. Even significant change management processes can come into play in creating a security-aware culture within the organisation, and in extreme cases this may even result in some staff being laid off due to non-compliant behaviour and resistance to the changes.
From a business perspective, the following benefits can be obtained from an ISO 27001 implementation.
* IT alignment of business processes – Proper ISO 27001 compliance requires good IT alignment of the business activities. Better IT alignment means increased efficiency in business processes, leading to quicker response times and reduced costs.
* Avoidance and mitigation of damages – From the TJX case study it is evident that the damages caused by a lack of security can become very significant. These damages, in terms of money, lost sales and customer loyalty, will have a significant adverse effect on organisational profit margins. They will also cause the organisation to divert its energy to coping with the aftermath of the event, in the form of lawsuits, security consultations etc., instead of focusing on its core business activities. If a proper security mechanism had been in place, none of this would have happened, or at least the breach could have been detected earlier, mitigating the damage. Since the implementation requires the organisation to have backup plans in place for investigating and compensating if such a breach happens, the organisation will be in a better position to handle such a situation.
* Increased profits – An ISO 27001 certificate demonstrates that the organisation can be trusted to secure customers' data as well as its own. Corporate customers in particular are likely to realise the benefits of this commitment, and this can help in developing a positive image of the organisation. Having the ISO 27001 logo on company literature is a continual reminder to potential and existing customers that the organisation takes the confidentiality, integrity and availability of their information seriously. This drives higher customer satisfaction, new customers and increased profitability. It can even be leveraged as a competitive advantage over rival organisations. For example, in government tenders the government would favour organisations with sound security policies and may even include a certification such as ISO 27001 as a prerequisite.
* Cost-effective and rational security systems – Since the implementation requires clear identification of the organisational security environment and its specific security needs, only the required systems and processes will be put in place, with configurations specifically suited to the organisation's security requirements. The organisation may have many technical safeguards, but a proper risk assessment may highlight safeguards that have little or no business benefit and would provide a better return on investment if they were reconfigured to protect assets that require a higher level of protection. This avoids bloated (and in turn costly) and unnecessarily rigid (or, on the contrary, unnecessarily lenient) security systems and allows the organisation to obtain the level of security that is required.
* Better employee relations – Clear policies and guidelines make things easier for staff. This increases employee satisfaction and may help reduce staff turnover. Better security awareness programmes, training and clear disciplinary procedures will also induce increased professionalism among employees.
* Better risk planning – The information security strategy can be integrated with the overall organisational risk strategy leading to a comprehensive platform on which risk planning decisions can be made.