There was a lot of stuff in the Security and Risk Management domain of the CISSP that I would never even think about in my past job(s) as a systems administrator. None of my previous employers ever mentioned anything about following ISO standards or operating under some “risk management framework”.
What was a framework anyway? It was frustrating to read about risk management without any real experience. I was sure that if the CISSP exam had any questions pertaining to risk, I’d get them wrong.
It wasn’t until working for a security firm, and studying for the CISSP, that things started to make sense.
My company was about to undergo an ISO 27001 audit.
It was a tense time in the office. Executives were milling around from conference room to conference room, some in good spirits, some with a resting scowl. Security officers followed right behind them, discussing strategies to make sure the audit went well. The executives were dressed in expensive suits appropriate for daytime, while the security officers were all dressed alike and reminded me of that headless guy in a black suit and white shirt associated with the Anonymous hacker group.
ISO 27001 is a standard that lays out how to implement and manage security controls within a company.
It tells you the best practices for protecting assets, securing data, enforcing proper access control, and shredding papers so nobody performs a dumpster diving attack. Prudent security stuff. Oh, it also stresses documentation, documentation, documentation! Everything needs documentation!
We had failed last year, but hired a brand new CISO to make sure we got certified this year. Needless to say, there was a lot of pressure on the CISO. Sometimes in the real world, the CISO position is created just so the CEO has someone to take the blame in case of an information security disaster. So if you’re in a CISO position, there is no room for mistakes.
One of the security officers walked over to my desk and said in a refined British accent, “Hello there, good to meet you, I look forward to our talk later.”
“Hey! Nice to meet you too, yup, I’ll see you at 1pm.”
Right before he left, he looked over my cubicle. “Just a note, for the audit I just wanted to say that we’ll be starting to enforce a Clean Desk Policy, you know, just to cover ourselves. Here…” He shuffled through something in his briefcase, pulled out a small poster, and handed it to me.
It said “All employees must practice a Clean Desk Policy”, alongside the company logo.
Pretty soon, all the employees had one of these posters hanging on their cubicle wall.
Along with the posters, we all also started to wear identification badges with our pictures around our necks. There were rumors that our manager said you could take them off after the auditor left.
The badges helped to confirm that the personnel in the office were authorized to be there. The idea was that if you didn’t have a badge, you were an intruder. ID badges and clean desks are good physical security practice.
Two weeks later, the auditor was in the office.
He had taken off his suit jacket and walked around with a laptop, sometimes setting it down on a spare table to write some notes. He interviewed the higher-level managers and left us engineers alone. Earlier, we had been warned that the auditor might go out back to smoke a cigarette with us and try to pry as much information out of us as he could, to see if we would divulge company secrets. He never asked to go for a cigarette.
After 6 hours, the audit was over.
What happened after the auditor reported back with his findings?
We didn’t get fined. The cyber police didn’t show up at our door. We weren’t the laughingstock of the information security industry.
All we had to do was change some long overdue access control processes, update our current documentation on all things security, and increase employee security training.
Why would our company submit to the ISO auditor voluntarily? So he could criticize the way we manage our company security? Tell us to change a bunch of things around?
Simply put, yeah. That IS the reason. Being ISO 27001 certified is somewhat a matter of prestige. It shows customers that the company takes security seriously and will follow the best practices set forth by an internationally recognized organization such as the ISO. It shows due diligence.
So really, the ISO audit made us a stronger company. There are a few more things we have to do to gain access to some systems, and we might just have to wear a stupid ID badge once in a while, but that’s worth a strong security framework.
You know how else an ISO certification looks good? The same reason a CISSP certification looks good on your resume: it shows a dedication to the profession of security. Customers like companies that are ISO certified, and companies like individuals that are CISSP certified.
Oh, and what is a security framework? Think of it as protecting your home. The framework to protect my own home consists of an alarm system with triggers at every window and door. There are only three egress points, and each one is bolted or has a sliding security bar. Carefully hidden out of plain sight are two guns, accessible only to those who know the location. Each door has a different window for seeing whoever is at the door.
For a company, a security framework is a set of protective measures that brings together people, business goals, and processes. They all have to come together to build a stronger security foundation within the organization. It’s funny how people are the most important part of a security framework, more so than the technical, administrative, or physical controls. But at the same time, people are also the weakest part of a company, because they have access to SO much and the ability to do the most damage (accidentally or intentionally).
Note: We passed our ISO 27001 certification!