ISO 27001 compliance as prima facie evidence of good faith action
ISO 27001 compliance as prima facie evidence of good faith action
Spring 2010 - IPOL
Mark Thompson-Kolar, MSI 2011, Tailored/HCI

The Breach Problem
  • Records with sensitive personal information (PII)
    exposed in security breaches in the U.S. since 2005:
    > 346 million (not all reported!)
  • U.S. population 307 million.
  • More than 1 breach per resident.
  • PII - personally identifiable data, usually includes
    Social Security number, credit card numbers, with names,
    addresses ... biometric data.

Sources: Privacy Rights Clearinghouse, March 13, 2010;
U.S. Census Bureau estimate, July 2009
Breaches Not Going Away
  • Breaches will keep happening.
  • You cannot anticipate every internal and
    external threat, nor can you predict when an
    employee will prove dishonest or capable of a
    major mistake. No security system is bulletproof.
    ... The question is not 'if' your data will be
    compromised, it is 'when.'

Image from Datarati Actionable Insights
Source: Tedder, K. January 2010. A First Data
White Paper, "Don't Wait for a Data Compromise."
U.S. Info Security Regulatory Framework
  • Regulations
      • Sarbanes-Oxley
      • Gramm-Leach-Bliley
      • FTC Act Section 5
  • Information covered
      • Health records
      • Corporate financial
      • Consumers' credit
      • Personal financial
      • Deceptive practices

Breach Examples: ChoicePoint
  • ChoicePoint, a large data broker based in
    Atlanta, Ga.
  • 800-plus cases of identity theft resulting from
    theft of data.
  • Violations alleged: Fair Credit Reporting Act
    and FTC Act Section 5.
  • 2006: settles FTC breach charges
  • $10 million in civil penalties
  • $5 million for consumer redress

Source: FTC news release
Breach Examples: TJX
  • The TJX Cos. Inc., major discount retailer
  • 455,000 consumers' PII taken in 2005-06.
  • FTC alleged TJX failed to use reasonable and
    appropriate security measures to prevent
    unauthorized access to PII.
  • Banks claimed tens of millions of dollars in
    fraudulent charges made on the cards.
  • Company had passed a checklist-style audit under
    the Payment Card Industry Data Security Standard.

Source: FTC news release
Breach Examples: Dave & Buster's
  • March 25, 2010
  • Dave & Buster's, Inc. restaurants
  • FTC charges company left consumers' credit and
    debit card information vulnerable to hackers -
    130,000 cards.
  • Failed to take reasonable steps to secure this
    sensitive PII on its network.
  • Several hundred thousand dollars in fraudulent
    charges.

Source: FTC news release
Security in Settlements
  • ChoicePoint required by FTC to:
  • Establish and maintain a comprehensive
    information security program.
  • Company must obtain audits by an independent,
    third-party security professional every other
    year for 20 years.

Source: FTC news release
Security in Settlements
  • TJX required by FTC to:
  • ... Establish and maintain a comprehensive
    security program reasonably designed to protect
    the security, confidentiality, and integrity of
    personal information it collects from or about ...
  • Security program must contain
    administrative, technical, and physical
    safeguards appropriate to each company's size,
    the nature of its activities, and the sensitivity
    of the personal information it collects.

Source: FTC news release
Security in Settlements
  • Dave & Buster's required by FTC to:
  • Put in place a comprehensive information security
    program.
  • Establish and maintain a program designed to
    protect the security, confidentiality, and
    integrity of customers' PII.
  • Requires company to obtain independent,
    professional audits every other year for 10
    years.

Source: FTC news release
Seeing a Trend
  • Recent Dave & Buster's settlement is FTC's 27th
    case challenging faulty data security practices
    by organizations that handle sensitive consumer ...
  • Settlements fairly consistent in what breached
    companies must do.
  • Primary point: improve processes by establishing
    a comprehensive information security program.

Consideration for Good Actors
  • Data breaches of PII will continue.
  • Settlements require improvement processes, not ...
  • How to get companies to adopt well-regarded
    improvement processes sooner, not later?
  • Reward for doing the right thing:
  • Consistent, up-front prima facie consideration
    of such steps as evidence of good faith action if
    a breach occurred.

ISO 27001 Suggestion
  • Need a very highly regarded data security ...
  • ISO 27001 would be a superb choice.
  • There are others, outside the scope of this
    presentation (one other that might make sense:
  • CobiT - Control Objectives for Information and
    related Technology, a set of best practices for
    IT management.
  • COSO - The Committee of Sponsoring Organizations
    of the Treadway Commission, Control Objectives.)

Source: Solutionary
About ISO 27001 (Family)
  • Collection of interrelated data security ...
  • Developed by Switzerland-based NGO (International
    Organization for Standardization).
  • "ISO is a global network that identifies what
    International Standards are required by business,
    government and society, develops them in
    partnership with the sectors that will put them
    to use ..."

Source: International Organization for Standardization
ISO 27001 Overview
  • 27001 respected as a comprehensive framework.
  • Aka ISMS (Information Security Management System)
  • Establishes risk management processes
  • Some data is more vital to protect.
  • Must examine what information you have.
  • Encourages continual improvement to business
    practices - very important, as the security
    vulnerability environment never stops changing.

Source: International Organization for Standardization
ISO 27001 Certifications
  • March 2010
  • Total worldwide companies that had achieved
    ISO 27001 certification: 6,385.
  • Just 95 of them were located in the U.S.

Sources: International Register of ISMS
Certificates; National Geophysical Data Center
ISO 27001 Strengths
  • Utilizes Plan-Do-Check-Act methodology
  • PLAN. Clause 4 expects the firm to plan the
    establishment of the organization's ISMS.
  • DO. Clause 5 expects the firm to implement, operate,
    and maintain its ISMS.
  • CHECK. Clauses 6 and 7 expect the firm to monitor,
    measure, audit, and review the ISMS.
  • ACT. Clause 8 expects the company to take corrective
    and preventive actions, and continually improve
    the ISMS.

Source: JBW Group International
Additional ISO 27001 Strengths
  • More on Plan-Do-Check-Act methodology
  • Works with a variety of regulations and kinds of
    information. Company must know all relevant
    legal, regulatory, industry-standard and
    contractual requirements that affect the
    business's use of information assets.
  • Outlines 11 control areas, 39 control objectives
    and 133 specific controls.
  • NOT a checklist standard. Process driven.
  • IS a risk-assessment-driven standard.

Source: JBW Group International
ISO 27001 Risk Assessment
  • "When organizations implement ISO 27001, not only
    do they safeguard assets through best practice
    controls, they empower their organization with a
    risk-assessment methodology that assures the
    proper treatment of all risks ... (this) allows
    an organization to be ever responsive to new
    risks and to address each risk in a manner most
    suitable to their organization at the time."

Source: Barry L. Kouns, security consultant and
principal with SQM-Advisors consultants
ISO 27001 Due Diligence
  • Due diligence - corporate officers operate in
    line with accepted business practices and follow
    all relevant laws and other regulatory ...
  • ISO 27001's guidelines, evaluation criteria, and
    reference standards help companies practice due
    diligence.
  • "Developers should be prepared to show they have
    used security processes at least as thorough and
    demanding as those of equivalent ISO 27001 rated
    systems. This will establish due diligence ..."

Source: Edward H. Freeman, data security ...
ISO 27001 Regulatory Enforcement
  • Looking back at the regulatory settlements ...
  • Trends in enforcement actions, and what they
    impose in the way of security program
    requirements, look a lot like clauses 4-8 of ISO
    27001.

Source: Patrick Sullivan, JBW Group International
TJX Settlement & ISO 27001
  • Settlement: Establish and maintain a
    comprehensive security program ... contain
    administrative, technical, and physical
    safeguards appropriate to each company's size,
    the nature of its activities, and the sensitivity
    of PII it collects.
  • ISO 27001, Clause 4: Define an ISMS policy in
    terms of the characteristics of the business, the
    organization, its location, assets and technology
    that ... takes business and legal or regulatory
    requirements as well as contractual security
    obligations into account ... aligns with the
    organization's strategic risk management context.

Sources: FTC, CQR Payments
TJX Settlement & ISO 27001
  • Settlement: Identify internal and external risks
    to the security and confidentiality of personal
    information and assess the safeguards already in
    place.
  • ISO 27001, Clause 4: Identify, analyze and evaluate
    the risks; select control objectives and controls
    for the treatment of risks.

Sources: FTC, CQR Payments
TJX Settlement & ISO 27001
  • Settlement: Evaluate and adjust information
    security programs to reflect results of ...
  • ISO 27001, Clause 4: Conduct internal ISMS audits at
    planned intervals and update security plans to
    take into account the findings of monitoring and
    reviewing activities.

Sources: FTC, CQR Payments
TJX Settlement & ISO 27001
  • Settlement: Designate an employee or employees to
    coordinate the information security program.
  • ISO 27001, Clause 5: Explicitly states the
    management responsibility for the ISMS and
    details the necessary requirements pertaining to
    management commitment and resource management,
    including provision of resources as well as
    training, awareness and competence.

Sources: FTC, CQR Payments
ISO 27001 Isn't Perfect
  • Some criticisms:
  • It focuses on certifying the process by which
    you determine which controls should be in place,
    not that the controls actually are in place.
  • Without significant testing to validate that the
    technical controls are operating as planned, it
    can lead to a false sense of security.
  • It doesn't include controls guidance for software
    applications, a major source of risk.
  • Success is in implementation. Adherence to
    Plan-Do-Check-Act lets businesses avoid these ...

Source: John Verry, Pivot Point Security
Reasons to Favor ISO 27001
  • Respected globally as a solid framework.
  • Employs a risk management process.
  • Supports a company's due diligence efforts.
  • Improves corporate processes.
  • Has clear points of connection with U.S. law and
    is effective in a multi-agency regulatory framework.
  • Handles a variety of information types.
  • Use is growing worldwide; makes sense to use as
    businesses go global.

  • Is ISO 27001 the only viable option for prima facie ...
  • No.
  • But it's one that makes good sense.

  • Thank you!