Social Engineering - What exactly is it and who might be victims?

Reblogged from advent-im:

Social Engineering – If you don’t work in the security or IT industry, you may wonder what the term means and whether it poses any real threat to your organisation. If you have heard the term, assuming it is an IT issue in isolation would be a mistake.

Social engineering is the human counterpart of a technical attack: where a hacker uses tools to probe an information system for a vulnerability to exploit, the social engineer probes people, their trust, their habits and their helpfulness, to the same end.

Lexcel and ISO 27001 – complementary accreditations?

After reading a discussion on Linkedin in the Lexcel group, entitled, “The Death of Lexcel” and asking the legal brains on Deferolaw.com what they thought about this, I thought it might be interesting to have a look at Lexcel in the context of ISO 27001.

Rumours of the Death of Lexcel have been somewhat exaggerated.

I looked because we have noticed increased interest in, and uptake of, this accreditation in the legal professions, so the discussion topic intrigued me: was there any correlation? Whilst they are not competing accreditations, there are some areas where I can see a definite relationship.

Incidentally, whilst I thought it a great attention-grabbing headline, the death of Lexcel would appear to be somewhat exaggerated…

ISO 27001 potentially maps across some areas and a practice with Lexcel may have the ‘nucleus’ to build on for this accreditation.

The Lexcel standard is very practice- and client-focused, has many mandated elements and talks about risk management, but that risk is about clients and matters such as indemnity insurance rather than the risk-based approach of ISO 27001, whose focus is the security of the information assets of a business. Still, it may not be such a huge leap (see below).

Why are legal practices considering ISO 27001? It seems they see it as a competitive advantage when bidding for tenders, especially HMG-related ones such as the NHS, where practices are now being asked how they provide information security. Indeed, the panel of practices serving the NHS Litigation Authority consists of 10 firms, of which only one currently holds ISO 27001, but that landscape is changing.

‘Having the badge’ saves time and money: instead of individually specifying how the practice handles security to meet each client’s requirements, it can simply say ‘see the badge’!

Understandably, there is growing unease about the increasing enforcement action being taken by the ICO on data protection and privacy. Fines and penalties of up to £500,000, plus possible custodial sentences, are not good publicity for any organisation. For a legal practice, the nature of the data it holds is so sensitive that any lapse which had to be disclosed would be disastrous and a headline writer’s dream.

An ounce of prevention is worth a pound of cure

Lexcel and ISO27001

Lexcel – Overview (v4; v5 was released in October 2011, with compliance required from July 2012)

All Lexcel Elements below are MANDATORY. The ISO 27001 section numbers cited alongside them refer to the Annex A control areas of ISO/IEC 27001:2005, the edition current at the time of writing.

√ Law Society’s International Practice Management Standard

√ Objectives of Standard:

  • Enhance the service given by the practice to its clients
  • Improve the management of the practice
  • Improve the morale and motivation of staff

√ Emphasis on continuous improvement – just as ISO27001 has with its PDCA process

√ Standard consists mostly of mandatory requirements – policies, processes, procedures and plans – each policy and plan has an ‘owner’ – a good start, since many of the policies below are also required for ISO27001

√ Documented review at least annually – Audits and reviews are part of the ISO27001 ISMS

√ A practice being any organisation subject to the standard – including partnerships, LLPs, sole practices, incorporated law firms and legal departments

√ The Lexcel Office provides guidance on application of the standard

√ Lexcel has elements of ISO9000 and IiP (Investors in People) and is a readily-translated quality standard for the legal profession

√ Risk reduction tool in terms of Indemnity Insurance claims – ISO27001 can reduce overall risks even further

Lexcel – Structures & Policies (Mandated)

√ Risk Management Policy – strategic, operational and regulatory risks – required and mandated in ISO27001

√ Quality Policy

√ Anti-money Laundering Policy to comply with legislation – this would be part of ISO27001 Section 15 on Compliance

  • Includes need for a MLRO
  • Process for disclosures
  • Identification checking
  • Personnel training
  • Records maintenance

√ H&S Policy

√ Community & Social Responsibility

√ NEW V5 – Outsourcing Policy & Social Media Policy – policies that would also be required in ISO27001, with Outsourcing being part of a 3rd Party Management Policy in ISO27001 terms

Lexcel – Strategy, Provision of Services & Marketing

√ Documented marketing and business plan

√ Documentation of service offering and a required 6 monthly review (audit) – internal audit is very important within ISO27001

√ BCP – Section 14 of ISO27001 on Business Continuity Management (possible requirement also for BS25999 that BJ are also considering)

Lexcel – Information Management & Facilities

√ Information Management:

  • ICT Plan
  • Data Protection Policy – including registration with ICO and training of staff – Section 15 Compliance of ISO27001
  • Information Management Policy – information assets with a description of the risks to these assets (practice and client), likelihood and impact – mandated by Clause 4 of ISO27001, though Lexcel gives no guidance, from what I can see, on risk assessment methodology (cf. ISO27005)
  • Procedures for the protection and security of assets, including training of personnel – ISO Section 8 on HR, security training and awareness
  • Email Policy – scope of permitted and prohibited use, monitoring, management, security, storage and destruction procedures – this would be part of an acceptable use policy (AUP) in ISO27001 and is covered in various sections of the standard
  • Web Site Policy (if they have one) – process for document approval and publishing, permitted and prohibited usage, management and security of contents – Section 10 (amongst others) of ISO on need for change management
  • Internet Access Policy – permitted and prohibited use, monitoring procedures – as for Email above

√ Facilities – much of this is covered in Section 9 of ISO27001

  • Security and Safety of equipment
  • Process for Visitors (Clients) and communication arrangements
  • Procedures for handling of financial transactions
  • Processes for sharing and updating legal and professional information
  • Office Manual or Intranet – reviewed and updated at least annually

Lexcel – People Management – all classic Section 8 of the ISO

√ Recruitment plan and procedures (references, vetting etc)

√ Induction Training

√ Training and Development Policy

Lexcel – Supervision and Operational Risk Management

√ Written description of management structure with R&R – ISO Section 6 Organisation

√ Active supervision of all staff – monitoring, Section 10

√ Process to check all legal work files for ‘inactivity’ – auditing

√ Regular independent file reviews – auditing again

√ Designation of one overall Risk Manager – similar to the director-level individual with responsibility for Information Security within the business that the ISO expects

√ Annual analysis of risk assessment data – annual review of risk register and possible re-assessment of risk as per ISO

Lexcel – Client Care – ISO Dealing with Customers Section 6

√ Client Care Policy

√ Record of Standing Terms of Business with Clients

√ Written Complaints Handling Procedure

√ Monitor Client Satisfaction

Also Sections on Financial Management & File and Case Management

Other referenced documents: Solicitor’s Code of Conduct (Rule 2) and by implication the Solicitors Regulation Authority (SRA) Chapter 7 Management of Business

BYOD -Bring Your Own Device a fast growing trend

Should it work for you but more importantly can it work for you?

Dave Wharton, Senior Security Consultant, Advent IM

With the proliferation of smartphones and tablets, a growing number of companies allow, or turn a blind eye to, the use of personal devices for work purposes. But is it safe, and can a company really justify it in the event something goes wrong?

In an era where flexibility and mobility are key, there seems to be a growing acceptance by companies (or is it a sense of inevitability?) that staff should be allowed to use their own devices to do their work on – BYOD.  Whether it is a PC at home or a smartphone, tablet or laptop on the move, there is no question staff are doing it, with or without the blessing of their company.  A recent BBC article on BYOD quoted a survey by Avanade (a business technology company) in which 88% of executives said employees used their own devices for business purposes (http://www.bbc.co.uk/news/business-17017570).  Another survey found that while 48% of employers would never allow BYOD, 57% agreed that some staff used personal devices without consent.

So what, might you ask? 

My PC at work is slow and takes an age to open an email and if I try to do two things at once it just freezes or my boss needs this by tomorrow and I’ll be damned if I’m staying behind again tonight. 

When faced with such challenges, is it any wonder that staff want to take advantage of a state-of-the-art device with functionality and performance a company ICT manager can only dream of?  The appeal to companies is there too: productivity improves and staff are content, but at what price?  Companies that allow BYOD should be under no illusion: it does not come without risk.  By allowing staff to use their own devices, companies are in effect relinquishing control over how their information (sensitive or otherwise) moves in and out of their business networks, and are allowing untrusted devices to connect.  That increases the risk of malware attacks and data compromise and, perhaps more worryingly, exposes the business to reputational harm or costly fines in the event of a data protection breach.  Is there any managing director or senior partner who would welcome the scrutiny of the Information Commissioner’s Office?

So what is the answer?  The straightforward answer is not to allow it, and I am not going to advocate the use of BYOD here.  There are a number of reasons why you shouldn’t and perhaps only one reason why you should.  While employee satisfaction is clearly important, the main advantage to employers comes down to cost.  By allowing BYOD there are potential savings in ICT infrastructure, as in effect you are passing (somewhat unfairly) the burden of upgrades to your staff.  You could even offer staff an annual bonus for using their own devices, to share the cost of upgrading, and still save money.  A very convincing argument in favour of BYOD was also presented on ZDNet (http://www.zdnet.com/blog/virtualization/byod-the-inevitable-reality/3953), although I would (obviously) disagree with its views on security and argue that this is where governance comes in (see below).

However, as I said earlier if you do so you relinquish control which in my view will always be too high a price.  Now some will argue that as soon as you provide staff with a Smartphone or Laptop you lose control of these devices the second they walk off the premises so why worry about using BYOD.  However, I would contend that this is where governance comes in.  Issuing staff with company owned devices means you determine (among others):

  • What devices are permitted;
  • The operating system and how it is kept secure with the latest security updates and patches;
  • The strength and quality of passwords used;
  • What anti-malware software is used and, perhaps more importantly, how it is updated;
  • How data is stored and protected on the device;
  • How and where the device connects to the internet;
  • What removable media (eg. USB memory sticks, CDs, etc) is permitted.

And with governance and compliance checking you can ensure that the above points are always maintained and that the device is used in accordance with your company’s acceptable use policies.  Can you honestly say your staff will be as vigilant in protecting their own devices?  Have a look at this regarding passwords on mobile phones (http://www.scmagazineuk.com/consumers-failing-to-take-mobile-security-seriously-says-sophos/article/209294/).  You may also want to consider that your staff will probably let friends and family use their own devices, but will be less inclined to do so with a company-owned device.

To support my view I have a challenge for you.  Take a look at the advice for an effective cyber defence provided by the UK Government’s Centre for the Protection of Critical National Infrastructure (http://www.cpni.gov.uk/advice/infosec/Critical-controls) and see how allowing BYOD compares against the advice provided.  You might also want to see how your organisation’s ICT infrastructure meets the listed controls while you’re on, particularly if you are holding large volumes of customer personal data.

So should, or can, BYOD work for you?  My answer is no on both counts.  My advice is that organisations wanting to protect their own information and that of their clients should consider implementing an information security management system, such as one built on the ISO/IEC 27001 standard, which provides a structured set of controls, part of which will help an organisation implement a business-supporting and secure ICT programme.

That said, although I wouldn’t advocate the use of BYOD, if you find yourself in a position where you have no choice there are some steps you can take to reduce (if only slightly) the risk:

  1. Identify what types of devices will be permitted and which won’t;
  2. Authorise permitted devices and block all others;
  3. Segregate particularly sensitive company/client data on the network and decide what access will be permitted from remote devices;
  4. Insist on specific encryption standards for data storage and for WiFi;
  5. Insist that anti-malware is installed and kept up to date, and that the device is regularly scanned;
  6. Insist that a remote emergency wipe capability is added to the device in case it is lost or stolen;
  7. Keep up to date with the latest threats and vulnerabilities and have a policy in place for responding accordingly;
  8. Develop, educate on and enforce BYOD policies that cover steps 1 to 7 and:
    • Immediate actions if the device is lost or stolen;
    • The impact on a staff member’s expectation of privacy when connecting their device to the company network;
    • How the device may connect to company networks;
    • Acceptable use for email and the internet;
    • The wiping of company data when a staff member upgrades or replaces their device;
    • The wiping of company data when a staff member leaves the company;
  9. Consider compliance checking on devices to ensure the above is actually happening;
  10. Consider what support options the company will offer for the devices.
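Steps 2, 4, 5, 6 and the compliance checking at the end are the parts of this list that can be enforced mechanically rather than by policy alone. The following is an added example, not code from the original article or from Advent IM, of the posture evaluation a NAC or MDM gateway performs before admitting a personal device; the policy thresholds, the posture fields and the two device records are assumptions constructed for the illustration. It reports every failing check rather than stopping at the first, and treats anti-malware that is present but stale as a failure, which is the usual way step 5 goes wrong in practice.

```python
"""Device posture check for a BYOD policy.

Constructed example of the evaluation a NAC/MDM gateway performs before
admitting a personal device. The policy thresholds, posture fields and
device records are assumptions made for this illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed policy baseline; a real one comes from the BYOD policy in step 8.
POLICY = {
    "allowed_platforms": {"ios", "android", "windows", "macos"},
    "min_os": {"ios": (15, 0), "android": (12, 0), "windows": (10, 0), "macos": (12, 0)},
    "max_signature_age_days": 7,
    "max_scan_age_days": 7,
    "min_passcode_length": 6,
}


@dataclass
class DevicePosture:
    device_id: str
    platform: str
    os_version: Tuple[int, int]
    enrolled: bool                     # step 2: on the authorised-device list
    storage_encrypted: bool            # step 4
    av_installed: bool                 # step 5
    av_signature_date: Optional[date]  # step 5: freshness, not just presence
    last_scan_date: Optional[date]     # step 5
    remote_wipe_enrolled: bool         # step 6
    passcode_length: int
    rooted_or_jailbroken: bool         # a rooted device cannot attest any of the above


def evaluate(d: DevicePosture, policy: dict = POLICY,
             today: Optional[date] = None) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failing check is reported, not just
    the first, so the user is told everything that needs fixing at once."""
    today = today or date.today()
    reasons: List[str] = []
    if d.platform not in policy["allowed_platforms"]:
        reasons.append(f"platform {d.platform!r} not permitted")
    elif d.os_version < policy["min_os"][d.platform]:
        reasons.append(f"OS {d.os_version} below minimum {policy['min_os'][d.platform]}")
    if not d.enrolled:
        reasons.append("device not on the authorised list")
    if d.rooted_or_jailbroken:
        reasons.append("device is rooted/jailbroken; its posture cannot be trusted")
    if not d.storage_encrypted:
        reasons.append("storage encryption disabled")
    if not d.av_installed:
        reasons.append("anti-malware not installed")
    else:
        # Present-but-stale anti-malware is the usual failure: check age, not presence.
        if d.av_signature_date is None or (today - d.av_signature_date).days > policy["max_signature_age_days"]:
            reasons.append("anti-malware signatures stale or unknown")
        if d.last_scan_date is None or (today - d.last_scan_date).days > policy["max_scan_age_days"]:
            reasons.append("no recent anti-malware scan")
    if not d.remote_wipe_enrolled:
        reasons.append("remote wipe not enrolled")
    if d.passcode_length < policy["min_passcode_length"]:
        reasons.append(f"passcode shorter than {policy['min_passcode_length']} characters")
    return (not reasons), reasons


def sample_evaluation(today: Optional[date] = None) -> Dict[str, Tuple[bool, List[str]]]:
    """Run two constructed devices through the policy: one compliant, one
    enrolled and encrypted but with stale controls and no wipe capability."""
    today = today or date.today()
    good = DevicePosture("ipad-001", "ios", (15, 2), True, True, True,
                         today - timedelta(days=2), today - timedelta(days=3), True, 6, False)
    stale = DevicePosture("droid-007", "android", (12, 0), True, True, True,
                          today - timedelta(days=30), None, False, 4, False)
    return {d.device_id: evaluate(d, today=today) for d in (good, stale)}


if __name__ == "__main__":
    for device_id, (allowed, reasons) in sample_evaluation().items():
        print(device_id, "ALLOW" if allowed else "BLOCK", "; ".join(reasons))
```

The second constructed device passes the checks most organisations remember to make (enrolled, encrypted, anti-malware present) and still gets blocked on four counts; a check that only asks "is AV installed?" would have let it on.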


Are you considering Cloud for your data?

Cloud - stormy weather or plain sailing?

We have recently posted a Cloud discussion and some top tips on our general security blog. This is aimed at all businesses, not specifically the legal professions. We wanted to help organisations understand the key questions they need to be asking of potential Cloud providers, sweep away some of the myths (as we see them) and generally create a little more clarity to allow for quality decision making.

Cloud computing is an exciting opportunity for many organisations and we want to make sure that they do it safely and fully armed with knowledge.

If you would like to read the blog then please head over to our main blog at www.adventim.wordpress.com or you can pick up a copy to print if you need it on our Scribd feed. www.scribd.com/advent_im

Outsourced service – MySecurityManager, launches

Advent IM Ltd – the UK’s leading independent, holistic security consultancy – today announced the launch of its new outsourced security service, MySecurityManager.

Many businesses and organisations understand the need for robust security management. Given the amount of column inches, both in print and online, devoted to data security breaches alone; it isn’t difficult to appreciate the importance of good, well managed policy.  We know that part of the solution can come from the use of technology, but technology only works at its optimum level when it is part of a solid strategy, which in turn is part of an organisation’s culture.

The cost of creating or maintaining a full-time Security Manager role within an organisation can be challenging. Often the expertise required to build, implement and educate in good policy is not available to SMEs.   But risk appetite is not generally commensurate with budget, so what is an SME to do?

Advent IM Ltd has today introduced packaged solutions to suit most organisational security management needs. This selection of outsourced security packages is a mixture of onsite presence, project management and email support. Because they are scalable and flexible, the service you buy will be appropriate to your organisation’s needs, offering excellent value for a business where budget is not currently available to resource a full-time Security Manager. A fixed price means that there are no nasty surprises or hidden costs.

The benefits of using such a service include; a pool of experts with many years’ experience – this level of expertise may normally be beyond budget; no need to recruit or train; no National Insurance; no sick pay; no holiday pay and many other important cost savings.

Advent IM’s Managing Director, Mike Gillespie, said:

“Now every business can benefit from the huge amount of expertise that our consultancy clients have long had access to and benefitted from. Offering flexibility mixed with capability, MySecurityManager is a must for any organisation that seeks an efficient and effective means of closing that security knowledge gap.”

Details of the service can be found on the Advent IM website http://www.advent-im.co.uk/mysecuritymanager.aspx or by contacting the team.

New Information Security course dates for 2012

Advent IM Ltd Information Security training courses
Advent IM – new training dates for 2012

ISO 27001 – We have new dates for the one-day Introduction to Information Security course and the five-day Lead Auditor course, both running in 2012.

The initial dates are all in February, and details are in the training section of the website along with a booking form if you need one.
If you have other training requirements, you can phone and talk to us and we will try to help.

When is an encrypted laptop, not an encrypted laptop?

It’s logged off, but is it encrypted?

If you have an encrypted business laptop, does that mean it’s totally safe and therefore if you lose it, then it doesn’t really matter because of the encryption?

Erm, well, not necessarily. In fact, you may be surprised to discover when your encrypted laptop is, in fact, encrypted.
First let me explain what brought this up. I read an article in SC Magazine today about a Scottish QC who had the misfortune to have her business laptop (unencrypted, we believe) stolen from her home whilst she was on holiday; the SC Magazine article has the details.
The laptop apparently contained personal details of individuals involved in eight court cases that Ruth Crawford, the unfortunate QC in question, was working on. Clearly this is highly sensitive information, and a situation any legal professional would be horrified to find themselves in.
Kevin Macdonald of the Information Commissioner’s Office (ICO) in Scotland, who investigated the breach, took the opportunity to point out that this was “a warning to other legal professionals” and that “it’s not just about being served with a penalty of up to £500,000, it could affect (their) careers too.” On this occasion the QC was not issued with a financial penalty, because the theft occurred before 6 April 2010, the date the ICO gained the power to fine for serious breaches.
At the moment the ICO does not have the power to force mandatory disclosure of such breaches, but it is in their sights. The statement on this incident included the comment: “The ICO would also like to assure the legal profession that any information reported to this office will not be disclosed unless there is specific legal authority for us to do so. Therefore all breaches should be reported to our office as soon as practically possible.” If you have read any of the social media and press commentary on mandatory disclosure, you will know it feels like only a matter of time. So are we saying that encrypted laptops are the way forward for the legal professions? Many already use them as a matter of course. Well, it’s one possible solution to a security issue.
In this case the laptop was apparently unencrypted, not a good start. But it was also sitting at her home while she was away on holiday. A simpler control would have made the lack of encryption less of an issue: locking it away at the office outside working hours, and particularly during annual leave, as a matter of good security policy.
One common misconception about encrypted laptops is that… well, they are always encrypted, so losing one is not a huge issue. It is not that simple. The disk contents are always ciphertext at rest, but once the pre-boot passphrase has been entered the decryption key sits in memory and the volume stays unlocked for as long as the machine is running. Logging off, locking the screen or putting the laptop to sleep does not evict that key; only a full power down returns the laptop to the state where the encryption actually has to be defeated, and even then only if unlocking requires something the thief does not have, such as a pre-boot passphrase rather than an automatic TPM-only unlock.
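To make the key-in-memory point concrete, here is an added example (not part of the original post) that models the lifetime of a volume key across the power states just mentioned. The cipher is a toy HMAC-SHA256 counter-mode keystream standing in for a real disk encryption scheme, and the states and transitions are a simplified model rather than a description of any particular product; what it shows is that an attacker who can read memory or simply use the already-unlocked volume gets plaintext in every state except powered off.

```python
"""Model of a full-disk-encryption volume key across laptop power states.

Constructed illustration: the cipher is a toy HMAC-SHA256 counter-mode
keystream, not a real disk encryption scheme. What it demonstrates is which
transitions leave the volume key resident in RAM.
"""
import hashlib
import hmac
import os


def derive_volume_key(passphrase: str, salt: bytes) -> bytes:
    # Pre-boot authentication: a slow KDF turns the passphrase into the key.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=32)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy counter mode: HMAC-SHA256(key, nonce || counter) as keystream.
    # XOR is symmetric, so the same function encrypts and decrypts.
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class KeyNotInMemory(Exception):
    """Raised when only ciphertext is reachable: the volume is locked."""


class EncryptedLaptop:
    """Disk contents are always ciphertext at rest; what varies between
    states is whether the volume key is held in RAM."""

    SECRET = b"client list: personal data from eight court cases"

    def __init__(self, passphrase: str):
        self.salt = os.urandom(16)
        self.nonce = os.urandom(16)
        self._volume_key = None      # RAM copy of the key; None once evicted
        self.state = "off"
        # Provisioning: the sensitive file is written through the encrypted volume.
        self.disk = keystream_xor(derive_volume_key(passphrase, self.salt), self.nonce, self.SECRET)

    def boot(self, passphrase: str) -> None:
        # Pre-boot authentication loads the key into memory, where it stays.
        self._volume_key = derive_volume_key(passphrase, self.salt)
        self.state = "logged in"

    def lock_screen(self) -> None:
        self.state = "screen locked"     # session-level only; key untouched

    def log_off(self) -> None:
        self.state = "logged off"        # session ended; key untouched

    def sleep(self) -> None:
        self.state = "asleep"            # suspend-to-RAM keeps memory powered

    def power_off(self) -> None:
        self._volume_key = None          # the only transition that evicts the key
        self.state = "off"

    def key_in_memory(self) -> bool:
        return self._volume_key is not None

    def read_disk_without_passphrase(self) -> bytes:
        """A thief who bypasses the OS login (reads RAM, uses DMA, or just uses
        the already-unlocked volume) gets whatever key is currently resident."""
        if self._volume_key is None:
            raise KeyNotInMemory("volume locked: only ciphertext is available")
        return keystream_xor(self._volume_key, self.nonce, self.disk)


def key_resident_by_state(passphrase: str = "correct horse battery") -> dict:
    """Walk one laptop through the states from the article and record, for
    each, whether plaintext is recoverable without the passphrase."""
    laptop = EncryptedLaptop(passphrase)
    seen = {laptop.state: laptop.key_in_memory()}
    laptop.boot(passphrase)
    for transition in (laptop.lock_screen, laptop.log_off, laptop.sleep, laptop.power_off):
        seen[laptop.state] = laptop.key_in_memory()   # record the state before leaving it
        transition()
    seen[laptop.state] = laptop.key_in_memory()
    return seen


if __name__ == "__main__":
    for state, resident in key_resident_by_state().items():
        print(f"{state:14} key in RAM: {resident}")
```

The same model also explains why cold-boot and DMA attacks target sleeping or locked machines rather than powered-off ones: the attacker is after the key that is still resident, not the ciphertext on disk.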
Whilst the SC Magazine article finishes with a helpful quote from an encryption software producer on self-encrypting drives, it doesn’t address the underlying issue: it doesn’t matter how good the encryption is if your security policy, staff security education and ongoing review process are not robust. Relying on technology in isolation makes staff complacent and leads to dangerous assumptions, such as “my laptop is encrypted, so I have nothing to worry about”.
So, when is an encrypted laptop not an encrypted laptop? Pretty much whenever it is switched on, actually.
Independent Information and Physical Security Consultants