A joint international standards committee is working with experts around the world on a set of information systems incident management and investigation standards. The standards aim to reduce the risk of loss from security incidents both in on-premises installations and in the cloud. The standards deal with establishing incident response teams, managing incidents, and dealing with post event – or forensic – activity.
We all know the benefits of IT systems and how they allow business and government to deliver better services faster and more cheaply. These systems empower us to do things like online banking or easily select the cheapest flights or the best restaurants. As these information systems move to mobile devices and cloud computing, the ubiquity and scale of these services further enhances our lives and capabilities.
From a management perspective, the power of information systems also brings with it an added burden of responsibility. If you manage a business (or government agency), you still have a responsibility to manage your services appropriately and protect your business assets and customer information – even as your business becomes increasingly digital and takes advantage of mobile and cloud based services.
Recently, we have seen an increase in the number of security incidents that have threatened information systems around the world. While IT firewalls, anti-malware software, and frequent patching of software all help to reduce the risk of such attacks, they do not guarantee protection. In addition, it is still the responsibility of management to ensure that the necessary controls and processes are in place to minimise the risk and deal with the consequences of such information security incidents.
To assist businesses and government to deal with information systems security incidents, several international standards are being revised or introduced. The diagram (courtesy of ISO) shows the standards in development on the right hand side – from the ISO/IEC 27035 draft international standards on Information security incident management through to ISO/IEC draft international standard (DIS) 30121, Governance of digital forensic risk framework. Note that most of these standards are still in progress – and thus in the ''draft' stage.
Event and incident management
In information systems, an 'information security event' is an 'occurrence indicating a possible breach of information security, policy, or failure of controls'. Many of these events will be of little consequence and therefore will require no further intervention. However, a repeating occurrence of such events or a particularly suspicious event will cause the event(s) to be escalated to the status of 'information security incident', which needs to be quickly dealt with.
The draft standards look at the preparation to deal with such incidents – including policy support from management and the establishment of an incident response team, and communication with outside teams such as government agencies. Topics such as detection, reporting, assessment, and decision-making are covered so that any incidents can be dealt with quickly and the damage minimised.
Investigation, evidence, and forensic governance
The emphasis of security standards is to protect services, systems, and information whereas the emphasis of forensic standards is to manage the digital evidence in such a way that the event is preserved and the risk of reoccurrence is minimised. Digital evidence informs both the improvement of compromised systems and the prosecution of violators.
However, in some cases, evidence may be obscured by security mechanisms such as encryption and sanitisation. ISO/IEC 27040 DIS Storage security addresses data storage security to enhance the integrity of data, but still use it appropriately during security incident investigation. Sometimes material found during the investigation phase must not be disclosed and editing or redaction may be required – ISO/IEC 27038 DIS Specifications for digital redaction discusses these issues.
ISO/IEC 30121 DIS Governance of digital forensic risk framework is a governance standard that provides best practice guidance for organisations preparing for investigation.
Organisations of any kind face both internal and external factors and influences that can lead to legal actions and placement of demands on the Information Technology and related Information Systems to disclose digital evidence. International standardisation in these areas is helpful for governing bodies to help them ascertain if appropriate measures are being undertaken to manage the risk. Legal action may be the result of an uncertain, unplanned, or unexpected event or it may occur as a planned course of action against employees, competitors, or service suppliers. Whether a risk is significant or not will depend on the level of risk and the organisation's risk attitude, but the preparation is both protective and responsive. Because it is almost certain that digital evidence will be discovered and therefore subject to legal disclosure, organisations should plan and develop capability to deal with such legal actions before they occur.
ISO/IEC 30121 DIS advocates five minimalist strategies to ready an organisation for digital investigation.
- The Archival strategy that requires an organisation to establish a comprehensive archival retention of information properties. Archival processes are to be structured, complete, efficient, secure, and to maintain the integrity of data.
- The Discovery strategy that requires an organisation to establish efficient and effective information retrieval capabilities.
- The Disclosure strategy that requires an organisation to establish criteria for the securing and disclosing of information.
- The Digital forensic capability strategy that requires an organisation to adopt policies and plans to assure the preservation of digital evidence and the retention of and/or access to digital forensic skills. Such planning would include the relevant contacts of qualified investigators.
- The Risk compliance strategy that requires an organisation to assure that the level of risk remains within the organisation's risk criteria.
Threats to information systems can come from many places including malicious code, rogue employees, and natural disasters. It is impossible to guarantee total protection of information systems and therefore every organisation needs a responsible and efficient way of dealing with such incidents.
As can be seen from the above, the world of international standards is helping organisations to more easily deal with such incidents through a structured and planned approach.
This article was written by Geoff Clarke, Regional Standards Manager at Microsoft and Professor Brian Cusack, Director, Digital Forensic Research Laboratories, Auckland University of Technology. It provides information on the International Organization for Standardization (ISO)/ International Electrotechnical Commission (IEC) subcommittee (SC) that covers information technology (IT) security techniques, ISO/IEC joint technical committee (JTC) 1/SC 27, and on the working group (WG) that covers the governance of IT, ISO/IEC JTC 1/WG 8.
Note: You can order ISO standards from www.standards.co.nz, or call 0800 782 632 during business hours, or email email@example.com. Members of Standards New Zealand receive a 20% discount on all NZS and AS/NZS standards, and a 10% discount on all international standards. Visit our membership page for more information.
Note: Standards New Zealand is the official New Zealand representative to the International Organization for Standardization (ISO) and, via the New Zealand National Committee, the International Electrotechnical Commission (IEC) as well as the Pacific Area Standards Congress. Through our membership of these bodies, we are able to share our expertise and knowledge in a number of areas, as well as ensure that New Zealand interests are considered. We also ensure that information about offshore Standards development and publications is made available to the local market.