WikiLeaks Lessons: What Exactly is Information Security?

Thursday, January 20, 2011

Dejan Kosutic


Nowadays WikiLeaks is a hot story for a good reason - it is not very common for confidential documents of the world's most powerful government to be published on the Internet. And some of these documents are, to put it mildly, embarrassing.

Here I am not going to write about whether it was legal for WikiLeaks to publish such information or not, whether the information should have been made public because of the public interest or not, what is going to happen to its founder (at the time of writing this article Julian Assange was in custody) etc.

The problem is that if WikiLeaks is shut down, a new WikiLeaks will appear. In other words, the threat of information being leaked to the public is constantly increasing. (By the way, before he was jailed, Julian Assange had announced he would publish incriminating information about a major U.S. bank and its malpractice.)

I want to touch here on the corporate point of view - what if we are the next target of WikiLeaks or one of its clones? How do we ensure the security of our information and prevent the damage such a large incident would cause?

Simple example

But what does information security look like in practice? Let's take a simple example - say you frequently leave your laptop in your car, on the back seat. Chances are, sooner or later it will get stolen.

What can you do to decrease that risk? First of all, you can make a rule (by writing a procedure or a policy) that laptops cannot be left unattended in a car, or that cars must be parked where some kind of physical protection exists. Second, you can protect the information itself by setting a strong password and encrypting your data.

Further, you can require your employees to sign a statement making them legally responsible for any damage that may occur. But all these measures may remain ineffective if you don't explain the rules to your employees through a short training session.

So what can you conclude from this example? Information security is never a single security measure; it is always several measures working together. And the measures are not only IT-related, but also involve organizational issues, human resources management, physical security and legal protection.

The problem is that this was an example of a single laptop, with no insider threat. Now consider how complex it is to protect the information in your company, where the information is stored not only on your PCs but also on various servers; not only in your desk drawers but also on all your mobile phones; not only on USB memory sticks but also in the heads of all your employees. And you may have a very disgruntled employee among them.

Seems like an impossible task? Difficult - yes, but not impossible.

How to approach it

What you need to solve this complex problem is a framework. The good news is that such frameworks already exist in the form of standards - the most widespread is ISO 27001, the leading international standard for information security management, but there are also others: COBIT, the NIST SP 800 series, PCI DSS etc.

I'm going to focus here on ISO 27001 - I think it gives you a good foundation for building an information security system, because it offers a catalogue of 133 security controls together with the flexibility to apply only those controls that are really needed in relation to the risks.

But its best feature is that it defines a management framework for controlling and directing security issues, so that security management becomes a part of the overall management of an organization.

In short, this standard enables you to take into account all your information in its various forms and all the risks to it, and gives you a path to carefully resolve each potential problem and keep your information safe.

Consequences for business

So, should corporations be afraid that their information will leak to the public? If they are doing something illegal or unethical, they certainly should.

However, companies operating legally, if they want to protect their business, cannot think only in terms of return on investment, market share, core competence and long-term vision.

Their strategy must also take security issues into account, since insecure information can cost them much more than, for example, a failed launch of a new product.

By security I do not mean only physical security, because that is simply not enough anymore - technology makes it possible for information to leak through many different channels.

What is needed is a comprehensive approach to information security - it doesn't matter whether you use ISO 27001, COBIT or some other framework, as long as you do it systematically. And it is not a one-time effort; it is a continuous operation.

And yes - it is not something your IT people can do alone; it is something the whole company has to participate in, starting from the executive board.

*   *   *

Complete ISO 27001 / BS 25999-2 Webinar Schedule:

FREE WEBINAR - January 26 - ISO 27001 Benefits: How to Obtain Management Support

February 2, February 14 - ISO 27001 Foundations Part 1: ISMS Planning Phase, Documentation and Records Control

February 15, February 21 - ISO 27001 Foundations Part 2: Implementation, Monitoring and Reviewing, Maintaining and Improving the ISMS

FREE WEBINAR - February 16 - ISO 27001 & BS 25999-2: Why is It Better to Implement Them Together?

February 16, February 22 - Internal Audit: How to Conduct it According to ISO 27001 and BS 25999-2

February 16, February 23 - ISO 27001 Lead Auditor Course Preparation Training

February 17, February 23 - BS 25999-2 Foundations Part 1: Business Impact Analysis

February 22, March 7 - ISO 27001 Foundations Part 3: Annex A Overview

FREE WEBINAR - February 23 - ISO 27001: An Overview of ISMS Implementation Process

February 24, March 9 - BS 25999-2 Foundations Part 2: Business Continuity Strategy

March 8, March 21 - Risk Management Part 1: Risk Assessment Methodology and Risk Assessment Process

FREE WEBINAR - March 9 - BS 25999-2: An Overview of BCM Implementation Process

March 9, March 22 - How to Become ISO 27001 / BS 25999-2 Consultant

March 10, March 23 - BS 25999-2 Foundations Part 3: Business Continuity Planning

March 22, April 4 - Risk Management Part 2: Risk Treatment Process, Statement of Applicability and Risk Treatment Plan

FREE WEBINAR - March 23 - ISO 27001 Implementation: How to Make It Easier Using ISO 9001

March 23, April 6 - ISO 27001 / BS 25999-2 Management Responsibilities: What Does Management Need to Know?

March 24, April 18 - How to Write Four Mandatory Procedures for ISO 27001 and BS 25999-2

April 5, April 19 - ISO 27001 A.6 & A.8: Organization of Information Security; External Parties; Raising Awareness, Training and HR Management

April 5, April 20 - ISO 27001 and ISO 27004: How to Measure the Effectiveness of Information Security?

FREE WEBINAR - April 6 - ISO 27001/BS 25999-2: The Certification Process

April 6, April 19 - ISO 27001 A.7: Asset Management and Classification

Cross posted from ISO 27001 & BS 25999 blog -
