Apr 28 2017

Why is ISO 27001 so important to our public-sector clients?

ISO 27001

What is ISO 27001?

ISO/IEC 27001 is the international standard that specifies the requirements for an information security management system (ISMS).

Organisations certified to ISO 27001 operate a comprehensive management system that provides assurance of the confidentiality, integrity and availability of the data and information they handle.

The policies, processes and procedures that make up this management system are scrutinised and tested every year by independent third-party auditors, who have the power to withdraw the certification if things aren’t up to scratch.

S8080 have been ISO 27001 certified since 2015, but many of the security controls have been in place since 2001 when we first achieved the ISO 9001 quality standard.

Confidentiality, integrity and availability?

When we handle any type of data for our clients, from paper-based records through to immense databases of confidential information, there are three properties we need to protect.

  • Confidentiality – we will keep the data secure and ensure that only those who are supposed to access it can access it
  • Integrity – we will make sure the data in our care stays correct and accurate and is not corrupted, contaminated or altered without authorisation
  • Availability – we will ensure that the data can be accessed when it needs to be accessed

Why is ISO 27001 so important?

This all sounds very simple when written down in three bullet points, but consider how things could go wrong with each one. We’ve all shuddered at the stories of data loss, ICO fines and the ensuing PR nightmare. It’s happened to the biggest organisations in the world.

We’ve helped organisations urgently unpick the mess of a compromised site… their previous agencies weren’t focused on security aspects and these poor clients had some very stressful days as a result. Enough said!

  • For example, if your website collects information using an online form, is it encrypted (HTTPS) as it’s being sent to the web server? What about when it’s stored? Or is it sitting in a format that anyone with access to the server can read?
  • When was your website built? Is your CMS up to date with the latest security patches, or could rogue code be injected to destroy your website and data? Has it ever been penetration tested to see whether an attacker could reach the administration area, deface your site and download your confidential databases?
  • What happens if your hosting goes down? Is it back up in a matter of minutes, or will it take hours or even days? If your site becomes unavailable at 10pm on a Sunday evening, who is going to fix it, and when?
  • What could a disgruntled ex-employee or contractor do to your systems? When was the last time you audited user access rights on your CMS? Or do you all share the same login?

How do our clients benefit from ISO 27001?

Each of these scenarios, and many, many more, have been considered and addressed in a detailed risk assessment, and specific policies, procedures, checklists and guidelines have been written to protect against the issues identified.

Our public-sector clients are confident that the digital systems we design and build for them are secure and comply with legal and regulatory requirements. They know that our approach to systems design and development follows international best practice, is up to date and is continuously improving.

They have seen our business continuity and disaster recovery plans that explain that even if our offices are razed to the ground, their systems will be unaffected, their project managers will be immediately available and our development team will be up and running within 3 hours.

They know their information assets are being well managed by people and processes that are regularly tested by the most stringent information security auditors in the country.

But at the end of the day, for most of S8080’s clients, it’s just one thing less they have to worry about.

May 21 2015

S8080’s information security standard ISO/IEC 27001


Early last year, after completing yet another information security questionnaire as part of a public sector website tender, we made the decision to add ISO/IEC 27001 certification to our suite of ‘ISO’s’.

We currently hold ISO 9001 for quality management, ISO 14001 for environmental management and OHSAS 18001 for occupational health and safety management. These combine into what is called an Integrated Management System, and every year we are audited over a period of several days to make sure we comply with each of these strict standards.

27001 is the best-known standard specifying the requirements for an information security management system (ISMS).

During our day-to-day activities, developing websites for our clients and performing our general ‘running a busy business’ duties, we interact with a variety of information assets with various degrees of confidentiality. Our 27001 ISMS helps us manage these information assets, providing assurance of their confidentiality, integrity and availability.

As we have been working with high-profile public sector clients for about 15 years, it turned out we had most of what we needed for 27001 already in place. We just needed to spend time formalising all of the policies and procedures to satisfy the audit team.

We passed with flying colours and received our certificate last month.

Why is this important?

We’ve gone to great lengths to ensure confidential things stay confidential.

Everything from the secure coding standards we work to, how our network infrastructure is designed and monitored, our hosting and our disaster recovery plans, through to how our team use mobile devices for their S8080 email accounts has been considered, risk-assessed and hardened.

It’s all a bit James Bond, but it means our clients have one less thing to worry about.

Jul 7 2009

Freebie of the month – protect yourself from e-Crime

Our good friends over at e-Crime Wales have just launched a brand new and totally free ‘Preventing eCrime for Dummies’ book that you can download here.

‘Preventing e-Crime for Dummies’ explains how to identify the many threats and scams that can damage your business and provides practical steps and advice to minimise the risks. If you have been a victim, this guide shows you where and how to report the incident.

Discover how to:

  • Identify different threats and scams
  • Protect your home and business
  • Protect your IT network
  • Report an e-Crime

Get over to e-Crime Wales now and grab yourself a copy and while you are there, they are also offering a free personalised IT Security Policy, helping you outline and enforce the general rules that you should follow to minimise risks in your organisation.

They have paid the legal people to write this so you don’t have the expense. Happy days!

Jan 8 2009

OpenID in the browser

Imagine a world where you only had to remember one set of login details for any internet site you might want to visit. And imagine a world where you don’t have to go through a tedious signup process every time you want to use a new website. Sounds refreshing, doesn’t it? Welcome to the world of OpenID.

OpenID eliminates the need for multiple logins; no more juggling of different login details for every website you visit. Here’s how it works:

  • You simply sign up to an OpenID provider who you trust, and in return they give you an OpenID URL. For instance, “http://yourname.myopenid.com”.
  • Then, when you come across a website (let’s call it example.com) you want to sign up to, you just enter your OpenID address.
  • Example.com then performs discovery on your OpenID address to find your provider and redirects you there, so the provider can check you are who you say you are (I’m leaving out some of the techy behind-the-scenes stuff here).
  • If you’re logged into your OpenID provider, you’ll be asked to confirm you want access to example.com, and if you’re not logged in, you’ll be prompted to do so and then asked to confirm.
  • Control is passed back to example.com, who now know who you are. Optionally, you can get your OpenID provider to send profile data to example.com (your name, website, e-mail, etc) to save you having to enter them yourself.
  • And you’re done! In future, when you want to sign in to example.com, you just enter your OpenID again and, provided you’re still logged into your OpenID provider, you’ll be let straight in without another password.
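The step where control is passed back to example.com is where the security of the whole scheme lives, so here it is sketched in code. This is an added example written for this page, not code from the original post, from OpenID.net or from any provider. It assumes an OpenID 2.0 HMAC-SHA256 association with a shared MAC key (constructed here; a real relying party negotiates it with the provider beforehand, or falls back to a direct check_authentication request), and that example.com already learned the provider’s endpoint by discovery on the OpenID URL. The provider and return URLs are placeholders; the OpenID URL is the one from the post.

```python
"""OpenID 2.0 positive assertion (added example, not from the original post):
the provider (OP) signs the id_res message; the relying party (example.com)
verifies it. Endpoints and MAC key are constructed; discovery and the
association handshake are assumed to have happened already."""
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

OP_ENDPOINT = "https://op.example-provider.test/server"   # assumed provider endpoint
RP_RETURN_TO = "https://example.com/openid/return"         # assumed relying-party callback
CLAIMED_ID = "http://yourname.myopenid.com"                # OpenID URL from the post
MAC_KEY = hashlib.sha256(b"constructed association secret").digest()  # assumed shared key
ASSOC_HANDLE = "assoc-0001"                                # assumed association handle
OPENID_NS = "http://specs.openid.net/auth/2.0"
NONCE_TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"                     # nonce starts with a UTC timestamp
MUST_BE_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle",
                  "claimed_id", "identity")


def kv_encode(signed_fields, params):
    """Key-Value form encoding from the spec: one 'key:value\\n' line per signed field."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed_fields).encode()


def sign(params, mac_key):
    """openid.sig = base64(HMAC-SHA256(mac_key, KV-encoding of the openid.signed fields))."""
    body = kv_encode(params["openid.signed"].split(","), params)
    return base64.b64encode(hmac.new(mac_key, body, hashlib.sha256).digest()).decode()


def op_positive_assertion(claimed_id, return_to, now=None):
    """Provider side: build the id_res message handed back to the relying party."""
    now = now or datetime.now(timezone.utc)
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": now.strftime(NONCE_TS_FORMAT) + secrets.token_urlsafe(8),
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.signed": ",".join(MUST_BE_SIGNED),
    }
    params["openid.sig"] = sign(params, MAC_KEY)
    return params


class RelyingParty:
    """example.com's side: every check that must pass before claimed_id is trusted."""

    def __init__(self, mac_key, op_endpoint, return_to, nonce_window=timedelta(minutes=5)):
        self.mac_key, self.op_endpoint, self.return_to = mac_key, op_endpoint, return_to
        self.nonce_window = nonce_window
        self.seen_nonces = set()   # replay protection; persist this in production

    def verify(self, params, now=None):
        """Return the verified claimed_id, or raise ValueError naming the failed check."""
        now = now or datetime.now(timezone.utc)
        if params.get("openid.ns") != OPENID_NS or params.get("openid.mode") != "id_res":
            raise ValueError("not an OpenID 2.0 positive assertion")
        # Compare against the endpoint found by discovery, never the one the message claims;
        # otherwise anyone holding any key could assert any identity.
        if params.get("openid.op_endpoint") != self.op_endpoint:
            raise ValueError("op_endpoint does not match discovery")
        if params.get("openid.return_to") != self.return_to:
            raise ValueError("return_to does not match this endpoint")
        signed = params.get("openid.signed", "").split(",")
        if any(f not in signed for f in MUST_BE_SIGNED):
            raise ValueError("a required field is not covered by the signature")
        if any("openid." + f not in params for f in signed):
            raise ValueError("signed list names a field absent from the message")
        if params.get("openid.assoc_handle") != ASSOC_HANDLE:
            raise ValueError("unknown association handle")
        if not hmac.compare_digest(sign(params, self.mac_key), params.get("openid.sig", "")):
            raise ValueError("signature check failed")
        nonce = params["openid.response_nonce"]
        stamp = datetime.strptime(nonce[:20], NONCE_TS_FORMAT).replace(tzinfo=timezone.utc)
        if abs(now - stamp) > self.nonce_window:
            raise ValueError("nonce timestamp outside acceptable window")
        if nonce in self.seen_nonces:
            raise ValueError("nonce already used (replay)")
        self.seen_nonces.add(nonce)
        return params["openid.claimed_id"]


def demo():
    """Happy path plus four forged/replayed messages; returns {case: outcome}."""
    rp = RelyingParty(MAC_KEY, OP_ENDPOINT, RP_RETURN_TO)
    good = op_positive_assertion(CLAIMED_ID, RP_RETURN_TO)
    results = {"valid": rp.verify(good)}

    def attempt(name, msg):
        try:
            results[name] = rp.verify(msg)
        except ValueError as err:
            results[name] = f"rejected: {err}"

    attempt("replay", good)                                   # same nonce presented twice
    victim = "http://victim.myopenid.com"                     # constructed identity
    attempt("forged identity", dict(good, **{"openid.claimed_id": victim, "openid.identity": victim}))
    attempt("wrong return_to", op_positive_assertion(CLAIMED_ID, "https://evil.test/return"))
    hour_ago = datetime.now(timezone.utc) - timedelta(hours=1)
    attempt("stale nonce", op_positive_assertion(CLAIMED_ID, RP_RETURN_TO, now=hour_ago))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16} {outcome}")
```

The point of the verifier is the order and completeness of the checks: the endpoint must be the one discovered for that identifier, the signature must cover every field the relying party relies on, and the nonce must be both fresh and never seen before, or an attacker who captures one valid response can replay it or re-point it at another account.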

OpenID is an open, free standard, which means it’s good for everyone: cheaper for businesses to implement (and less hassle managing passwords/accounts), and it means users get less frustrated and have less to remember. However, it’s still a work in progress, and still in the ‘adoption phase’ – but lots of big names are lending support, such as Google, IBM, Microsoft, VeriSign and Yahoo!.

Whilst OpenID is a fantastic idea, and adoption is clearly on the rise, it’s still not quite as easy for users as it could be. Sites implement logins in different ways (sometimes the OpenID option on a login form is somewhat hidden), and the whole process is a little clunkier than it could be. O’Reilly have a really interesting article on OpenID in the browser which discusses whether your browser could be the key to the whole process.

Imagine if your web browser really knew who you were on the web. Just as you login to your computer, what if when you fired up your browser, it said “Hello Dave” and asked you to “unlock it” as well … In doing so you become securely logged into your OpenID provider (or maybe more than one of them) and as you move around the web your browser takes care of automatically logging you into the sites that you want to be, asking you about others, and helping you register with new ones using your OpenID.

A Locked OpenID Browser

It’s a great idea, and I’m looking forward to seeing what develops in this area.

If you want to get your own OpenID, be sure to check out OpenID.net, who have an introduction to OpenID, a guide to where to get an OpenID and a guide to the sites which currently accept OpenID.

Finally, this video from myVidoop explains OpenID in a really easy-to-understand way, and entertaining to boot – well worth viewing: