By: David Norfolk, Practice Leader - Development, Bloor Research
Published: 5th December 2012
Copyright Bloor Research © 2012
A new ISO standard (ISO/IEC 27032:2012, Information technology - Security techniques - Guidelines for cybersecurity) promises to assist developers with assuring the integrity of online transactions and protecting any information (especially personal and financial information) exchanged over the Internet. It should even help web designers to design 'safe' websites that minimise any risk to your computer when browsing them.
However, this won't simply be a matter of 'following standards', even though I have had considerable confidence in the utility of ISO's 27000 series of standards from way back when they were first formulated as an industry initiative from retailers such as Marks & Spencer.
ISO/IEC 27032 looks like a useful guide to what is fashionably called cybersecurity on the Internet - always remembering that most of this is simply good security practice anyway, already covered by other ISO 27000 standards, and not much of it is specific to web applications. However, web applications may expose any poorly addressed security issues you have to a much wider audience.
The availability of a security standard doesn't excuse you from doing a risk/threat analysis, formulating security policies and introducing effective security awareness training for all staff. However, it helps you develop a curriculum for your security training courses, establish baseline security and identify holes in your understanding of security. Then you can look at the specific threats facing you and decide whether they are adequately addressed by your baseline security or whether you need to take special measures. Baseline security (such as not sharing passwords, encrypting personal data on the wire and so on) isn't up for discussion, but it may need to be extended to address specific threats with serious business consequences. However, beware of security for its own sake: if a control isn't addressing a likely threat or a defined business risk, then it is a business overhead, stops people working efficiently and can even bring the idea of security itself into disrepute. Security is ultimately a 'people thing', and you will only achieve effective security if people buy into its necessity as a business enabler. If you follow ISO 27000, even informally, PCI compliance shouldn't be difficult - and convincing the business that PCI compliance is essential to taking in money via credit cards should be pretty easy.
The main benefits of formally complying with ISO 27000 standards are probably that this tells your employees and business partners that you really are serious about security; and that it gives all concerned a common language and basis of understanding for discussing mutual security.
My main concern is that Internet security is a holistic thing. With interconnected computers you may be compromised through your connections: even if your own security is impeccable (and whose is?), a mass of poorly protected computers in a botnet could be used for a DDoS attack that still causes you problems. So I'd like ISO 27032 to be as widely disseminated as possible - and it costs money, which may discourage smaller businesses from reading it. I would think that sponsoring free distribution of the ISO 27000 standards to UK plc might be a good use of government money, although I suppose some people only value what they pay for.
Published by: electronicdawn Ltd.