10 Oct
Beginning in Chapter 20 (attached), Calder and Watkins (2020) identify several communication exchanges that are covered under the Governance of IT provisions.
> Why is it important for a company to have policies about communication exchanges to control threats to IT systems?
> If you were consulting with a company about IT governance approaches, what are three methods that you would suggest a company use to reduce risk?
> With the rise of global phishing attacks (https://www.statista.com/statistics/266155/number-of-phishing-domain-names-worldwide/), what do you think companies should be doing in the next year to protect their company, stockholders, and customers?
Need 3 pages with peer-reviewed citations. No need for introduction and conclusion.
20 Exchanges of information
Control objective A.13.2 exists to prevent loss, modification or misuse of information exchanged either within or between organizations. Such exchanges of information should also comply with any relevant legislation.
Information transfer policies and procedures
Control 13.2.1 of ISO27002 says the organization should put in place formal policies, procedures and controls that protect the exchange of information through the use of any communications facilities, including letter, e-mail, voice, facsimile and video communications facilities. The risks associated with these methods of communication have been discussed earlier in this book and are summarized here. E-mails can go astray or be intercepted and are also a widely used medium for harassment, information leakage, and so on. One could be overheard while talking on a mobile phone in a public place, such as on a train. Answering machines can be overheard by someone physically present in the room as the caller leaves a message. Unauthorized access to dial-in voicemail systems (phone hacking) is a clear danger, as is unauthorized dial-in to teleconferences. Facsimiles and e-mails can accidentally be sent to the wrong destination and the wrong person.
So, information security could be compromised by any of these events. It could also be compromised by the theft or disappearance of critical mobile phones or by the failure of communications facilities (whether through overload, interruption or mechanical failure or even through failure to identify and pay appropriate service provider invoices in due time). Information can also be compromised if unauthorized users can access it. A smartphone with an e-mail box on it exposes potentially confidential information to an attacker; a mobile phone that carries a list of pre-programmed contact telephone numbers can, in the wrong hands, reveal sensitive information.
IT GOVERNANCE260
There should therefore be a clear, formal policy, procedures and controls within the ISMS to protect information exchanges through all possible routes and setting out to employees what is expected of them when using any of these communications methods. These requirements should be part of the training for all staff. Users of mobile phones should receive a mini-restatement of the current version of the procedure when they are issued with corporate mobile phones. Secure use of social media should be covered in staff awareness training.
The measures should include the following:
● There should be procedures designed to protect exchanged information from interception, copying, modification, misrouting and destruction. Subject to the risk assessment, these are likely to include technological controls such as digital watermarking or encryption and other cryptographic techniques to protect confidentiality, integrity and authenticity, etc. The organization’s policy should link the method of protection to the level of classification and should have regard to any applicable legal requirements.
● We have already discussed the need for procedures to protect against malware, and the organizational policy on information exchange should reference the anti-malware policy and controls, just as it should reference the acceptable use policies and the formal guidelines for the retention and disposal of information. Sensitive documents should not be printed to, or left on, widely accessible printers or fax machines. The usual way to deal with this is for there to be a small number of personal (or otherwise supervised), dedicated fax machines and printers to which sensitive information can be printed.
● The dangers of wireless communications should be clearly identified and the policy and controls implemented in this regard clearly referenced in the statement of applicability (SoA).
● The acceptable use policies and any external party agreements for use of the organization’s facilities should set out clearly the responsibilities not to compromise the organization through harassment, obscene messages, defamation, impersonation, the forwarding of chain e-mails, unauthorized purchases, etc.
● Remind staff that they should not reveal confidential information when using mobile or fixed phones other than from secure locations. Public places, open offices, offices with thin walls, competitors’ premises and crowded trains are all places from – or to – which confidential information should not be communicated. The best way to do this is to avoid having these sorts of conversations other than from a secure location. In fact, the same rules apply to confidential discussions: they really should only take place in secure rooms that do have soundproofed walls. Subject to the risk assessment, there are many conversations that should not take place until the designated discussion venue has been swept for bugging and other espionage devices.
● Avoid using communications equipment that may be compromised; telephone systems in competitors’ premises may be wire-tapped or have conversations otherwise recorded. Many telephone calls to and from investment banks and other institutions are automatically recorded (‘for training purposes’). Mobile phones can be hacked and messages intercepted.
● Messages containing sensitive information should not be left on answering machines or voicemail systems where they might be overheard or replayed by unauthorized persons, or the messages re-routed to an inappropriate person or stored in some communal database. It is even possible that a caller might misdial and leave a compromising message on an unknown voicemail system.
● E-mail messages are easily misrouted or intercepted. The three most common problems are, first, inadvertently choosing an incorrect recipient from the address auto-complete cache in Outlook’s ‘To’ field; second, inadvertently including a list of external recipients in the ‘copy to’ field, where each can see all the others, rather than using ‘BCC’; and, third, inadvertently replying to ‘all’ rather than to the original sender alone with information that is intended only for that individual. Those in a position to commit these errors with sensitive information should be trained to review the e-mail addresses in the ‘To’ and ‘Copy to’ boxes before they hit ‘Send’. Where there is a risk of interception, then e-mail encryption is the only answer. There is some personal data, such as personally identifiable information (‘PII’), that can legally only be transmitted when encrypted.
● Equally embarrassing can be the dispatch of an electronic document that still carries tracked changes and comments, which the recipient can reveal through the ‘Show Markup’ options on Word’s Review tab. Sensitive documents should either have all changes accepted and comments removed prior to dispatch (Word’s Document Inspector will also strip hidden document properties and other metadata) or, better still, should be converted to .pdf format prior to dispatch.
● E-mails are not reviewed and approved before despatch; this means they could provide grounds for legal action in respect of slander, libel, misrepresentation, etc.
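The misrouting and tracked-changes risks in the list above can be checked automatically before a message leaves the organization. The following Python script is an added example, not code from the book: it warns when several external recipients are visible in To/Cc rather than Bcc, when a reply goes to more than one recipient, and when an attached .docx still contains tracked changes or comments (a .docx is a zip file; revisions appear as `<w:ins>`/`<w:del>` elements in `word/document.xml` and comments in `word/comments.xml`). The internal domain `example.com`, the threshold and the sample message and document are all constructed assumptions.

```python
import io
import re
import zipfile
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.com"   # assumption: the organization's own mail domain
MAX_VISIBLE_EXTERNAL = 1          # more external addresses than this in To/Cc -> use Bcc
DOCX_MIME = "vnd.openxmlformats-officedocument.wordprocessingml.document"


def addresses(msg, header):
    """Bare, lower-cased e-mail addresses listed in one header (To, Cc, ...)."""
    values = [str(v) for v in msg.get_all(header, [])]
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def is_external(addr):
    return not addr.endswith("@" + INTERNAL_DOMAIN)


def docx_revision_findings(data):
    """Problems found in a .docx given as bytes: unaccepted revisions are
    <w:ins>/<w:del> elements in word/document.xml; comments live in
    word/comments.xml."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "word/document.xml" in names:
            xml = zf.read("word/document.xml").decode("utf-8", "replace")
            if re.search(r"<w:(ins|del)\b", xml):
                findings.append("tracked changes not accepted")
        if "word/comments.xml" in names:
            findings.append("comments present")
    return findings


def check_outgoing(msg):
    """Return the list of warnings for an outgoing message; empty means OK to send."""
    warnings = []
    visible = addresses(msg, "To") + addresses(msg, "Cc")
    external = [a for a in visible if is_external(a)]
    if len(external) > MAX_VISIBLE_EXTERNAL:
        warnings.append(f"{len(external)} external recipients visible in To/Cc; move them to Bcc")
    if msg.get("In-Reply-To") and len(visible) > 1:
        warnings.append("reply addressed to several recipients; confirm reply-all was intended")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".docx"):
            for finding in docx_revision_findings(part.get_payload(decode=True)):
                warnings.append(f"{name}: {finding}")
    return warnings


def build_docx(with_revisions):
    """Constructed minimal .docx (test data, not a real document)."""
    price = ('<w:del w:id="1" w:author="x"><w:r><w:delText>100</w:delText></w:r></w:del>'
             '<w:ins w:id="2" w:author="x"><w:r><w:t>80</w:t></w:r></w:ins>'
             if with_revisions else "<w:r><w:t>80</w:t></w:r>")
    xml = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           f"<w:body><w:p><w:r><w:t>Price: </w:t></w:r>{price}</w:p></w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", xml)
        if with_revisions:
            zf.writestr("word/comments.xml", "<w:comments/>")
    return buf.getvalue()


def build_sample_message(with_revisions=True):
    """Constructed reply-all that exposes two partners' addresses to each
    other and attaches an offer with the old price still in the markup."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Cc"] = "buyer@partner-a.invalid, buyer@partner-b.invalid"
    msg["In-Reply-To"] = "<original-1@example.com>"
    msg["Subject"] = "Re: revised offer"
    msg.set_content("Revised offer attached.")
    msg.add_attachment(build_docx(with_revisions), maintype="application",
                       subtype=DOCX_MIME, filename="offer.docx")
    return msg


if __name__ == "__main__":
    for w in check_outgoing(build_sample_message()):
        print("WARNING:", w)
```

Run as a pre-send hook (mail client add-in or outbound gateway), the same checks can block rather than warn for messages whose classification label forbids external distribution; the regex on the raw XML deliberately avoids a full OOXML parse so that a malformed document still produces a finding instead of an exception.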
Staff training should include awareness of what corporate messaging systems may NOT be used for: anything illegal, potentially damaging to the organization, or which might undermine the credibility or reputation of the organization. There should therefore also be appropriate rules about archiving and storing of electronic messages, so that the organization has vital evidence available to it as and when it might need it.
Bear in mind that most communication channels also provide channels for the unauthorized exfiltration of valuable or sensitive data, and for the import of malware and unauthorized software. The management challenge is to find constructive ways of accessing the communication channel without exposing the organization to unnecessary risks.
Agreements on information transfers
Control 13.2.2 of ISO27002 says the organization should have (primarily) formal agreements for the electronic or manual exchange of information (including personal data) and software between organizations. These might include escrow agreements, which are particularly important where one organization relies on the software developed by another and there is even the slightest chance that the developer might go out of business at some point.
The sensitivity classification of the data to be exchanged should govern the security conditions to be included in the agreement. Where necessary (that is, where there is uncertainty about the appropriate level of protection), a risk assessment should be conducted. The issues that should be addressed in inter-organizational agreements for information exchange do depend on the sensitivity of the information. Information exchange agreements should reference any of the relevant policies and procedures that the organization applies to information exchange and could, according to clause 13.2.2 of ISO27002, include:
● identification of who is responsible for controlling and notifying transmission, dispatch and receipt on either side of the agreement;
● notification procedures to ensure that the other side knows that sensitive information has been dispatched or received, and associated (primarily technical) controls to ensure traceability and non-repudiation;
● minimum technical standards for packaging and transmission;
● courier identification procedures;
● responsibilities and liabilities if data are lost or there are information security incidents;
● the agreed labelling system, to ensure that the appropriate protection required is immediately obvious and provided; the preferred system should (practically) be the same as that used by the receiving organization internally, as this will ensure that there is consistency of understanding;
● where relevant, responsibilities for information and software ownership, and for data protection, software copyright and ownership and similar issues;
● where relevant, technical standards for recording and reading information and software;
● any special controls (such as cryptographic) that may be necessary for particularly sensitive information;
● the concept of a chain of custody is helpful when considering how to safeguard critical information that is being moved between two entities with possible stops en route.
The person(s) responsible within the organization for the maintenance, dispatch and receipt of such information and software should be asked to draft the procedures; it may be necessary after that to ensure that the procedures are made as practical as possible.
E-mail and social media
E-mail is a substantial and fundamentally important subject in the Information Age, but electronic communication goes far beyond that. The policy aspects of controls A.13.2.1 (information transfer policies and procedures) and A.13.2.3 (electronic messaging) have therefore been addressed together in this book, and this next section will cover all the issues surrounding e-mail, social media and their usage.
ISO27002 says the organization should develop and implement a policy, and put in place controls, to reduce the security risks created by e-mail. Obviously, the degree to which these controls will be required will be dictated by the findings of a risk assessment.
E-mail has completely replaced telexes and is well on the way to replacing faxes and traditional, or ‘snail’, mail. Key differences between e-mail and snail mail are the speed of the former, its message structure, informality, ease of misdirection, ease of duplication, ease of interception and the ease with which it can carry attachments. This means that there are a number of issues to be considered around the headings of security risk and user policies.
Internet access sits alongside e-mail as an issue that is directly related to the activities of individual employees, and there are similarities between some of the control principles in each area. This chapter therefore also deals with internet acceptable use policies (AUPs).
Security risks in e-mail
ISO27002 identifies a number of security risks in e-mail. These include:
● vulnerability of messages to unauthorized access, to unauthorized modification and to denial-of-service attacks;
● vulnerability of messages to error such as incorrect addressing, misdirection or just the unreliability of the internet;
● issues around instant messaging and file sharing;
● legal issues, such as potential need for proof of origin, dispatch and receipt;
● uncontrolled remote user and internet access to e-mail accounts.
More important than any of these is the risk to the company that e-mail sent between organizations by individual members of staff may lead to unauthorized exposure of confidential or sensitive information and a breach of confidentiality, leading to bad publicity and possibly legal action. There is already case history to show that organizations can be exposed to libel writs as a result of what a staff member has written in an e-mail message, probably informally and for internal distribution only. There is also the requirement for organizations to ensure that confidential information that may affect share prices is not leaked and that Stock Exchange regulations are all observed.
Organizations should draw up clear policies on the use of e-mail. These should be included in the ISMS, and all members of staff should be required, as part of the formal user access statement, to agree to abide by them. The first decision that the organization has to make relates to the private use of e-mail facilities by employees. The fact is that e-mail use is now so ubiquitous that it is virtually impossible to prevent employees from using a work e-mail facility for private communications; attempts to stop this can be very difficult to enforce and so it is more practical to concentrate on controlling the risks.
An e-mail policy should set out:
● Employee responsibility not to compromise the company, forbidding the use of company e-mail for sending defamatory e-mails, or for harassment, unauthorized purchases or the publishing of views and opinions about suppliers, partners or customers of the organization.
● All e-mails should have an automatic footer that contains the legal disclaimer, with the addition of a statement to the effect that the views expressed in the e-mail are those of the sender alone and do not reflect the views of the organization.
● There may need to be a legal statement in respect of the processing of the recipient’s personal data and there may be legal requirements to include company registration information.
● That e-mail is not to be used to communicate sensitive information with specific classifications.
● That e-mail attachments should be appropriately protected, using (where necessary) cryptographic controls of some sort.
● How to respond to viruses and hoax virus messages.
● The incident reporting procedure and the requirement not to pass on hoax virus messages should be included in the e-mail policy.
● A clear procedure around e-mail inbox sizes is required. As e-mail is increasingly recognized as a record of corporate communication and a record of possible wrongdoing, so organizations need to develop methodologies that enable them to manage their e-mail records effectively. These procedures need to be in line with both statutory and regulatory data retention requirements and evidential guidelines. E-mail inbox management procedures that limit mail inbox sizes and encourage employees to destroy e-mails they no longer wish to retain may fall foul of regulatory data retention requirements and run counter to the information security requirement that information be available in line with business requirements. Technological solutions, such as single-instance e-mail storage, are a practical way of dealing intelligently with this challenge.
● That e-mail may not be used to purchase anything on behalf of the organization without specific prior authorization, and then only in accordance with the organization’s current policy on purchasing.
● That the corporate e-mail address may not be used for personal purchases or any other personal transactions.
Organizational purchasing policy does need to take into account the ease with which purchases can be made by e-mail and lay down very specific guidelines for staff on this issue. Where e-mail is to be used between organizations as part of the purchasing process, the two organizations should document the basis on which trading will occur and precisely what weight is to be attached to e-mails. For instance, it might need to be agreed in a heads of agreement document that e-mails will not constitute an implied contract between the organizations and require that all contracts continue to be made in writing, signed and sent by post or fax. The passage, in the United Kingdom, of the Companies Act 2006, which made the use of e-mail in the procurement process legal, makes it even more important that these issues are dealt with.
Spam
Spam is a significant e-mail issue. Spam originates outside the organization and exists in such quantity that it can restrict the availability of information, as well as consuming expensive bandwidth. The organization does therefore need to develop appropriate controls to deal with it. These controls need to take into account the possibility that not all spam is genuinely unwanted; some spam is legitimate and useful marketing communication. Moreover, much standard e-commerce information – such as purchase receipts, downloadable documents and other automated services – can be identified as spam by spam filters that are set too widely, and organizations need to consider their information availability requirements alongside their bandwidth and other requirements.
The organization’s spam controls therefore need to be a combination of internet gateway restriction (a software or outsourced solution), user training (encompassing both configuration of spam filters, use of white lists and due caution with e-mail addresses) and pressure on the ISP.
Misuse of the internet
There are a number of issues associated with employees surfing the net during work hours and from organizational facilities. Seventy-eight per cent of respondents to the FBI/CSI 2002 survey detected employee abuse of internet privileges. Each of these issues has implications for the confidentiality, integrity or availability of information.
Employee productivity can be significantly reduced by the time demanded by the wide range of interesting activity, from stock markets to games to chat rooms and Facebook, that is available on the internet. Some research suggests that 30–40 per cent of employee internet activity is not work related. Network traffic can be significantly affected, with resulting reduced business performance, by the combination of recreational surfing by employees and bandwidth-intensive activities such as accessing streaming video and audio, MP3 downloads, image downloads, sharing digital photographs (such as holiday snaps), social networking sites such as Facebook, etc. The bandwidth put in and paid for by the organization is designed for organizational use, not for individual benefit.
As we have already stated, the internet is wild; allowing employee access to the internet allows all sorts of malware to access the organizational system in return. There is a discussion of how an organization’s defences can be breached in the section in Chapter 21 on e-commerce security.
Recreational surfing can lead employees to access inappropriate sites, such as pornographic sites (apparently something of the order of 70 per cent of the UK’s internet porn traffic occurs between 9 am and 5 pm) and sites promoting violence, discrimination and all sorts of other inappropriate matters. They can also access sites that will download illegal or pirated software, pirated games, pirated videos or pirated music or hacking tools. The organization with the network through which such downloads are made could find itself inadvertently liable for the criminal behaviour of its employees. Free access to the internet can lead to lawsuits, harassment charges (sexual harassment charges can arise from objectionable or sexually explicit material being brought into the workplace by one employee and being seen by another, even where the other person was not meant to see it) and even criminal prosecution (an employee downloading illegal material, or forwarding it from the organization’s computers, might create just such a risk).
Clearly, organizations that find themselves forced to dismiss employees for accessing illegal or offensive material can be severely damaged by the resulting negative publicity, not least because the dismissal could in the United Kingdom, under a number of circumstances, be ruled by an industrial tribunal to be ‘unfair’.
Organizations should counter these risks by a combination of surf control technology and a well-designed and enforced acceptable use policy (AUP).
Surf control, or filtering, technology is widely available and can be installed both on organizational networks and on individual workstations. The software package should be chosen in the light of the AUP; the AUP should not be built around the limitations of the chosen package. An appropriate package should allow the organization to impose different restrictions at different times of day (eg possibly slightly more lenient outside normal work hours) and for different user groups (eg possibly slightly more lenient for senior managers or research staff). It should allow blocking of specific sites, as well as broader categories or groups of sites, so that restrictions can be focused in the light of business needs, rather than over-blocking in a way that goes against business needs.
The package should also work effectively across the entire inbound and outbound communication channel. It should be capable of applying the organization’s selected security controls to e-mail, instant messaging, Internet Relay Chat, chat boards and blog sites, Facebook, peer-to-peer networking and other social media sites.
The package’s reporting tools should enable the organization to know when and how many unauthorized site access attempts there are, and by whom, so that the individual concerned can be helped to comply. The package must be interoperable with the organization’s chosen firewall. It must provide centralized, scalable control so that it can support a growing organization. It must also be capable of handling daily updates, so that newly identified unacceptable websites can be easily barred.
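The capabilities just described (per-category and per-host rules, different treatment by time of day and by user group, and a report of blocked attempts by user) reduce to an ordered rule set evaluated per request. The Python below is an added example of such a policy engine and is not any product’s configuration: the category list, the groups, the rules and the sample requests are all constructed, and the working-hours window is an assumption. The first matching rule wins, so specific exceptions (one permitted host inside a blocked category, a more lenient managers group) are listed before the broad time-limited blocks.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time
from urllib.parse import urlsplit

# Constructed category data; a real product ships daily category updates.
CATEGORIES = {
    "video.example.net": "streaming",
    "social.example.net": "social",
    "corp-social.example.net": "social",
    "pirated.example.net": "piracy",
}
WORK_START, WORK_END = time(9, 0), time(17, 30)   # assumed working hours


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "block"
    host: str = None                  # exact host, or None for any host
    category: str = None              # category, or None for any category
    groups: frozenset = frozenset()   # user groups the rule applies to; empty = all
    start: time = None                # daily window [start, end); None = all day
    end: time = None

    def matches(self, host, category, user_groups, when):
        if self.host is not None and self.host != host:
            return False
        if self.category is not None and self.category != category:
            return False
        if self.groups and not (self.groups & user_groups):
            return False
        if self.start is not None and not (self.start <= when.time() < self.end):
            return False
        return True


# Ordered: first match decides, so exceptions precede the broad blocks.
POLICY = [
    Rule("block", category="piracy"),                                  # everyone, all day
    Rule("allow", host="corp-social.example.net"),                     # one host inside a blocked category
    Rule("allow", category="streaming", groups=frozenset({"managers"})),
    Rule("allow", category="social", groups=frozenset({"managers"})),
    Rule("block", category="streaming", start=WORK_START, end=WORK_END),
    Rule("block", category="social", start=WORK_START, end=WORK_END),
    Rule("allow"),                                                     # default
]


def decide(url, user_groups, when, policy=POLICY):
    """Return ("allow" | "block", index of the matching rule) for one request."""
    host = (urlsplit(url).hostname or "").lower()
    category = CATEGORIES.get(host, "uncategorized")
    for i, rule in enumerate(policy):
        if rule.matches(host, category, frozenset(user_groups), when):
            return rule.action, i
    return "allow", None


def blocked_report(requests, policy=POLICY):
    """Blocked attempts per user, so the individual concerned can be helped to comply."""
    counts = Counter()
    for user, groups, url, when in requests:
        if decide(url, groups, when, policy)[0] == "block":
            counts[user] += 1
    return counts


# Constructed sample requests: (user, groups, url, time of request).
SAMPLE = [
    ("alice", {"staff"}, "https://video.example.net/clip", datetime(2024, 3, 4, 10, 0)),
    ("alice", {"staff"}, "https://video.example.net/clip", datetime(2024, 3, 4, 19, 0)),
    ("bob", {"managers"}, "https://video.example.net/clip", datetime(2024, 3, 4, 10, 0)),
    ("alice", {"staff"}, "https://corp-social.example.net/jobs", datetime(2024, 3, 4, 10, 0)),
    ("alice", {"staff"}, "https://social.example.net/feed", datetime(2024, 3, 4, 10, 0)),
    ("carol", {"staff"}, "https://pirated.example.net/dl", datetime(2024, 3, 4, 19, 0)),
]

if __name__ == "__main__":
    for user, groups, url, when in SAMPLE:
        print(user, when.time(), url, "->", decide(url, groups, when))
    print(dict(blocked_report(SAMPLE)))
```

Because rule order carries the meaning, a change to the policy should be reviewed as carefully as a firewall rule change: moving the default `allow` above the time-limited blocks would silently disable them, which is the kind of error a regression test over requests like `SAMPLE` catches.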
While there is further discussion of the legal issues surrounding data security later in this book (and readers should refer to it, as well as to their professional advisers, for additional information), it is appropriate at this point to state that an AUP that will comply with the relevant legislation must:
● be in writing;
● be clearly communicated to all employees;
● set out permissible use of both internet and e-mail – eg for business purposes only;
● specify what uses are prohibited – eg downloading offensive, pornographic or illegal material;
● state what monitoring (if any) will take place;
● set out acceptable online behaviours;
● specify which online areas are prohibited – eg pornographic or hate sites;
● set out privacy rules in relation to other users, and in respect of the employer’s right to monitor the employees’ activity;
● set out the likely disciplinary consequences of breaching the AUP.
One site worth visiting for more information is: www.iwf.org.uk (archived at https://perma.cc/VUM2-HCZB), which is the site of the Internet Watch Foundation, set up in 1996 by UK internet service providers (ISPs) to tackle criminal content on the internet, to provide a hotline for reporting illegal content and to advise internet users on how to restrict access to harmful or offensive content.
Internet acceptable use policy
An internet AUP should combine statements on use of the internet and use of e-mail. E-mail issues were addressed earlier in this chapter. Variations to what is set out below will depend on the conclusion that the organization reaches regarding private usage of its internet facilities; this statement reflects a far-reaching restriction, and not all employers will consider all its components necessary. It is important that, as for all other components of the ISMS, the organization adopts and develops an AUP that reflects in detail the culture of the organization but that also provides the level of security required by a risk assessment:
● General statement: this should start off with a reminder about the dangers of the internet and say that the company will not be liable for any material viewed or downloaded. It should continue by saying that use of the internet must be consistent with the organization’s standards of business conduct and must occur as part of the normal execution of the employee’s job responsibilities. Any breach of the AUP may lead to disciplinary action and possibly termination of employment. Illegal activities may also be reported to the appropriate authorities.
● Organizational user IDs or websites (or e-mail accounts) should only be used for organizationally sanctioned communication.
● Use of internet, intranet, e-mail and instant messaging may be subject to monitoring for reasons of security and/or network management and users may have their usage of these resources subjected to limitations.
● The distribution of any information through the internet (including by e-mail, instant messaging systems and any other computer-based systems) may be scrutinized by the organization, and the organization reserves the right to determine the suitability of the information.
● The use of organizational computer resources is subject to (English or Scottish) law and any abuse will be dealt with appropriately.
● Users shall not visit internet sites that contain obscene, hateful or other objectionable material, shall not attempt to bypass organizational surf control technology and shall not make or post indecent remarks, proposals or materials on the internet.
● Users shall not solicit e-mails that are unrelated to business activity or that are for personal gain, shall not send or receive any material that is obscene or defamatory or that is intended to annoy, harass or intimidate another person, and shall not present personal opinions as those of the company.
● Users may not upload, download or otherwise transmit commercial software or any copyrighted materials belonging to the company or any third parties, may not reveal or publicize confidential information (refer explicitly to the information classification levels selected by the organization) and shall not send confidential e-mails without the level of encryption required in terms of the specified policy in the ISMS.
● Users shall not seek to avoid and shall uphold all malware prevention policies of the organization, shall not intentionally interfere in the normal operation of the network or take any steps that substantially hinder others in their use of the network, and shall not examine, change or use another person’s files or any other information asset unless they have explicit permission.
● Users shall not carry out any other inappropriate activity as identified from time to time by the organization and shall not waste time or resources on non-company business. This includes downloading from social networking sites, bandwidth-intensive content such as streaming video and MP3 music files, sharing digital photographs, etc.
The AUP should, if possible, be developed in a way that involves staff from within the organization; certainly, all staff will need to be trained to ensure that it is understood. The training activity should be detailed and ongoing and should include notifying employees of changes to the policy and its implementation. All employees should accept the AUP at the time that they sign the user access statement (control A.8.1.3). Copies of the AUP should also be prominently posted in any employee resource centre or staff internet