Data Breach Response: The importance of information security certifications

In every corner of the business world, people measure performance to benchmarks and standards. Information security is no different. In this article, Pádraig Walsh from the Privacy and Cybersecurity practice group of Tanner De Witt explains why certification for recognised information security standards supports an effective response to data breaches.

The reasons why

All businesses aspire to following the core targets of information security, namely to maintain:

Confidentiality, and prevent unauthorized disclosure of information;

Integrity, and prevent unauthorized change or deletion of data; and

Availability, and maintain accessibility of data to authorized users.

This is a nice statement in mission statements and policies, but the path to accomplishing this target is complex. Industry standards provide a management and operational framework to design, implement and improve protocols, processes and procedures to achieve information security. Certification of having achieved the required standard is a badge of quality that gives reassurance to others in respect of standards of information security. This has a positive benefit to all stakeholders in your business – customers, suppliers, employees, and even regulators.

Information security certification is also a mitigating factor in the context of investigation by regulators after a data breach has occurred. This demonstrates that the business had shown proper forethought and planning, and had taken reasonable measures to adopt and follow industry guidelines on information security. Additionally, the framework and processes of industry standards assist in the data breach response itself. Proper processes will involve proper monitoring systems, which will provide accurate, timely information that helps with the incident response, triage and assessment.

Standards bodies

The two key international standard setting bodies for information security are ISO and IEC. ISO stands for International Organisation for Standardisation, an independent, non-governmental international organization with a membership of 165 national standards bodies covering most aspects of manufacturing and technology. IEC stands for International Electrotechnical Commission, a global, not-for-profit membership organization that develops standards for energy infrastructure, and electrical and electronic products.

Certification is conducted by reputable trade bodies that assess the systems and processes of a business against those standards. So a business would not be ISO certified; rather, a business would be certified to ISO standards.

ISO/IEC 27000 series

The ISO/IEC 27000 series is a series of international standards for information security. The most common industry standard for information security in Asia is the ISO/IEC 27001. The purpose of ISO/IEC 27001 is to outline how to put in place, maintain and improve an information security management system. It also includes information security risk assessment and response frameworks. The requirements are generic and apply to all organizations of any size or type.

Other relevant standards in the ISO/IEC 27000 series include:

• ISO/IEC 27002, which has a stronger focus on security controls, rather than general frameworks.
   
• ISO/IEC 27035, which focusses on security incident management.
   
• ISO/IEC 27701, which focusses on management systems and processes for personal identifiable information.

Information security controls

Controls are the granular means of implementing information security management systems. Information security controls will be categorized according to type or objective. The common classifications for types of control are:

• Physical: Security controls that relate to the physical environment in which information and data are stored. An example is physical security controls for access to premises or other locations containing information and data.
   
• Administrative: Security controls that relate to policies and practices. An example is a business’ policy in respect of incident response or information security training.
   
• Technical: Security controls that relate to software processes. An example is an IT security policy and process governing administrator and user authentication and access controls.

The common classifications for the objectives of information security controls are:

• Preventative: Controls directed at preventing an incident. An example is controls in respect of password management.
   
• Detective: Controls directed at identifying and assessing an incident. An example is controls in respect of monitoring and logging of incidents.
   
• Corrective: Controls directed at mitigating the effects of an incident. An example is a business continuity plan.

Effective information security controls in service to a properly implemented and maintained information security management system, provide a strong foundation for an effective data breach response.

Closing thoughts

The success of a data breach response fundamentally depends on the preparation and readiness of the business for handling a data breach. If a business has not given forethought to a data breach response, then its response will be an afterthought, and that form of hindsight will be punished. Information security certification to ISO/IEC or equivalent standards is the benchmark for readiness in this regard. Certification is an essential element in respect of mitigating your responsibility and liability for data breach. Gaining and maintaining certification are a key part of your approach to data breach response. So, get certified now!

Pádraig Walsh

If you would like to discuss any of the matters raised in this article, please contact:

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.