So here we are in the first month of 2014, gym memberships have been bought, new leaves have been turned and so many resolutions have been made and broken that it is hard to keep track of just what is what any more.
A new year, a chance to for a new start and in the spirit of all of the keep fit guru’s spamming YouTube we would like to share our super-hot secret, number one tip for data security.
Whisper it quietly; integrity and availability are just as important as confidentiality when it comes to information security.
That’s right, information “security” isn’t always about how well protected your information is.
Imagine this scenario if you will. You are scheduled for an operation. Nothing serious, you are just getting an investigative procedure done that involves a local anaesthetic. Just before you are falling asleep you hear the nurse say to the doctor,
“We can’t find the patient’s file”
And the doctor nonchalantly replies
“That’s ok. This is bound to be our kidney donor.”
This scenario is obviously very improbable but it highlights why I feel that at different times differing priorities for information can emerge. You can bet that most people wouldn’t care who had access to their medical file (i.e. confidential) in the story above. Me? I would want every person in the room to have it, in triplicate!
Afterwards I would prefer my medical history to be kept secret but at that moment in time the balance has swung very much in the favour of ‘availability’. Making sure my medical file is in the hands of the doctor.
‘Integrity’ is something that anyone who has even administered a system or database is always wary about. Tracking the changes to data base entries and making sure users have the correct read and write access. The only thing worse than manually restoring rows, is not being able to.
Again in our hospital case above, what use would my medical records be if they didn’t contain the latest information? Why am I in this hospital?
Not being able to access information or it being incorrect when you do access it can be caused by many things, poor investment in infrastructure causing hardware failure, poor training amongst system admin leading to incorrect data entry, carelessness amongst staff.
The list is literally endless and it can only be combatted by 2 ways.
1 Examining your risk
2 Putting a continuity plan in place
Examining your risk is vital, what happens if we fail to invest in our IT infrastructure and our systems go down? Our data will be in accessible!
In two instances before Christmas it meant banking chaos in both Ireland and the UK. Customers of Natwest and Royal Bank of Scotland were unable to pay using debit or credit cards on Cyber Monday, the busiest day of the year for online shopping. Later in December a similar issue hit customers of Allied Irish Banks. Both of these issues have been attributed to lack of investment. RBS Chief Executive Ross McEwan perhaps explained it best when he said:
“For decades, RBS failed to invest properly in its systems. I’m sorry for the inconvenience we caused our customers. We know we have to do better.”
Air traffic control is another industry where data’s confidentiality is balanced alongside its availability. You can listen into hundreds of air traffic control operators right now; you can track the movement of planes through the sky via dozens of online sites.
However in early December this system failed when systems required by the air traffic controllers weren’t available. The National Air Traffic Control Service (Nats) failed to change over between night and daytime logistical arrangements. This failure meant that day time air traffic controllers could not access the information needed to safely guide planes through the sky and resulted in hundreds of cancelled flights and even more delays throughout Ireland, the UK and Europe.
The south east of the UK where there is a heavy concentration of very busy airports was the worst affected. This resulted in delays of up to four hours, worldwide. People looking to fly in or out of this area were waiting until after six that evening when the issue was resolved. Worse still even when this issue had been fixed the delays were still being felt two days later.
Thankfully this outage didn’t result in a loss of life, unlike the case on the 26th of October, 1992 when London’s Ambulance Services changed the system that was handling their inbound calls.
LAS CAD went live on Monday morning with 81 known bugs and 4 primary flaws. The system did not function when given incomplete data regarding ambulances status, normal errors in day to day use caused catastrophic problems for the software, the entire GUI was not displayed on the screen at the same time and finally the system stored information even after it was no longer need causing memory to fill up and eventually crash.
Immediately the morning rush caused the system to come under strain, with repeated system crashes and information unavailable, callers were being kept on-hold in the system for up to 30 minutes. By Monday evening the integrity of information was being compromised as newer calls replaced older calls in the system. By Tuesday afternoon the entire system had to be shut down as operators swapped back to pen and paper, contacting ambulances directly and computerised call answering.
This status quo held for 7 further days, until the 4th of November 1992 when at 2am the entire system crashed and could not be fixed via a reboot. The backup system also failed to kick in leaving the emergency services in disarray. A fall back to an entirely pen and paper based emergency response system was put in place but this was not before two people had lost their lives. A 14 year old boy died of an asthma attack during his 45 minute wait and an 83 year old man lost his life whilst waiting for an ambulance that never came.
This loss of life need not have happened. Business continuity should be an important part of every Information Security system. You need to ensure that your organisation is not solely fixated on keep key information confidential, but also understands requirements around the integrity and availability of its information. In order to this you have to look at what impact losing vital systems, computers and infrastructure may have on your business. You may not have people’s lives depending on you but what would your business do if they lost all of their financial information? Crashed hard drives, failed backups are all too common.
Great information security is about risk analysis and mitigation and the irony is that sometimes the best way to keep your organisation’s information secure is to make sure it’s always available and accurate, and confidentiality may be very far down the list. After all what use is data if it is inaccurate and inaccessible?
Michael Brophy | www.certificationeurope.com | @CertEurope_
Michael Brophy is Founder and CEO of Certification Europe which was founded in 2001 with Head Quarters in Dublin, Ireland. In 2012 Certification Europe Limited opened their London operation which, along with offices in Belfast, Turkey, Japan and Italy, is a group of accredited certification bodies which provides ISO Certification and Inspection services to organisations globally.
Michael is a graduate of the University of Ulster and the Universidad de Zaragoza (Spain), with a Master in European Policy and Regulation at Lancaster University, and is one of Ireland’s leading authorities on standardisation. Michael has a wealth of experience in Information Security and Business Continuity Management Systems implementation for Government, military and various business sectors (pharmaceutical, telco, financial, IT and security printing sectors).
Michael has particular expertise in the field of electronic signatures; developing national legislation and national regulatory bodies to govern the use and legal basis for electronic signatures. He has previously advised on the establishment of standards at a national and international level, and he would be viewed as one of Ireland’s leading authorities on standardisation and has served on various EU Commission committees.
Certification Europe is the only Irish accredited certification body operating in the field of Business Continuity standards, it was the first accredited industry player in Ireland to offer Information Security and IT Service Management Systems assurance schemes, and it is a world leader in Energy Management System certification.
Michael is also Chair of the Association of Accredited Certification Bodies (AACB).
Other articles from Certification Europe include:
– Chasing Shadow IT
– Humans are the weakest part of your information security system
– A Chain Is Only As Strong As Its Weakest Link