Boston, Berlin, Baghdad and Bora Bora 


Information security standards are meant to apply universally. (It is an indicator of our lack of knowledge of astrophysics that we refer to anything that applies everywhere on Planet Earth as being universal.) The best known of these standards are ISO 27001/2, Information technology—Security techniques—Information security management systems—Requirements1 and Information technology—Security techniques—Code of practice for information security management.2 These standards are meant to be applicable to “all [emphasis added] types of organizations (e.g., commercial enterprises, government agencies, nonprofit organizations…). This International Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented [information security management system] within the context of the organization’s overall business risks.”3

It is questionable whether any standard or, for that matter, any concept of security is applicable to all organizations in all corners of the world, without consideration of national and regional differences. Stated simply, are the perception and the reality of information security the same in Boston, Berlin, Baghdad and Bora Bora? I am not implying in any way that there are national attributes that would affect security in their countries. But I do believe that there are differences of custom, law, communications, politics and history that make the realization of a Platonic ideal4 of information security unachievable.

CIA

To complicate matters, there is no globally accepted definition of information security.5 A minimal definition, often cited if not always accepted, is that information security consists of confidentiality, integrity and availability (CIA). While many would argue that there is more to security than CIA, if those three security objectives are not the same everywhere, there is no reason to continue to search for universal meaning in this sphere.

ISO 27001 presents a caveat to universality: “within the context of the organization’s overall business risks.” Thus, one organization in a high-risk field (say, banking or the military) might interpret CIA differently from one with lower risk. Clearly, the need for continuous availability in a financial institution in Boston (population 575,000) is greater than that of any organization in Bora Bora6 (population 9,000), an economy dominated by tourism. Is the distinction only between the tolerance for downtime in an urban bank and in a remote island’s hotels, or is there a real difference between the culture of security in a Polynesian paradise and that of a New England (USA) metropolis? Neither proposition is provable, but neither can be dismissed. Merely admitting the possibility of differences cuts into the case for universality.

Data integrity7 is an elusive universal goal. Authorized manipulation of data is always affected by who is doing the authorizing and who is doing the manipulating, so integrity is suspect everywhere, including Berlin and Baghdad. But one cannot equate the security requirements in peaceful Berlin with those in a city like Baghdad, torn by war. The accuracy and consistency of information are subject to stresses in a war zone that are unlike those elsewhere.

With confidentiality, the C in CIA, we come to the starkest example of a difference in social norms affecting a global consensus on information security. Privacy is a cousin to confidentiality; privacy cannot be achieved if confidentiality cannot be assured. The weakest control statement in all of ISO 27001/2 deals with this subject: “Data protection and privacy shall be ensured as required in relevant legislation, regulations, and, if applicable, contractual clauses.” Thus, explicitly, there is no universal meaning for privacy, and by extension for confidentiality, but rather reliance on necessarily local laws, regulations and contracts. In the US, where Boston is located, federal privacy law is sectoral, applying primarily to financial services8 and health care.9 In most of Europe, including Berlin, privacy is a clearly stated fundamental right across society.10 If C, I and A mean different things in different places, what then is the universality of information security?

So What?

This is all an interesting philosophical discussion, but what of it? The importance is that multinational companies and those organizations that do business internationally cannot presume that directives for the security of information resources will be perceived or interpreted in the same way in all locations in which they have interests. The burden is on the management of those organizations to state their own policy, standards and procedures, and not simply to adopt international standards such as ISO 27001/2 as their own.

Moreover, consistent metrics are needed to assess compliance with those organizations’ standards. Measurement of the effectiveness of security has long been a conundrum; the absence of breaches is not necessarily indicative of the presence of security. With an organization’s databases accessible globally, its information security is only as strong as the implementation of its standards at whichever location interprets those standards most laxly.

With regard to the ISO standards, compliance is measured through the process of certification against ISO 27001; ISO 27002 is a code of practice and is not itself the object of certification. The closest equivalent for measuring compliance with an organization’s own standards is the audit process. Still, auditors live within their social milieu. Audit independence implies that the auditor is not personally involved with the controls. Independence cannot assure that two auditors, one in Boston and the other in Baghdad, will look at the same implementation of security and reach the same conclusions. They are human and work within their own personal and societal biases.

Cultural Bias

Since the ISO standards were also crafted by human beings, are there cultural biases embedded in them? ISO 27001/2 was derived from a British standard.11 Although there have been major improvements to the standards over time, significant passages from BS 7799 still appear in ISO 27002. The original was written by a committee of Britons, some of whom are personal acquaintances. Fine fellows all, but they could not help but see the world, and the security of the information in that world, through the lens of the society in which they were raised and live. It is a testament to their work that it has resonated with so many people in such far-flung places for so long.

International security standards imply a global consensus on the meaning of security, one that is not evident, for example, between democracies and dictatorships, large and small economies, or so-called first- and third-world nations. Governments favor security standards so that they can enforce uniformity within their jurisdictions. Unfortunately, they are not quite so fond of standards emanating from other jurisdictions. In the private sector, the need for consistency in global affairs works against national standards. The inherent tension between localism and universality is, as I have been saying, unresolved.

The more generic international standards are, the less “standard” they are in implementation. The more prescriptive they are, the more difficult it is to make them work in specific instances. Security standards are established to deal with a wide range of potential exposures; a given organization may not need to address them all. Moreover, the funding required for broad-based adoption of security standards may work against the achievement of any standardization. If universality of information security standards is ultimately an unattainable goal, organizations should seek to impose, monitor and audit compliance with standards of their own making.

Endnotes

1 International Organization for Standardization, ISO/IEC 27001:2005, Information technology—Security techniques—Information security management systems— Requirements, 2005
2 International Organization for Standardization, ISO/IEC 27002:2005, Information technology—Security techniques—Code of practice for information security management, 2005
3 Op cit, ISO 27001, p. 1
4 The Greek philosopher Plato described a dual reality, that of the material world and the transcendent realm of forms. Thus, for the purposes of information security, there is security as we find it in the world we perceive and an ultimate, universal expression of security. This duality has been argued through the centuries. The philosophic issue is whether a universally applicable concept of information security can be separated from the world as we experience it.
5 I have discussed this question in a previous ISACA Journal column, “IS Security Matters?,” vol. 2, 2010.
6 No slight intended to the good people of Bora Bora, but the alliteration does lend itself to its choice as a representative small nation.
7 Defined as “accuracy and consistency of stored data, indicated by an absence of any alteration in data between two updates of a data record,” Business Dictionary, www.businessdictionary.com/definition/data-integrity.html
8 US Congress, Financial Services Modernization Act, (better known as the Gramm-Leach-Bliley Act), USA, 1999
9 US Congress, Health Insurance Portability and Accountability Act (HIPAA), USA, 1996
10 European Parliament and Council, Directive 95/46/EC (better known as the European Privacy Directive), 1995
11 British Standards Institution, BS 7799, 1995. In fact, the ISO standards still retain codesignation as BS 7799.

Steven J. Ross, CISA, CISSP, MBCP
is executive principal of Risk Masters Inc. He can be reached at stross@riskmastersinc.com.

Steve Ross will be presenting Creating a Culture of Security at this year’s Information Security and Risk Management Conference in Las Vegas, Nevada, USA. Register now at www.isaca.org/isrm.



The ISACA Journal is published by ISACA.


© 2010 ISACA. All rights reserved.
