Ultimate Deal Security Part 7: Information Security - A wider holistic lens

Learn how to achieve ultimate deal security in this 8-part series for advisors, written by Ansarada CTO Owen Senior.

By Ansarada | Tue Apr 21 2020 | Security and risk management

A narrow lens leads to a wide risk

The flow of information through businesses - your business as an advisor, and Ansarada’s business - is a wider issue than 1s-and-0s flowing across wires. It is bigger than cybersecurity, and it is bigger than features within the Virtual Data Room. Again and again, experts in information security state that a narrow lens causes risk.

This 2016 report by Deloitte University Press states:

“False sense of security. Many business unit and C-suite executives think compliance equals security, especially in highly regulated industries. In Deloitte CISO Labs, 79 percent of CISOs report spending time with business leaders who think cyber risk is a technical problem or a compliance exercise. However, being compliant with regulations does not address all cyber risk or make an organization secure, and that mindset can create an organizational culture that has a very narrow and inadequate understanding of cyber risk.”
 

Consider this range of questions to understand a wider lens:

  • The people in customer service at your VDR provider - how are they hired, checked, trained, and retrained? How are exits handled?
  • How is sensitive data handled at your VDR provider in terms of viewing this when supporting you on the phone? How is this agreed, monitored and audited? How is printed material handled?
  • What are the systems for monitoring the staff at your provider, to ensure no-one can inappropriately access live data? Or to prevent technical or non-technical users using their privileged position to use your information for insider trading or similar?
  • Putting aside the security of the actual VDR system itself, what are the internal network systems at the VDR provider for the day-to-day work done by sales, marketing and engineering? Do they protect against an attacker getting onto the network and laptops, and launching an attack into the Data Room from there?
  • What is the culture and process for physically securing buildings, laptops and screens?
  • What is the process for tracking any kind of information leakage by absolutely anyone/any cause and learning from that? What are the most common user mistakes - from the VDR provider team in how they do their roles, or the end user (buy side/sell-side) - and how can we mitigate or prevent these risks?
  • How do we create a culture where everyone at all levels of the organization reports concerns immediately, without fear?
  • What processes are in place for selecting systems that the customer service team uses to interact with you? Are those channels secure? Are we clear on how to use them securely?
Unless you consider every avenue of information leakage, you are not protected.
 

Waving the shiny certificate!

Surely, the solution for any advisor considering vendors is this:

Check they have ISO27001 or similar. Check they have it; check it’s up to date.

Doesn't that handle the problem? No. Not at all.

ISO 27001 certification applies to a defined scope of your business. It begins by asking, ‘how much of your business is covered by this certificate?’, and then works to that scope.

If the scope is just live production systems, you’ve already ruled out 90% of the areas that cause information leakage.

With a narrow scope, you haven’t answered most of the questions that really matter. If the production systems are secure from cyber attack, but the VDR’s customer service team is telling their trading friends about your deal, then you are not secure.

Some vendors narrow the scope of their ISO 27001 or any other ISMS (Information Security Management System) they use. Why?

They do that for at least 3 reasons:
  1. Firstly, they want to wave that shiny certificate in your direction.
  2. Secondly, even beginning with a wide scope that covers all of your business takes a lot of determination, effort, training and cost.
  3. Thirdly, maintaining the certification takes ongoing effort if you take a wide scope.
So the lens narrows, the scope narrows, and with it, your protection narrows.
 

Narrowing Part 1: Just get it!

Let's look at the first motivation for narrowing scope: getting the ‘shiny certificate’ to wave at vendors.

This motivation is freely admitted by those in the security industry. This isn’t a dirty secret hidden away; it is a well-known problem:
  • This cyber blog states about ISO 27001 scope specifically: “Often companies try to cheat here by defining their scope too narrow just for the sake of getting the certificate.”
  • This well-known ISO 27001 site lists 23 reasons for descoping that they see occurring, including:
    • Lack of time – there’s an urgent need to “get certified” and a certificate is all that matters right now.
    • To cut corners and give the appearance of being concerned about information security, while spending the least amount possible to do so.


Narrowing Part 2: Wide scope is hard and costly to get

There is the cost of initially getting the certification (which is going up), and this is heavily influenced by scope, leading many to narrow scope.

As stated here:

“The cost will vary depending on the size of the organization, the number of employees, geographic location, and scope. We have to determine if it is going to apply to the entire organization or just a particular part of the organization. That's another important part of the ISMS and ISO 27001 standard; it doesn't necessarily have to apply to the entire organization.”

For 50 years, ISACA has been a risk and information governance community. They note:

“In addition to the previously mentioned cost savings, the organization that wants to have a step-by-step approach to ISO compliance can adopt a corporate scheme, which envisages that the scope of compliance can be restricted to a specific division, business unit, and type of service or physical location. The adoption of a corporate scheme will save time and allow the organization to realize the benefit of ISO 27001 certification. In addition, once successful compliance has been achieved for a limited, but relevant, scope, the corporate scheme can be expanded to other divisions or locations.”

This ISO 27001 audit service states:

“The scope needs to be broad enough to ensure that it will satisfy key stakeholders (e.g., clients, shareholders) but narrow enough to ensure the initial effort remains manageable.”
 

Narrowing Part 3: Wide scope is hard and costly to maintain

The ongoing maintenance of a wide scope is even harder than the setup. The consultancy Advisera cautions: “If you thought that your job was over after the ISO 27001 certification, you’re wrong – the real job with your Information Security Management System (ISMS) has just begun.”

Controls
ISO 27001 describes 114 controls split into 14 categories (you can see the list here). Which controls are needed depends on how wide your scope is, your attitude to risk, and relevance. For example, if you don’t outsource, you probably don’t need the outsourcing control.
 

So what can you as an advisor do to be confident?

If any vendor says they are ISO 27001 compliant, insist on 3 things:
  • Certificate: You can say you are ‘compliant’ because you try to stick to the standard, but certification is what counts. Insist on proof of a recent audit and certification.
  • Scope statement: Insist on the scope statement. If it is anything other than the whole business (i.e. if it is just engineering or production systems), be sceptical. Be very cautious indeed.
  • List of controls applied (and not applied): Which of the 114 controls does this provider apply and which do they not apply? And ask them why the ones they didn't apply were excluded.
This approach can help you not just with VDR systems, but any system where security is of particular concern to you.
 

Ansarada: A wide scope, 113 controls, 11 years

Ansarada’s ISO 27001 scope is the entire business. Everything we do.

We apply 113 of the 114 controls. The only one we don’t apply pertains to outsourcing because we don’t outsource core functions.

We’ve held our certification for 11 years and we are audited by top-tier auditor Lloyd's Register Quality Assurance.

Owen Senior has been working with software product companies for over 20 years and with secure SaaS products since 2004 - working with business stakeholders, technology and information security experts to ensure systems are both easy to use and secure.
Owen Senior, Chief Technology Officer, Ansarada