Welcome to the Whittington & Associates e-Newsletter!
Our newsletters provide guidance on ISO 9001, AS9100, ISO 13485, ISO/TS 16949, TL 9000, ISO 14001, ISO 27001, ISO 20000, and related ISO standards, as well as Six Sigma.
If you have any questions about the articles
appearing in this issue, or you want to suggest
topics for future issues, please let us
know.
ISO 19772:2009 for Data Security
Security is perhaps one of the greatest concerns of the millions of users who routinely exchange data over the Internet or store information on computers that may be accessed by unauthorized parties.
To protect the confidentiality and integrity
of data being transferred or stored, ISO and
the International Electrotechnical Commission
(IEC) jointly developed a new standard that
defines authenticated encryption mechanisms
that provide an optimum level of security.
ISO 19772:2009, Information technology - Security techniques - Authenticated encryption, specifies six encryption methods (based on a block cipher algorithm) that can be used to ensure:
Data confidentiality (protecting against
unauthorized disclosure of data)
Data integrity (enabling recipients to
verify that the data has not been modified)
Data origin authentication (helping
recipients to verify the identity of the data
originator).
The standard takes the specific security
needs of different operations into account.
For instance, while encryption may be used to
prevent eavesdropping when data is being
exchanged, message authentication codes or
digital signatures are ideal for protecting
data from being modified.
The mechanisms specified in the standard have
been designed to maximize the level of
security and provide efficient processing of
data for optimum results. The mechanisms can
be applied to ensure the integrity of data
even when not encrypted (e.g., to prevent
modifications of e-mail addresses, sequence
numbers, etc.).
ISO 19772 is expected to give users
confidence that their data is safe. Not only
will it be useful for protecting information,
but also for furthering the development of
online transactions and e-businesses, and
other applications involving sensitive data.
All six encryption methods specified in ISO
19772 require the originator and the
recipient of the protected data to share a
secret key. Key management is outside the
scope of the ISO 19772 standard. Key
management techniques are defined in the ISO
11770 standards family:
ISO 11770-1:1996 Information technology - Security techniques - Key management - Part 1: Framework
ISO 11770-2:2008 Information technology - Security techniques - Key management - Part 2: Mechanisms using symmetric techniques
ISO 11770-3:2008 Information technology - Security techniques - Key management - Part 3: Mechanisms using asymmetric techniques
ISO 11770-4:2006 Information technology - Security techniques - Key management - Part 4: Mechanisms based on weak secrets
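The three goals listed above, and the point that integrity protection can cover data that is sent in the clear (sequence numbers, addresses), are easiest to see in code. The following is an added example, not text from the newsletter or the standard: it uses AES-GCM from Go's standard library (GCM is one of the six ISO 19772 mechanisms), a constructed shared key, and a readable header passed as additional authenticated data; the Seal/Open function names and sample values are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds the AES-GCM AEAD for a 16-, 24- or 32-byte shared key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext and authenticates both it and header under the
// shared key. The header (e.g. a sequence number) is sent in the clear but is
// covered by the tag, so it cannot be altered undetected. It returns the fresh
// random nonce and the ciphertext with the 16-byte tag appended.
func Seal(key, header, plaintext []byte) (nonce, ciphertext []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, header), nil
}

// Open verifies the tag over header and ciphertext before releasing any
// plaintext; a modified header, modified ciphertext or wrong key all fail.
func Open(key, header, nonce, ciphertext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, header)
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key
	nonce, ct, _ := Seal(key, []byte("seq=42"), []byte("invoice total: 1200.00"))
	_, err := Open(key, []byte("seq=43"), nonce, ct) // recipient sees a tampered header
	fmt.Println("tampered header rejected:", err != nil)
}
```

Because the tag is checked before any plaintext is returned, the recipient also gets data origin authentication for free: only a holder of the shared key could have produced a tag that verifies.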
Note: We offer courses on Information Security Management Systems based on ISO 27001, Information technology - Security techniques - Information security management systems - Requirements.
2008 will likely be remembered as a
tumultuous year for corporations and
consumers alike. Fear, uncertainty, and doubt
seized global financial markets; corporate
giants toppled with alarming regularity; and
many who previously lived in abundance found
providing for just the essentials to be
difficult.
Among the headlines of economic
woes came reports of some of the largest data
breaches in history. These events served as a
reminder that, in addition to our markets,
the safety and security of our information
could not be assumed either.
Verizon's 2009 Data Breach Investigations
Report covers this chaotic period in history
from the viewpoint of their forensic
investigators. The 90 confirmed breaches
within their 2008 caseload included an
astounding 285 million compromised records.
These records have a compelling story to
tell, and the pages of their report are
dedicated to relaying it.
Who is behind data breaches?
74% resulted from external sources.
20% were caused by insiders.
32% implicated business partners.
39% involved multiple parties.
Most data breaches continue to originate from external sources. Though still a third of the sample, breaches linked to business partners fell slightly for the first time in years. The median size of breaches caused by insiders is still the highest, but the predominance of total records lost was attributed to outsiders. 91 percent of all compromised records were linked to organized criminal groups.
How do breaches occur?
67% were aided by significant errors.
64% resulted from hacking.
38% utilized malware.
22% involved privilege misuse.
9% occurred via physical attacks.
In the more successful breaches, the attacker exploited some mistake committed by the victim, hacked into the network, and installed malware on a system to collect data. 98 percent of all records breached included at least one of these attributes. Unauthorized access via default credentials (usually third-party remote access) and SQL injection (against web applications) were the top types of hacking. The percentage of customized malware used in these attacks more than doubled in 2008. Privilege misuse was fairly common, but not many breaches from physical attacks were observed last year.
What commonalities exist?
69% were discovered by a third party.
81% of victims were not Payment Card Industry (PCI) compliant.
83% of attacks were not highly difficult.
87% were considered avoidable through simple or intermediate controls.
99.9% of records were compromised from servers and applications.
Only 17 percent of attacks were designated as highly difficult, yet they accounted for 95 percent of the total records breached. So, while hackers prefer soft targets, they do seem to know where best to apply the pressure when motivated. Most of these incidents do not require difficult or expensive preventive controls. Mistakes and oversight hinder security efforts more than a lack of resources.
Where should mitigation efforts be
focused?
The best defense against data breaches is, in theory, quite simple: don't retain data. Since that is not realistic for many organizations, the next best thing is to retain only what is required for business or legal reasons, to know where it lives and flows, and to protect it diligently.
The majority of breaches still occur because
basic controls were not in place or because
those that were present were not consistently
implemented across the organization. If
obvious weaknesses are left exposed, chances
are the attacker will exploit them. It is
much less likely that they will expend the
time and effort if none are readily apparent.
A very large proportion of attackers gain
access to enterprise networks via default,
shared, or stolen credentials. Furthermore,
organizations seem to have little visibility
into this problem. It's certainly best to
prevent such incidents in the first place,
but a second line of defense is to review
accounts for signs of abuse or anomalies. SQL
injection was also an oft-used means of
breaching corporate data last year.
Secure development, code review, application
testing, etc. are all considered beneficial
in light of this finding. Whatever the
sophistication and aggressiveness of attacks,
the ability to detect a breach when it occurs
is a huge stumbling block for most
organizations. Whether the deficiency lies in technology or process, the result is the same: during the last five years, few victims discover their own breaches. Fewer still discover them in a timely manner.
1. Ensure essential controls are met.
2. Find, track, and assess data.
3. Collect and monitor event logs.
4. Audit user accounts and credentials.
5. Test and review web applications.
When reviewing responses to audit nonconformities, you should look for correction, root cause analysis, and then corrective action. The ANSI-ASQ National Accreditation Board (ANAB), which accredits certification bodies (CBs), knows the proper corrective action process.
When ANAB was experiencing less-than-adequate responses to the nonconformities it issued during audits of certification bodies, it issued a "Heads Up" to its auditors to provide guidance on evaluating corrective action responses.
Guidance:
ANAB said that nonconformity responses should be reviewed in three parts: correction, root cause analysis, and corrective action. In reviewing the three parts, they look for a plan, and then evidence that the plan is being implemented. In some cases, the CB may take action and not provide a plan; that is acceptable as long as the following guidance is met.
Correction - To be fully accepted,
the response must include the following
components:
1. The extent of the nonconformity has been
determined and contained.
The nonconformity has been corrected and the
response is written in the past tense, e.g.,
the missing record was found (not will be
found). The CB has examined the system to see
if there are other examples that need
correction (extent of the issue) and have
addressed the extent in their response. The
response should include the evidence ANAB
found and any other evidence the CB may have
found.
2. If correction cannot be immediate, a plan
to correct the NCR may be appropriate, and
include identification of responsible parties
for the actions and a schedule (dates) for
implementation.
3. If applicable, all parties involved have been informed of the problem (identify internally affected parties, auditors, customers, etc.).
4. Evidence that the correction was
implemented or evidence that the plan is
being implemented.
Root Cause Analysis - To be fully accepted, the response must meet the following guidance:
5. The Root Cause refrains from simply
repeating the finding or the direct cause.
6. The Root Cause is a brief expression of
fact that attempts to neither explain the
situation away nor rationalize the condition.
7. A well thought out Direct Cause has been determined, along with a well thought out analysis to determine the true root cause; e.g., "someone did not follow a process" would be a direct cause, and determining why someone did not follow the process would lead to the true root cause.
8. The root cause statement must focus on a
single issue. If more than one cause is
identified, for instance training and
inadequate work instructions, then two
Corrective Action plans must be submitted.
9. The Root Cause statement addresses a
fundamental issue without any obvious "why"
questions remaining. If a "why" question can
reasonably be asked about the root cause
analysis, this indicates that the analysis
did not go far enough.
Corrective Action - To be fully
accepted, the response must include the
following components:
10. The corrective action, or corrective
action plan, addresses the root cause(s)
determined in the root cause analysis.
11. In order to accept the plan, it shall
include actions to address the root cause(s),
identification of responsible parties for the
actions, and a schedule (dates) for
implementation.
12. In order to accept the evidence of
implementation, enough evidence is provided
to show the plan is being implemented as
outlined in the response (and on schedule).
Evidence in full is not required to close the
nonconformity; some evidence may be reviewed
during future assessment when verifying the
corrective actions.
You can see the ANAB communication at Heads
Up 137.
Ten Audit Questions
The Automotive Industry Action Group (AIAG)
publishes a monthly newsletter titled,
Quality Standards and Tools. Their May and
June issues included articles
written by Craig Cochran that describe his
"10 Essential Audit Questions".
The author suggests ten important questions
to ask during an audit to determine the
effectiveness of the management system and
the overall performance of the organization:
1. How do you contribute to the achievement
of your organization's objectives?
2. What happens if your products (or
materials or supplies) are nonconforming?
3. How do you access product requirements?
4. How are problems prevented?
5. How do you use data on customer
perceptions?
6. How are customer complaints handled?
7. How does top management review the
organization's performance?
8. What evidence can you provide of continual
improvement?
9. How are training needs determined?
10. What's the most important thing about
your job?
Craig explains the significance of these
questions in his two-part article in the May
2009 and June
2009 issues of Quality Standards and Tools.
ANAB's Bill of Rights
Third-party accredited certification is a
professional relationship between a client being
certified, the certification body (CB), the
CB's auditors, the accreditation body (AB),
and the AB's assessors. In the United States,
the recognized AB for management systems
certification is the ANSI-ASQ National
Accreditation Board (ANAB).
These parties all contribute to the integrity
of accredited certification and continual
improvement based on processes that assure
capability, competence, and impartiality.
From time to time, a certified client may be
dissatisfied with the services of a CB or CB
auditor. Options include leaving one CB for
another. However, continual improvement
also applies to CBs and CB auditors.
Therefore, certified clients are encouraged
to provide
feedback to ANAB whenever they sense
inadequacy with their CB.
Client Bill of Rights and
Responsibilities
As a result, ANAB recently published a Client
Bill of Rights and Responsibilities, which
says a certification client has a right to
expect:
That the audit team assigned to the audit
has the collective competence with regard to
the processes or services that the client
lists in its scope of certification.
The audit team to perform a thorough audit of
the processes that support the management
system, and to collect through interviews of
personnel, observation, and review of
documents the objective evidence necessary to
determine conformance or nonconformance
to the requirements of the relevant
standard(s).
That no auditor will consult with or provide
solutions to the client.
To be made aware that disagreements with an
auditor's "interpretation" in documented
findings related to the applicable
standard(s) may be disputed and/or appealed to
the CB through a formal process. If this
process is not resolved to the satisfaction
of the
client, the appeal may be elevated to ANAB as
a complaint for further consideration.
The auditor or CB to recommend more frequent
surveillance visits when routine
scheduled surveillance identifies numerous
findings indicating the client is not
self-managing its management system processes
adequately.
The auditor or CB to add additional audit
time to the next surveillance or recertification
audit if findings require verification of
implementation and effectiveness to ensure
there is no reduction to the required audit
duration times.
To receive its certificate in a timely manner
after successful audit finding resolution,
review, acceptance, and closure.
That at the opening meeting, the CB disclose
the ANAB complaint process in addition
to the CB's complaint and appeals processes.
The CB to disclose the Client Bill of Rights
and Responsibilities at the opening meeting
of every visit.
Furthermore, the client has a Responsibility:
To respond to audit findings in a timely
manner and sincerely seek to implement
immediate correction, discover the root cause
that leads to effective corrective action
and can also result in preventive action, and
thus encourage true continual improvement.
To notify ANAB through the ANAB complaint
process when they replace their CB
with another because of dissatisfaction.
ISO/IEC 17021, the International Standard
that applies to management systems CBs,
includes a principle on Responsibility
(clause 4.4), which states:
The client organization, not the
certification body, has the responsibility
for conformity
with the requirements for certification.
The certification body has the responsibility
to assess sufficient objective evidence
upon which to base a certification decision.
Based on audit conclusions, it makes a
decision to grant certification if there is
sufficient evidence of conformity, or not to
grant certification if there is not
sufficient evidence of conformity.
When all the parties involved understand and
execute their responsibilities, accredited
certification achieves its purpose of
providing confidence that a management
system fulfills specified requirements.
Whittington & Associates provides training, consulting and auditing services for management systems based on ISO 9001, ISO/TS 16949, ISO/TS 29001, TL 9000, AS9100, AS9110, AS9120, ISO 13485, ISO 27001, ISO 20000, and ISO 14001.