ISO 27001 compliance as prima facie evidence of good faith action in data security
University of Michigan School of Information
Security breaches of personal information by businesses remain a fact of life. As of March 13, 2010, the total number of records containing sensitive personal information involved in security breaches in the U.S. since the beginning of 2005 was more than 346 million, according to the Privacy Rights Clearinghouse (Privacy Rights Clearinghouse, 2010). This figure amounts to more than one breach per U.S. citizen, given a Census Bureau population estimate of 307 million in July 2009. Sadly, this breach figure is below the total number, because not all breaches are reported, according to the Clearinghouse.
Breaches will continue to occur despite efforts to prevent them, experts say. "You cannot anticipate every internal and external threat, nor can you predict when an employee will prove dishonest or capable of a major mistake. No security system is bulletproof, and there is never a shortage of motivated, educated individuals capable of exploiting your every vulnerability. Prepare your mindset: The question is not 'if' your data will be comprised, it is 'when'" (Tedder, 2010).
State and federal lawmakers and regulators, vigilant about protecting citizens' personal information, include this understanding in their handling of regulations and laws. Some have taken steps to provide protection for companies that adhere to an industry standard. An example comes in the form of the state of Nevada including a safe harbor shield for businesses that are breached when they are using data encryption technology and are in compliance with the Payment Card Industry Data Security Standard (Hunton & Williams, 2009).
Safe harbor protection helps businesses in the event of a breach; in fact, it offers them too much safety. Two extremely large personal information data breaches occurred at companies that had evidence of being PCI DSS compliant. These were the well publicized losses of personal information at The TJX Companies Inc., where 455,000 consumers' personal information was taken in 2005 and 2006 (FTC, March 27, 2008), and at grocery retailer Hannaford Brothers Co., where cyber thieves breached company systems and stole personal data of nearly 4.2 million customers in 2008 (Walden, Southwell, & Goodman, 2008).
The PCI DSS standard contains inherent weaknesses that make it ill-suited for use as a legal or regulatory standard, and those weaknesses make it simultaneously a very poor match for safe harbor provisions. One is hard-pressed to imagine TJX or Hannaford protected by safe harbor provisions, given the scope of damage caused in their breaches. These weaknesses in PCI DSS will be explored briefly, later in this paper.
Because all standards have weaknesses, in both approach and application, and because breaches will continue to happen even to well designed and strenuously defended systems, it is important that businesses be encouraged to adhere to a very robust data security standard. Regulators could wisely encourage such adherence by treating compliance with a strong standard, such as ISO 27001, to be prima facie evidence of good faith operation in secure data handling; regulations should explicitly identify 27001 as an accepted means of indicating that a company is carrying out its duty in good faith to keep personal data secure (A Dictionary of Law, Oxford University Press, 2009). While not providing a safe harbor per se, it would benefit compliant businesses when dealing with regulators or the judical system in the aftermath of a data loss.
Several standards might conceivably be chosen for such regulatory special status. This paper will examine specifically why 27001 (and its related 2700X and 28000 family of standards) makes a good candidate for special consideration. It is respected as a solid framework that employs risk management processes, is used worldwide, is useful for due diligence, has the effect of improving corporate processes and data protections, and has clear points of connection with U.S. law and regulatory actions. The standard encourages better business practices, which is a major key in protecting private data in an evolving security environment.
As of March 2010, the total number of companies that had achieved ISO 27001 certification—also known as Information Security Management Systems—stood at 6,385; however, just 95 of them were located in the U.S., according to the International Register of ISMS Certificates.
Because implementation sets up ongoing processes that treat information security as part of companywide risk management, the standard can be costly to plan for, implement and maintain. However, it carries a well merited positive reputation. "ISO 27001 reassures customers, employees, and suppliers that information security is a serious concern for the organizations with whom they deal. Such organizations have in place predefined state-of-the-art processes to deal with information security threats and issues (Freeman, 2007).
"The international mutual recognition certification scheme for ISO 27001 makes it the touchstone for comprehensive and verifiable information security management practices," said Barry L. Kouns, security consultant and principal with SQM-Advisors, a security, quality and management consulting firm. 'When organizations implement ISO 27001, not only do they safeguard assets through best practice controls, they empower their organization with a risk assessment methodology that assures the proper treatment of all risks to the business. ... The risk assessment methodology allows an organization to be ever responsive to new risks and to address each risk in a manner most suitable to their organization at the time" (Parry, 2006).
ISO 27001's comprehensive framework and management system drives compliance with multiple information security and privacy requirements.
"The ISO 27001 Plan-Do-Check-Act methodology requires capture and analysis of all relevant legal, regulatory, industry standards and contractual requirements that affect the business use of information assets (people, processes, technologies, data) within scope of implementation. The management system requirements specification requires harmonization of the information security compliance processes with the character and objectives of the business" (JBW Group International, Services Risk, 2009). ISO 27001 outlines 11 control areas, 39 control objectives and 133 specific controls for implementing a comprehensive Information Security Management System (JBW Group International, Executive Update, 2009).
Nonetheless, it is far more than a "checklist" standard. The combination of a broad, risk-management approach with specific controls brings the effect of ongoing betterment of the business (Tomhave, 2005).
One way of looking at a company's efforts to protect its customers' privacy is through examination of the firm's efforts at due diligence, meaning corporate officers operate in line with accepted business practices and follow all relevant laws and other regulatory requirements.
According to consultant Edward H. Freeman: "The guidelines and evaluation criteria for ISO 27001 provide useful reference standards, designed to establish specific requirements and procedures that provide effective security to all parties. Developers should be prepared to show they have used security processes at least as thorough and demanding as those of equivalent ISO 27001 rated systems. This will establish due diligence ..." (2007).
Further examination shows that 27001's explicit "Plan-Do-Check-Act" approach addresses key elements of legal standards, says privacy expert Thomas J. Smedinghoff. "Compliance with an international standard does not itself confer immunity from legal obligations ... but compliance with a recognized standard that essentially matches the legal requirements for security, represents the latest thinking on the subject, (and) is developed cross-industry and internationally ... may help demonstrate the level of legal compliance that regulators and courts are looking for" (Smedinghoff, 2009).
This line of thought continues in the close connection 27001 has with U.S. Federal Sentencing Guidelines, according to consulting firm JBW Group International:
"Chapter 8, Part B2 Section 1 of the United States Federal Sentencing Commission Guidelines Manual (Federal Sentencing Guidelines), Sentencing of Organizations, establishes the framework for an effective ethics and compliance program. ... The criteria set forth in Ch8.B2.1 have become the accepted framework for developing, implementing and managing compliance programs in U.S. organizations. ... ISO 27001: 2005 Information technology—Security techniques—Information security management systems—Requirements, and the associated standards provide a detailed framework and set of requirements for ensuring appropriate incorporation of the Federal Sentencing Guidelines ethics and compliance program criteria into an organization's security program though the implementation, operation, management, evaluation and continual improvement of an information security management system (ISMS)" (JBW Group International, Federal Sentencing).
ISO 27001 takes the concept of a comprehensive standard well beyond an industry best practices approach but aligns a compliant organization with federal guidelines, which is an excellent indication of the company's desire to operate in good faith in complete adherence to legal requirements. This thought is emphasized by ISO 27001 expert Patrick Sullivan. "It's important to stress ... that the defense isn't just that you have a bunch of controls that are considered 'best practices,' but that you have identifiable, documented and effective (information security risk) management accountabilities and processes that direct the application, operation and evaluation of those controls" (Sullivan e-mail, 2010).
Taking the argument onward from legal guidelines and directly into privacy regulations, it is easy to note echoes of 27001 in federal statutes. "Legislation in the U.S. such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) as well as several international laws and regulations borrow heavily from ISO 27001" (JBW Group International, About Information Assurance).
It takes little heavy lifting to link sections of the standards to aspects of some key regulations. "For example, the new ISO 27001 Information Security standard maps directly to Sarbanes Oxley #404 Internal Controls. As an indication, SOX 404 (a) (1) covers management responsibility to maintain an adequate internal control structure, which maps to ISO 27001 Section 5 Management Responsibility. Similarly, 404 (a) (2) covers an assessment of internal control effectiveness, which maps to ISO 27001 Section 7 Management Review Of ISMS" (Wolcott Group, 2007).
Enforcement actions regarding breached companies also contain wording evoking 27001. According to Sullivan, "... Look at the trends in enforcement actions, and what they impose in the way of security program requirements; it begins to look a lot like clauses 4-8 of ISO 27001" (Sullivan e-mail, 2010).
The 2008 FTC action involving TJX's major breach illustrates this point.
"The settlement with TJX requires it to establish and maintain a comprehensive security program reasonably designed to protect the security, confidentiality, and integrity of personal information it collects from or about consumers. The settlement ... (requires the retailer) to contain administrative, technical, and physical safeguards appropriate to each company's size, the nature of its activities, and the sensitivity of the personal information it collects" (FTC-TJX, 2008).
Now compare with ISO 27001: Clause 4, which requires that an organization "define an ISMS policy in terms of the characteristics of the business, the organization, its location, assets and technology that (i) includes a framework for setting objectives and establishes ... principles for action, (ii) takes business and legal or regulatory requirements as well as contractual security obligations into account, (iii) (and) aligns with the organization's strategic risk management context" (CQR Payments). While the wording differs, the similar meaning is evident.
Here are other specifics from the TJX consent order, compared directly to requirements in 27001 Clauses 4 and 5 (and the related ISO supply-chain information-security standard 28000):
•Consent order (CO): Designate an employee or employees to coordinate the information security program; 27001: Clause 5: Explicitly states the management responsibility for the ISMS and details the necessary requirements pertaining to management commitment and resource management, including provision of resources as well as training, awareness and competence.
•CO: Identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place;
27001: Clause 4: Identify, analyze and evaluate the risks; select control objectives and control for the treatment of risks.
•CO: Design and implement safeguards to control the risks identified in the risk assessment and monitor their effectiveness;
27001: Clause 4: Formulate and implement a risk treatment plan, implement the selected controls, and define how to measure the effectiveness of the selected controls.
•CO: Evaluate and adjust their information security programs to reflect the results of monitoring, any material changes to their operations, or other circumstances that may impact the effectiveness of their security programs;
27001: Clause 4: Undertake regular reviews of the effectiveness of the ISMS, review risk assessments at planned intervals taking into account any relevant changes of internal and external factors, conduct internal ISMS audits at planned intervals and update security plans to take into account the findings of monitoring and reviewing activities;
•CO: Develop reasonable steps to select and oversee service providers that handle the personal information they receive from the companies;
ISO/PAS 28000:2005: The specification for security management systems for the supply chain gives organizations the requirements for establishing, implementing, maintaining and improving a management system for the security of the supply chain.
(FTC-TJX, 2008; CQR Payment Solutions; and Piersall & Williams, 2006)
ISO 27001 makes sense as a strong contender as a standard that would provide a business operating in good faith important prima facie consideration by regulators and courts if the company were to incur a breach of customers' private information. It is worth asking why there has not been movement in the courts to treat it as such. According to Kevin P. Kalinich, national managing director for insurance giant Aon in Chicago: "The lack of details in security regulations, such as SOX, HIPPA and GLBA, have been a deterrent to litigation to date. The security frameworks often used to comply with federal guidelines, 27001 (formerly ISO 17799), and the Control Objectives for IT and Related Technology from the IT Governance Institute have not yet been sanctioned by court decisions. In fact, there have been lawsuits that have sought to establish a precedent of such security frameworks, but they have been settled out of court" (Kalinich, 2008).
It also is worth examining how ISO 27001 offers organizations significantly different and superior practices to protect information, compared with the PCI DSS standard that enjoys a privileged status in some legislation but has been involved in huge thefts of data. By putting PCI DSS into statutes, lawmakers are placing an obviously less-secure standard ? one created by a specific industry for a single type of information and that functions essentially as a "checklist" for compliance ? into a priviliged regulatory position.
"PCI is basic security. It is a necessary baseline, but not sufficient (floor ? not the ceiling!). PCI is also about cardholder data security, not the rest of private data, not your intellectual property, not SSNs, etc. It also covers confidentiality, and not integrity and availability" (Chukavin, 2009).
Security expert Ken Stasiak, founder and CEO of SecureState LLC, adds ISO 27001's strength to this reasoning: "The PCI standard, as a compliance-based approach, is concerned with one type of data, credit cards. ISO 27001 is the only framework that is security focused and designed for all data. ISO is the best approach to satisfy all existing compliance and should handle new compliance" (Stasiak, 2008).
Hannaford Brothers and TJX both claimed compliance with PCI, but their relationship with PCI compliance points out additional problems with that standard.
Hannaford received PCI certification on Feb. 27, 2008, and had been certified as meeting the standard in 2007 (McGlasson, 2008). Hanniford had compliance with PCI despite significant security problems; this would be far less likely to happen to an ISO 27001-compliant firm because the processes and measurements of 27001 are so comprehensive. " 'A PCI Assessment is a "point in time" assessment,' (says David Taylor, president of the PCI Security Vendors Alliance). 'Things can change in the network, and elsewhere in the systems and procedures that cause the company to "fall out of' compliance." This is why a company cannot expect that a once-a-year assessment protects them (like an insurance policy) for a whole year' " (McGlasson, 2008).
Similarly, TJX ? which the FTC determined failed to use reasonable and appropriate security measures to prevent unauthorized access to personal information on its computer networks ? had passed a PCI DSS audit (FTC, 2008). "One PCI DSS auditor, who requested anonymity because he is involved in the TJX investigation, said the Framingham, Mass.-based retail giant was also the victim of lax auditing. ... The auditor said TJX passed a PCI DSS check-up, but that the auditor failed to notice some key problems. 'They had no network monitoring and no logs, and they had unencrypted data. But this wasn't picked up by the auditor. They passed the Level 1 inspection and shouldn't have' " (Brenner, 2007).
While poor auditing can happen at any business, the rigors involved in the risk management security approach of ISO 27001 makes such a grievous lapse as the one that occurred at TJX unlikely at a company maintaining ongoing compliance with 27001.
Another concern that clearly indicates the philosophical and practical differences between 27001 and PCI DSS comes from the underlying goals of PCI and ISO 27001. As essentially a "checklist" standard, PCI doesn't by its nature drive business improvement the way 27001 does.
"Unfortunately, the notion of PCI compliance has become abstracted from actual security. Merchants can game the system to become 'compliant' without necessarily improving the safety of card data. ... Despite mandating a variety of security mechanisms and regular audits, our investigation shows that (PCI) ... can be manipulated so merchants seem compliant without actually making their data stores more secure" (Conry-Murray, 2008).
Said security consultant Kouns, "While a technical security control may provide protection for a time, a well-established risk assessment methodology will provide the means for an organization to protect their business at all times" (Parry, 2006).
The point in these examples, far from just beating up on PCI DSS for its weaknesses, is to show clearly why ISO 27001 is a superior standard to PCI DSS, and to emphasize that as lawmakers write standards into law, they would be better off invoking 27001.
Beyond that, in cases where no data security standard is specified by law, regulators would be wise to take businesses' compliance with 27001 as prima facie evidence of good faith efforts to protect private information from data breaches.
Chronology of Data Breaches. March 19, 2010. Privacy Rights Clearinghouse. http://www.privacyrights.org/ar/ChronDataBreaches.htm#Total.
Tedder, K. January 2010. A First Data White Paper: Don't Wait for a Data Compromise. https://www.firstdata.com/en_us/insights/data-compromise?cmpid=PaidSearch:ThoughtLeadership:Data_Compromise:data_breach&utm_source=adwords&utm_medium=cpc&utm_term=data_breach&utm_content=Phrase&utm_campaign=Risk_Management&gclid=CKCdyZqixaACFRXxDAodCXyaaQ.
Hunton & Williams LLP. June 17, 2009. Client Alert: Nevada Updates Encryption Law and Mandates PCI DSS Compliance. http://www.huntonprivacyblog.com/2009/06/ articles/information-security/nevada-updates-encryption-law-and-mandates-pci-dss-compliance/ Oxford University Press. 2009. A Dictionary of Law. Via Mirlyn, University of Michigan libraries.
Freeman, E.H. Sept./Oct. 2007. Holistic Information Security: ISO 27001 and Due Care. Information Systems Security. Vol. 16, Iss. 5; p. 291.
JBW Group International. 2009. Services: Risk Management and Compliance. http://www.jbwgroup.com/services_risk.html.
JBW Group International. 2009. An Executive Update, Executive Update Volume 2 Number 2 April 2009. http://www.jbwgroup.com/informationassurance_updates.html.
Tomhave, B.L. Aug. 16, 2005. Alphabet Soup: Making Sense of Models, Frameworks, and Methodologies, v2.0, http%3A%2F%2Ffalcon.secureconsulting.net%2Fpapers 2FAlphabet_Soup_v2.doc.
Smedinghoff, T. J. SA Conference 2009. Information Security Law: The Emerging Global Standard for Compliance. PowerPoint presentation 4/22/2009. www.wildman.com/article/Information_Security_Law_-_The_Emerging_Global_Standard_for_Compliance_-_Tom_Smedinghoff_RSA_2009.pdf.
JBW Group International. Federal Sentencing Guidelines for Effective Ethics and Compliance Programs and ISMS Requirements Alignment. p. 1. ISO-Sentencing Guidelines Mapping.pdf.
Patrick Sullivan, JBW Group International, Minneapolis, Minn. March 19, 2010. E-mail to Mark Thompson-Kolar (used with permission).
JBW Group International. About Information Assurance & Security: Frequently Asked Questions. http://www.jbwgroup.com/informationassurance_faqs.html.
Wolcott Group. March 2007. Raising the Standard of Information Security Governance with ISO 27001. p. 3. www.wolcottgroup.com/documents/WG_ISO27001PoV_0607C2.pdf.
Federal Trade Commission. March 27, 2008. Agency Announces Settlement of Separate Actions Against Retailer TJX, and Data Brokers Reed Elsevier and Seisint for Failing to Provide Adequate Security for Consumers' Data. http://www.ftc.gov/opa/2008/03/datasec.shtm.
CQR Payment Solutions. White Paper: ISO 27001 in detail. http://www.cqrpayments.com/
Piersall, C., & Williams, N. January-February 2006. ISO/PAS 28000 applies management system approach to security of global supply chains. ISO Management Systems. www.iso.org/iso/supply.pdf.
Kalinich, K. P. March 26, 2008. Legal exposures to the Maxx: Insurance for Breaches of Data Privacy and Information Security, Aon Corp. pp. 16-17, http://aon.mediaroom.com/file.php/252/Privacy+and+Security+White+Paper+2008.doc.
Chukavin, A. November 2009. PCI DSS Myths 2009: Fiction and Reality. http://www.slideshare.net/anton_chuvakin/pci-dss-myths-2009-myths-and-reality (slide).
Stasiak, K. Food Marketing Institute. March 2008. Information Security Best Practices & Security Breaches. http://www.docstoc.com/docs/18340816/Information-Security-Breach.
McGlasson, L. April 4, 2008. Hannaford Data Breach May be "Tip of the Iceberg." BankInfoSecurity.com. http://www.bankinfosecurity.com/articles.php?art_id=810.
Brenner, B. Nov. 5, 2007. Don't blame PCI DSS for TJX troubles, IT pros say. SearchSecurity.com. http://searchsecurity.techtarget.com/news/article/ 0,289142,sid14_gci1280854,00.html.
Conry-Murray, A. Feb. 23, 2008. PCI and the Circle of Blame. InformationWeek. http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=206800867&pgno=1&queryText=&isPrev=
Parry, P. 2006. Information Security Paramount Concern for CEOs – Especially Now. BSI Management Systems. www.efortresses.com/refdocs/BSI-News-Release-08-2006.pdf.