Transcript – ISO/IEC 27001 Information Security for Loyalty Schemes

KN: Katarzyna Nawrocka, „On Loyalty Schemes at Night”..

The security of the loyalty programme management software developed by i360 is one of the main pillars of our growth. Today, I am delighted to welcome Rafał Malon, with whom I will be discussing the key challenges in ensuring information security. Good evening.

.

RM: Good evening.

.

KN: Rafale, we’re going to be talking about information security. But before we do, I’d like to ask you to tell us what the Malon Group, of which you’re the CEO, does.

.

RM: Yes. We specialise in implementation projects, consultancy projects and training programmes relating to management systems. In the broadest sense. There are a great many management systems on the market. We cannot say that we specialise in any one in particular; we support businesses that wish to achieve certain outcomes and results that these management systems provide. This includes, amongst other things, ultimately obtaining a certificate confirming that their operations comply with a specific management system or management standard.

.

KN: As for this certificate, I’m asking because, off-camera, we had the pleasure of discussing the fact that you’ve had audits both yesterday and today – some behind you and some ahead of you. So I take it that this is how you operate – you check what the safety assurance system is like at these companies?

.

RM: Yes, we assess the current situation within companies and, if we identify any discrepancies or gaps in relation to the standards and the requirements set out within them, we then launch a project aimed at ensuring compliance. In other words, we implement all these requirements, and the solutions that stem from them, into the day-to-day running of the organisation. So, once we have identified any gaps or discrepancies, we carry out all the necessary measures to ensure compliance. Next, of course, we must verify whether this has already been achieved before an independent body arrives to check whether compliance is, in fact, in place or not.

.

KN: The website of the company you run shows us just how many different areas you cover. We’ll also find plenty of abbreviations there that we could demystify today and explain to our viewers, so that they can navigate them and understand them.

.

RM: I suppose the key term used there – though it’s hard to call it an abbreviation – is, of course, ISO. ISO refers to the standards and specifications issued by the International Organisation for Standardisation, which is very often referred to simply as ISO. Alongside this committee, or rather, this committee often collaborates with other committees such as the IEC. This is the committee responsible for standardisation at an international level in the fields of electronics and electrical engineering. One such example of a standard issued by both of these standardisation committees – that is, by ISO and the IEC – is ISO 27001, which sets out the requirements for an information security management system. However, there is a very large number of standards setting out requirements for management systems. Of course, these organisations do not deal solely with management systems, nor are they limited to standardisation in this field. They also deal with standardisation in areas such as technical matters relating to products, processes and services – in fact, virtually everything imaginable. As an organisation, ISO has already published several thousand standards that are recognised worldwide. On our website, you can also find many other abbreviations and terms. These very often stem from the nature of a particular standard, or serve as a way of identifying it, setting out the requirements that must be met by a given organisation. Other abbreviations or terms that you may come across on our website relate to information security. Of course, there is also the term ‘GDPR’. The GDPR, which you have already discussed in one of the episodes.

.

KN: Let me just interrupt you for a moment to say that we’ll post a link to this episode below so that our viewers can watch it too. And I’m really glad you’ve seen it.

.

RM: Of course, absolutely. Yes, the GDPR – and, of course, not just the GDPR, but also our entire national legislation – is also linked to information security, which is, of course, geared towards the protection of personal data. But we have other terms as well. One term that comes up is „TISax” – is an assessment method, an assessment system developed by the German association of manufacturers in the automotive sector, the aim of which is, in fact, to ensure certain standards for information processing and data processing, and to guarantee their security specifically within the automotive sector. Specific to the automotive sector. This standard is entirely consistent with the aforementioned ISO 27001, as it is, in fact, based on that standard. It has simply been expanded to include these specific features. There are many other terms as well. These include, for example, standards developed by various associations. Take the TAPA standards, for instance – these are supply chain security standards. They cover security in road transport, for a start, as well as security in warehousing. All these abbreviations and terms are explained in detail on our website. There are so many of them that we wouldn’t be able to list them all here.

.

KN: Just to make it clear, we’ll show you a chart in a moment with these abbreviations and explanations.

.

Of course.

.

KN: Nowadays, a loyalty scheme cannot function without an IT system. How can the developers of such a scheme ensure security?

.

RM: Yes, the concept of security and information security is a very broad one here. We must bear in mind that, in traditional parlance, the term ‘security’ is very often understood to mean solely confidentiality, which is in fact just one aspect – one of the three main aspects – as we also have to deal with the other two, which are equally important: availability and integrity. After all, what’s the point of having highly secure data if, for example, the system operators of this loyalty scheme cannot access it because it is too heavily secured? So availability is just as important, as we would be unable to carry out our core business activities. And then there is integrity, understood in the broadest sense as the reliability, consistency and non-repudiation of this information. What’s the point of having information available to those who need it to carry out their professional or official duties, or to participants in these loyalty programmes so that they can access, for example, information about their account? What is the point of having this access, or of ensuring confidentiality – that is, protecting this information from outsiders and third parties – if, for example, the information in the system is distorted, unreliable or inconsistent? You get out what you put in. So, in reality, all three of these aspects must be guaranteed.

.

KN: So we have security, integrity and availability.

.

We have confidentiality, availability and integrity.

.

KN: Thank you for clarifying that.

.

RM: And now, when we’re actually developing this type of software – in fact, even at the stage where we’re defining its functionalities – the company has already defined those security-related functionalities, those features that this software should have, aimed at ensuring security in precisely these three aspects. Availability, confidentiality and integrity. Why at this stage? Because it is essential to avoid a situation where the programme is developed – a superb system is created – and only then do we add certain security functionalities and elements to it. This must be planned for at the pre-design stage. It must then be incorporated during the design phase, when all these functionalities are defined in great detail. And, of course, during the subsequent stages of software development and maintenance. So what has been done – and what should always be done – is to pay attention at this very stage, when we are only just approaching the subject, rather than waiting until the programme or system is ready.

.

KN: There is no need to convince anyone of the importance of security. But what are the main components of such a system?

.

RM: Yes. As I have already mentioned, these are the three fundamental aspects of information security: confidentiality, availability and integrity of that information. However, if we now focus on the specific requirements that must be met here, these are set out in the ISO/IEC 27001 standard. We explained these terms and abbreviations right at the start. They simply indicate who issued the standard. And now this standard has its own structure of requirements. This structure of requirements is characteristic of all recently published ISO standards that focus on any kind of management system. They follow a 10-point structure. This structure has grouped the requirements into appropriate thematic blocks. First and foremost, the sections listed are those requirements that must be met in order to understand the organisation, so that the organisation can understand itself, its environment and, indeed, its context. All external and internal factors that have, or may have, an impact on the management system, as well as the interested parties. And the requirements and expectations of these interested parties, which should be met within the framework of this very management system. With this information, we can then proceed to the risk assessment. A risk assessment both from the perspective of information security and in terms of the information security management system’s ability to achieve its objectives. So we have the next stage, whilst all these issues are covered within this planning phase. In other words, we are really only just preparing to define our management system. Having established the foundations, we move on to implementation; that is, based on the results of the risk assessment, we have identified what changes need to be made within our organisation. Naturally, we also take into account the requirements of the ISO 27001 standard. With all this information, we draw up security policies, procedures and guidelines. In essence, we define the internal regulations we must comply with. Whilst, of course, also taking into account the requirements of those stakeholders I mentioned earlier, as well as the relevant legislation. Let’s remember that, after all, legislation on the protection of personal data is very important in the case of loyalty programmes, as a great deal of such data is processed there. Once we have implemented what we planned – that is, we have a plan and the internal regulations resulting from this planning process – we must then put in place mechanisms that will allow us to determine whether what we are doing actually complies with what we set out to do. So we need to put verification mechanisms in place, such as internal audits. This approach verifies the compliance and effectiveness of the management system, but we also need to look a little more closely – we must verify the effectiveness of the individual safeguards we have implemented as part of this system. In other words, we check whether the backup copy we created in accordance with the backup policy actually enables us to recover, for example, the system or the resources covered by that backup copy. There is a great deal that could be said about assessing the effectiveness of these security measures. I would also refer you to a very worthwhile read on this subject: the ISO 27001 standard. Among the activities aimed at verifying this system, there is another measure that is very important for management systems – a process characteristic of ISO-compliant management systems known as the top management review. In other words, from time to time, on a regular and planned basis, top management must examine the outcomes achieved by the system and the results of individual actions – their own actions. And it must determine whether this system remains useful to it, whether it is appropriate to the situation in which the company finds itself, and whether it meets its expectations. And, of course, what is characteristic – and I will repeat this again for all ISO systems – is continuous improvement. It cannot be the case that, once a system has been introduced, it provides us with such safety that we no longer need to do anything about it.

.

KN: Let me ask: is that precisely the aim of these audits – to check whether a given system is adequate, but also to see how we can improve it?

.

RM: Yes, that too, of course. That is certainly the role and purpose of these internal audits. However, let us bear in mind that these opportunities for improvement should also stem, for example, from the information we gather from our wider environment. Technology is evolving; we should keep pace with that technology, and we should ensure that our security measures are appropriate and effective in light of these technological developments. So this continuous improvement is, in fact, something that must be implemented by the organisation. We must constantly develop our system; we must simply keep improving.

.

KN: Rafale, how would you describe the role of information security management within a company?

.

RM: It is becoming increasingly important, if I may put it that way. Why? It is clear how the way businesses operate – or, more generally speaking, the way organisations operate – has changed over the years. Just think of how much information is currently being processed, not least because, to a very large extent, this data is processed electronically. Given that we have an ever-increasing amount of this data, we must also ensure it is properly secured. After all, we are not focusing solely on personal data – which has been the most high-profile issue for some time now, namely the GDPR and the protection of personal data – but when discussing information security, we must identify all information that is significant to the organisation from the perspective of strategy, development, from a business perspective – such as trade secrets. And it is precisely this information that we should protect. Protect, as I mentioned, by ensuring appropriate confidentiality so that this data does not fall into the hands of people who are not authorised to access this information or these data. But also to ensure that staff responsible for specific areas have access to it so that they can carry out their work. And, once again, as we’ve already discussed, we have: confidentiality, availability, and also integrity – so that the data and information we use in our operations are reliable, consistent, accurate and not distorted, ensuring that the results of our activities are of the appropriate quality. And the results will always be commensurate with the input we have.

.

KN: Let’s move on, then, to the objectives of ISO 27001.

.

RM: Yes. Objectives and standards set out the requirements for an information security management system. And there is more that could be said here about what the objectives of this information security management system are. I would put this proactive approach to management at the top of the list. Namely, the approach I have already mentioned. First and foremost, we should identify what could go wrong within our organisation. We need to identify all possible vulnerabilities, all possible breaches and incidents relating to information security. And then do everything we can to counteract them. Naturally, our first priority should be to eliminate these threats, but if we are unable to do so – because, after all, we have to carry on with our business operations – then we simply cannot. If we wanted to protect ourselves completely, we would simply have to cease trading. That would not be consistent with our business objectives, so at this stage, if we are unable to eliminate them, let us reduce the level of risk – in other words, let us put measures in place that will, first and foremost, reduce the likelihood of these adverse situations occurring. And if there is nothing more we can do here either, then let us at least consider what we can do to minimise the consequences should this undesirable event materialise. Finally, if we are unable to do anything further, we must simply accept a certain level of risk. This is a proactive approach – this is what we should focus on above all else. However, of course, there is also another objective of this system. When an undesirable event does occur – because only those who do nothing make no mistakes – If they do occur, we need to have a properly prepared response in place. What might such a response look like? Let’s consider, for example, situations that receive a lot of media attention. A fire in a server room somewhere, or a data breach somewhere. So let us have procedures in place which will allow us, in the first instance at least, to restore operations to normal as quickly as possible – that is, to activate our business continuity plans in this regard – and in the second instance, let us endeavour to minimise the impact of the incident that has occurred. If data is leaked, we must ensure that the people affected by that data – for example, if it is personal data – do not suffer the consequences. Or, at the very least, that we minimise any harm that might befall them. So this response – this reactive, post-event approach – is certainly also essential from the perspective of an information security management system.

.

KN: I’d like to offer a brief summary, because we’re at risk precisely because we’re taking action and because technology is advancing – as you’ve already mentioned. Well, that shouldn’t stop us from taking action, provided we have a very well-prepared contingency plan.

.

RM: Yes, you could put it that way, certainly. But let’s remember that a contingency plan is a last resort, and we should, above all, focus our efforts on prevention – in other words, on ensuring that it doesn’t happen in the first place.

.

KN: To ensure that this plan is not implemented.

.

RM: Yes, because let’s just consider, for example, i360’s operations – the portal itself that we have. After all, this portal serves some very significant clients, and it also manages the loyalty programmes for those very clients. It is, after all, vital that neither the reputation of these clients nor, ultimately, that of i360 is damaged. So a great deal of effort has been put into this – and continues to be put in – primarily to prevent incidents from occurring in the first place. And that is, without a doubt, the fundamental objective of the information security management system. But of course we also have contingency plans in place in case something goes wrong – for example, if the system were to become unavailable – to ensure that its full functionality can be restored as quickly as possible, so that the business objectives of both i360’s clients and i360 itself are maintained.

.

KN: Let us also clarify whether the ISO standard applies to the software or only to the manufacturer.

.

RM: It is true that one might infer from my earlier comments that the standard applies to software, but under no circumstances does it apply solely to software-related issues as they arise at i360. In this case, the company has adopted the view that the ISO 27001 standard applies to all of its operations. This means that it also applies to activities relating to the design, development and maintenance of this software, as well as its delivery to business partners. However, the standard has a broader scope, as it also covers, for example, information constituting trade secrets, as well as the personal data of employees working for the company and its associates. In fact, it covers all data and information relevant to the company’s operations that must be processed in order for the organisation to function at all and achieve its business objectives.

.

KN: Rafał, I’m wondering whether, now that I have ISO certification, I can feel safe and sleep soundly. What I mean is, we need to clarify whether we can equate ISO certification with secure software.

.

RM: That would be ideal, but of course it isn’t. Why? The standard sets out requirements. These form a kind of framework that still needs to be fulfilled. So, when implementing an information security management system, we must meet these requirements, but in a way that is specific to us. A way that is specific to the size of our organisation and the complexity of our assets. In fact, all kinds of resources and information that we use in our operations. Can we say that having a certificate – well, because we must also mention that certificates of compliance with this standard are issued by various certification bodies – is enough? Take i360, for example: it has held this certificate for several years now from one of the most recognisable and reputable certification bodies. And at this point, it cannot under any circumstances be said that this certificate proves that this standard is the highest, or that nothing bad can happen to us. Firstly, an audit is always carried out using a sampling method; in other words, the auditor who visits verifies a certain sample based on, for example, documents, records or interviews with staff. This means that they do not carry out a comprehensive inspection. They carry out an investigation; they conduct an audit. Secondly – let’s bear in mind what I’ve said. It’s not the case that once a system has been implemented, once we’ve put it in place, we’re done with it, we can rest on our laurels, and nothing bad will ever happen again. Not at all. Everything is constantly changing. Our environment is changing. Technological developments – and I’d like to emphasise this point – mean that we must not merely keep up, but should strive to stay one step ahead. So, in line with the requirements of the standards themselves, we must constantly improve and develop our system in order to prevent undesirable situations from arising; and yet, unfortunately, it often happens that something does occur, as I mentioned. And that is when these response plans come into play.

.

KN: And how long does it take to implement a security system like this? Perhaps you could explain, step by step, how it’s done and how long it takes.

.

RM: Of course. It obviously also depends on the size of the organisation, as the situation will be different for a small firm with just a few employees, a single location and most of the data it processes – perhaps even still in paper form these days. It will be quite different, when we have a multi-site organisation, with a larger workforce, where such volumes of data are processed – as is the case with i360, for example – and this data consists of personal data classified as ‘special categories’ which are indeed subject to this specific level of protection. So at this stage, it all depends. How short could the implementation period for such a system be? To be honest, it would depend on the extent to which the organisation already meets the requirements of the ISO 27001 standard from the outset. It is precisely for this purpose that an initial audit and a gap analysis are carried out first, so that we can identify what is in place and what is missing. Once an inventory has been carried out, and based on this information, we are then able to determine how quickly this process can be completed. Of course, it is also possible to outline a preliminary framework for such a project based on certain key information – the organisation’s specifications – but the project schedule can only be finalised in detail following this preliminary audit.

.

KN: I asked you to explain it step by step, so can we safely say that this first step is precisely this stock-taking exercise?

.

RM: Yes, that initial audit, that gap analysis, that inventory. Exactly. Next, you need to ensure that the staff involved in this project are aware of what’s going on and have the necessary knowledge – in other words, give them a bit of an overview of what we’ll be doing and the direction we’ll be taking. And, as I mentioned later, we need to plan the system – that is, to consider the organisation’s context, define it, and identify all the external and internal factors that do or may affect our system and our organisation. Identify the interested parties – that is, those stakeholders who may present us with certain requirements, or who may have a role to play in our information security management system. And, with regard to this data, carry out a risk assessment – an information security risk assessment, or what we refer to as a ‘systemic’ risk assessment – to determine what could go wrong that might prevent our system from achieving the planned outcomes. Once we have carried out this risk assessment, based on these results and taking into account the requirements of the ISO 27001 standard – particularly the security requirements set out in Annex A of that standard – we draw up the necessary internal regulations; that is, we introduce procedures and policies and guidelines to ensure that it is clearly defined exactly how things are to be carried out, so that the level of security is adequate. This ensures that the level of risk does not exceed the acceptable risk level. Once the documentation has been drawn up and implemented – and this is where the entire team, in fact, plays a very significant role, as does senior management, because it is always their responsibility to ensure that staff, that the company’s employees, are engaged in this process, that they are aware of the threats, and aware of how important it is to apply these information security regulations, a cycle of training and a range of activities must simply be provided to ensure this awareness. And once we have achieved this – although in reality it is a continuous process, it never ceases – of maintaining and developing this awareness – we can proceed to check whether, as it currently stands, the system meets the requirements of the ISO 27001 standard and, if this is the organisation’s objective, whether we are ready to undergo this external audit, this certification audit. Once the results indicate that this is indeed possible, and that when the external auditors arrive there will be no embarrassment or slip-ups, then of course these auditors are invited, and they come to they carry out the acceptance of the system; that is, as I mentioned, they use a sampling method to verify the system’s compliance. They verify whether the system is achieving its planned objectives and whether the planned results are being achieved. And if everything is in order, the certification body awards the relevant certificate.

.

KN: And that is precisely the final step – the acceptance process. But as we keep saying, this is not a process that ever ends, because we have to keep improving it.

.

RM: Yes. And this is where the role of the certification body actually comes in handy, so to speak, as it exercises constant oversight of the system. ‘Constant’ might be too strong a word, but at least it is carried out on a regular basis. It visits periodically to carry out so-called verification audits and supervisory audits. It checks whether anything has gone wrong in the meantime, whether the system is indeed still being maintained and improved as it should be, or whether something has gone wrong.

.

KN: Rafale, what role does the certification body play in this whole process?

.

RM: The role of the certification body in this case is to carry out an independent – fully independent – verification of compliance to ascertain whether the management system that has been implemented meets the requirements of ISO 27001 and whether the system is effective. This is because these audits are carried out to check both the compliance and the effectiveness of the system – in other words, whether the system is achieving its intended objectives. The certification body, as I have mentioned and would like to emphasise – an independent body – carries out a verification audit. The first is known as a certification audit. The certificate of compliance awarded as a result is valid for a period of three years. We are, of course, referring to ISO 27001 certificates. It is awarded for a period of three years; however, the validity of this certificate is maintained only if the company to which it has been awarded undergoes periodic surveillance audits, i.e. the certifying body’s auditors are granted access and permitted to carry out such a surveillance audit after a period of twelve months and a further 12 months of the management system’s operation. After these three years have elapsed, but before the certificate expires, the company must decide whether to renew, reinstate or extend the certificate – whichever term we choose to use here. And if the decision is to proceed, a recertification audit is then carried out, which marks the start of a further three-year cycle for maintaining this certificate. From there on, the process is exactly the same: further surveillance audits, followed by another recertification after three years – because it is worth noting that this management system at i360 was actually certified several years ago, and if we were to compare this system with what it was before and what it is now, the changes are truly radical. Yet the standard itself has not changed.

.

KN: All right, then. So we’ve now implemented the ISO 27001 standard, passed the audit and received the certificate. What next? Is a certificate like this valid for life?

.

RM: Yes. And as I did indeed mention, it is awarded for a period of three years. At the end of those three years, the company decides whether to extend the validity of the certificate and undergo recertification, or not. However, I would like to touch on one more important point here: what to do. Well, we’ve implemented it and been certified – what can we do with it now? Because talking about continuous improvement can sound a bit hollow, but what should we actually do as part of this continuous improvement? Here, too, we have tools provided by ISO – the International Organisation for Standardisation – such as other standards in this series. ISO 27002, in turn, sets out how the security measures outlined in the annex to ISO 27001 can be implemented. Methods of implementation and ways to develop the security measures actually used within the company. It makes for good reading and provides useful material on precisely how we could improve our information security management system. But let’s bear in mind that once a certificate has been awarded, this does not mean it will remain valid forever. Every certificate states its expiry date. So if we want to check whether our business partner holds a valid certificate, we should look at the certificate itself – we should ask them to show it to us – because we’ll be able to see until when it was valid, or until when it remains valid. Unfortunately, in this day and age, when progress is truly so rapid, we must bear in mind that if we obtained a certificate five years ago and it was valid for a period of, say, three years – until, let’s say, 2019, then a great deal could have changed during those two or three years.

.

KN: And finally, I get the impression that you’ve answered my last question. That’s because I wanted to ask in which directions a company that has successfully achieved such certification should develop?

.

RM: Yes. As I mentioned, you can use the tools available, but the most important thing here is to monitor our environment and the developments taking place. To identify whether there are any new vulnerabilities. Vulnerabilities that could be exploited by threats, thereby leading to an undesirable event, a security incident or a breach of personal data – as I mentioned, a topic that’s currently receiving quite a lot of media attention. So let’s bear in mind that this improvement involves not only responding to the changes that are taking place, but also paying attention to how we can use this system to deliver business results and achieve business objectives. In other words, what could we streamline or perhaps speed up to ensure that our business actually grows? One such example is business continuity plans and what has recently been done within the company. The time taken to resume operations in the event of network infrastructure problems has been significantly reduced. In other words, the recovery time has been drastically shortened should the risk of a failure – in this instance – actually materialise. The solutions that have been implemented have reduced this time by a factor of two or even three. This demonstrates that, following such an undesirable incident, the company is able to recover and return to normal operations two or three times faster.

.

KN: Rafale, thank you very much for the interesting conversation and for clearing up all my doubts.

.

RM: Thank you.

.

KN: I’m saying to you: see you later.

.

RM: See you later.

.

KN: And I’d like to invite you all to the next episode.

.