Laptop Roaming

Accounting Firms’ Security Exposed

February 2006 was not a great month for Ernst & Young in the US, which admitted, after being confronted by journalists, to having had a number of laptops stolen. A high-profile casualty of the thefts was Sun Microsystems’ CEO, Scott McNealy, whose personal information (including his Social Security number) was compromised. Of the machines reported stolen, some were taken from a conference room whilst the E&Y auditors were out at lunch; the laptop holding McNealy’s information was stolen from a car belonging to an E&Y employee.

Closer to home, there were further revelations in February when the Secretary of State for the Department of Trade and Industry (DTI) reported that 21 laptops had been stolen from DTI buildings over the previous 12 months (as well as a monitor and 8 data projectors!), and the Office of the Deputy Prime Minister disclosed that five laptops had been stolen from buildings the Department occupied over the same period.

According to the web site www.juststolen.net, as many as 1 in 10 laptops are half-inched during their lifetime, so these reports are not all that surprising. They also go a long way towards demonstrating the need for hard-drive encryption, which keeps the sensitive data on the machine (email, for instance) in an area of the disk that is unreadable to anyone who does not hold the decryption key. The protection only holds, of course, if the key doesn’t travel with the laptop: a passphrase written on a sticky note, or a machine left logged in or merely suspended with the volume unlocked, hands the thief the data along with the hardware. Even if a theft never happens, encryption provides assurance that a prudent control is in place. Many security-savvy people also make use of laptop locks. Whilst not unbreakable (think bolt-cutters), a lock is yet another layer of security that can deter thieves on the lookout for an easy target.

These are just a few of the controls that should be considered as part of a broader strategy, and these embarrassing predicaments are further examples of where the information security management standard ISO 27001 (the international successor to BS 7799-2) would have saved many blushes. With the worldwide number of certified companies now well over 2,000, including the company I work for, incidents like these should be on the decline. That well-managed security controls really do work is illustrated by the recent announcement from APACS that the amount lost to card fraud in the UK fell for the first time in a decade following the roll-out of chip and PIN.

To provide a balanced view, E&Y is not the only red-faced accounting firm in America when it comes to security lapses. Anti-virus company McAfee had to advise 9,000 current and former employees that a CD holding their names and Social Security numbers had gone missing after a member of staff at McAfee’s auditor, Deloitte & Touche, left the unencrypted CD in an aeroplane seat-back pocket. Needless to say, all parties involved will have everything crossed that the CD doesn’t fall into the hands of identity thieves.

Information Security Professional Institute Launched

An interesting development in the security industry is the recent launch of a professional institute for information security practitioners. Whilst the concept of such an institute is familiar to those in the accounting field, until now nobody had firmly taken the lead in security.

The Institute for Information Security Professionals (IISP) is a UK-based body addressing the profession on a global basis, and its aim is to act as a governing body for the industry. This incorporates managing qualifications, structured mentoring programmes and providing a platform for lobbying.

Recent years have seen new requirements such as the Payment Card Industry Data Security Standard (an industry standard rather than legislation) and the Sarbanes-Oxley Act impact organisations like never before, and the need to engage information security professionals has consequently become more common. The question is: just how do such professionals prove that they have the expertise? Enter the IISP.

After attending the launch of the IISP in London, I caught up with Chief Executive Nick Coleman. He confirmed that a major goal of the Institute is to ensure that members are independently verified against evidence of their purported expertise, including vetting of applicants’ experience and qualifications.

The IISP is supported by big and small names in the industry from around the world, including UBS, the National Hi-Tech Crime Unit, IBM, HP and the DTI.

Over the years I’ve worked in the IT field, I have encountered a number of individuals, from various industries, who admit freely that they ‘blagged’ their way into the positions they hold. Many eventually get found out, but many others continue to hold down important positions, and in information security this is plain dangerous. The industry has been crying out for something like the IISP for a long time to help weed out these impostors.

Alan Phillips MBCS
Alan Phillips is a registered BCS security practitioner and contributing author of IT security training courses at 7Safe, an independent information security services consultancy delivering an innovative portfolio of services including penetration testing, ISO 27001 consulting, forensic investigation and information security training courses.