Bibliographic information of the ‘Deutsche Bibliothek’ (German Library)

The ‘Deutsche Bibliothek’ lists this publication in the German National Bibliography; detailed bibliographic data is retrievable on the Internet at www.dnb.de.

© 2017 Jacqueline Naumann

The work at hand is copyright protected in its entirety. All rights reserved, in particular the right of translation, presentation, reproduction, duplication on photomechanical media.

Production and Publishing House: BoD - Books on Demand GmbH, Norderstedt, Germany.

ISBN 978-3-7528-5765-8

German First Edition, 2017

Translation to English, 2018

Author: Jacqueline Naumann

Book cover: Corina Liebmann

Illustration: Florentine Naumann

Translation: Übersetzungsbüro SCHNELLÜBERSETZER GmbH

Brief overview

  1. Introduction
  2. Appointment as ISO
  3. Expectations of interested parties
  4. Asset management
  5. Risk analysis
  6. SoA
  7. Human Resources Security
  8. Information security incidents
  9. Supplier relationships
  10. Malware
  11. Logging
  12. Backup
  13. Screen lock
  14. Entry control
  15. Disposal
  16. Software Development
  17. Documented business processes
  18. Contact with public authorities
  19. Safe development
  20. User registration and deregistration
  21. Privacy
  22. Utilities
  23. Uninterruptible power supply
  24. Passwords
  25. Devices and operational means
  26. Physical and environmental security
  27. Monitoring
  28. Internal audit
  29. Management evaluation
  30. Closing statement

Dear reader,

Thank you for selecting this book.

Information security is currently a hot topic that has picked up speed, in particular due to the new IT Security Act.

Dear Information Security Officer, I hope that this book can offer you the succour you need to tackle your new tasks diligently and enthusiastically.

Yours sincerely, Jacqueline Naumann

Trainer, Consultant, Auditor of iXactly IT and System Consulting

iXactly is your service provider for seminars, consultancy and audits for your ISMS.

Gostritzer Straße 61, 01217 Dresden, Germany

Many thanks

to Florentine Naumann for the illustrations in the book!

Your new tasks as ISO within easy reach

Your appointment as ISO

1 Introduction

When designating or appointing the Information Security Officer (ISO), it often happens that the appointed staff member is completely taken by surprise.

On the one hand there is the joy and the pride that the superiors consider the ISO capable of accomplishing this task. On the other hand there is the shock that from now on additional and, above all, unknown tasks will land on one’s desk and that one could fail.

Most new ISOs fear that the staff are just lying in wait for the new ISO to fail and are reviewing and evaluating the new ISO’s every step from a distance.

This book is intended for the Information Security Officer, who is very concerned about this task and wonders if he is even capable of implementing an ISMS in his organisation.

1.1 Get acquainted with the ISO in the book at hand

The book portrays many real life examples from actual events. To ensure anonymity, I use so-called black sheep, who are blamed for all oddities.

In my book, the black sheep for our fictitious organisation called T34M is referred to as T34M-L34D. T34M is a fictitious organisation which produces news and is one of the Critical Infrastructures (CRITIS) that the new IT Security Act forces to implement an ISMS by 2018.

T34M-L34D is the ISO being interviewed in the book, or who is simply conveying the facts.

When the company was founded, the organisation gladly replaced the letter E with 3 and the letter A with 4, as some aspiring hackers do using 'Leetspeak'.

T34M-L34D represents hundreds of customers, colleagues, employees, and seminar participants with whom I have spoken during the last 15 years or who I simply listened to.

T34M-L34D’s narratives are real life examples that are meant to show the new ISO how quite curious incidents regarding information security can sometimes occur in any organisation.

T34M-BO$$ represents the top management for T34M. He has relatively little to say, since T34M-L34D as an ISO has all the tasks and topics on his table and has to work through them.

T34M-ADMIN is employed as administrator at T34M.

T34M-EXTERN is a fictitious service provider to whom all quotes from real service providers are attributed.

1.2 Anonymity

The numerous quotes from customers, suppliers, external service providers, former colleagues and seminar participants are anonymised. In the event that a quote appears familiar to a reader, I would like to point out that many challenges are not unique to one organisation and therefore quotes can be very similar. No reader has to worry if he thinks he recognises his words in a quote. The collected quotes extend beyond a 15 year timeline.

1.3 Symbolism of the sword

As a new ISO, you have the opportunity to pull the sword out of the stone and to herald big changes in your organisation.

Have fun reading and learning!

Roles and responsibilities in the ISMS

2 Appointment as ISO

You accomplished it. You are the new ISO in your organisation. How did you get this title?

2.1 Real life example: Black Peter – the blame-the-other-one game

A conversation during a seminar regarding the appointment as ISO:

Interviewer: "How did you get your job as ISO?"

T34M-L34D: "Oh, nobody wanted to become ISO, so we played the German card game Black Peter and I lost."

T34M-L34D2: "It was nearly the same in my case."

2.2 Your remit as ISO

Do not feel a sense of sorrow if you had a similar experience, just consider your new role as an enrichment.

ISO/IEC 27001 Chapter 7.2 Competence

Request ISO/IEC 27001 training to prepare yourself for your new role. In Chapter 7.2, ISO 27001 requires that you have the necessary competence and that you are trained if necessary.

The training certificates will be checked by the auditor during the certification. You should forward a copy of the certificates to your HR department.

2.3 Real life example: New job with ISO role

An ISO told me how he initially got his role as ISO:

T34M-L34D: “I actually applied for a job as a web developer and was invited to an interview. The interview went quite well. In the end, I was told that if I would also take on the role of ISO in addition to the job as a web developer, I would immediately get my offer letter. I was surprised and unsettled.