At TWi, we recently achieved certification under the ISO/IEC 27001 standard (commonly known as ISO 27001). ISO 27001 is the industry-wide standard for information security management, “including the selection, implementation and management of controls taking into consideration the organization’s information security risk environment(s)” (Section 1). An ISO 27001-compliant organisation implements security processes and controls that ensure confidentiality and rigorous management of its information. This includes internal information, such as personnel records, and external information, such as client data. Three characteristics of the information developer (ID) role shape how the standard applies to IDs:
- Distance: The ID often works from remote locations, both literally (teleworking and/or working in globally distributed organisations) and metaphorically (they are not the owner of the information they develop).
- Depth: The ID learns and uses a deep range of company and client information.
- Breadth: The ID usually works with multiple departments across an organisation.
These three characteristics make for a complex security profile. IDs have access to information from many departments in an organisation, but do not always work in these departments or directly with them.
So how does an organisation’s adoption of ISO 27001 affect IDs?
Distance: Working Off-site or From Outsourced Locations
Some information security processes and structures are more relevant to IDs than others. For example, Section 11.2.6 of ISO 27001 provides security standards for equipment and assets off-premises. It states that, for information belonging to the company and used by employees in their work, the use of “any information storing and processing equipment outside the organization’s premises should be authorized by management”. This condition applies both to equipment belonging to the organisation and to equipment privately owned by employees. As IDs are often independent contractors, it’s not unusual for them to use their own equipment. To meet ISO 27001, then, an organisation needs someone at management level to sign off on IDs’ use of their own equipment.
Section 11.2.6 is also relevant as it deals with teleworking, which is a common aspect of the ID role. The most relevant security conditions for teleworking are detailed in 6.2. Here, the standard defines teleworking as “all forms of work outside of the office, including non-traditional work environments, such as those referred to as ‘telecommuting’, ‘flexible workplace’, ‘remote work’ and ‘virtual work’ environments” (Section 6.2). Section 6.2.2 details many conditions for implementing the standards. For example, it requires careful consideration of the physical security of the teleworking site, threats of unauthorised access, the use of private equipment, and malware and firewall protection.
For a teleworker, Section 11.1.3 is also relevant. This section states that “key facilities should be sited to avoid access by the public”. While an ID may not be located on-site, the information they handle is almost always commercially or organisationally sensitive. For example, they may be working on intellectual property (IP) before that information is public. Therefore, an organisation should ensure that an ID does not work on such information in publicly accessible spaces, such as a café, or on unsecured wi-fi.
Similarly, 11.1.3 states that “where applicable, buildings should be unobtrusive and give minimum indication of their purpose, with no obvious signs, outside or inside the building, identifying the presence of information processing activities”. So, if an ID is working from home on a project for Google, they should not put up a sign on their lawn with the words “I Work for Google Now”.
Furthermore, according to 11.1.3, “facilities should be configured to prevent confidential information or activities from being visible and audible from the outside […] Equipment should be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.” For IDs to protect confidential client work, they should ideally dedicate a room to their work that is not accessible to anyone who is not authorised to access the organisation’s information (such as family or housemates). For audible activities, such as meetings, they should take care not to be easily overheard, for example, by wearing headphones and working in a somewhat sound-isolated space. Similarly, they should place their computer in such a way that their screen’s content is not visible to anyone else, including others in the room – or, for example, outside the window, on the street. Screen privacy filters are available which make a screen appear black to anyone not directly viewing it; these are useful to anyone working in remote facilities. A further consequence of this condition is that this material and equipment should not be left unattended (Section 11.2.6.a) and should be locked whenever it is not being used (see Section 11.2.6.c and all of Section 11.2.8).
These conditions, of course, are not specific to IDs – but they are one part of the ID’s complex security profile.
Depth: Accessing and Using Confidential Information
While IDs may often be at a physical remove from the material they work with, they still can work deeply with that material. They do not design software applications or air conditioners, nor do they write the initial explanatory comments, rough instructions, or blueprints that accompany those designs. However, they do produce the final documentation of the uses, processes, and features of software and air conditioners. Furthermore, much of the material that they work with is either confidential, a trade secret, or IP.
This raises a security issue with the possession and dissemination of confidential information. IDs encounter sensitive confidential information in a way that others do not, when it is raw, unclear, and not yet suited for general consumption. Yet, as detailed above, IDs often access it as outsiders, and at a distance.
Section 11.2.9 details a ‘clear desk policy’ for unused information, including the sensitive information handled by IDs. If it is “on paper or on electronic storage media” then it “should be locked away […] when not required”. Computers “should be left logged off or protected with a screen and keyboard locking mechanism controlled by a password, token or similar user authentication mechanism”. Similarly, “unauthorized use of photocopiers and other reproduction technology (e.g. scanners, digital cameras) should be prevented”, and “media containing sensitive or classified information should be removed from printers immediately.”
To protect this information, IDs may also need to sign non-disclosure agreements (NDAs), the standards for which are outlined in Section 13.2.4. This section lists several conditions of interest to IDs, including that the agreement specify a duration (Section 13.2.4.b) – an important condition for IDs with only temporary relationships with the organisation. In addition, the standard requires some details on what to do with the information when the relationship has ended (Section 13.2.4.i). Furthermore, the standard provides guidance on how to keep that information separate from the ID’s own equipment or network. For example, Section 6.2.2 notes that organisations can provide a virtual desktop for the ID’s work; Section 13.1.3 recommends that organisations segregate users under different domains, with different permissions for each domain.
These conditions, of course, are also not specific to IDs. Many employees use confidential information, but IDs can complicate the issue because they also frequently use it at a distance, either literally or metaphorically.
Breadth: Working Widely Across Multiple Departments
Finally, let’s consider the breadth of information that the ID role may have access to. One of the less common characteristics of the ID role is that they can work in depth with multiple departments, broadly spread across an organisation. They often don’t work closely with other IDs, instead more commonly engaging with subject matter experts such as engineers or software developers. This can make an ID’s need for permission and access unusual in the context of their organisation. It can also change throughout their employment, even when working for one client.
The following are examples of these changing needs:
- Access to network drives containing raw product data and documentation.
An ID may need access to design blueprints, test results, and application data. All of these are material for information development, as they are adapted for documentation such as descriptive drawings, equipment dimensions, or software demonstrations.
- Access to ID applications that the department employing the ID does not usually provide.
For example, to document an Engineering department’s products, an ID may need access to Adobe Illustrator to modify and label some of its drawings. If no-one in Engineering uses or has access to Illustrator, the ID may need special permission to use it. If they have it on their own computer, it raises issues with working from a private computer (see Distance above) or may violate a non-disclosure agreement (see Depth above).
- Access at times or locations not shared with other members of the department.
A teleworking ID cannot always come into the office and access systems on-site. They also may need a resource at a time when no-one else does, either after product development has ended (especially in a waterfall production environment) or at unusual hours, if, for example, they work in a different time zone.
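One way to model what Sections 13.1.3 and 13.2.4 ask for in practice, and the changing access needs listed above, is to give the ID a separate account domain whose grants to the organisation’s resources are explicit, least-privilege and time-bound, with a periodic review and an offboarding step. The following is an added illustration written for this post; it is not code from TWi or from the standard, and the account name, resource names, domains and dates are constructed for the example.

```python
# Added illustration, not code from the TWi post or from ISO 27001 itself:
# a minimal model of segregated, time-bound access for an external ID.
# Account name, resource names, domains and dates are constructed for the example.
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Grant:
    resource: str        # e.g. "eng-drive:blueprints"
    actions: frozenset   # e.g. frozenset({"read"})
    expires: date        # end of the NDA / engagement (cf. Section 13.2.4.b)


@dataclass
class Account:
    user: str
    domain: str          # "staff" or "contractor" (cf. Section 13.1.3)
    grants: list = field(default_factory=list)


# Each resource belongs to one domain. A contractor-domain account reaches
# a staff-domain resource only through an explicit, expiring grant.
RESOURCE_DOMAIN = {
    "eng-drive:blueprints": "staff",
    "eng-drive:test-results": "staff",
    "docs-vdi:illustrator": "contractor",  # virtual desktop carrying the tool (cf. 6.2.2)
}


def grant_access(account, resource, actions, expires):
    """Record a grant. Every grant carries an expiry, so access cannot outlive the engagement."""
    if resource not in RESOURCE_DOMAIN:
        raise ValueError(f"unknown resource: {resource}")
    account.grants.append(Grant(resource, frozenset(actions), expires))


def is_allowed(account, resource, action, today):
    """Deny by default; return (decision, reason) so every decision is auditable."""
    for g in account.grants:
        if g.resource == resource and action in g.actions:
            if today > g.expires:
                return False, f"grant expired on {g.expires.isoformat()}"
            scope = "same-domain" if RESOURCE_DOMAIN[resource] == account.domain else "cross-domain"
            return True, f"{scope} grant valid until {g.expires.isoformat()}"
    return False, "no grant"


def expired_grants(accounts, today):
    """Periodic review: grants that have lapsed but were never cleaned up."""
    return [(a.user, g.resource) for a in accounts for g in a.grants if today > g.expires]


def offboard(account):
    """End of the relationship: revoke everything and return what the ID held,
    so information owners can follow up on any copies (cf. Section 13.2.4.i)."""
    held = sorted({g.resource for g in account.grants})
    account.grants.clear()
    return held


def demo():
    """Walk one contractor account through an engagement and return the outcomes."""
    nda_end = date(2024, 6, 30)
    writer = Account("ann.writer", "contractor")
    # Read-only on the engineering drive, read/write on the ID's own virtual desktop.
    grant_access(writer, "eng-drive:blueprints", {"read"}, nda_end)
    grant_access(writer, "docs-vdi:illustrator", {"read", "write"}, nda_end)
    during, after = date(2024, 5, 1), date(2024, 7, 1)
    out = {
        "read_blueprints_during": is_allowed(writer, "eng-drive:blueprints", "read", during)[0],
        "write_blueprints_during": is_allowed(writer, "eng-drive:blueprints", "write", during)[0],
        "read_test_results_during": is_allowed(writer, "eng-drive:test-results", "read", during)[0],
        "read_blueprints_after": is_allowed(writer, "eng-drive:blueprints", "read", after)[0],
        "lapsed_after": expired_grants([writer], after),
    }
    out["offboarded"] = offboard(writer)
    out["read_after_offboard"] = is_allowed(writer, "eng-drive:blueprints", "read", during)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is that nothing is implied by department membership: the ID gets exactly the actions on exactly the resources the documentation task needs, the grant dies with the NDA date, the review step surfaces anything that was not cleaned up, and offboarding produces the list of resources the information owners need to follow up on.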
ISO 27001 does not offer specific guidelines and controls for dealing with these complex security needs. However, it does provide a standard that several organisations can share, allowing any bespoke adaptations to be easily transferable from one organisation to another. At TWi, we take annual IS awareness training, sign confidentiality agreements, and, when working on client projects, often sign further NDAs. From an organisational perspective, the benefits of good information security practices are clear.