27. Information Security Standard 01. ISO 27001 Information Security Standard
ISO 27001 Information Security Standard (ISS):
1. Compliance with the ISO 27001 Information Security Standard is managed by the Information Security Manager (and Data Protection Officer) using this Information Security Management Service.
2. Information Security management objectives include:
   (1) To ensure that bespoke application services do not stop and cannot be stopped.
   (2) To ensure that no single point of failure exists in any infrastructure.
   (3) To replicate equipment so that the effect of a hardware failure cannot be detected by a person using a bespoke application service.
   (4) To be comfortable that business continuity is adequate to survive any hurricane, tsunami, tornado, fire, flood, gas leak or smoke.
   (5) To ensure that bespoke application services continue when electrical power is down, when water mains are not working and when fuel shortages make travel impractical.
   (6) To be certain that, in the event of a pandemic that prevents people from coming together, bespoke application services will continue without any major issues.
   (7) To build an environment that can survive a sustained distributed denial of service (DDoS) attack.
2. Glossary of Terms:
   ISM means Information Security Manager, the person responsible.
   DPO means Data Protection Officer, the person responsible jointly and severally with the ISM.
   ISS means Information Security Standard, that is, ISO 27001 and its associated family of standards.
   ISMS means Information Security Management Service, the documentation application that makes it all happen.
   ICO means Information Commissioner's Office, the enforcement regulator.
   GDPR means General Data Protection Regulation, the legal obligations to protect Personally Identifiable Information.
   PII means Personally Identifiable Information, which is subject to data protection principles.
   PECR means Privacy and Electronic Communications Regulations, the legal obligations when dealing with marketing and sales information.
Information Security Management Service - Chapters:
1. Introduction to identify the nature and roles of the parties involved.
2. Executive Summary as a summary of the key provisions deployed.
3. Glossary of the terms used to manage the BCMS.
4. Context of the Organisation to identify the parties and responsibilities.
5. Leadership as how qualified experts working with external auditors build and maintain compliance.
6. Planning to identify what can go wrong at the infrastructure and personal level.
7. Support to ensure that lines of communication are adequate when faced with physical disasters.
8. Operation to ensure that bespoke application services do not stop and cannot be stopped.
9. Performance Evaluation to audit, with the help of the best industry experts in the world, to identify areas for improvement.
10. Improvement to relentlessly and continually improve business continuity.
2. Plan Do Check Act (PDCA):
1. Plan is covered by Context of the Organisation (4), Leadership (5), Scope of the EMS, Internal and External Issues, and Needs and Expectations of Interested Parties, to establish the objectives and processes needed to deliver results in accordance with the Information Security policy.
2. Do is covered by Support (7) and Operation (8) as the implementation of the processes as planned.
3. Check is covered by Performance Evaluation (9) to monitor and measure processes against the Information Security policy, including its commitments, objectives and operating criteria, and to report the results.
4. Act is covered by Improvement (10) to take actions to continually improve.
3. Information Security Policy:
1. The business is the provision of bespoke application services, with continual improvements, to companies in all parts of the world. The Application Service Provider (ASP) is a supply chain of independent companies working in partnership who may act like, and can be treated as, a single company; however, no one company could expect to recruit and retain the large spectrum of qualified skills and experienced knowledge needed to provide bespoke application services to many companies in many countries. The business is an internet-based service to any kind of computing device, without the provision of any hardware or software. Information Security factors apply to the multitude of data centers that provide the service and to the people who manage the service.
2. The Information Security Policy is to provide bespoke application services that do not stop and cannot be stopped. The primary business continuity principle is the use of a large number of replicated data centers, where each data center houses a large number of redundant servers. In the event of a server failure, business continues to be provided by other servers. In the event of a data center failure, business continues to be provided by other data centers.
4. Information Security Audit:
1. The quality audit to the ISO 22301 standard shall only be conducted on chapters 4 to 10 of the BCMS. Chapters 1 to 3 are not audited and do not need to comply with any standard.
2. The DPO advocates Replicated Encrypted Data (RED) as a technical method for mitigating information security risk.
5. Roles:
1. Each bespoke application service owner is responsible for their own Internet connections and all local infrastructure, which may include any kind of desktop, laptop, tablet or smart phone. An owner may choose to have multiple Internet connections via different Internet Service Providers and may choose to keep wireless mobile devices as a backup. If the ISP has a failure or power is lost, business may continue to be provided via any smart phone using the mobile network.
2. The application service provider is using ten distributed data centers in 2016 and expects to be using twenty replicated data centers by the end of 2017. The number of secure data centers that house racks of redundant servers will grow to one hundred before 2020.
3. In the event of a failure of one data center, business continues to be provided using replicated data from another data center. It is considered very unlikely that all distributed data centers in many countries could fail at the same time.
4. Business data is encrypted and replicated to each data center, where the encryption means it is plausible to say that the business data does not exist in any specific place. It is considered very unlikely that any specific data could be lost from all data centers at the same time.
5. It is understood that some agencies may be able to gain access to and copy any encrypted business data from any data center. It is a policy to ensure that all excessively encrypted data is always unreadable, meaningless and worthless to a criminal. It is a policy that no one person has access to the keys, methods and knowledge needed to decrypt any business data.
6. Audit Planning:
1. Bespoke application services never stop and cannot be stopped. By design, application programs have been replaced by an artificial intelligence assistant that does not have programming vulnerabilities and does not need maintenance patches. Business rules are continually improved in a knowledgebase without any downtime.
2. More and more secure data centers are being added, and each data center houses more and more redundant servers. While competitors consolidate servers with virtualisation, the ASP chooses to operate with a large number of highly dedicated servers that do one job and cannot be made to do anything else. Web servers run in parallel, so in the event that any one web server fails, the end user will never notice as the bespoke application service continues using other web servers. Application servers run in parallel, so in the event that any one application server fails, other application servers continue to provide the same bespoke application services.
3. All servers are powered by batteries, and the batteries are continually charged by solar panels and/or wind turbines. Batteries may be topped up from mains power from time to time if needed. Costs are minimised by using free renewable energy for the majority of the time, and this also means that a data center does not fail when its mains power is lost.
4. Each data center will have at least two separate and independent high speed Internet connections. By renting space in the data centers that provide the Internet backbone, very high speed connections can be rented that eliminate ISP network issues.
5. Most single points of failure have been identified and redundant equipment installed to be used when needed, but no data center can be perfect. Software based networking means that people using one data center can quickly be switched to use another data center. All business data is replicated, so backups, recovery and restart have become obsolete.
7. Disaster Planning:
1. In the event of a pandemic, such as the bird flu outbreak, where people should not travel and congregate in one place, bespoke application services can continue to be provided to any kind of computer in any approved location. This could be people working from home or working in a remote office with different equipment on different networks. This may include people using their smart phones in any location to continue to access their bespoke application services.
2. In the event of a fuel shortage, such as when fuel tanker drivers were in dispute and people could not get fuel for their cars, business can continue from other places. Commuting can be reduced with car sharing and teams selecting alternative places of work, so long as their bespoke application services can continue to be provided.
3. In the event of a fire that burns the office and all equipment to the ground, alternative equipment may be rented in a different location and business can continue using the same bespoke application services. No constraints are placed on the computers that may be rented, with any version of any operating system and without the need for any software to be downloaded.
4. In the event of a flood where people cannot access their normal place of work, business can continue from any other location and some people may have to work from home. An Internet connection by landline or mobile network is the only constraint on the place of work.
8. What will happen:
1. Business continuity involves a degree of determining what changes are taking place and how those changes will impact bespoke application service provision. By monitoring history and documenting trends, business continuity improvements can stay one step ahead of business requirements.
2. The switch in retailing from physical shops to the internet has had a lot of impact and will continue to impact all retailers. The switch from products to services is a more interesting evolution that has seen the reduction in manufacturing and the growth of FinTech.
3. Banking is evolving as the use of cash declines and payment by smart phone becomes more effective. The reduction in cash, the reduction of retail shops and the reduction of products come together, with one trend influencing the others.
4. The reduction in the use of CD, DVD and USB storage devices is almost complete; everything is becoming online and realtime with a smart phone. The smart phone will replace the TV remote control and replace physical door keys; your smart phone is like a passport.
5. Physical paper documents are declining as physical signatures have been replaced with cheaper online services. In the same way as emails replaced letters, paper tickets become an icon on a smart phone and evidence is by registered online services rather than a signature.
6. The effect of these trends is very high levels of automation, where business continuity is not just nice to have; it is mandatory.
Document Control:
1. Document Title: ISO 27001 Information Security Standard.
2. Reference: 162701.
3. Keywords: ISO 27001 Information Security Standard.
4. Description: ISO 27001 Information Security Standard (ISS).
5. Privacy: Public education service as a benefit to humanity. This is not legal advice.
6. Issued: 13 Feb 2017.
7. Edition: 1.1.