Audio version of the article
Most organizations today have some sort of relationship with special interest groups. They may be a customer group, supplier group, or a group that has some influence in the organization. The purpose is to ensure appropriate flow of information takes place with respect to information security among these special interest groups. A special interest group may be defined as an association of persons or organizations with an interest in, or working in, a certain field of expertise, where members cooperate / work to solve issues, generate solutions, and acquire knowledge. In our situation, this area of expertise would be information security. You must identify and document any professional associations, forums or interest groups you are part of or can be part of. Specialist forums, professional groups and even the government are examples of a special interest group. You are involved in getting knowledge about best practice, you are up to date with current best practices, that you get early warnings of alerts, advisories and patches being a part of special interest group. It can show that you got specialist information security advice and share and exchange information.
A 5.6 Contact with special interest groups
Control
The organization should establish and maintain contact with special interest groups or other specialist security forums and professional associations.
Purpose
To ensure appropriate flow of information takes place with respect to information security.
Implementation guidance
Membership in special interest groups or forums should be considered as a means to:
- improve knowledge about best practices and stay up to date with relevant security information;
- ensure the understanding of the information security environment is current;
- receive early warnings of alerts, advisories and patches pertaining to attacks and vulnerabilities;
- gain access to specialist information security advice;
- share and exchange information about new technologies, products, services, threats or vulnerabilities;
- provide suitable liaison points when dealing with information security incidents
Other Information
Information sharing agreements can be established to improve cooperation and coordination of security issues. Such agreements should identify requirements for the protection of confidential information.
An Information Security Management System (ISMS) is only as good as its ability to keep up with the requirements of the business and provide adequate protection against the risks the organization is exposed to. To accomplish this, information about the environment must be evaluated constantly, but who will do this? Moreover, where can this information be found? The truth is that no one in your organization, not even dedicated teams, can do that by themselves. With the use of critical information getting broader and broader (e.g., by the use of teleworking, virtual teams, etc.), IT demands became more complex, and ISMS and security needs along with it. This means that the level of effort required to cover information related to every single security aspect of your organization would make the costs prohibitive. But, you still have to monitor this information. So, how to do it? Fortunately, ISO 27001 suggests an alternative: contact with special interest groups, control A.5.6 of Annex A of the standard.
In a general way, you can define a special interest group as an association of individuals or organizations with interest in, or acting in a specific area of knowledge, where members cooperate/work to solve problems, produce solutions, and develop knowledge. In our case, this area of knowledge would be information security. examples are manufacturers, specialized forums, and professional associations. The government is another example of a special interest group.These organisations will be able to identify security dangers that you may have ignored. As a partnership, both sides may benefit from each other’s knowledge in terms of new ideas and best practices, which is a win-win scenario. In addition, these groups may be able to provide useful suggestions or recommendations regarding security practices, procedures, or technologies that can make your system more secure while still achieving your business objectives.
An organization’s ISMS needs to keep up with business requirements and organizational risks. To cover these issues, the A.6.1.4 control from Annex A suggests the following issues for you to identify a special interest group to help you:
- Best practices adopted by the market: policies, procedures, guidelines, and checklists that you can adapt to your organization’s needs.
- Market and security trends related to your industry: laws and regulations, customers’ requirements, suppliers situations your organization has to be aware of or comply with.
- News and alerts about threats, vulnerabilities, attacks, and patches: you need these to check your defenses because it is better to learn from others’ mistakes and misfortunes than your own, isn’t it?
- News related to new technologies and products: what can you use to improve your security, or to achieve the same level with reduced costs and/or effort?
- Specialized consultancy: you may not have the expertise, or time, to make the solution or resolve the problem by yourself, so who can help you?
- Specialized support to handle information security incidents (e.g., other organizations, police, government security agencies, etc.): when you have a problem and need help to resolve it, who can help you?
- membership of special interest groups or forums should be a means to improve knowledge about best practices and stay up to date with relevant security information.
- ensure the understanding of the information security environment is current.
- receive early warnings of alerts, advisories and patches pertaining to attacks and vulnerabilities.
- gain access to specialist information security advice.
- share and exchange information about new technologies, products, services, threats or vulnerabilities.
- provide suitable liaison points when dealing with information security incidents.
The government as a special interest group is a unique case, because of its access to additional resources (like police, emergency services, firefighters, etc.), and, depending on the legal requirements of each country, its involvement is mandatory. Some of these issues you can identify for free (accessing the public content on the Internet, signing up for a regular newsletter, or identifying the person/job title to be in contact with a professional association or state agency), and some you have to pay for (consultant or support services). However, in the latter case, it would be recommended to establish contact with potential suppliers through your procurement process (it is always better to have a previous relationship than to call only in an emergency).
Since the information you will be working with could have a great impact on your ISMS (over management and/or security controls), you should be careful about which special interest groups you interact with, considering:
- The quality of the information provided: Not all of them have precise or updated information (some only repost news or information from other sources).
- The availability of the information: what is the update frequency of the information? If the source you use takes too much time to update its info, your organization could be exposed to a problem or risk for a longer period.
- The legitimacy of the source: Not all of them are authorized representatives of the one responsible for the information (e.g., manufacturers have specific forums to communicate with their clients or to provide patches). Another case is if security peers recognize the group as a reliable source of information.
In the cases where you have to send or receive information, be sure to verify whether there is an agreement about how the shared information will be protected. Appropriate contacts with special interest groups or other specialist security forums and professional associations must be maintained. Some of these issues may be available for free (accessing public content on the Internet, signing up for a regular newsletter, or identifying the person / job title to be in contact with a professional association or state agency), and some may require payment (consultant or support services). However, in the latter case it is recommended to establish contact with potential suppliers through the procurement process (it is always better to have a previous relationship than to call only in an emergency) and identify this as a Key Supplier rather than a SIG. IS owners can keep appropriate contacts with Special Interest Groups (SIGs) or other specialist security forums and professional associations maintained. Contact details, business cards, membership certificates, diaries of meetings etc. can provide evidence of professional contacts, particularly for information risk, security and compliance specialists. Valid contact details embedded within incident response, business continuity and disaster recovery plans provide further evidence of this control, along with notes or reports from previous incidents concerning the contacts made. In the cases where you have to send or receive information, be sure to verify whether there is an agreement about how the shared information will be protected.