Category Archives: Security

Amazon, ISO 27001 and Deception

A Gartner analyst has posted “a few thoughts about Amazon and the enterprise”. She starts by blasting SAS 70 for weakness and then holds up yesterday’s Amazon ISO/IEC 27001 certification announcement as a totally different standard.

I too am a fan of the ISO process and have used it for many years with many organizations. It is good news that Amazon has chosen to certify to this new standard. I also am familiar with criticisms of SAS 70 (some of which have been addressed in the new standard, SSAE 16, as I have mentioned before).

Unfortunately, the analyst at Gartner makes some glaring logical errors in her analysis of the Amazon announcement and cloud compliance. She gets it wrong and is misleading readers. Note her criticism of SAS 70:

To start with, SAS 70 Is Not Proof of Security, Continuity or Privacy Compliance (Gartner clients only). As my security colleagues Jay Heiser and French Caldwell put it, “The SAS 70 auditing report is widely misused by service providers that find it convenient to mischaracterize the program as being a form of security certification. Gartner considers this to be a deceptive and harmful practice.”

ISO 27001 runs the same risk. Here is why:

The ISO 27001 compliance certificate gives assurance only that a management system for information security (ISMS) is in place. It does not provide a report on the information security controls within the organization. In other words, it also may not give “Proof of Security, Continuity or Privacy Compliance”.

Note that she admits this risk when her blog post concludes:

Getting something like ISO 27001, which is proscriptive [sic], hopefully offers some assurance that Amazon’s stuff constitutes effective, auditable controls.

ISO 27001 is not prescriptive in the way she is hoping. More to the point: “hopefully” is not an assurance for “Amazon’s stuff”.

Technical security controls such as firewalls or log management, for example, are not within the scope of an ISO 27001 certification audit; an organization is “hoped” to have the information security controls based only on the fact that a management system is in place that satisfies ISO 27001 requirements.

That is why I say it should not be called prescriptive, either by default or by implication.

This is where it can be most misleading. Management determines the scope, or the limits, of an ISMS for certification, similar to the primary criticism of SAS 70. A single business unit or location may be isolated and certified on its own, which ignores residual and real risk from the remaining areas of the organization. An ISO 27001 certificate may exclude everything outside the scoped area; only the isolated area thus has an adequate approach to information security management. It looks something like this (blue boxes are examples of where scope can be limited and controls omitted):

Gartner has only added confusion by giving a misleading (“hopeful”) analysis and confusing ISO 27001 with ISO 27002. The standards are most effective when people do not oversell them (do not say that 27001 is prescriptive).

I am not certain why this analyst is criticizing the same thing she is practicing. I assume she just does not realize it. Maybe she has seen the AWS Statement of Applicability (SoA) and certificate and believes them to be comprehensive and complete. That would be like saying, however, that SAS 70 is a great standard because she found it was done comprehensively and completely at AWS.

It is important for AWS customers to realize that the ISO 27001 certificate is under NDA right now. Those who can review it in detail should have their audit or security staff look at exactly what area and controls are in scope. A good start would be to ask for their SoA (example). Only high-level information so far is available publicly.

The ISO 27001 certification includes AWS infrastructure, data centers and services, including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3) and Amazon Virtual Private Cloud (Amazon VPC).

It is a step in the right direction, but achieving certification for an information security management system (in 27001 terms) is not necessarily prescriptive security for cloud compliance even if we “hope” that it is.

Those of you who are regular readers may know that I am an auditor. Experience in the field, as well as writing audit standards, definitely affects my perspective. The Gartner Vice President and analyst is neither an auditor nor a security professional:

Her prior roles have included product management, systems architecture, operations, deployment and product development.

That could also explain the difference in our views on this compliance announcement.

Edited to add: Also note how different the Amazon Web Services Blog sounds from the Gartner analysis:

SAS 70, a third party opinion on how well our controls are functioning, is often thought of as showing “depth” of security and controls because there’s a thorough investigation and testing of each defined control. ISO 27001, on the other hand, shows a lot of “breadth” because it covers a comprehensive range of well recognized information security objectives. Together, SAS 70 and ISO 27001 should give you a lot of confidence in the strength and maturity of our operating practices and procedures over information security.

They describe their SAS 70 in almost the same terms that Gartner used to describe the ISO 27001 as different. Then the two really diverge when Amazon goes so far as to say that, unlike the SAS 70, their ISO 27001 “on the other hand” is broad; it is not deep and not about each defined control. The Amazon announcement itself defuses Gartner’s hopeful view.

UPDATE: A correction has been posted.

Best SOX 404 Year Ever

Audit Analytics has posted their SOX 404 – Year 6 Update report.

If you give them $185 they will show you the details behind these findings:

1) As of June 2010, adverse auditor attestations accounted for 2.4% of opinions filed for Year 6, compared to 16.9% in Year 1.
2) Adverse Management-Only Assessments account for 27.8% in Year 6, which is the lowest percentage yet compared to the previous five years.
3) The ‘Segregation of Duties’ deficiency is down from 23.9% of adverse filings in Year 1 to 11% of adverse filings in Year 6.

Low Confidence in Patient Record Security

Larry Ponemon has released a study of 65 organizations, which he used to extrapolate that patient data breaches cost hospitals $6 billion per year.

70% of healthcare organizations said that protecting patient data was a low priority; 67% of organizations said they had less than two staff members dedicated to data protection management.

A majority of healthcare organizations said they had little confidence in their ability to secure patient records. According to the study, 71% of healthcare organizations had inadequate resources to protect patient data, and 69% said that there were insufficient policies and procedures in place to prevent and detect patient data loss.

The phrase “little confidence in their own ability” is a loaded one. I wonder if this is a split between security experts answering anonymously versus the direction of their leadership, or unified pessimism among health care management.

I noticed something odd about the numbers. Here is another look:

  • 70% of healthcare organizations said that protecting patient data was a low priority
  • 67% of organizations said they had less than two staff members dedicated to data protection management
  • 71% of healthcare organizations had inadequate resources to protect patient data
  • 69% said that there were insufficient policies and procedures in place to prevent and detect patient data loss
  • 71% of respondents did not believe the HITECH Act regulations had significantly changed the management practices of patient records

I could predict the next number in that sequence although I am neither a math whiz, nor a statistician.

70% of 65 organizations is 45. The slight deviation in the answers could come from the same 45 over and over (and over), or from the other 20 — if you are a cup-is-half-full person. The extrapolated $6 billion estimate gets harder to believe when the numbers run so consistently. The webinar was today. I’ll have to email him my questions.

Visa adds Corporate Franchise Servicer to Third Party Agent Program

Visa has released an updated report on security breaches. It shows clearly that, within the retail industry, level 4 franchises are being breached the vast majority of the time (96-97% from January 2009 to June 2010). Restaurants and lodging/hotels make up about 35% of those breaches.

A proposed explanation for this is “Many Corporate Franchisors have traditionally fallen outside the scope of Merchant and Agent PCI DSS validation programs”. One might conclude from that statement that those who fall inside the scope of compliance are breached far less than those who are outside.

The most common breach attack vectors are said to be keyloggers and memory parsers. Default accounts, mis-configured network settings (e.g. direct remote access to a database with cardholder information), and single-factor remote access also are cited as contributing factors. Web attacks are relatively rare. Eight countermeasures are suggested:

  • For remote access, consider two-factor authentication
  • Utilize host / application / network based Intrusion Detection Systems (“IDS”). Ensure sound notification system is in place
  • Utilize host / application / network based Intrusion Prevention Systems (“IPS”). Ensure sound notification system is in place
  • Ensure antivirus, anti-spyware and anti-malware software are up-to-date. Ensure sound notification system is in place
  • Implement file integrity monitoring to detect and alert security personnel of unauthorized file changes
  • Periodically reboot Point-of-Sale systems to clear volatile memory
  • Include patch management, password management and the overall security configuration
  • Regular application penetration tests are essential in combating known vulnerabilities (including SQL injection, Cross-site scripting, etc.)

A new category has thus been created by Visa (Corporate Franchise Servicer) to address these breaches. It will not increase requirements for any entity already validating PCI DSS compliance.