<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>UKFast Blog &#187; Mackie</title>
	<atom:link href="http://www.ukfastblog.co.uk/author/mackie/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.ukfastblog.co.uk</link>
	<description>News and views from the UK&#039;s best hosting provider</description>
	<lastBuildDate>Tue, 07 Sep 2010 16:44:27 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>The ISO27000 standards – what’s it all about?</title>
		<link>http://www.ukfastblog.co.uk/2010/03/18/the-iso27000-standards-%e2%80%93-what%e2%80%99s-it-all-about/</link>
		<comments>http://www.ukfastblog.co.uk/2010/03/18/the-iso27000-standards-%e2%80%93-what%e2%80%99s-it-all-about/#comments</comments>
		<pubDate>Thu, 18 Mar 2010 09:00:43 +0000</pubDate>
		<dc:creator>Mackie</dc:creator>
				<category><![CDATA[innovation]]></category>
		<category><![CDATA[progress]]></category>
		<category><![CDATA[hosting]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[ISMS]]></category>
		<category><![CDATA[ISO27001]]></category>
		<category><![CDATA[ISO27002]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=6401</guid>
		<description><![CDATA[Overview of the origin and reason for ISO standards and the specifics of the ISO27000 standards.  What does such an accreditation lend clients and consumers of hosting services?
History
Aim
What is the ISO27000 family all about?
ISMS
ISO27001
ISO27002
What makes an ISMS?]]></description>
			<content:encoded><![CDATA[<p>Before embarking on ISO27000 let’s start with what ISO standards are all about.</p>
<p>Born of the Second World War and the ‘Space Race’, ISO standards were conceived to ensure conformity and a minimum standard for products and services – products in particular.  This would allow differing countries, cultures and businesses to interact and trade more efficiently, safe in the knowledge that, so long as a specific ISO standard was applied, products and services would meet the specified minimum standard.</p>
<p>Because &#8220;International Organization for Standardization&#8221; would have different acronyms in different languages (&#8220;IOS&#8221; in English, &#8220;OIN&#8221; in French for Organisation internationale de normalisation), its founders decided to give it a short, all-purpose name. They chose &#8220;ISO&#8221;, derived from the Greek isos, meaning &#8220;equal&#8221;. </p>
<p>Between 1947 and the present day, ISO has published more than 16 500 International Standards, ranging from standards for activities such as agriculture and construction, through mechanical engineering, to medical devices and information security.</p>
<p>ISO is a network of the national standards institutes of 163 countries, one member per country, with a Central Secretariat in Geneva, Switzerland.  ISO standards are regulated in the UK by a governmental body called UKAS – the United Kingdom Accreditation Service.  If you don’t see the UKAS tick box and crown, don’t trust that the organisation is formally registered. </p>
<p>If you didn’t know already, the ISO 27000 family of standards relates to Information Security Management and specifically to an Information Security Management System (ISMS).</p>
<p>An ISMS is a board-approved, high-level information security policy that describes how the different types of risk to an organisation’s information assets are to be treated, and identifies a set of controls (responses to, or countermeasures for, those risks) addressing each identified risk.</p>
<p>This standard, for the most part, is broken down into:</p>
<p>ISO 27001, which dictates how an ISMS should work, not what should be in it (16 specified sections outlining how the ISMS should work).</p>
<p>ISO 27002, which dictates what should be in the ISMS, not how it should work (133 controls that should be in the ISMS).</p>
<p>As with ISO 9001, certification is performed by third-party organisations and those certified to be in conformance with ISO 27001 may publicly state that they are “ISO 27001 certified” or “ISO 27001 accredited”. </p>
<p>ISO 27002 compliance may be demonstrated by producing a ‘Statement of Applicability’ that specifies how the 133 controls dictated within the 27002 standard have been applied, including any that have not, with justification for why they have not been employed.</p>
<p>So what does this give organisations, suppliers and consumers?  Well at the end of the day it is all about confidence.</p>
<p>Thanks to ISO type standards NASA were able to confidently assemble spacecraft made of components from not just the US but from across the world and be sure that they would act as they were meant to within the demanding role of allowing a vessel to escape Earth’s gravitational pull.  </p>
<p>NASA were able to procure components from suitably accredited suppliers safe in the knowledge that certain minimum standards had been met.  This saved valuable time and money and allowed for an unprecedented level of concurrent activity without jeopardising safety.</p>
<p>It is this confidence that users of an ISO27002 compliant and/or ISO 27001 accredited partner can be assured of in relation to their information security.  The standards demand the use of an ISMS to ensure that:</p>
<ul>
<li>Information assets are identified.</li>
<li>Risk to these assets is assessed in relation to the likelihood and impact of specific threats and vulnerabilities.</li>
<li>Where the assessed risk to an asset is not acceptable, controls are implemented to reduce that risk (the 133 controls dictated by ISO27002).</li>
<li>These assessments and controls are frequently audited, internally and externally, to ensure security and best practice.</li>
<li>Action is taken to address any non-conformances or shortfalls identified.</li>
</ul>
<p>Such an approach ensures that you may be confident that your information is in safe hands, and this is why more and more organisations insist on ISO27001 accreditation from partners who may be handling their sensitive data.  ISO27001 provides them with the confidence that you are not only providing that security now but that, thanks to the use of an ISMS, you will be ensuring that security on an ongoing basis and having it independently verified.</p>
<p>The case for partnering with a <a href="http://www.ukfast.co.uk/">hosting partner</a> who can provide such confidence in relation to the security of your information and data is more critical than ever before – make sure your service provider can demonstrate their ISMS.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ukfastblog.co.uk/2010/03/18/the-iso27000-standards-%e2%80%93-what%e2%80%99s-it-all-about/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Guide to load balancing</title>
		<link>http://www.ukfastblog.co.uk/2010/03/17/guide-to-load-balancing/</link>
		<comments>http://www.ukfastblog.co.uk/2010/03/17/guide-to-load-balancing/#comments</comments>
		<pubDate>Wed, 17 Mar 2010 08:14:21 +0000</pubDate>
		<dc:creator>Mackie</dc:creator>
				<category><![CDATA[innovation]]></category>
		<category><![CDATA[layer 4]]></category>
		<category><![CDATA[Layer 7]]></category>
		<category><![CDATA[Load balancing]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=6397</guid>
		<description><![CDATA[Load balancing is a technology used in the dedicated hosting arena to spread work across a number of servers with the goal of increasing capacity, speeding up response times and avoiding downtime.
Areas covered within this guide are:
server health checks
load balancing strategies
persistence
SSL offloading
Solution separation
Layer 4 vs Layer 7]]></description>
			<content:encoded><![CDATA[<p>Load balancing is a technology used in the dedicated hosting arena to spread work across a number of servers with the goal of increasing capacity, speeding up response times and avoiding downtime.</p>
<p>As opposed to the traditional route of pointing traffic directly at a server’s IP, network traffic is directed to an IP on the load balancer.  It is the responsibility of the load balancer to choose which server to forward this request to.  There are 2 factors which help the load balancer make this choice:</p>
<ul>
<li>server health checks</li>
<li>load balancing strategy</li>
</ul>
<p>Server health checks ensure servers in a solution respond to requests sent to them.  There are several methods used by load balancers to assess the health of the servers in a solution, including:</p>
<ul>
<li>Pinging the servers in question verifies they are responding and can handle requests.  However, this method is not recommended, as the required service may be offline and unable to fulfil requests despite a successful ping response.</li>
<li>TCP Connect is a more effective check than ping, as it specifically checks that the relevant service is responding.</li>
<li>A simple HTTP GET request is better still, as it establishes not only that the service is responding, but that it is responding correctly.</li>
</ul>
<p>Assuming all servers are “healthy”, the load balancing strategy defines the decision making parameters.  Typical strategies include:</p>
<ul>
<li>Using Round Robin results in each server taking turns in responding to requests.</li>
<li>Weighting allows you to specify the ratio of requests each server responds to.</li>
<li>Specifying that requests should be sent to the server with the least number of connections ensures the best response time.</li>
<li>Basing the load balancing decision on information within the URL (URL parsing) allows server functions to be specialised, with certain servers responding to ASP/Streaming/HTML requests.</li>
<li>Using information within the HTTP header allows you to divert traffic to servers depending on the browser used, cookie information and the requested domain.</li>
</ul>
<p>The use of persistence and SSL offloading are common when load balancing dedicated servers as they allow more control in the solution.</p>
<p>Persistence, or “stickiness”, directs users back to the original server they visited, with the purpose of serving stored information, such as the contents of a shopping basket or previously selected settings, again.  When using persistence, be aware of the pitfalls as well as the advantages.  For example, using IP-based persistence often results in the user being directed back to a down server despite healthy servers being available.<br />
Cookie-based persistence (used in Layer 7 solutions) is a smarter choice and directs users to an available server when the preferred choice is unavailable.</p>
<p>“SSL offloading” (or acceleration) allows data travelling from the user to the hosted solution to be encrypted by the load balancer and not the server.  Data encryption is server intensive, often affecting the capacity of the server.  By offloading this role to the load balancer, data encryption will not affect the server’s ability to perform other tasks.</p>
<p>To ensure we make the most of the benefits of load balancing, servers within the solution must be physically separated and the degree to which you are able to do this determines how bullet proof your solution is:</p>
<ul>
<li>Multiple Racks ensure that a solution will not go offline as a result of a very isolated incident and must be employed on every solution as a minimum.</li>
<li>Multiple Suites are powered by separate power feeds, and splitting servers across them results in minor power outages having no effect on the uptime of a solution.</li>
<li>Using Multiple Datacentres provides the best level of resilience available from a single dedicated hosting provider.  A popular “what if” used in the dedicated server industry is “what if a plane crashes into the datacentre?” &#8211; with correct configuration, splitting servers across multiple datacentres ensures a solution will continue to function even if this unlikely event occurs.</li>
</ul>
<p>Layer 4 vs Layer 7 load balancing</p>
<p>The following features are consistent across both platforms:<br />
Methods &#8211; Round Robin, Weighted<br />
Health Checking &#8211; TCP Connect<br />
Persistence &#8211; IP Based<br />
Other features &#8211; Multi racks / suites</p>
<p>There are some features, however, that are exclusive to Layer 7 load balancing:<br />
Methods &#8211; Least Connections, URL Parsing, HTTP Headers<br />
Health checking &#8211; Ping, Simple HTTP GET<br />
Persistence &#8211; Cookie Based<br />
Other features &#8211; Multiple data centres, SSL offloading</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ukfastblog.co.uk/2010/03/17/guide-to-load-balancing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What is Information Security?</title>
		<link>http://www.ukfastblog.co.uk/2010/03/13/what-is-information-security/</link>
		<comments>http://www.ukfastblog.co.uk/2010/03/13/what-is-information-security/#comments</comments>
		<pubDate>Sat, 13 Mar 2010 13:43:14 +0000</pubDate>
		<dc:creator>Mackie</dc:creator>
				<category><![CDATA[innovation]]></category>
		<category><![CDATA[Business Continuity]]></category>
		<category><![CDATA[data centre]]></category>
		<category><![CDATA[Disaster Recovery]]></category>
		<category><![CDATA[information security]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=6381</guid>
		<description><![CDATA[An overview of what Information Security means, what it is and how it should be approached by businesses.]]></description>
			<content:encoded><![CDATA[<p>Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.</p>
<p>Information security is concerned with ensuring the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms – in relation to the risks or threats posed to that data ‘asset’.</p>
<p>So in English what does this mean to specific businesses and how can they make sure that they are maintaining the security of their information ‘assets’?</p>
<p>This is not a simple ‘one answer fits all’ question, but one thing is sure: the key to successful information security is understanding.  In a discipline that seems to epitomise ‘management speak’ through methodologies, consultants and detailed, mildly alarming ‘standards’, it is important to keep life simple.</p>
<p>Everything that Information Security is about, is governed by one single thing – RISK (I can hear the groans already).  With this in mind, whatever your approach, it must do 3 things:</p>
<ul>
<li>Assess Risk</li>
<li>Control Risk</li>
<li>Assess Risk</li>
</ul>
<p>You will see first and foremost that this calls for a continuous approach or system, not for a ‘one off’ risk assessment that will ensure security forever.  The risks, like your business, change continuously and so must your approach.</p>
<p>Assess.  However you set about it, you must identify your ‘information assets’ and assess the risk to each in relation to confidentiality, integrity and availability.  ‘Risk’ should be scored in some fashion born of assessing the impact of such an event occurring against the likelihood that such an event would occur.</p>
<p>Control.  The Risk Assessment you have now conducted should provide you with an idea of where the greatest vulnerabilities to your organisation exist and in order to best protect your information assets it is critical to introduce controls that will reduce either (or both):</p>
<ul>
<li>the impact of such an event occurring</li>
<li>the likelihood that such an event would occur</li>
</ul>
<p>A simple example of such a control would be the introduction and implementation of an Information Security Policy.  Depending on the complexity of the assets and the organisation this overarching policy may be broken down into more specific controls but all should be related to the assessed vulnerabilities.  Further examples may be:</p>
<ul>
<li>Introducing <a href="http://www.ukfast.co.uk/load-balancing-servers.html">Load Balancers</a> in response to an assessed risk to Business Continuity based on the likelihood of high traffic loads ‘hitting’ a website and your solution failing due to such traffic levels.</li>
<li>Partnering with a hosting provider with adequate physical <a href="http://www.ukfast.co.uk/manoc-manchester-data-centre.html">security provisions</a> in their datacentres based on the sensitive nature (and risk to business integrity) of the information they will store on your behalf.</li>
<li>Selecting to employ a cross-datacentre failover solution in response to the assessed impact that a service affecting disaster would have on your business integrity and therefore, enabling Disaster Recovery via a <a href="http://www.ukfast.co.uk/business-continuity-planning.html">Business Continuity Solution</a>.</li>
</ul>
<p>Assess.  Once committed to the security of your information assets, it must become part of everything that you do – you must integrate it into the way that you operate; only then can you ensure constant security of your information assets.  The situation, and therefore the threats, will constantly change, and to this end you must change with them. </p>
<p>Organisations and businesses must be risk aware, not risk averse and this is born of understanding what presents a risk or vulnerability to your organisation.  To this end, I would suggest that no-one knows your business like you and in order to keep information security effective, simple and cost effective it is a waste of time, effort and money to employ individuals external to your business to instigate an information security system.</p>
<p>They remain your information assets and you must understand, assess, control and coordinate their security – no one individual or organisation can do all of this for you in order to provide complete information security.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ukfastblog.co.uk/2010/03/13/what-is-information-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
