How should you onboard new IT systems and software?
In the context of information security, onboarding is commonly associated with the process of integrating new personnel into an organization, including the starters and leavers process. However, it is equally crucial to address the onboarding of new software and systems into the operational environment, especially when aiming for ISO 27001 certification.
When new software or systems are introduced, it is important to consider their impact on information security, in line with ISO 27001 certification requirements. This involves assessing the potential risks and ensuring that appropriate security measures are implemented to protect the organization's data and systems. By following the guidelines and best practices set forth by ISO 27001, organizations can establish a robust framework for information security and ensure that the onboarding process aligns with the certification standards.
The onboarding process for new software and systems should involve several key steps:
Risk assessment: Conduct a thorough evaluation of the software or system to identify potential security risks and vulnerabilities. This assessment should consider factors such as data confidentiality, integrity, availability, and compliance requirements.
Security requirements: Define the necessary security requirements for the software or system based on the identified risks. This may include requirements for authentication, access controls, encryption, logging, and monitoring.
Secure configuration: Ensure that the software or system is configured securely according to best practices and organizational policies. This includes setting appropriate access permissions, disabling unnecessary features or services, and implementing secure communication protocols.
Testing and validation: Conduct rigorous testing and validation of the software or system before it is deployed in the operational environment. This should include vulnerability scanning, penetration testing, and other security assessments to identify and address any potential weaknesses.
Training and awareness: Provide training and awareness sessions for relevant personnel to ensure they understand the proper use and security considerations of the new software or system. This includes educating users about potential risks and how to mitigate them.
Ongoing monitoring and maintenance: Continuously monitor the software or system for security vulnerabilities and apply necessary patches and updates. Regularly review and update security controls to adapt to changing threats and organizational needs.
By considering the onboarding of new software and systems from an information security perspective and following these steps, organizations can minimize the potential risks and ensure that their operational environment remains secure.
Key Role of Asset Owners
In the context of onboarding new software or systems, it is essential to understand that while the IT department is responsible for managing and maintaining the information system, the ultimate responsibility for protecting the information lies with the asset owner(s). The asset owner(s) are accountable for ensuring that the new software or system has the necessary safeguards to protect the information it handles.
There can be a divergence of views between system owners (those responsible for the technical aspects of the software or system) and information asset owners (those responsible for the information being processed or stored). Each party may have different perspectives on the level of protection required, influenced by their respective roles in the organization.
However, the common objective for both system owners and information asset owners is to ensure the confidentiality, integrity, and availability of the assets under their control, albeit with varying degrees of emphasis on each aspect. It is important to recognize that the significance of these aspects should be driven by the nature and sensitivity of the information itself.
Therefore, in most cases, it is the information asset owner who should determine the level of protection needed for the software or system, rather than solely relying on the technical expertise of the IT personnel responsible for the system. The information asset owner's understanding of the information's value and risk will guide the decisions on the appropriate security measures to be implemented.
By involving information asset owners in the decision-making process and considering their insights, organizations can ensure that the protection measures align with the specific requirements of the information being processed or stored. This collaborative approach enhances the overall security posture of the organization and promotes a more comprehensive and effective information security strategy.
Determining Risks to Software/Systems
During the design phase of a system or software, it is crucial for the system or software owner to consider the input and engagement of the information asset owner. This collaboration ensures that the protection of information is incorporated into the design from the beginning. It is important for the organization to assess and understand the risks associated with the information that may be stored, processed, or communicated by the new system or software, as provided by the information asset owner.
The identified risks should be properly documented and effectively communicated to all relevant stakeholders. This includes the system or software owner, the information asset owner, and any other involved parties. By clearly documenting and sharing the identified risks, everyone involved can have a shared understanding of the potential threats to the information.
This collaborative approach enables the early identification of the necessary controls required to mitigate the identified risks. By integrating these controls into the development lifecycle of the new software or system, rather than adding them as an afterthought, the organization can establish a more robust and comprehensive security framework. Building the controls into the system from the ground up ensures that the software or system has the necessary safeguards to protect the information it handles, reducing the likelihood of vulnerabilities or weaknesses that could be exploited.
By emphasizing early input from the information asset owner, risk identification, and proactive control implementation, organizations can enhance the security posture of their information systems, reduce potential vulnerabilities, and ensure a more effective and secure operational environment.
Planning Phase
During the planning phase of a development project, it is crucial to establish effective communication between the business and technical departments to ensure that the documented business requirements align with the technical requirements. This comparison is necessary to ensure that both sets of requirements complement each other and are accessible to all relevant stakeholders.
As part of this planning phase, the project should include the development of a project brief or a business case. This document outlines the technical requirements, deliverables, and security controls needed for the information system. It should also specify the type of data that will be processed, define roles and responsibilities, and establish timelines for implementation.
At this stage, it may be necessary to revisit the cost-benefit ratio to assess whether the anticipated benefits of implementing the information system outweigh the associated costs. This evaluation ensures that the organization makes an informed decision, considering the potential risks and benefits of the system implementation.
By conducting thorough planning and documentation during the initial phases of the project, the organization can ensure that the technical requirements align with the business objectives and that appropriate security controls are incorporated from the start. This approach reduces the likelihood of encountering significant issues during the development and implementation stages and helps to prioritize resources based on the potential risks and benefits of the information system.
Design Phase
In the design stage of the project, the focus should be on developing the technical architecture and defining the business workflows. It is recommended to start with the business workflows, allowing the technical team to review their initial plan and ensure that the technical solution aligns with the security requirements of the system.
During the design of business workflows, the business stakeholders should define deliverables or at least clearly communicate their expectations regarding the desired outcomes, the format of the information, the criticality of the data, and any additional security controls that may be required.
It is crucial to adhere to the agreed scope of the new software or system to minimize the risk of the solution not meeting its intended purpose. To effectively manage and control risks, it is advisable to maintain a project risk register. This register provides a transparent overview of any issues that could potentially have a negative impact on project deployment, including situations where security requirements have not been adequately addressed.
By engaging in a collaborative design process and effectively managing project risks, the organization can ensure that the technical solution is aligned with business needs and security requirements. This approach helps to mitigate potential risks and enhances the chances of successful system implementation.
Security Assurances
In cases where sensitive information is involved or there is a need for additional assurance, internal verification and validation alone may not be sufficient. Independent verification, such as compliance audits or thorough penetration testing, can provide an extra layer of assurance.
Compliance audits assess whether the new software or system meets the established security requirements, including any regulatory or industry-specific standards. This type of audit is typically conducted by an independent party with expertise in the relevant security standards and frameworks.
Penetration testing, on the other hand, involves simulating real-world attacks to identify vulnerabilities and weaknesses in the system's security controls. It helps to identify potential entry points and weaknesses that could be exploited by malicious actors. Penetration testing is often performed by specialized security firms or internal teams with expertise in ethical hacking.
By conducting compliance audits and penetration testing, organizations can obtain an objective assessment of the security posture of the new software or system. This helps to ensure that the security requirements are adequately addressed and that the system is resilient against potential threats.
It is important to identify the security requirements early in the process, regardless of whether the software or system is a commercial off-the-shelf product or a bespoke development. This ensures that the necessary security measures are implemented from the start and reduces the risk of vulnerabilities or weaknesses being overlooked.
In summary, independent verification through compliance audits and penetration testing can provide additional assurance and help organizations meet the necessary security requirements for new software or systems, especially when sensitive information is involved. This verification process is an essential part of ISO 27001 implementation, as it ensures that the implemented security measures align with the standard's guidelines and requirements. By conducting these audits and tests, organizations can identify any vulnerabilities or weaknesses in their systems and take appropriate measures to mitigate the risks. ISO 27001 implementation emphasizes the importance of regular assessments and evaluations to maintain a robust security posture and ensure the protection of sensitive data.
Written by
Wayne McCaw
I'm an experienced Information Security professional with huge experience of both in-house and private practice, possessing a thorough understanding of the key drivers behind effective IT and Information Security solutions.