ISO/IEC 27010:2015 — Information technology — Security techniques — Information security management for inter-sector and inter-organisational communications (second edition)
This standard provides guidance in relation to sharing information about information risks, security controls, issues and/or incidents that span the boundaries between industry sectors and/or nations, particularly those affecting “critical infrastructure”.
ISO/IEC 27010 provides guidance on information security interworking and communications between industries in the same sectors, in different industry sectors and with governments, either in times of crisis and to protect critical infrastructure or for mutual recognition under normal business circumstances to meet legal, regulatory and contractual obligations.
Purpose and justification
Sometimes it is necessary to share confidential information regarding information-related threats, vulnerabilities and/or incidents between or within a community of organizations, for example when private companies, governments, law enforcement and CERT-type bodies are collaborating on the investigation, assessment and resolution of serious pan-organizational and often international or pan-jurisdictional cyberattacks. Such information is often highly sensitive and it may need, for example, to be restricted to certain individuals within the recipient organizations. Information sources may need to be protected by remaining anonymous. Such information exchanges typically happen in a highly charged and stressful atmosphere under intense time pressures - hardly the most conducive environment for establishing trusted working relationships and agreeing on suitable information security controls. The standard should help by laying out common ground-rules for security.
The standard provides guidance on methods, models, processes, policies, controls, protocols and other mechanisms for the sharing of information securely with trusted counterparties on the understanding that important information security principles will be respected.
Status of the standard
ISO/IEC 27010 was first published in April 2012 then minor editorial changes were made to align the standard with the 2013 editions of ISO/IEC 27001 and 27002.
The 2nd edition was published in December 2015.
While the actual information risks arising from the sharing of information concerning information security incidents etc. between disparate organizations will of course depend on the specifics of the particular situation at hand (e.g. the nature of the incidents, the protagonists, the victims and the organizations involved), the following generic list of potential information risks and security issues in this area exemplifies the broad range of matters that may need to be taken into account in practice:
- Establishing general approaches towards the information security aspects of the process (e.g. writing and implementing policies and procedures along with training and awareness activities for those involved in the process, and conceivably independent assessment or audits to confirm that the arrangements conform to ISO/IEC 27010 and/or other applicable ISO27k standards such as 27001, 27002 and 27005);
- Disclosing initial information and knowledge about the situation at hand prior to formalizing the arrangements, in order to prompt the recipient/s to consider their role and for disclosing parties to consider the risks involved in disclosing further information;
- Trust relationships between the organizations directly concerned, communicating and collaborating;
- Trust relationships with other organizations that may also be involved (e.g. if communications are routed through some sort of agency) or are somehow drawn-in to the situation, including business partners and those that may have to be informed or engaged in the process as a statutory or other duty;
- Determining and declaring or defining specific information security requirements (implies some form of information risk analysis by the disclosing parties for sure, and perhaps by the receiving parties);
- Communicating security risks and control requirements, obligations, expectations or liabilities unambiguously (e.g. using a mutually-understood lexicon of terms based on ISO27k, and comparable information classifications);
- Assessing and accepting security risks and obligations (e.g. in some form of contract or agreement, whose existence and contents may also be confidential);
- Communicating information securely (e.g. using suitable cryptographic controls), preventing it from being sent to the wrong counterparties, intercepted, deleted, spoofed, duplicated, repudiated, damaged, modified or otherwise called into doubt deliberately by some third party or through inadequate controls and errors;
- Version controls and appropriate authorization for both disclosure and acceptance of valuable information;
- Risks and controls relating to the collection, analysis, ownership, protection and onward disclosure of information regarding the situation at hand by the recipient parties engaged in an investigation (e.g. limitations on using the information for purposes not directly associated with the incident at hand);
- Adequately protecting the information and perhaps others assets entrusted to the recipient organizations and individuals;
- Compliance and where appropriate enforcement activities such as imposition of penalties etc. if promises are broken, trust is misplaced or accidents happen;
- Unacceptable delays or other constraints on the communication of important information due to the risk assessment, security and related activities;
- The possible effects on collection, handling, storage, analysis and presentation of forensic evidence;
- Any limitations on post-incident disclosures such as incident management reporting, public press-releases, legal action etc.;
- Systematic process improvement, leading to greater trust and stronger security arrangements for future situations.
The published standard doesn’t mention all of these risks explicitly, unfortunately. It would have been more comprehensive and valuable if it had.