Category Archives: ISO

How to secure your start up

It can be both hectic and rewarding when starting a new venture. After being around startups since 2000, I know how you feel. While it can be overwhelming, you need to understand how security and privacy play a part in your success.

First of all, do not ignore security; despite what many venture capital groups are preaching, that advice is pure BS. By designing security and privacy into your solution you will be miles ahead of your competition.

Here is how you need to approach this complex problem (which is not complex, by the way, but people feel better when you tell them how complex it really is).

1. Conduct a risk assessment against both your product and your small company to determine the data you collect and the means of collecting, processing, storing and destroying that data. I recommend using ISO 27005 as the framework for this. As you step through this process you will need to consider all aspects of your solution, including but not limited to hosting, OS, plugins, modules, binaries, daemons, services, coding languages, authentication, logging, encryption, databases, etc. You get the point. You must focus on how each of these elements is going to be integrated, and test each one to confirm that you did not actually introduce any vulnerabilities.

2. Threat model your solution to determine how it can be attacked... because it will be. There are several frameworks for this out there. Pick one, use it, and make it part of a simple but efficient SDLC.

3. Know the laws and regulations that impact your product, not just where you are today but in every geographic region where you plan to do business. These will be requirements for your product.

4. Unit test for each of the risks that you identify: create unit tests that validate each risk you have identified and confirm that each one has been mitigated to the minimum.

Here is the secret formula for security success (Sssshhh don’t tell anyone):

TRA + Regulatory + Threat Modeling + Testing/Verification = Security Success

Some keys to success

1. Keep it simple, but create an SDLC that drives security into your solution now. This will save you money down the road. If you have to completely redesign your software 2 years down the road to deal with security, the costs will be prohibitive. Trust me, you will learn this the hard way.

2. Not all risks can or need to be eliminated. You need to determine how to get them to a level that you and the other founders are willing to accept. Keep in mind that some privacy laws and regulations cannot be ignored; those risks you must mitigate to a bare minimum.

3. Keep documentation of all your activities. It can be used if a partner or customer sends in their auditors, because you know they will.

4. Once your company is about 6-12 months old, consider drafting some policies and procedures to help new employees understand the culture of security you are looking to create.
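As an added example (not code from the original post), here is a small Python risk register that ties steps 1 and 4 above to the acceptance point in key 2: each identified risk is scored ISO 27005-style as likelihood times impact, a control only lowers the score when its unit test passes, and a risk involving regulated data cannot simply be accepted until it is mitigated to the floor. The 1-5 scales, the tolerance values, the sample risks and the settings in CONFIG are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
ACCEPTABLE = 6  # highest residual score the founders accept (assumed)
FLOOR = 1       # "bare minimum" likelihood for regulated data (assumed)

# Constructed deployment settings that the verification tests inspect.
CONFIG = {"db": {"encrypt_at_rest": True, "backups_encrypted": False}, "auth": {"mfa": True}}
@dataclass
class Control:
    name: str
    likelihood_after: int    # likelihood if the control works
    test: object             # zero-argument unit test returning True/False

@dataclass
class Risk:
    rid: str
    threat: str
    likelihood: int          # 1 rare .. 5 almost certain
    impact: int              # 1 negligible .. 5 severe
    regulated: bool = False  # privacy law: cannot simply be accepted
    controls: list = field(default_factory=list)

    def residual(self) -> int:
        # Only a control whose test passes counts; an unverified control is a claim.
        working = [c.likelihood_after for c in self.controls if c.test()]
        return min(working, default=self.likelihood) * self.impact

def findings(register: list) -> dict:
    """Map risk id -> reason for every risk that still needs work."""
    out = {}
    for r in register:
        failed = [c.name for c in r.controls if not c.test()]
        if failed:
            out[r.rid] = "unverified control: " + ", ".join(failed)
        elif r.regulated and r.residual() > FLOOR * r.impact:
            out[r.rid] = "regulated data not mitigated to minimum"
        elif r.residual() > ACCEPTABLE:
            out[r.rid] = f"residual {r.residual()} above tolerance {ACCEPTABLE}"
    return out

REGISTER = [  # constructed register for a small SaaS start-up
    Risk("R1", "disclosure of stored customer PII", 4, 5, regulated=True,
         controls=[Control("db encryption at rest", 1,
                           lambda: CONFIG["db"]["encrypt_at_rest"]),
                   Control("encrypted backups", 1,
                           lambda: CONFIG["db"]["backups_encrypted"])]),
    Risk("R2", "credential stuffing against admin login", 4, 4,
         controls=[Control("MFA on admin accounts", 1,
                           lambda: CONFIG["auth"]["mfa"])]),
    Risk("R3", "undetected tampering with production hosts", 3, 3),
]
```

Running `findings(REGISTER)` reports R1 because its backup-encryption control is not verified and R3 because it has no control at all, while R2 is accepted; that report is the documentation an auditor will ask for.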

Good luck, and realize that you can simplify the security process, but do it now! It will save you time and money down the road. I will also point out that 68% of SMBs that experience a data breach are usually out of business within two years. Hopefully, that is motivation enough.


NAFTA Cyber Security Framework

As part of the NAFTA discussions, it looks like the US is looking to add a cyber security component to the mix. Finally, a great idea in a trade agreement! The basis for this is quite clear given the interconnected world we live in and the fact that all Canadian Internet traffic is routed to the US. We have to ensure that one country is not in a position to bring about the downfall of another due to weak security practices.

Given the current state of cyber security practices in Canada by most SMBs, this will serve as a good wake-up call to get your security house in order if you want to sell to the US. Based on the current wording, companies would have to demonstrate the implementation of an accepted cyber security framework within the organization.

What does this mean? From the top down, executives are responsible for having implemented the necessary security management system to measure and mitigate cyber risk within their respective organizations. I am not going to provide all the nuts and bolts of how to do this, but I would “highly” recommend you get a copy of ISO/IEC 27001/27002 and build your plan to implement an Information Security Management System (ISMS). Don’t let the “information” part of the name fool you; this standard has been written to fully consider the cyber elements of any organization regardless of sector.

The best place to buy this is from our friends at CSA Group in Canada. They actually offer a Security bundle that contains all the base standards to get you started at a very reasonable price.

When you initiate your cyber program, focus on conducting your risk assessments, building your action/mitigation plan and getting those policies and processes nailed down; most of all, education and awareness will be a key element of your success.

Keep in mind that this will not be easy, but the benefits will help you sell your solutions to the US and will help protect your digital assets. What else could you ask for?


Data Breach – Get Prepared if you collect customer data

Today, I was a panellist at a Data Breach Seminar held in Toronto. It was a full room of attendees at the Davis LLP office in First Canadian Place. Our panellists included the following:

Kelly Friedman – Moderator

Kelly is an experienced litigator with unique expertise in electronic information matters, including e-discovery, privacy and data breach risk mitigation and response. She is an expert advisor to the Standards Council of Canada with respect to the development of international (ISO) standards regarding information technology security.

Kelly is known for her efficient, no-nonsense approach to problem solving and dispute resolution and her ability to bring calm and clarity to bear in crisis situations.

Anna MacMillan

Anna MacMillan has extensive experience in mergers and acquisitions, and has been involved in a broad range of transactions involving international and Canadian clients. Anna has specialized expertise in dealing with financial institutions and payment card industry participants, both in the M&A setting and in respect of ongoing compliance considerations.

She has advised clients on a wide range of issues relating to privacy, data protection, actions to be taken on a data breach incident and allocation of risks relating to data breach.

Carol Levine

Carol Levine is a professional communicator with expertise in image, issues and reputation management, as well as crisis communications. Her experience spans many industry sectors, including health and pharmaceuticals, consumer packaged goods, retail, technology and manufacturing.

Carol is co-founder and owner of energi PR, the Canadian affiliate of the Public Relations Global Network (PRGN), which is among the four largest networks of independently-owned PR firms in the world.

Patrick Malcolm

Patrick Malcolm is the President of NetRunner Inc. – a Canadian Cyber Defence Company.

Patrick is a trusted advisor to the Department of National Defence and the Royal Canadian Mounted Police Integrated Technology Crime Unit. He has extensive experience dealing with both criminal and nation-state cyber threats. He is a technical trainer and professional speaker. Patrick combines subject matter expertise with a mature assessment process to provide a complete solution that helps his customers enhance their security posture, reduce risk, facilitate compliance and improve operational efficiency.

Garth Heustis

Garth is responsible for leading and managing the Information Risk (cyber) book of business for CNA in Canada and is very active in conducting seminars across the country for their brokers. CNA as a corporation has been writing Information Risk since 2001 and is one of the top 5 carriers for this line of business.

We provided attendees with details on both pre-breach and post-breach issues and considerations. The key here is being prepared and ensuring you create a playbook to be used in the event of a breach.

As this is a growing issue with our customers, I am attaching a document that includes some considerations and questions you should be asking your organization to determine your level of preparedness.

As always, should you have any questions on data breach, please reach out to us. We would be more than willing to provide support and help you build your data breach playbook.

Data Sheet on Breach Services


You’re never too small to implement an ISMS

So what is an ISMS? An Information Security Management System is typically used by larger organizations who, due to process maturity, have developed many systems and processes to be able to show proof that risk is being managed for IT. However, we are seeing a trend where start-ups need to quickly develop these capabilities... why?... big customers are demanding alignment with, or evidence of, an ISMS.

We are fortunate enough to be working with some start-ups to help secure their product and service solutions. During these engagements we are being asked more and more to provide guidance around building an ISMS. This can include anything from security policies and procedures to designing a secure coding practice which aligns with an ISMS. While many don’t have policies and procedures, these can be quickly developed, updated and instilled into the corporate culture to ensure security is being considered at all stages of product development and business operations.

While not a requirement for everyone, CEOs need to consider that requirements for an ISMS will come quickly as a start-up grows.

Things to consider:

1. You will need a security policy that covers your plan to secure your product/service. It might be small at the beginning, and that is okay, but make sure you document how you determined your risk, the controls that you have implemented, how you monitor the systems, and how you determine whether there have been possible compromises of both the process and the product/service.

2. Make sure you understand the threats to your organization, not just to your products and services.

3. Make it part of your culture now, not just when the security compromise happens, ’cause if you put it off you will lose customer confidence down the road.

4. Purchase ISO 27001/27002 and read them.

5. Conduct a quick assessment of your company against the guidelines of ISO 27000 to determine how far off you are from having this capability.

6. You don’t have to get certified “right now”, but you will have the foundation prepared when you are large enough and mature enough in your processes to quickly obtain this certification.

7. You will increase customer confidence, as you have seriously considered the security implications to your business.

There, does that sound too difficult? You need to start off small and let this grow with your business. It becomes a much smaller obstacle down the road with this approach.


Canada we need more cyber security leadership

One of the good things about practicing security consulting globally and participating in ISO work is that I get to talk to security experts around the globe. One thing that I am seeing more and more every year is how many countries are pulling away from Canada when it comes to cyber security leadership.

When I look at our government, I am not aware of any one security leader who is driving requirements for things like cloud, mobile and IoT. Nor do I see the same thing when it comes to critical infrastructure. Not to say they don’t exist, but when I have people in the government reaching out to me to ask that same question... that’s a problem... a big problem.

Canadians are completely oblivious to the fact that we do not have a national plan to help protect us against cyber security attacks from another nation. Really, if you are aware of something, please send me the details, because I have asked over and over and never received a single response. I am also aware of security companies that have stopped practising in Canada due to lack of business. However, many are relocating or opening offices south of the border, where they are more bullish on this topic and business is brisk.

Also of concern is the lack of support for and development of ISO standards when the rest of the world is doing exactly that. This topic has been discussed in many forums in Canada but no action has taken place; business and government leaders are very well aware of this issue. I recently attended a three-day symposium on software assurance in the US, where this is a hot topic and the government takes this and supply chain very seriously. I was very surprised to discover that they stated on several occasions that everyone should be looking to ISO as the basis for standards. This is definitely a tone change from when NIST and ANSI were the go-to organizations. It shows a shifting tide, which is refreshing. However, we are not seeing the same thing in Canada, nor is our government even considering the security risk of software. Again, should we be concerned?

Canada is going to have to change its old ways or we are going to become an easy target for cyber attacks. Take for example that our carriers send Internet routers to all customers in an insecure configuration. When someone gets their device compromised and experiences a theft of service, they are responsible for paying the bill. This is very disturbing. This is not a case where our carriers don’t know any better; they do, they are just too stuck in their ways to change how they operate. Yet they insist they don’t need more regulations... I think they do for security... or they will never change.

Canadians need to start asking our political and corporate leaders if we are doing enough to protect our organizations and citizens. Right now the answer is a resounding NO!