About the Author
Simon Biles is a founder of Thinking Security Ltd., an Information Security and Risk Management consultancy firm based near Oxford in the UK.
I'm privileged to have been asked to write here, on a regular basis no less (!), and I'm very conscious that I'm writing from that opposite side - the one that makes sure that information doesn't leave the secure systems that it's been put on. Full disclosure is a fine concept, but it needs to be executed with a little finesse, so I'll try to be careful.
In any case, this month I'm on safe ground - no encryption, plausible deniability or anonymous browsing - today we are going to talk about ISO standards. OK, anybody still reading? Fine, I accept that it's not the world's most exciting or sexy subject; however, in the UK at least, it has become considerably more important, as there are moves to enforce compliance with ISO 17025 for forensic labs. That standard sets out the "General requirements for the competence of testing and calibration laboratories" and, like many other ISO standards, builds on ISO 9001, the Quality Management standard. (Personally, I think that all labs should also comply with the Information Security Standard ISO 27001 - with all of the critical, confidential and important data kicking around, it seems logical to me, not to mention more personally relevant.)
The standard has been taken on board by the Forensic Science Regulator, Andrew Rennison (http://police.homeoffice.gov.uk/operational-policing/forensic-science-regulator/index.html), who has been working on ensuring that UK labs meet certain basic standards. He has taken care to engage well with the digital forensics community, taking advice from a Specialist Group made up of significant digital forensics leaders in the UK and also engaging with the wider community through workshops and conferences. At the moment there is a tender out for the development of a framework interpreting ISO 17025 as it applies to specific subject areas. Although digital forensics isn't explicitly mentioned, with computer-related crimes being measured in the millions, it will have to be...