October 3rd, 2017, Equifax’s ex CEO, Rick Smith, had to explain to the American Congress how the private data of almost one out of two Americans could be hacked.
Let us briefly recall the chronology of events (for more information, we invite you to read Adriana Lecerf’s complete article):
- March 9th, 2017: An Apache Struts flaw is detected. Less than a week after, the security patch is validated and planned, but the latter is not applied on all the servers.
- March 15th, 2017: a scan is carried out but no vulnerability is detected.
- April 2017: Hackers take advantage of this breach (the security patch which was not applied on all the servers) and steal the precious data.
- July 31th, 2017: The ex CEO is informed of the information theft.
- September 8th, 2017: Official communication on the hacking.
How can the ISO 27001 certification and the establishment of an associated ISMS (Information Security Management System) help to prevent this kind of incident?
The ISO 27001 standard is the reference regarding validation and constant improvement of an ISMS. It relies on 114 control points which scan all the domains for the establishment of an ISMS, including the implementation of procedures and the platforms update processes.
That includes the implementation and regular control of the risks management process aiming to ensure the data security. The main purpose of this management system is to carry out the appropriate measures in order to reduce, even eliminate threats impact on users or customers.
The ISMS is a wheel of constant improvement and in the case of Equifax, the processes of control established and tracked with an ISMS could have eventually helped to prevent this kind of incident.
This case demonstrates again the obligation to rethink the security strategy within companies and to implement necessary protocols to ensure the discovery of possible security flaws and the corrective action to apply.