Privacy notice under the GDPR

 


A privacy notice is a public statement of how your organisation applies data protection principles to processing data. It should be a clear and concise document that is accessible by individuals.

Articles 12, 13 and 14 of the GDPR outline the requirements on giving privacy information to data subjects. These are more detailed and specific than in the UK Data Protection Act 1998 (DPA).

The GDPR says that the information you provide must be:

  • Concise, transparent, intelligible and easily accessible;
  • Written in clear and plain language, particularly if addressed to a child; and
  • Free of charge.

Help with creating a privacy notice template

The privacy notice should address the following to sufficiently inform the data subject:

  • Who is collecting the data?
  • What data is being collected?
  • What is the legal basis for processing the data?
  • Will the data be shared with any third parties?
  • How will the information be used?
  • How long will the data be stored for?
  • What rights does the data subject have?
  • How can the data subject raise a complaint?

Below is an example of a customisable privacy notice template, available from IT Governance here.

GDPR Privacy Notice Template - Example from the EU GDPR Documentation Toolkit

Example of the privacy notice template available to purchase from IT Governance

If you are looking for a complete set of GDPR templates to help with your compliance project, you may be interested in the market-leading EU GDPR Documentation Toolkit. This toolkit is designed and developed by expert GDPR practitioners, and has been used by thousands of organisations worldwide. It includes:

  • A complete set of easy-to-use and customisable documentation templates, which will save you time and money and ensure GDPR compliance;
  • Helpful dashboards and project tools to ensure complete GDPR coverage;
  • Direction and guidance from expert GDPR practitioners; and
  • Two licences for the GDPR Staff Awareness E-learning Course.


Leave a Comment

Why your organisation should consider outsourcing its DPO

Why your organisation should consider outsourcing its DPO

By Laura Downes

Since the EU’s GDPR (General Data Protection Regulation) came into effect in May 2018, demand for DPOs (data protection officers) has increased. The Regulation stipulates that certain organisations must appoint a DPO to support their GDPR compliance. DPOs also have an essential role as intermediaries between relevant stakeholders, such as supervisory authorities, data subjects, and business units within an organisation. 

Your organisation will need to appoint a DPO if it:  

  • Is a public authority or body; 
  • Regularly and systematically monitors data subjects; or 
  • Processes special categories of data on a large scale. 

The GDPR does not stipulate the level of experience a DPO must have, meaning some organisations might appoint an internal team member who does not have the experience or qualifications required, leaving them wide open to error.  

Why you should consider outsourcing your DPO 

Suitably skilled and experienced DPO candidates are hard to find. Outsourcing the role not only satisfies the requirements of the GDPR but also ensures your organisation is employing proper data handling and privacy policies. Furthermore, there is no conflict of interest between the DPO and other business activities. 

An external DPO can work for your organisation on a fixed-fee or a per-hour basis. Signing up to a DPO service also means you can rely on several experienced DPOs rather than just one, which means more hands on deck should you ever suffer a breach. 

DPO as a service (GDPR) 

IT Governance’s annual subscription DPO service offers you hands-on support from one of our qualified DPOs, who will serve as independent data protection expert to your organisation. Your appointed DPO will: 

Find out more >> 


Leave a Comment

PCI DSS policies address the weakest link – people

By Nick Calver @ITG

Drafting detailed data protection policies and documentation is vital for improving security for your customers, stakeholders and brand because it shows your understanding and commitment to the PCI DSS (Payment Card Industry Data Security Standard). From policy, to procedure, to configuration standard, a significant proportion of PCI DSS compliance begins with documentation.

Deploying security technologies can only go so far in protecting an organisation and helping maintain compliance.

Nearly 1 in 5 data breaches caused by human error

Verizon’s 2018 Data Breach Investigations Report identified that almost 1 in 5 data breaches (17%) were the result of human error.

Policies are needed to address the weak link in security – people. If your employees don’t know or understand what’s expected of them, they can put cardholder data at risk, regardless of the other security measures you have in place. Policies play an important role in securing data. They are the foundation for everything else as they provide direction and instruction, and assign responsibility.

What’s in a PCI policy set?

PCI DSS compliance requires that all merchants and service providers document the processes and procedures they put in place. These policies and procedures can then serve as a guide, following the 12 requirements of the PCI DSS, from which you and your QSA (Qualified Security Assessor) can work during your assessment.

The policies might address:

Information security: This details the organisation’s security strategy in relation to the storage, processing and transmission of credit card data. It provides a detailed outline of information security responsibilities for all staff, contractors, partners and third parties that access the CDE (cardholder data environment).

Formal security awareness: This identifies the organisation’s responsibilities when implementing a PCI security awareness training programme and is intended for anyone who has access to the CDE. Staff should take this program during their induction and repeat it at least annually or whenever there is a security incident.

Incident response: This is a set of instructions for detecting, responding to and limiting the effects of an information security event. Without a plan in place, organisations might not detect an attack or fail to follow proper protocol to contain it and recover.

Nothing here should surprise an experienced security professional. The policy requirements are basic information security best practices. Therefore, when structuring your PCI policy set we advise doing so alongside the development of your core information security policy.

PCI DSS Staff Awareness

Increase your employees’ knowledge of the Payment Card Industry Data Security Standard (PCI DSS) and how it affects your organization with the expertise at IT Governance USA Inc.

 


Leave a Comment

Equifax fined by ICO over data breach that hit Britons

Equifax

Credit rating agency Equifax is to be fined £500,000 by the Information Commissioner’s Office (ICO) after it failed to protect the personal data of 15 million Britons.

A 2017 cyber-attack exposed information belonging to 146 million people around the world, mostly in the US.

The compromised systems were also US-based.

But the ICO ruled Equifax’s UK branch had “failed to take appropriate steps” to protect UK citizens’ data.

It added that “multiple failures” meant personal information had been kept longer than necessary and left vulnerable.

Originally, Equifax reported that fewer than 400,000 Britons had had sensitive data exposed in the breach – but it later revealed that the number was nearly 700,000.

A further 14.5 million British records exposed would not have put people at risk, the company added last October.

The ICO, which joined forces with the Financial Conduct Authority to investigate the breach, found that it affected three distinct groups in the following ways:

  • 19,993 UK data subjects had names, dates of birth, telephone numbers and driving licence numbers exposed
  • 637,430 UK data subjects had names, dates of birth and telephone numbers exposed
  • Up to 15 million UK data subjects had names and dates of birth exposed

 

Guard let down

Equifax had also been warned about a critical vulnerability in its systems by the US Department of Homeland Security in March 2017, the ICO revealed.

And appropriate steps to fix the vulnerability were not taken, according to the ICO.

Because the breach happened before the launch of the EU’s General Data Protection Regulation (GDPR) in May this year, the investigation took place under the UK’s Data Protection Act 1998 instead.

And the fine of £500,000 is the highest possible under that law.

“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce,” said information commissioner Elizabeth Denham.

“This is compounded when the company is a global firm whose business relies on personal data.”

An Equifax spokesperson said the firm was “disappointed in the findings and the penalty”.

“As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.

“The criminal cyber-attack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.”

By BBC.com


Leave a Comment

CISOs and the Quest for Cybersecurity Metrics Fit for Business

By Kevin Townsend

Never-ending breaches, ever-increasing regulations, and the potential effect of brand damage on profits has made cybersecurity a mainstream board-level issue. It has never been more important for cybersecurity controls and processes to be in line with business
priorities.

Reporting Security Metrics to the Board

recent survey by security firm Varonis highlights that business and security are not fully aligned; and while security teams feel they are being heard, business leaders admit they aren’t listening.

The problem is well-known: security and business speak different languages. Since security is the poor relation of the two, the onus is absolutely on security to drive the conversation in business terms. When both sides are speaking the same language, aligning security controls with business priorities will be much easier.

Well-presented metrics are the common factor understood by both sides and could be used as the primary driver in this alignment. The reality, however, is this isn’t always happening

Using metrics to align Security and Business: Information security metrics

SecurityWeek spoke to several past and present CISOs to better understand the use of metrics to communicate with business leaders: why metrics are necessary; how they can be improved; what are the problems; and what is the prize?

Demolishing the Tower of Babel

“While some Board members may be aware of what firewalls are,” comments John Masserini: CISO at Millicom Telecommunications, “the vast majority have no understanding what IDS/IPS, SIEMs, Proxies, or any other solution you have actually do. They only care about the level of risk in the company.”

CISOs, on the other hand, understand risk but do not necessarily understand which parts of the business are at most risk at any time. Similarly, business leaders do not understand how changing cybersecurity threats impact specific business risks.

The initial onus is on the security lead to better understand the business side of the organization to be able to deliver meaningful risk management metrics that business leaders understand. This can be used to start the process for each side to learn more about the other. Business will begin to see how security reduces risk, and will begin to specify other areas that need more specific protection.

The key and most common difficulty is in finding and presenting the initial metrics to get the ball rolling. This is where the different ‘languages’ get in the way. “The IT department led by the CIO typically must maintain uptime for critical systems and support transformation initiatives that improve the technology used by the business to complete its mission,” explains Keyaan Williams, CEO at CLASS-LLC. “The Security department led by the CISO typically must maintain confidentiality, integrity, and availability of data and information stored, processed, or transmitted by the organization. These departments and these leaders tend to provide metrics that focus on their tactical duties rather than business drivers that concern the board/C-suite.”

Drew Koenig, consultant and host of the Security in Five podcast, sees the same basic problem. “In security there tends to be a focus on the technical metrics. Logins, blocked traffic, transaction counts, etc… but most do not map back to business objectives or are explained in a format business leaders can understand or care about. Good metrics need to be tied to dollars, business efficiency shown through time improvements, and able to show trending patterns of security effectiveness as it relates to the business. That’s the real challenge.”

Williams sees the problem emanating from a lack of basic business training in the academic curriculum that supports IT and security degrees. “The top management tool in 2017 was strategic planning,” he said. “Strategic planning is often listed as one of the top-five tools of business leaders. How many security leaders understand strategic planning and execution enough to ensure their metrics contribute to the strategic initiatives of the organization?”

It is not up to the business leaders to learn about security. “The downfall for many CISOs in the past is believing that business needs to understand security,” adds Candy Alexander, a virtual CISO and president-elect of ISSA. “That is a mistake, because security is our job. We need to better understand the business, so that we can articulate the impact of not applying appropriate safeguards. The key to this whole approach is for the CISO to understand the business, and to understand the mission and goals of the business.”

for more on this article: CISOs and the Quest for Cybersecurity Metrics Fit for Business

 

 


Leave a Comment

US lawmakers introduce bill to fight cybersecurity workforce shortage

Report claims US public and private sectors had over 300,000 cybersecurity-related job openings between April 2017 and March 2018.

By  for Zero Day

softwarearchitect.jpg

US lawmakers have introduced a bipartisan bill in the House of Representatives meant to address the cybersecurity workforce shortage crisis.

The bill, named the Cyber Ready Workforce Act (H.R.6791), would establish a grant program within the Department of Labor.

According to the bill’s proposed text, the Secretary of Labor will be able to award grants to workforce intermediaries to support the creation, implementation, and expansion of apprenticeship programs in cybersecurity.

These apprenticeship programs may include career counseling, mentorship, and assistance with transportation, housing, and child care costs.

The Cyber Ready Workforce Act is meant to address a growing problem in the US workforce landscape where companies, across all sectors, are having a hard time filling cybersecurity jobs with trained personnel.

According to a CompTIA report based on data from CyberSeek, a free cybersecurity career and workforce resource, there were 301,873 cybersecurity-related job openings in the private and public sectors between April 2017 and March 2018.

Also: Bill that would have the White House create a database of APT groups passes House vote

Congresswoman Jacky Rosen (Dem., NV-03) introduced the bill last week. The bill is based on the state of Nevada’s recently introduced cybersecurity apprenticeship program.

The bill was also co-sponsored by Congressman Seth Moulton (Dem., MA-06), Congresswoman Elise Stefanik (Rep., NY-21), and Congressman Dan Donovan (Rep., NY-11).

The bill, which doesn’t yet have mirroring legislation in the Senate, has also gained the support of trade and workforce organizations such as CompTIA and The Learning Center.

Cybersecurity threats will continue to present national security challenges for America in the 21st century,” said Congressman Dan Donovan. “With these threats and the changing economic and technological landscape, America needs a workforce that can adequately advance our cybersecurity defense priorities.”

“Investing in and expanding our cybersecurity workforce doesn’t only fuel our economy, it keeps us safe,” said Congressman Seth Moulton. “While I was fighting on the ground in Iraq, Al-Qaeda was fighting us on the internet — and they were beating us online! And while we focused on Russia’s military in 2016, they attacked us through the internet. This bill is an important first step towards making sure we don’t get ourselves into such a vulnerable position again.”


Leave a Comment

Download ISO27k standards

 

 

Download ISO27000 family of information security standards today!

• ISO27001 2013 ISMS Requirement (Download now)

• ISO27002 2013 Code of Practice for ISM (Download now)

ISO 27001 Do It Yourself Package (Download)

 

ISO 27001 Training Courses –  Browse the ISO 27001 training courses

ISO 27001 Training Courses


Leave a Comment

CISO’s Library

#CISO who is looking to build his/her personal library on managing risk for their organization.


Leave a Comment

4 bad things happening every minute on the Internet

4 bad things happening every minute on the Internet

Risk IQ’s Evil Internet Minute infographic tells you the bad things happening every minute on the Internet:

  • 5 successful ransomware attacks
  • 9 phishing attacks
  • 1,274 new malware variants
  • 5,518 records compromised

Any data you look at shows that the scale of ‘Internet evil’ increases every year. The economic impact of cyber crime now exceeds $1.1 million per minute. This is a major corporate risk, irrespective of organisational size, and cyber insurance is an inadequate response – insurers will not pay out where you have been negligent.

The EU’s GDPR (General Data Protection Regulation) makes the tests for negligence pretty clear: absence of accountability, insufficient corporate governance and countermeasures that do not adequately respond to the frequency and virulence of today’s attacks.

In an environment where four potentially vulnerable web components are discovered every minute, an annual penetration test is only slightly better than not bothering at all. We run penetration tests about once a month; you should be doing them at least quarterly. However, even if you do this, you need to recognise that purely technical responses have limited benefits. Staff are the weakest of your links, particularly as phishing and ransomware attacks get smarter every day. And your supply chain may increasingly be your attackers’ fastest route into what passes for your secure environment. Staff awareness training only every year or two would be desperately short-sighted.

We’re going to see more and more organisations reporting data breaches – it’s now an offence to not report one, and you can be punished with significant fines. The costs don’t stop there. After you report a breach, and undergo investigation, fines and reputational damage, you still have to spend the money to get secure. It therefore probably works out less expensive in the long run to make comprehensive cyber security investments before you are breached (assuming that you haven’t already been breached, and you just don’t know it yet).


Leave a Comment

NordVPN apps for iOS and macOS

Redesigned NordVPN apps for iOS and macOS are available now!

NordVPN team has been on a mission “Make the app UX go WOW” for a while. As they want users to have smooth and hassle-free NordVPN experience, rethinking our app navigation from the ground up felt like the right thing to do. Tweak after tweak, and today NordVPN’re more than excited to introduce the redesigned NordVPN apps for iOS and macOS! This a major design update, so let’s take a closer look.

NordVPN app for iOS goes 4.0. What’s inside?

Once you open the updated app, the view and navigation you will see is likely to remind you of a deck of cards. We organized our app this way to make it more thumb-friendly and clear for finding what you’re looking for.

Swipe up to browse servers

What can you do with a simple swipe-up? Great things, great things… From now on, by swiping up in the main map screen you’ll get one-tap access to:

  • Servers by country
  • Specialty servers
  • Search
  • Your favorites’ list

 

Anonymous VPN Service

NordVPN – The World’s most advanced VPN 

 


Leave a Comment

Secure File Sharing from any device

Easy Desktop Access to Cloud Files

Ditch Email Attachments. With your files in the cloud, you can easily share them with anyone — even if they’re outside your company firewall — with a simple link via email or straight from Box.

Keep Everybody on the Same Page. Easily share files and folders, and add, move or edit files while always having the latest file version on hand.

Preview Files Without Download. With Box, you can view 120+ types of files, including Word, Excel, PDF, AI, EPS, PSD, photos and more—without downloading a single file.

Easily Share Your Workspace. Right click any folder to share instantly or open on box.com and invite your team to view, edit and upload files, turning folders into collaborative workspaces.

Never Lose Files. A stolen laptop or hard drive crash doesn’t mean you lose your files. Safely store all of your work documents and projects in Box Drive.

 

Box enables secure file sharing and collaboration so you can get real work done with anyone, from any device.

 

  • Secure File Sharing. Easily and securely share files—even sensitive or confidential ones—without worry.
  • Hassle-Free File Sharing. Ditch email attachments! Share any file with a simple link or straight from Box, with anyone you want.



An Introduction to Box: The Modern Content Management Platform

Discover how Box can solve simple and complex challenges, from sharing and accessing files on mobile devices to sophisticated business processes like data governance and retention.


Leave a Comment

Nine Steps to Successful implementation

Achieving and maintaining accredited certification to ISO 27001 can be complicated, especially for those who are new to the Standard.

Aligned with the latest iteration of ISO 27001:2013, the North American edition of Nine Steps to Success – An ISO 27001 Implementation Overview is ideal for anyone tackling ISO 27001 for the first time.

In nine critical steps, the guide covers each element of the ISO 27001 project in simple, non-technical language.

Get step-by-step guidance on successful ISO 27001 implementation from an industry leader.

Implementation Overview, North American edition
This must-have guide from ISO 27001 expert Alan Calder helps you get to grips with the requirements of the Standard and make your ISO 27001 implementation project a success:

Details the key steps of an ISO 27001 project from inception to certification
Explains each element of the ISO 27001 project in simple, non-technical language
An ideal guide for anyone tackling ISO 27001 implementation for the first time
Buy before the end of August to save 10%

RRP:$34.99
Price: $31.49

 

 

 


Leave a Comment

(ISC) 2 CISSP Certified Information Systems Security Professional

(ISC) 2 CISSP Certified Information Systems Security Professional Official Study Guide 8th Edition

 

Get expert content and real-world practice with the new CISSP Study Guide, now available for purchase in paperback and kindle! Order yours today >> https://amzn.to/2KjxoSm

CISSP Study Guide –  fully updated for the 2018 CISSP Body of Knowledge

CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 8th Edition has been completely updated for the latest 2018 CISSP Body of Knowledge. This bestselling Sybex study guide covers 100% of all exam objectives. You’ll prepare for the exam smarter and faster with Sybex thanks to expert content, real-world examples, advice on passing each section of the exam, access to the Sybex online interactive learning environment, and much more. Reinforce what you’ve learned with key topic exam essentials and chapter review questions.

Along with the book, you also get access to Sybex’s superior online interactive learning environment that includes:

  • Six unique 150 question practice exams to help you identify where you need to study more. Get more than 90 percent of the answers correct, and you’re ready to take the certification exam.
  • More than 1400 Electronic Flashcards to reinforce your learning and give you last-minute test prep before the exam
  • A searchable glossary in PDF to give you instant access to the key terms you need to know for the exam

Coverage of all of the exam topics in the book means you’ll be ready for:

  • Security and Risk Management
  • Asset Security
  • Security Engineering
  • Communication and Network Security
  • Identity and Access Management
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

 


Leave a Comment

Nine Things That Are Poised To Impact Cybersecurity

Read Forbes Technology Council list nine things that can impact cybersecurity on Forbes :

From the Equifax breach this past September to the recent hack of MyFitnessPal data through Under Armour, the number of high-profile cyberattacks has continued to climb in recent months. Every company, regardless of size, must be prepared for the possibility that they may be the next victim.

Read the full article here.

Leave a Comment

What is ‘privacy by design’?

What is ‘privacy by design’?

Privacy by design is a voluntary approach to projects that promotes privacy and data protection compliance, and helps you comply with the Data Protection Act 1998 (DPA).

The Information Commissioner’s Office (ICO) encourages organisations to seriously consider privacy and data protection throughout a project lifecycle, including when:

  • Building new IT systems to store or access personal data;
  • Needing to comply to regulatory or contractual requirements;
  • Developing internal policies or strategies with privacy implications;
  • Collaborating with an external party that involves data sharing; or
  • Existing data is used for new purposes.

Privacy by design and the GDPR

The upcoming EU General Data Protection Regulation (GDPR) will supersede the DPA. Article 25 of the GDPR, “[d]ata protection by design and default”, requires you to “implement appropriate technical and organisational measures” throughout your data processing project. As such, data must be considered at the design stage of any project, during which you must process and store as little data as possible, for as short a time as possible.

Under the GDPR, you are required to document your data processing activities. One way to do this is to map your organisation’s data flows. This method also enables you to assess the risks in your data processing activities and identify where controls are required, for example, assessing privacy and data security risks.

Organisations need to be aware of the personal data that they are processing, and that this data is being processed in compliance with the law. Organisations can often process significantly more data than they realise, so it is vital that they perform mapping exercises to keep track of them all.

Data flow mapping may seem daunting, but you can simplify the process with the Data Flow Mapping Tool.

The tool gives you a thorough understanding of what personal data your organisation processes and why, where it is held and how it is transferred.

IT Governance free green paper ‘Conducting a data flow mapping exercise under the GDPR’ will help you understand how to effectively map your data in compliance with the GDPR.

Steps to GDPR Compliance


Leave a Comment

Six Essential Data Protection and Privacy Requirements Under GDPR

gdpr
By Leighton Johnson, CISA, CISM, CIFI, CISSP

With the advent of the European Union (EU) deadline for General Data Protection Regulation (GDPR) (EU 2016/679 regulation) coming up on 25 May 2018, many organizations are addressing their data gathering, protection and retention needs concerning the privacy of their data for EU citizens and residents. This regulation has many parts, as ISACA has described in many of its recent publications and events, but all of the efforts revolve around the protection and retention of the EU participants’ personal information. The 6 main areas for data protection defined in this regulation are:

  1. Data security controls need to be, by default, active at all times. Allowing security controls to be optional is not recommended or even suggested. “Always on” is the mantra for protection.
  2. These controls and the protection they provide must be embedded inside all applications. The GDPR view is that privacy is an essential part of functionality, the security of the system and its processing activities.
  3. Along with embedding the data protection controls in applications, the system must maintain data privacy across the entire processing effort for the affected data. This end-to-end need for protection includes collection efforts, retention requirements and even the new “right to be forgotten” requirement, wherein the customer has the right to request removal of their data from an organization’s storage.
  4. Complete data protection and privacy adds full-functional security and business requirements to any processing system in this framework for data privacy. It provides that business requirements and data protection requirements be equally important during the business process.
  5. The primary requirement for protection within the GDPR framework demands the security and privacy controls implemented are proactive rather than reactive. As its principal goal, the system needs to prevent issues, releases and successful attacks. The system is to keep privacy events from occurring in the first place.
  6. With all of these areas needed under GDPR, the most important point for organizations to understand about GDPR is transparency. The EU wants full disclosure of an organization’s efforts, documentation, reviews, assessments and results available for independent third-party review at any point. The goal is to ensure privacy managed by these companies is not dependent upon technology or business practices. It needs to be provable to outside parties and, therefore, acceptable. The EU has purposely placed some strong fine structures and responses into this regulation to ensure compliance.

Having reviewed various organizational efforts in preparation for GDPR implementation, it has been found that it is good practice to look at these 6 areas for all the collected and retained data, not just EU-based data. This zero-tolerance approach to data breaches is purposely designed to be stringent and strong. Good luck to all in meeting and maintaining the data privacy and security requirements of GDPR.

Steps to EU GDPR compliance

 


Leave a Comment

Pinpoint your current cyber security gaps

A comprehensive information security management system (as defined by the requirements contained in ISO 27001) details the steps required for the effective management of information security (and cyber security) risks.

An ISO 27001 gap analysis is a sensible starting point for assessing the gaps in your information security regime.

Even if you aren’t considering certification to ISO 27001, an in-person gap analysis against the requirements of a leading information security standard offers the following benefits:

 

  • A high-level review of the efficacy of your policies, procedures, processes and controls
  • Interviews with key managers
  • Assistance defining the scope of a proposed information security management system (ISMS)
  • A detailed compliance status report against the clauses and controls described in ISO 27001

 

Description

Our ISO27001 Gap Analysis will provide you with an informed assessment of:

  • Your compliance gaps against ISO 27001
  • The proposed scope of your information security management system (ISMS)
  • Your internal resource requirements; and
  • The potential timeline to achieve certification readiness.

 

What to expect:

An ISO 27001 specialist will interview key managers and perform an analysis of your existing information security arrangements and documentation.

Following this, you will receive a gap analysis report collating the findings of these investigations. The report will detail areas of compliance and areas requiring improvement, and provide further recommendations for the proposed ISO 27001 compliance project.

 

The report includes:

  • The overall state and maturity of your information security arrangements
  • The specific gaps between these arrangements and the requirements of ISO 27001
  • Options for the scope of an ISMS, and how they help to meet your business and strategic objectives
  • An outline action plan and indications of the level of internal management effort required to implement an ISO 27001 ISMS; and
  • A compliance status report (red/amber/green) against the management system clauses (clause-by-clause), as well as the information security controls (control-by-control) described in ISO 27001:2013.

 

Please contact us for further information or to speak to an infosec expert.


Leave a Comment

Top 5 Programming Languages In 2018

English: A selection of programming language t...

English: A selection of programming language textbooks on a shelf. Levels and colors adjusted in the GIMP. Français : Une étagère en bois de houx naturel lacqué : Prgrammé en java pour avoir l’AIR réel. Ainsi que quelques livres (Photo credit: Wikipedia)

Top 5 Programming Languages In 2018

Programming world is rising exponentially with every passing year. With over 600 unique programming languages. The main question which comes to everyone’s thought is which language is most appropriate given the current and future market needs.

Let’s see which programming languages are popular enough today to deserve your attention:

1. Java:
There is no doubt that Java is keeping its place as the most popular language from long time. It is still the most favored language for building the backends for modern applications.

2. Python:
One of the main reasons as to why python became so common is the tons of frameworks available for actually anything ranging from web applications to text mining.

3. JavaScript:
Every web browser supports JavaScript, it’s used by over 80% of developers and by 95% of all websites. With the ability of node.js, even the backend can also be developed using JavaScript.

4. C++:
This language is regularly used for application software, game development, drivers, client-server apps and embedded firmware. According to Coding Dojo, C++ continues in use in several legacy systems at large enterprises,

5. C#:
An object-oriented language from Microsoft designed to run on the .NET platform, This language is designed for use in developing software and it is also massively used in video game development.


Leave a Comment

From CIA to APT: An Introduction to Cyber Security


By Edward Amoroso

Most introductory books on cyber security are either too technical for popular readers, or too casual for professional ones. This book, in contrast, is intended to reside somewhere in the middle. That is, while concepts are explained in a friendly manner for any educated adult, the book also necessarily includes network diagrams with the obligatory references to clouds, servers, and packets.

But don’t let this scare you. Anyone with an ounce of determination can get through every page of this book, and will come out better informed, not only on cyber security, but also on computing, networking, and software. While it is true that college students will find the material particularly accessible, any adult with the desire to learn will find this book part of an exciting new journey.

A great irony is that the dizzying assortment of articles, posts, and books currently available on cyber security makes it difficult to navigate the topic. Furthermore, with so much information coming from writers with questionable backgrounds in cyber security, separating the wheat from the chaff has become an almost impossible task for most readers, experienced or otherwise.

This book is written specifically to address that problem. That is, we set out to create an accessible but technically accurate work on cyber security that would not insult the intelligence of our readers. We avoid the temptation to navigate away from the technical issues, choosing instead to steer toward the detailed concepts in the hopes that our readers will develop new understanding and insights.

The material here provides a technical grounding that is commensurate with what you might receive in a college course on the topic. If you are an engineer, developer, or student, then you are certainly in the right place. On the other hand, if you work in management, executive leadership, or some other non-technical role, then this is exactly the technical grounding in cyber that you’ve been looking for.

Anyone who has not been sleeping in a cave the past few years knows the consequences of misguided decision-making in cyber security. Business leaders colliding with this complex issue will find their intellectual property gone and their services blocked by hackers. Government and political leaders who misstep in this area will find their careers, programs, and campaigns ruined.

Consider this: Target, Home Depot, and Sony have seen massive attacks on their infrastructure, and most citizens, including our leaders, have no idea how or why this occurred. Similarly, we watched data leaks from the US Office of Personnel Management and the Democratic National Committee, and most people have only a vague sense of how such cyber attacks were accomplished.

Perhaps more disturbingly, decision-makers in our society have no idea how to reduce this risk. Because they typically have zero technical understanding, they are forced to suggest simple, trite measures they can understand like awareness, penalties, and compliance. Our approach here is to demonstrate that cyber security attacks are best avoided through improved technology and architecture.

Written from the perspective of the professional cyber security executive, long-time academic, and industry analyst (Edward Amoroso), and the graduate computer science student, software developer, and occasional hacker (Matthew Amoroso), this book provides a concise technical introduction to cyber security that keeps things as straightforward as possible, but without veering into silly analogies.

One brief warning to expert readers: At times, we have decided to take out our scissors and trim some of the more confusing details of a given cyber security issue. We’ve tried in these cases to smoothen the edges to make complex concepts more accessible, hopefully without changing the essence of the technology. This is a difficult task, we discovered, and we hope only fat was removed and never bone.

In the end, our hope is that this short book will help you become more technically equipped to navigate the mine fields of misleading and incorrect cyber security information found across the Internet and on television. It is our hope that you will be in a better position to make informed decisions about anything of consequence that might be affected by the growing potential for cyber attacks.

If you successfully complete this book, you will no longer have to shrug when asked about cyber security. Rather, you will be able to lean in and offer an informed opinion based on an introductory grounding in the fundamental aspects of cyber security technology. Our goal is to expand your understanding and make you a more informed and educated adult.

We are pleased that you’ll be spending time with our material. To not lose any momentum, proceed ahead and continue your reading right now with the first chapter on cyber threats.

This book is available for download today on Amazon.com!

 


Leave a Comment

4 reasons you should get a cyber security qualification

The dramatic rise in cyber attacks over the past few years has caught most businesses off guard. Their cyber security departments are severely understaffed, causing them to look desperately for qualified professionals to help tackle the threat.

There has never been a better time to get into cyber security, so if you’re looking to enter the field, or further your career in it, you could benefit massively from gaining a relevant qualification. Here are four reasons why:

  1. Cyber security professionals are well paid

Money isn’t everything when it comes to choosing your career, but it’s obviously a big factor for many people. We mentioned recently that people with a CISM®PCIor GDPR qualification could earn £60,000 or more a year.

Of these, the CISM (Certified Information Security Manager) qualification is the most versatile. It’s the globally accepted standard of achievement among information security, information systems audit and IT governance professionals.

According to ITJobsWatch, people with a CISM qualification earn £64,000 a year on average. This figure has grown by more than 9% in the past two years.

  1. There’s a high level of job security

The shortage of qualified cyber security professionals means that those in the field are less likely to be replaced or made redundant. Their skills are hard to find elsewhere, and the more someone gets to know the company, the more valuable they will become.

Additionally, because almost every organisation currently needs cyber security professionals, those with the relevant qualifications are more likely to find a position in a location or company that suits them.

  1. There’s room for career growth

For the same reason that cyber security is a safe career, it’s also one that offers plenty of room for growth. Qualifications plus experience is a powerful combination that can help you move into more senior positions.

As you gain experience, you’ll also get the opportunity to earn more advanced qualifications. For example, you must have at least three years’ experience in IT governance to be eligible for a Certified in Risk and Information Systems Control (CRISC) qualification, and five years’ experience to be eligible for a Certified in the Governance of Enterprise IT (CGEIT®) qualification.

  1. The work is rewarding

Cyber security is still a relatively young field, making it an exciting and prosperous place. The threats that organisations face are constantly evolving, so you’ll always have new challenges. Plus, you know that your hard work is for a good cause: to stop cyber criminals and keep your organisation safe.

What qualifications do I need?

The qualifications you need will depend on the career path you choose. If you’re interested in governance, risk management, and compliance, for instance, a CGEIT qualification is essential. If you’re interested in information security, you’ll need a CRISC qualification.

We’re currently running promotions on our CRISC, CGEIT, CISA and CISM training courses. If you book before 22 December, you’ll receive a 10% discount on the courses and a 5% discount on all reading materials.

Find out more about our:



Leave a Comment