The Cybersecurity Risk Assessment Tool

With over 10 years in the market and 2,500 global downloads, vsRisk™ has been helping organizations all over the world carry out successful risk assessments.
Risk assessment is the core competence of cyber security management. Every decision you make must be proportionate to the actual risk your organization faces. You must therefore assess risks on a structured asset-by-asset basis – and experience shows that a risk assessment tool that automates and simplifies this process saves time and money.
vsRisk is the definitive ISO27001:2005-compliant risk assessment tool which will help you become cybersecure.

vsRisk – The Definitive Cyber Security Risk Assessment Tool
The vsRisk Assessment Tool has been designed with the user in mind, to effectively identify, analyze and control actual information risks in line with business objectives. Key features of vsRisk include:
• Assessing key areas such as Groups, Assets and Owners
• Capturing your IS policy, objectives and ISMS scope
• In-built audit trail and comparative history
• Assessing attributes for Confidentiality, Integrity and Availability, in relation to Business, Legal and Contractual values
• Comprehensive reporting and gap analysis

Alan Calder, CEO of Vigilant Software, talks you through the risk assessment process using vsRisk
Watch the video now >>>

This unique risk assessment tool helps you get on top of the critical risk assessment phase of your ISMS project and, most importantly, sets you up for future risk assessments as well.
Join the professionals and order yours today >>>

vsRisk and Security Risk Assessment


Is ISO 27001 Worthwhile for Your Business?

ISO 27001 As A Business Tool
More than ever, information security is a key part of a business’ overall plan and objective set. ISO 27001 can help businesses bring their information security practices together and develop a strategy to raise awareness and vigilance throughout the business.

With ISO 27001, all of a business’ information security is brought together, meaning there is a far greater level of accountability across all levels of the organisation.

ISO 27001 is a highly worthwhile tool, a world leading information security management system which integrates compliance into an organisation’s everyday tasks.

Who Is Accountable For ISO 27001?
The short answer is everybody; however, there is more to it than that. ISO 27001 stands alone as an information security standard in that it places sole accountability on the business managers. Ultimately the buck stops with them, but it is up to them to spread responsibility and delegate as they see fit.

It is down to the business leaders to clearly identify which information security risks apply to their particular business and then take the necessary action to remove each risk entirely, or reduce it to a workable, acceptable level. It is the full responsibility of the managers to check that ISO 27001 standards are being met across the business and to maintain that compliance.

One aspect which makes ISO 27001 a highly worthwhile tool is that there is room for each business to implement the standard in a way that best suits it. This is far removed from previous “blanket” standards, which at times led businesses to put measures in place for scenarios that in reality would never apply to them.

ISO 27001 is only really worthwhile if a business and its leaders give the necessary level of time and dedication to achieving its aims. The ISO 27001 certificate is an acknowledgement that an information security management system exists; continuous work must be done to ensure that compliance standards are continually met and the business remains fully protected.

Strong Reputation
A business with an ISO 27001 certification will be highly reputable so long as the standards required are strongly upheld. A dedication to the protection of information, whether it be internal finances or customer details, is highly regarded throughout the world in an age where privacy is highly valued but not often respected.

ISO 27001 raises awareness throughout the business of information security risks, involves all employees throughout a company and therefore delivers a significantly lower level of overall risk.


Risk Assessment control selection and cost savings

In risk management, the risk treatment process begins after completion of a comprehensive risk assessment.
Once risks have been assessed, the risk manager uses the following techniques to manage them:

• Avoidance (eliminate)
• Reduction (mitigate)
• Transfer (outsource or insure)
• Retention (accept and budget)

Now the question is how to select an appropriate control to avoid or reduce risk. While selecting controls to mitigate or avoid risk, we need to consider compensating controls to cut cost and supplemental controls to increase protection for sensitive or classified assets.

A compensating control is a safeguard or countermeasure employed by an organization in lieu of a security control recommended by a standard such as ISO 27002 or NIST 800-53. A compensating control provides protection for the information system that is equivalent or comparable to the original control requirement from the standard. For example, most standards recommend separation of duties, but for a small operation it might be an unacceptable cost to separate the duties of system administration and system auditing. In that case the system owner can use compensating controls such as strengthened auditing and personnel security.

On the other hand, with a supplemental control the system owner may decide to go beyond the recommended control to achieve more protection for sensitive and classified assets. If the likelihood is high, or the magnitude of impact is high should a threat exploit a given vulnerability, you might want to consider a supplemental control because the overall risk is high. For example, you might want to use a defense-in-depth approach to safeguard your crown jewels.

Implementing and monitoring security controls can be expensive, and system owners are pressured by management to look for cost savings without any reduction in the organization's security posture. The system owner can either inherit common controls or segment the system's exposure to reduce cost and risk.
Common controls are security controls that have been implemented by another information system and that your system can use. Basically, you work with another system owner who has already implemented some of the security controls that your system needs. For example, use the corporate office baseline hardening configuration for Windows and Unix systems instead of developing your own. This will significantly reduce the cost of developing, testing and maintaining a secure baseline configuration.

The best and cheapest method of cost reduction is to segment the information system into multiple systems, which adds different layers and levels of security to each system. Basically, you put your crown jewels behind multiple layers of security: if one control breaks, there is another control in place to monitor and protect your assets. This allows the system owner to focus on implementing higher security controls for the segment holding the most sensitive or classified information instead of the entire system.


The world’s only cyber security standard

ISMS Requirements

Boardrooms are finally waking up to the importance of cyber security. In the digital age, winning new business, protecting your own assets and ensuring customer confidence are all dependent upon cyber security. And there is one international standard which can help you achieve all of this, ISO27001.

But what do you really know about the ISO27001 Standard?
ISO27001 is the international best practice standard for an information security management system (ISMS). An ISMS is a systematic approach to managing all your confidential and sensitive information so that it remains secure, maintaining its availability, confidentiality and integrity.
An ISMS encompasses people, processes and IT systems and ensures your security efforts are coherent, effective and proportionate. ISO27001 provides the requirements to help you design a best-in-class ISMS.

If you are new to ISO27001 you can read more information and download a free white paper on cyber security and ISO27001 here >>>

Download a copy of ISO 27001 ISMS Requirements


IT Governance helps SMEs protect themselves from cybercrime

Check out the ITG site for details

IT Governance Ltd, the global provider of cyber security management solutions, has announced a value-add offer in March. Organisations that buy the No3 ISO27001 Comprehensive Toolkit before the end of March will receive the Cybersecurity Self Assessment Tool free, making double savings on resource and time.

The No3 ISO27001 Comprehensive Toolkit contains highly practical books, document templates and a risk assessment tool, also providing a 100% return on investment. It helps organisations tackle cybersecurity issues quickly and efficiently, whilst considerably improving their cybersecurity defences.

The recent Symantec Threat Awareness Survey uncovered that over 50% of the 1,900 SMEs interviewed thought that they were immune to cybercrime because they were too small.

However, Symantec’s report found that since 2010, 40% of all attacks were on SMEs. Ross Walker, director of small business for Symantec UK, commented: “hackers are going after ‘low hanging fruits’; these are the companies who are less security aware and do not have the proper defences in place”.

Alan Calder, CEO of IT Governance, says “The best way to build robust and effective cyber defences is by implementing ISO27001, the world’s cybersecurity standard. An ISO27001-compliant Information Security Management System (ISMS) promotes customer confidence, helps vendors win new business and improves organisational efficiency”.

The easiest way to implement an ISO27001-compliant ISMS, especially for SMEs, is with the No 3 Comprehensive ISMS ISO27001 Toolkit. It provides organisations with all the tools they will need for the implementation of an information security management system (ISMS).

The No 3 Comprehensive ISMS ISO27001 Toolkit includes copies of the three key standards (ISO27001, ISO27002 and ISO27005), the Risk Assessment Tool (vsRisk™), the Documentation Template Toolkit and manuals that describe in practical detail how each aspect of the ISMS should be tackled.

One user of the Toolkit said: “Using the templates was the only way that we could deliver a first edition ISMS in under six months. Our deliverable was a work in progress, but miles ahead of where they would have been without the templates”.

Organisations that buy the No 3 Comprehensive ISMS ISO27001 Toolkit before the end of March will receive the Cybersecurity Self Assessment Tool free. It enables any organisation to quickly assess and demonstrate which areas of the organisation are up to scratch and where more attention is required.

Organisations can purchase the ISO27001 Comprehensive Toolkit here!


Risk Management and Business Life Cycle

  • Risk management is a business process, and all business decisions should follow a business development life cycle
  • Risk management is a management responsibility; it must be supported by senior management, and the concept of ownership of assets must be established
  • In pre-screening of critical assets, asset sensitivity must be established based on business, legal and contractual values for confidentiality, integrity and availability. This risk analysis process will determine which critical assets need to go through the risk assessment process
  • Organizations use risk assessment to determine what threats exist to a specific asset and the associated risk
  • The risk acceptance threshold will provide the organization with the information needed to select effective control measures or safeguards to lower the risks to an acceptable level
  • Risk is a function of the probability that an identified threat will occur and the impact that threat will have on the asset
  • Risk assessment should include the following primary steps:
    * Critical asset sensitivity (impact analysis) level, covering business, contractual and legal impact
    * Threats identified
    * Vulnerabilities related to the threats
    * Probability of occurrence that the specific threat will exploit the given vulnerability
    * Impact of the loss if the specific threat exploits the given vulnerability
    * Risk level identified
    * Control recommendations based on risk acceptance
    * Results documentation
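The steps above, and the four treatment options from the earlier "Risk Assessment control selection" post, can be carried out as a small asset-by-asset risk register. The following is an added worked example, not code from the page or from vsRisk: the three-point Low/Medium/High scale, the pre-screening threshold, the Low acceptance threshold, and the sample assets and threats are all constructed for illustration, since the posts name no particular scale or data. Asset sensitivity is the highest C/I/A rating across business, legal and contractual values; risk is probability × impact folded back onto the same scale; anything above the acceptance threshold is flagged for treatment (avoid, reduce or transfer), the rest is retained.

```python
from dataclasses import dataclass

# Three-point ordinal scale for sensitivity, probability and impact.
# Constructed for this example; the post names no particular scale.
LOW, MEDIUM, HIGH = 1, 2, 3
LABELS = {LOW: "Low", MEDIUM: "Medium", HIGH: "High"}

PROPERTIES = ("confidentiality", "integrity", "availability")
VALUE_BASES = ("business", "legal", "contractual")


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str            # ownership of assets must be established
    sensitivity: dict     # sensitivity[property][value basis] -> LOW..HIGH

    def sensitivity_level(self) -> int:
        """Critical asset sensitivity (impact analysis): the highest rating
        across C/I/A and business/legal/contractual values."""
        return max(self.sensitivity[p][b] for p in PROPERTIES for b in VALUE_BASES)


@dataclass(frozen=True)
class Threat:
    description: str
    vulnerability: str    # the weakness the threat would exploit
    probability: int      # likelihood that it does so, LOW..HIGH


def sensitivity(confidentiality=LOW, integrity=LOW, availability=LOW):
    """Build a C/I/A rating table. Each argument is a single level applied to all
    three value bases, or a (business, legal, contractual) triple."""
    table = {}
    for prop, rating in zip(PROPERTIES, (confidentiality, integrity, availability)):
        levels = rating if isinstance(rating, tuple) else (rating,) * 3
        table[prop] = dict(zip(VALUE_BASES, levels))
    return table


def prescreen(assets, minimum=MEDIUM):
    """Pre-screening: only assets rated at or above `minimum` go through the
    full risk assessment."""
    return [a for a in assets if a.sensitivity_level() >= minimum]


def risk_level(probability: int, impact: int) -> int:
    """Risk as a function of probability and impact. The 1..9 product is folded
    back onto the three-point scale: <3 Low, 3..5 Medium, >=6 High."""
    score = probability * impact
    if score >= 6:
        return HIGH
    if score >= 3:
        return MEDIUM
    return LOW


def assess(asset: Asset, threat: Threat, acceptance_threshold: int = LOW) -> dict:
    """One row of the risk register. Impact comes from the asset's sensitivity,
    probability from the threat; the treatment follows from comparing the risk
    level with the organisation's acceptance threshold."""
    impact = asset.sensitivity_level()
    level = risk_level(threat.probability, impact)
    if level <= acceptance_threshold:
        treatment = "Retention (accept and budget)"
    else:
        treatment = "Treat: avoid, reduce or transfer (control required)"
    return {"asset": asset.name, "owner": asset.owner, "threat": threat.description,
            "vulnerability": threat.vulnerability, "probability": LABELS[threat.probability],
            "impact": LABELS[impact], "risk": LABELS[level], "treatment": treatment}


# Constructed sample data (not from the page).
SAMPLE_ASSETS = [
    Asset("Customer database", "Head of Sales",
          sensitivity(confidentiality=(MEDIUM, HIGH, HIGH), integrity=MEDIUM, availability=MEDIUM)),
    Asset("Public website", "Marketing Manager", sensitivity(integrity=MEDIUM, availability=MEDIUM)),
    Asset("Brochure archive", "Marketing Manager", sensitivity()),   # all Low: screened out
]
SAMPLE_THREATS = {
    "Customer database": [
        Threat("Unauthorised disclosure of customer records",
               "Database reachable from the whole office LAN without access control", MEDIUM),
        Threat("Loss of the database through hardware failure", "No tested backup", LOW),
    ],
    "Public website": [Threat("Website defacement", "CMS not kept patched", HIGH)],
}


def build_register(assets=SAMPLE_ASSETS, threats=SAMPLE_THREATS, acceptance_threshold=LOW):
    """Results documentation: one row per (screened-in asset, threat) pair."""
    return [assess(asset, threat, acceptance_threshold)
            for asset in prescreen(assets)
            for threat in threats.get(asset.name, [])]


if __name__ == "__main__":
    for row in build_register():
        print(f"{row['asset']:<18} {row['threat']:<48} P={row['probability']:<6} "
              f"I={row['impact']:<6} Risk={row['risk']:<6} -> {row['treatment']}")
```

With the sample data the brochure archive never enters the register, both customer-database risks and the website defacement exceed the Low acceptance threshold and are flagged for treatment, and raising the threshold to Medium would move the hardware-failure risk into retention; the choice among avoid, reduce and transfer is left to the risk manager, as the earlier post describes.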

How to Complete a Risk Assessment in 5 Days or Less


Security Controls and Principles

For security controls to be effective, apply the pillars of information security:

    – Principle of least privilege
    – Separation of duties
    – Economy of mechanism
    – Complete mediation
    – Open design

  • Least privilege is the need-to-know principle, or default deny: essentially, don’t permit more than is required to meet the business requirement, so as to avoid extra risk
  • For separation of duties, we don’t want to give any individual so much control that they become a security risk without proper checks and balances in place
  • The principle of economy of mechanism basically says that the more complexity we introduce into a security system, the more potential for failure we create
  • Complete mediation says that a control cannot be bypassed – no unofficial back doors
  • Open design – the security of the system must not be based on the obscurity of the mechanism
  • Information Security: Principles and Practice
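The five principles listed above are easiest to see in a small piece of access-control code. The following is an added example, not code from the page or from the cited book: a reference monitor that every payment operation must pass through (complete mediation), a grants table that only ever permits and so denies by default (least privilege), a rule that the creator of a payment may not approve it (separation of duties), a policy small enough to read in one screen (economy of mechanism) and expressed as plain data rather than hidden logic (open design). The roles, grants, users and payment identifiers are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample policy: role -> set of permitted (action, resource).
# The table only grants; anything not listed is denied (least privilege / default deny).
GRANTS = {
    "clerk":           {("read", "ledger"), ("create", "payment")},
    "approver":        {("read", "ledger"), ("approve", "payment")},
    "finance_manager": {("read", "ledger"), ("create", "payment"), ("approve", "payment")},
    "auditor":         {("read", "ledger"), ("read", "audit_log")},
}


@dataclass
class Payment:
    payment_id: str
    created_by: str
    approved_by: Optional[str] = None


class ReferenceMonitor:
    """The single decision point every request passes through (complete mediation).
    The whole policy is the GRANTS table plus one separation-of-duties rule (economy
    of mechanism), and both are ordinary data anyone may inspect (open design)."""

    def __init__(self, grants, roles):
        self.grants = grants
        self.roles = roles          # user -> role
        self.audit_log = []         # every decision, permitted or refused, is recorded

    def authorize(self, user, action, resource, record: Optional[Payment] = None) -> bool:
        role = self.roles.get(user)
        allowed = role is not None and (action, resource) in self.grants.get(role, set())
        reason = "granted" if allowed else "no matching grant (default deny)"
        # Separation of duties: nobody approves a payment they created, even if their
        # role holds both grants.
        if allowed and action == "approve" and record is not None and record.created_by == user:
            allowed, reason = False, "separation of duties: creator may not approve own payment"
        self.audit_log.append((user, action, resource, reason))
        return allowed


class PaymentService:
    """Business operations. Each one consults the monitor first; there is no other path
    to the payment store, so the control cannot be bypassed."""

    def __init__(self, monitor: ReferenceMonitor):
        self.monitor = monitor
        self.payments = {}

    def create(self, user, payment_id) -> Payment:
        if not self.monitor.authorize(user, "create", "payment"):
            raise PermissionError(f"{user} may not create payments")
        self.payments[payment_id] = Payment(payment_id, created_by=user)
        return self.payments[payment_id]

    def approve(self, user, payment_id) -> Payment:
        payment = self.payments[payment_id]
        if not self.monitor.authorize(user, "approve", "payment", record=payment):
            raise PermissionError(f"{user} may not approve {payment_id}")
        payment.approved_by = user
        return payment


def _attempt(operation) -> bool:
    """True if the monitor permitted the operation, False if it refused."""
    try:
        operation()
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Exercise each principle against constructed users and return the outcomes."""
    roles = {"alice": "clerk", "bob": "approver", "carol": "finance_manager", "dave": "auditor"}
    monitor = ReferenceMonitor(GRANTS, roles)
    service = PaymentService(monitor)
    outcomes = {
        "clerk_creates_payment":           _attempt(lambda: service.create("alice", "P-1")),
        "auditor_creates_payment":         _attempt(lambda: service.create("dave", "P-2")),
        "unknown_user_reads_ledger":       monitor.authorize("mallory", "read", "ledger"),
        "approver_approves_clerk_payment": _attempt(lambda: service.approve("bob", "P-1")),
        "manager_creates_payment":         _attempt(lambda: service.create("carol", "P-3")),
        "manager_approves_own_payment":    _attempt(lambda: service.approve("carol", "P-3")),
        "other_approves_manager_payment":  _attempt(lambda: service.approve("bob", "P-3")),
    }
    outcomes["decisions_logged"] = len(monitor.audit_log)
    return outcomes


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:<34} {outcome}")
```

The auditor's create attempt and the unknown user's read both fail because no grant matches, not because a rule names them; the finance manager holds the approve grant yet is still refused on a payment she created; and the audit log holds one entry per decision, including the refusals, which is what an auditor would review.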


What makes a good Information Security Policy?

Good policies should have five distinct attributes to become successful and reasonably acceptable organization-wide.

Specific: A policy must address a specific issue or objective clearly and thoroughly.

Measurable: To be effective, a policy must have some means of measuring adherence to the control. If people are not adhering to the policy, then we may need better controls or perhaps a better training program.

Achievable: To follow the policy, employees must have enough resources, tools and training to make the policy objectives achievable.

Realistic: How realistically can we expect the policy to be followed while employees are still able to achieve their business objectives without any issues? This is where there is a need to balance security and availability. The question we need to ask is how much should we lock it down or free it up?

Time Based: Specify when the policy takes effect, when reviews will occur and when conformance becomes required.

To remember these five attributes, here is an acronym: “SMART”

Writing Information Security Policies


21st Century Chinese Cyberwarfare

The UK’s 2010 National Security Strategy identified cyberattacks as one of the four highest-priority risks faced by the UK. President Obama has declared cybersecurity one of the most serious economic and national security challenges the US faces as a nation.

There is an Advanced Persistent Threat (APT) posed by organised crime and state-level entities, targeting large multi-national corporations and foreign governments. Organisations of all sizes can suffer collateral damage. China has been regularly identified in the press as a major player in modern cyberwar activities but, until now, little has been written to describe the depth and severity of this threat.

21st Century Chinese Cyberwarfare, from IT Governance Publishing, is a comprehensive and in-depth review of the Chinese role in cyberwarfare. Drawing on a combination of cultural, historical, business, linguistic and personal experience, the book attempts to explain China to the uninitiated. It describes how the combination of Chinese Communism and the unique cultural and linguistic heritage of the People’s Republic of China are driving Chinese cyber activity.

The author, Lieutenant Colonel (Ret’d) William Hagestad II, is an internationally recognised subject matter expert on the Chinese People’s Liberation Army and Government Information Warfare. He advises international intelligence organisations and multi-national commercial enterprises with regard to their internal IT security governance and external security policies, making him the ideal person to write this book.

21st Century Chinese Cyberwarfare is the first book to gather the salient information regarding the use of cyberwarfare doctrine by the People’s Republic of China, highlighting the increasing threat it poses to the western world and the fact that Chinese cyberwarfare is a clear and present danger that can no longer be ignored. The book should be read by many, from individuals through to governmental departments, with everyone finding benefit in it.

William Hagestad II adds, “My intent with this book was to introduce my readers to the Chinese culture, history and language through the lens of the People’s Liberation Army (PLA) information security & cyber warfare initiatives as a basis for economic, political and military hegemony by the Chinese Communist Party.”

Alan Calder, CEO of IT Governance, comments, “This book provides a fascinating and comprehensive study of the evolution and current nature of the Chinese approach to war ‘by other means’, conducted in what the Chinese see as the fifth sphere of war: cyberspace. ‘Know your enemy’ is a good starting point for any defence strategist and this book is an outstanding contribution to a better understanding of cyber security challenges that should be read by information security professionals the world over.”

21st Century Chinese Cyberwarfare can be purchased in local currency from the ITG website

Related story

NATO Drafting Cyber Warfare International Law Manual


50 Top IT Project Management Challenges

A summary of the challenges facing today’s IT project manager
Discussions on project management forums highlight many of the challenges facing a project manager during the course of a project. Unclear requirements, scope creep and undefined roles are well-trodden issues that can derail a project. Other challenges are less obvious, often more subtle, but equally destructive.

Facing up to the challenges
This book offers a focused and concise summary of 50 challenges facing today’s IT project manager. The authors draw on years of practical experience (rather than classroom theory) to outline these challenges and offer useful tips and advice on how to deal with them.

Challenge and response
Readers of this book will be better equipped to respond to key project management challenges, including:

• Building the team – getting the right resources, matching skills/knowledge, defining roles and responsibilities.
• Project scope – clarifying assumptions, avoiding ambiguity, getting the time/cost estimates right.
• Politics – communicating with management and stakeholders, dealing with conflict, handling interference and micro-managing.
• Risk awareness – identifying inside/outside influences, recognising inbound and outbound dependencies.
• Time management – using the right planning tools, balancing work versus meetings.
• Failure – handling the blame game, protecting the team, rescuing the project.

This book condenses into a handy summary much of the information and advice that can be found in project management related books and discussion forums. It is an ideal reference for anyone involved in IT project management, from professional service organisations (PSO) and project management offices (PMO), through to active project managers and studying graduates.

Buy this book and deliver your next project on time, on budget and to specification!

About the authors

Premanand Doraiswamy has over 14 years’ experience working in IT project management with Fortune 500 companies in various industries and is the author of IT Project Management – 30 Steps to Success, also published by IT Governance.

Premi Shiv is a quality assurance specialist with 7 years’ experience in IT processes and management solutions. With an optimistic approach and organisational skills, she has carved a niche in quality assurance.
