Jun 19 2015

Cyber Resilience Best Practices

Category: Cyber Insurance,cyber security,CybercrimeDISC @ 11:07 am
Cyber Resilience

Cyber Resilience

RESILIA™ Cyber Resilience Best Practices

AXELOS’s new guide RESILIA™ Cyber Resilience Best Practices provides a methodology for detecting and recovering from cyber security incidents using the ITIL lifecycle

RESILIA™ Cyber Resilience Best Practices

Best guide on Cyber Resilience on the web – Cyber Resilience Best Practices
is part of the AXELOS RESILIA™ portfolio.

RESILIA™ Cyber Resilience Best Practices is aimed at anyone that is responsible for staff or processes that contribute to the cyber resilience of the organization.

The methodology outlined in this manual has been designed to complement existing policies and frameworks, helping create a benchmark for cyber resilience knowledge and skills.

  • Designed to help organizations better prepare themselves to deal with the increasing range and complexity of cyber threats.
  • Provides a management approach to assist organizations with their compliance needs, complementing new and existing policies and frameworks.
  • Developed by experts in hands-on cyber resilience and systems management, working closely with subject and technology experts in cyber security assessment.
  • Supports the best-practice training and certification that is available to help organizations educate their staff by providing a defined benchmark for cyber resilience knowledge and skills.
  • Aligned with ITIL®, which is the most widely accepted service management framework. The best practice is equally suitable for organizations to adopt within other systems, such as COBIT® and organization-specific frameworks.

 

Target market

 

  • Managers who are responsible for staff and processes where cyber resilience practices are required – for example those processing payment card information, sensitive commercial data or customer communications.
  • IT service management teams, IT development and security teams, cyber teams and relevant team leaders that operate the information systems that the organization relies on.
  • IT designers and architects, those responsible for the design of the information systems and the controls that provide resilience.
  • The chief information security officer (CISO), the chief security officer (CSO), IT director, head of IT and IT managers.

 

Buy this guide and gain practical guidance on assessing, deploying and managing cyber resilience within business operations.
RESILIA™ Cyber Resilience Best Practices


Tags: Chief Information Security Officer, CISO, Computer security, CSO, cyber crime, Cyber Defence, Cyber Insurance, Cyber protection, Cyber Resilience, cyber security, Cyber Security countermeasures, Cyber Security Safeguards, cyber threats, data security, Information Security, Information Technology Infrastructure Library, ISO, iso 27001, iso 27002


Aug 22 2014

Do it yourself solution for ISO27001 implementation

Category: ISO 27kDISC @ 3:16 pm

DoItYourself

ISO 27001 Do It Yourself Package

This is the do-it-yourself solution for ISO27001 implementation

Cyber crime is increasing exponentially, and this trend will continue as more business activities move online and more consumers connect to the Internet. ISO/IEC 27001 is the only international information security management Standard that can help your organization protect its critical data assets, comply with legislation and regulations, and thrive as customer confidence in its data security practices increases.

This package is aimed at organisations that have substantial management system expertise (with ISO9001, or ISO20000, for instance) and an understanding of information security management, as well as the necessary available internal resources and a corporate culture of keeping overall external costs down by following a do-it-yourself approach to project management.

 

This package does not include certification fees which are paid directly to the certification body.

 

The ISO 27001 do-it-yourself package contains:

  • The ISO 27001:2013 Standard, which details the requirements against which you will be audited.
  • The ISO 27002:2013 Standard, which is the code of practice that provides supports for the implementation of information security controls for ISO27001.
  • The ISO 27000:2014 Standard, which contains the terms and definitions referenced in ISO27001.
  • IT Governance – An International Guide to Data Security and ISO27001/ISO27002, which details how to design, implement and deliver an Information Security Management System (ISMS) that complies with ISO27001.
  • Nine Steps to Success – An ISO 27001 Implementation Overview, which outlines the nine critical steps that mean the difference between ISO27001 project success and failure.

The standards set out the requirements for best-practice information security management. The implementation manuals provide you with detailed implementation advice based on practical experience, which you can access in your own time and at your own pace.

Based on your needs, you may also need: ISO27001-2013 Gap Analysis Tool

Tags: Corporate governance of information technology, data security, Information Security, Information Security Management System, International Organization for Standardization, isms, ISO/IEC 27001, Risk Assessment


May 10 2014

Information Security and ISO 27001-2013

Category: ISO 27kDISC @ 9:38 pm

ISO270012013

The perfect introduction to the principles of information security management and ISO27001:2013

Most organizations implementing an information security management regime opt for systems based on the international standard, ISO/IEC 27001. This approach ensures that the systems they put in place are effective, reliable and auditable.

Up to date with the latest version of the Standard (ISO27001:2013), An Introduction to information security and ISO27001:2013 is the perfect solution for anyone wanting an accurate, fast, easy-to-read primer on information security from an acknowledged expert on ISO27001.

This pocket guide will help you to:

Make informed decisions

    By providing a clear, concise overview of the subject this guide enables the key people in your organization to make better decisions before embarking on an information security project.

Ensure everyone is up to speed

    Once you have decided to implement an information security project, you can use this guide to give the non-specialists on the project board and in the project team a clearer understanding of what the project involves.

Raise awareness among staff

    An Information Security Management System (ISMS) will make demands of the overall corporate culture within your organization. You need to make sure your people know what is at stake with regard to information security, so that they understand what is expected of them.

Enhance your competitiveness

    Your customers need to know that the information you hold about them is managed and protected appropriately. And to retain your competitive edge, you will want the identity of your suppliers and the products you are currently developing to stay under wraps. With an effective knowledge management strategy, you can preserve smooth customer relations and protect your trade secrets.

Download this pocket guide and learn how you can keep your information assets secure.

 

 

Tags: Information Security, Information Security Management System, isms, ISO/IEC 27001, Policy


Mar 14 2014

Hacking Point of Sale

Category: cyber security,data securityDISC @ 9:28 am

Hacking Point of Sale

A hands-on guide to achieve better security at point of sale

Hacking Point of Sale – A must-have guide for those responsible for securing payment card transactions. Hacking Point of Sale is a book that tackles the issue of payment card data theft head on. It covers issues from how attacks are structured to the structure of magnetic strips to point-to-point encryption, and much more.

Packed with practical recommendations, it goes beyond covering PCI DSS compliance to offer real-world solutions on how to achieve better security at point of sale.

Hacking Point of Sale…

•A unique book on credit and debit card security, with an emphasis on point-to-point encryption of payment transactions (P2PE) from standards to design to application
•Explores most of the major groups of security standards applicable to point of sale, including PCI, FIPS, ANSI, EMV, and ISO
•Details how protected areas are hacked and how hackers notice vulnerabilities.
•Highlights ways of defending against attack, such as introducing cryptography to payment applications and hardening application code

An essential guide for security professionals that are charged with addressing security issues with point of sale systems.

Tags: debit card, Information Security, Payment card industry, Payment Card Industry Data Security Standard, Point of sale


Aug 07 2013

vsRisk – The Cyber Security Risk Assessment Tool

Category: ISO 27k,Security Risk AssessmentDISC @ 9:09 am

vsRisk – The Cyber Security Risk Assessment Tool

httpv://www.youtube.com/watch?v=M8acvay4FmU

It is extremely difficult to carry out a risk assessment that will meet the requirements of ISO27001 without using a specialist information security risk assessment tool. While there are a wide range of products on the market that claim to meet these requirements, the reality is that there are very few.

There’s just one risk assessment tool that IT Governance recommends; the vsRisk™ v1.7 – the Cybersecurity Risk Assessment Tool.

It’s so straightforward, and so quick to use, it can save you a significant amount of the budget you might otherwise spend on consultancy advice at this stage of the project.

5 reasons why vsRisk is the definitive risk assessment tool:

  • This tool automates and delivers an ISO/IEC 27001-compliant risk assessment
  • Can uniquely assess confidentiality, integrity & availability (CIA) for each of business, legal and contractual aspects of information assets – as required by ISO27001
  • Gives comprehensive best-practice alignment
  • It’s easy and straight-forward to use
  • Cost-effective route to assessing risks within your business

Download the definite risk assessment tool >>

 

Tags: Information Security, Information Security Management System, ISO/IEC 27001, Policy, Risk Assessment, Risk management, Security, Standards


Jul 22 2013

Your employees aren’t the only threat to InfoSec and Compliance

Category: cyber security,Information SecurityDISC @ 1:18 pm
Information security

Information security (Photo credit: Wikipedia)

July 22nd, 2013 by Lewis Morgan 

I overheard a conversation the other day, one which left me so stunned that I’ve decided to write about it….

Two men having dinner behind me (I got the impression they were both directors) were discussing the £200k fine the NHS received for losing patient data. Eventually, the conversation turned into a discussion about information security as a whole. I won’t go into all the details but one of them said, “We don’t particularly focus on cyber security, it’s always large organisations which are in the news about getting hacked and being a small company, we’re not under threat”. It bothered me (probably more than it should have) that someone in control of an organisation has that attitude to cyber security. If an organisation of 5 employees was hacked, the same day as, let’s say DELL, were hacked – who’d make it into the news? DELL would, why? Because it’s likely to be more of an interest to the readers/listeners and will have a bigger impact on the public compared to that of the smaller organisation.

I never see stories in the news of someone being hit by a bus in my local town, but it doesn’t mean I’ll walk in front of one holding a sign saying ‘hit me’. That’s effectively what this director is doing, turning a blind eye to a large threat just because he’s not seen an example of a small organisation being hacked – chances are he doesn’t even read the publications which cover those stories.

Ignorance

It’s a strong word, isn’t it? Personally I hate calling people ignorant, I’d rather use a more constructive word such as ‘unaware’, but I feel that using the word ignorance will raise some eyebrows.

As a director of a company, your aim is to maximise revenue, minimise costs and anything in between.

You need a future for your organisation; this is usually done by investing in your marketing efforts, improving your products/services and providing the best customer service possible. But what do you do to actually secure a future? It’s all good and well having a 5 year plan which see’s 400% growth in revenue, but how do you make sure that your organisation will even exist in 5 years?

2 years into your plan and you’re hitting your targets – but you’ve just discovered that there’s been a data breach and your customers credit card details have been sold online.

Your plans have now become redundant; they are depending on how prepared you are to handle the situation, so are your staff. The cost of recovering from a data breach for a small organisation is between £35 – 65K (and that’s not including fines). Can your organisation afford that? Probably not, but you could have afforded the costs which would have prevented this breach in the first place.

Let’s say that the breach happened because a new member of staff was unaware that they shouldn’t open emails in the spam folder. An email was opened, malicious software was installed and login credentials were stolen. You could have trained that member of staff on basic information security in under an hour, for £45. But instead, you chose to ignore your IT Manager who’s been raising spam issues at each monthly meeting but all you chose to hear is “we’ve not been hacked” and “invest” which is enough for you to move on.

What your IT Manager is really telling you is “We’ve recently been receiving a large amount of emails into our spam filter, and some are getting through. I think we need to invest in a more advanced spam filter, and perhaps train some of the staff on which emails to avoid. A virus from an email could lead to a hack, it’s not happened yet but there’s a chance it will.”

Forget blaming the IT Manager or the new member of staff when that breach happens, it comes down to you and your:

Inability to perceive cyber threats

Grey areas in appropriate knowledge

Naivety

Overhead cost restrictions

Refusal to listen to something you don’t understand

Absent mindedness

No interest in the customer’s best interests

Careless decisions

Eventual disaster

 

Cyber security threats are real, so why are you ignoring them?

To save money? Tell that to a judge

Introduction to Hacking & Crimeware

You don’t understand the threats? Read this book

 

Tags: Computer security, data breach, Email spam, hackers, Information Security, Malware


May 20 2013

A Guide to Data Security and ISO27001/ISO27002

Category: ISO 27kDISC @ 1:39 pm

ITGovernance

IT Governance 5: An International Guide to Data Security and ISO27001/ISO27002

This manual provides clear, unique guidance for both technical and non-technical managers. It details how to design, implement and deliver an ISMS that complies with ISO 27001.

Now in its fifth edition, this title has been fully updated to take account of the latest regulatory and technological developments, and the International Board for IT Governance Qualifications

 

Tags: Corporate governance of information technology, Information Security, Information Security Management System, ISO, ISO/IEC 27001, Risk Assessment


Apr 23 2013

Cyber Security and Risk Assessment

Category: cyber security,Security Risk AssessmentDISC @ 9:19 am

Cyber security is the protection of systems, networks and data in cyber space.

If your system is connected on the internet, you should know and uderstand the risks of cyber space to take appropriate countermeasures.

To understand the risks of cyber security,The first place is to begin with is a risk assessment. By completing a risk assessment you can understand what the risks, threats and vulnerabilities of your networks, systems and data really are and begin to comprehend how to reduce and handle them. The authors of The Information Security Risk Assessment Toolkit provides handy step-by-step guidance on how to undertake a risk assessment. As we said Security Risk Assessment is an important first to assess risks but the second step of mitigating those risks in timely manner is crucial to protect your information assets.

Once you understand what the risks of your business are, you can then decide on how to mitigate those risks based on your organization risk acceptance.

Tools and techniques which work in mitigating cyber risks

The UK’s Cyber-security Framework for Business (published by the Department for Business, Innovation and Skills) is a 10-step framework to stop around 80% of today’s cyber-attacks
1. Board-led Information Risk Management Regime
2. Secure Home and Mobile Working
3. User Education and Awareness
4. User privilege management
5. Removable media controls
6. Activity monitoring
7. Secure Configurations
8. Malware protection
9. Network security
10. Incident Management

Build the resilience in your information security management system (ISMS) to cope with the other 20% of the risk.

The authors of Hacking 7 Exposed cover the latest methods used by third-parties to (logical/physical) access to information assets. They then detail how you can protect your systems, networks and data from unauthorised access.

Cybersecurity standards are an important element in building a strong, resilient information and communications infrastructure. ISO/IEC 27001 is the most significant international best practice standard available to any organisation that wants an intelligently organised and structured framework for tackling its cyber risks

Tags: Computer security, cyberwarfare, Information Security, Information Security Management System, Risk Assessment, Risk management


Mar 06 2013

Your Cyber Security Project

Category: cyber securityDISC @ 12:04 pm

by James Warren

Internet technologies have revolutionised the way that business is conducted but these innovations expose your business to various cyber security risks.

Inadequate security can lead to the theft of customer data and, in the event of technological failure or a cyberattack, your business could lose its ability to function altogether. An effective risk management strategy is, therefore, vital to your company’s survival.

Cyber Security Risks for Business Professionals: A Management Guide Cyber Risks for Business Professionals: A Management Guide 

A general guide to the origins of cyber security risks and to developing suitable strategies for their management. It provides a breakdown of the main risks involved and shows you how to manage them.

Cybersecurity standards are an important element in building a strong, resilient information and communications infrastructure. ISO/IEC 27001 is the most significant international best practice standard available to any organisation that wants an intelligently organised and structured framework for tackling its cyber risks. As the leading provider of cyber security products and services, ITG can help you with any aspect of your project:

Cyber Security Risks for Business Professionals: A Management Guide  >> ITG | eBay | Amazon

Tags: Computer security, cyber security, Information Security, ISO/IEC 27001, Risk management


Feb 25 2013

PENETRATION TESTING & ISO27001

Category: ISO 27k,Pen TestDISC @ 10:38 pm

penetration testing

Penetration testing (often called “pen testing” or “security testing”) establishes whether or not the security in place to protect a network or application against external threats is adequate and functioning correctly. It is an essential component of most ISO27001 and UK public sector contracts.

Why would my company need penetration testing services?

In a world where attacks on networks and applications are growing in number at an exponential rate, and the penalties incurred by organisations for failing to defend against such attacks are becoming ever steeper, effective penetration testing is the only way of establishing that your networks and applications are truly secure. Penetration testing is also an essential component in any ISO27001 ISMS – from initial development through to on-going maintenance and continual improvement.

How does penetration testing fit into my ISO27001 ISMS project?

There are three specific points in your ISMS project at which penetration testing has a significant contribution to make:

1. As part of the risk assessment process: uncovering vulnerabilities in any Internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats.

2. As part of the Risk Treatment Plan ensuring controls that are implemented do actually work as designed.

3. As part of the on-going corrective action/preventive action (CAPA) and continual improvement processes; ensuring that controls continue to work as required and that new and emerging threats and vulnerabilities are identified and dealt with.

The Basics of Hacking and Penetration Testing
This guide will show you how to undertake a penetration test or as it is sometimes known an ethical hack. This book focuses on how to hack one particular target, this allows you to see how the tools and phases of the pen test relate. to get your copy of The Basics of Hacking and Penetration Testing
ITG | eBay | Amazon

Penetration Testing – Protecting Networks and Systems
An essential guide to penetration testing and vulnerability assessment, which can be used as a Certified Penetration Testing Engineer Exam Prep Guide. to get your copy of your Penetration Testing – Protecting Networks and Systems
ITG | eBay | Amazon

Tags: Information Security, Information Security Management System, ISO/IEC 27001, Penetration test


Feb 12 2013

Why ISO 27001 certification should be a priority

Category: ISO 27kDISC @ 10:34 pm

ISO 27001

Why ISO 27001 certification is unavoidable

Now a days, the ISO27001 standard has become an almost unavoidable factor in the field of information security. Compliance is unavoidable because most industries are heavily regulated. Seems like more legislations are on our way to redefine our actions on the internet. Because ISO 27001 requirements are largely a superset of other major standars and regulations, achieving ISO 27001 certification positions most organizations to be well on their way to meeting the requirements of PCI, SOX, HIPAA and GLBA.

Six main benefits of Information Security Management System based on ISO 27001 specifications

1. Business managers of the organizations will make informed decisions regarding potential risk and should be able demonstrate compliance with standards and regulations such as SOX, GLBA, HIPAA, DPA to their critical information on regular basis.

2. An ISMS is a defensive mechanism to any APT (advanced persistent threat) to minimize the impact from these external threats of various cybercrime.

3. Informed information security decisions will be made based on risk assessment to implement technical, management, administrative and operational controls, which is the most cost effective way of reducing risk. Highest priority risks are tackled first to attain best ROI in information security.

4. Information security is not an IT responsibility; In general everybody in an organization is responsible for protecting information assets and more specifically business manager. The business manager may delegate their responsibility.

5. Organization will improve credibility and trust among internal stakeholder and external vendors. The credibility and trust are the key factors to win a business.

6. ISMS raises awareness throughout the business for information security risks, involve all employees throughout an organization and therefore lower the overall risk to the organization.

Related Books, Standards and Tools you may need to achieve ISO 27001 certification

Nine Steps to Success: an ISO 27001 Implementation Overview“It’s like having a $300/hr consultant at your elbow as you consider the aspects of gaining management support, planning, scoping, communication, etc…” Thomas F. Witwicki (amazon.com review)

IT Governance: An International Guide to Data Security and ISO27001/ISO27002
Covers simply everything you need to know about information security and ISO27001. It is also the UK’s Open University’s post-graduate information security textbook. All aspects of data protection / information security are covered including viruses, hackers, online fraud, privacy regulations, computer misuse, investigatory powers etc.

ISO27000 Standards
Official standards available in hardcopy and downloadable formats.

Standalone ISO 27001 ISMS Documentation Toolkit
This toolkit contains all the documents, procedures and templates you need to massively simplify your progress to certification. It will save you months of work, help you avoid costly trial-and-error dead-ends and ensure everything is covered to the current ISO 27001 standard.

Tags: Corporate governance of information technology, Information Security, Information Security Management System, ISO/IEC 27001, Risk Assessment


Feb 11 2013

BYOD security measures for mobility

Category: Mobile SecurityDISC @ 9:22 pm
BYOD Usage

BYOD Usage (Photo credit: IntelFreePress)

BYOD security controls for mobility

These days smart phones certainly add additional risk to Bring Your Own Device (BYOD) to office. Like it or not Bring Your Own Device is a growing trend at all scales and levels. An important thing to understand is that today’s user like and prefer to use their own devices and applications at work.

As we know some organizations have pretty strict policies around Bring Your Own Device. When it comes to BYOD, it should be addressed in structured manner considering information security policies and procedures. Utilize IT Governance framework to align the with business goals. In this regard, an organization may have to amend some of their own policies to allow BYOD instead of making user to circumvent the potential existing policies. Security professional must reassess their current Bring Your Own Device policies to find new balance which work for users and also match the organization business objectives and security needs.

Organizations of all sizes are dealing with the – mobility – before they even have had adequate time to manage the risks: How do we secure the systems and data accessed broadly by employees’ mobile devices?

  • State of Security – Which mobile platforms will organizations support in 2013, and how do they rate their state of mobile security? Perform a thorugh risk assessment with mobility in scope
  • Policy – What formal policies do organizations have in place for concerns such as inventory, mobile device/application management and data/device encryption? Update your policies and procedures to cover mobility
  • Controls – What security controls are in place to manage and secure identity and access management, content and the use of third-party applications? Implement mobility controls based on risk assessment
  • Metrics – How do organizations measure the tangible business results of mobile initiatives, including cost-savings and improved productivity? Metrics measures improvement and effectiveness of controls. Best way to show you are maintaining and improving mobility controls over time to auditor and business suite.  


Considerations for BYOD Policies, Controls and Metrics

• Address the allowed and supported mobile platform for user community
• Address stolen and misplaced devices to avoid data loss
• Address remote access to corporate resources which should be secure using (TLS, SSL)
• Also address exceptions in remote access where application does not support TLS or SSL
• Address the use Implicit authorization instead of traditional explicit authorization
• Implicit authorization uses SIM based Extensive Auth Protocol (EAP)
• Implicit authorization is less risky than explicit authorization in BYOD

Tags: BYOD, Extensible Authentication Protocol, Information Security, Remote access, Smartphone, Transport Layer Security


Dec 17 2012

5 Essentials changes to harden Network Infrastructure

Category: Network securityDISC @ 4:09 pm

First principle to understand vulnerability assessment, one can’t exploit the vulnerability if a threat does not exist. So by default the services (ports) which are not required in a system (server) will present an unnecessary threat to be exploited if specific vulnerability exists in a system.

These unnecessary and unattended services are also the prime target of an attacker which they will find in reconnaissance session and ultimately exploit these vulnerabilities to get into a system. Modern networks should be resilient enough to handle the availability and bandwidth of traffic but also the daily barrage of attacks. Information security is a necessary evil to stay in business (cost of doing business) today. Compliance and regulatory fines aside, InfoSec is treated as business enabler in today’s business suite.

Below are five services which must be disabled unless there is a business reason. If you do have to enable one of these services then utilize compensatory controls to minimize the given risk to acceptable level.

1. Finger – the finger is TCP Unix service (port 79) which is utilized to determine who was logged on to system. After that all you have to find what is their password to get into the system and there are plenty of brute force applications out there to do that for you. Same service can be provided from other lookup secure services (like whois) which may minimize the risk in your environment. So make sure this service is disabled on all devices.

2. Telnet – is used for remote device management to get into system, no wonder a gold mine for a hacker. Like FTP, Telnet communicate in clear text, so it is insecure protocol. So it should be replaced with other secure services like SSH (port 22).

3. HTTP – is the most common user friendly web interface today. Because of its commonality the hackers have discovered several methods of exploiting HTTP service. Beside that HTTP is a clear text protocol as well which provides an extra advantage to a hacker. So it should be replaced with other secure services like Https (port 443).

4. NTP – Network Time protocol utilize to synchronize all the time clocks with a remote time server which also use to keep all the logs in sync for forensic or incident handling. If NTP is not required on a system it should be disabled.

5. ICMP – is data link layer protocol which provides information about neighboring network devices. ICMP flood, also known as Ping flood or Smurf attack, is type of Denial of Service attack that sends large amounts of (or just over-sized) ICMP packets to a machine in order to attempt to crash the TCP/IP stack on the machine and cause it to stop responding to TCP/IP requests. Some time it necessary to enable this protocol when troubleshooting, so only enable when necessary otherwise keep it disable.

Please feel free to comment and add more services which you think should be added to this list

Related Topics

Hardening Linux

Hardening Windows Systems

Tags: Denial-of-service attack, HTTP, HTTP Secure, Hypertext Transfer Protocol, Information Security, Internet Control Message Protocol, Network Time Protocol, Smurf attack


Dec 11 2012

Monitoring and reviewing third party InfoSec services

Category: ISO 27k,Vendor AssessmentDISC @ 12:25 pm

Control A10 of ISO 27001 mandates for outsourcing organization to monitor and review the performance of third party service provider on regular basis which includes the contractor working on critical assets within the scope. Service level Agreement (SLA) or Operation level Agreement (OLA) are the binding legal agreement which includes all the important services to fullfil the information security and compliance requirements of an organization.

Contract with service provider should require the need of standard reports on regular basis which should be reviewed at least monthly and attended by staff and management responsible for services. In these meetings, management should ensure that contractual requirements have been met by the service provider

Key management responsibilities should include but not limited to the followings:

    Outsourcing organization should decide which key metrics will be created to monitor the performance of service provider which will ensure that contractual clauses are met consistanly.
    For information security related services, reviewing all incidents for sepcified period (at least once a month) to make sure thay have been included in an organization treatment plan for appropriate corrective actions based on an organization risk priorty.


Related Articles and Info.

ISO 27001 is the litmus test for information security
Live Webinars feed for Governance, Risk and Compliance

Tags: Contract, Information Security, ISO/IEC 27001, Operational-level agreement, Service-level agreement, SLA


Dec 04 2012

Advanced Persistent Threats are the main challenge for businesses

Category: cyber security,ISO 27kDISC @ 11:27 am

Advanced Persistent Threats’ are top infosecurity challenge for businesses in 2013

Mitigating Advanced Persistent Threats (APT) is going to be a main challange and should be the highest of information security priorities for businesses in 2013, according to governance, risk management and compliance firm IT Governance.

Latest APT threats should be taken into account in an organization risk assessment process and depending on the current vulnerabilities, these threats should be treatetd based on the organization risk appetite. Risk appetite or risk threshold is where an organization draw a line to accept or treat any given risk to an organization.  

Alan Calder, Chief Executive of IT Governance, says: “Today, through benign neglect, staff carelessness or insufficient preparation, every business, large and small, is vulnerable to cyberattack. ITG Top 10 identifies the biggest online threats to your business in the coming year and shows how you can tackle these.”

1. Advanced Persistent Threats: APTs refer to coordinated cyberactivities by sophisticated criminals and state-level entities. With the aim of stealing information or compromising information systems, these target governments and corporations which have valuable intellectual property. By their very nature, manufacturing and the high-tech, oil and gas, finance and pharmaceutical industries all come under the greatest threat of attack by APTs. While there’s no single, stand-alone solution, coordinated and integrated preparations can help you rebuff, respond to and recover from possible attacks. Adopting ISO27001, the best practice infosecurity standard, is the most practical way for companies to develop and implement a tailor-made and comprehensive cybersecurity management system to counter the APT threat.

2. Cyberwar: Cyberespionage and cyberterrorism have become a major threat to UK and US governments. In the form of high-profile malware attacks, state-backed entities are seeking commercial advantage against international competitors, as well as preparing for a new front in modern warfare. China is the best known example of a state believed to engage in such activities, so much so that many larger corporations now forbid employees from taking their laptops on business trips into China for fear of data loss. Effective, enterprise-wide cyber-defence must therefore be in place at all levels, to provide strategic, tactical and operational protection, alongside linkages between operational management, operational processes and technical controls.

3. Cybercrime: As opposed to APTs or cyberwar, cybercrime is a threat to every individual and organisation, no matter how small. Cybercriminals exploit modern technologies in order to commit criminal activities, ranging from identity theft to the penetration of online financial services. All businesses should implement an integrated cybersecurity strategy which, among other issues, includes securing your cyber-perimeter to making sure that your staff are trained to recognise and respond to social engineering attacks and follow a well-thought-out social media strategy.

4. Personal data protection: 2012 has seen a slew of data breaches involving the theft of customers’ personal information. This trend will continue unless businesses change their approach to handling personal data. The proposed new EU Data Protection regulation aims to strengthen individual rights and tackle the challenges of globalisation and new technologies. The EU Commission is also putting pressure on businesses to tighten information security measures. Again, the most logical and sensible way to do this is via ISO27001 implementation and certification.

5. Mobile security: USB devices, laptops, tablets and mobile phones make it very easy for employees to transport massive amounts of information out of the door – potentially to your rivals. Also, whenever employees save username and password data onto their mobile devices, they make it exceptionally easy for fraudsters to crack the passwords of a range of applications, thereby increasing cyber risk. All confidential information stored on these devices must be encrypted to avoid data breaches as a result of theft or loss.

6. Data security: Given that many data breaches are due to human error, insider threats play a significant role. Continuous staff awareness training is essential, but companies also need to manage access to data as part of the overall information security management system. For example, restrict access to people with a ‘business need to know’, or set up a unique ID for users which, combined with logging and audits, protects against the ‘insider’.

7. Bring Your Own Device: BYOD policies are becoming the norm at a growing number of both companies and state organisations. Protecting and controlling company data on your staff’s personal mobile devices poses a stiff challenge – best answered by implementing a mobile device management policy.

8. Identity theft: Identity fraud, which involves someone pretending to be somebody else for financial or other gain, is rife. We all need to be aware of ‘phishing’ and ‘pharming’ emails, but we also need to be wary of how we use social media and how much personal information we provide. Antivirus software and spyware removal software alone cannot protect against these attacks. Effort also needs to go into user education to cut exposure to risk.

9. Payment Card Security: Ever-growing numbers of payment cards are being threatened as a result of the migration of payment apps onto mobile devices. Companies should apply regular website security testing, known as ‘vulnerability scanning’, which should be conducted by qualified ethical hackers. It’s also important to regularly apply all relevant patches, and to have a basic understanding of common hacking techniques and new threats and computer viruses.

10. Cloud continuity and security: If you are using a Cloud provider for mission-critical applications and data storage, check the contract carefully. What security policies does the provider have in place? Do they have ISO27001 certification? Evaluate the risks of using a Cloud provider and make them part of your own information security management system.

Tags: Advanced persistent threat, APT, Corporate governance of information technology, Information Security, iso 27001, threat


Nov 06 2012

New Tools for IT and Security professionals

Category: BCP,Information SecurityDISC @ 11:40 am

IT Governance continually striving to create, source and deliver products that can help IT and Information Security professionals in the real world. Check out their latest on Business Continuity, ITIL & ITSM and Information Security products below to help you in your current and future projects. This is a perfect time of the year to start adding some of these tools in your wish list and stay abreast in your area of expertise.

ISO22301 BCMS Implementation Toolkit
New release

 

ITIL Lite: A Road Map to Full or Partial ITIL Implementation – ITIL 2011 Edition
New release

 

ITIL Foundation Essentials: The exam facts you need
Published on 6th November

 

Resilient Thinking: Protecting Organisations in the 21st Century
Published on 8th November

 

ISO19770 SAM Process Guidance: A kick-start to your SAM programme
Published 13th November

 
 

Tags: Business, business continuity, Information Security, Information Technology, Information Technology Infrastructure Library, it service management, SAM, Software asset management


Oct 30 2012

Operation Procedures and ISMS

Category: ISO 27kDISC @ 11:18 am

In ISO 27001 Annex A control 10.1.1 makes it a requirement to identify all necessary operating procedures at policy level and then document these operating procedure based on the current environment. All of these operating procedures should be under strict document control meaning these procedures should be reviewed and updated at regular intervals based on the organization risk acceptance level. Also if your organization already has ISO20000 then the ISO20000 document control procedures are applicable to ISO 27001.

In ISO 27002 recommendation suggest the detail these operating procedures should address. The detailed work instructions will be directly proportional to the size of the organization and complexity of the task. The rule of thumb is another trained staff should be able to follow the instruction without much assistance. Also these procedures should have an input from cross functional team especially from security staff and the staff operating these procedures. The procedures should take into consideration vendor user manual instructions for all basic functions of the operations. The organizations which may outsource their IT and Security services need to specify the documentation requirement based on ISO 27001/ ISO 9000 in their contract and the relevant documents should be audited on regular basis to keep their required ISO certification

Below are some of the operating procedures.

  • Backup and restore procedures.
  • Handling of information based on the classification.
  • Contact list of all supporting staff including vendors to tackle unexpected events.
  • Detailed system restart and recovery procedures to tackle unexpected incidents

Tags: Information Security, Information Security Management System, International Organization for Standardization, ISO/IEC 27001, ISO/IEC 27002


Aug 11 2012

ISO 27001 Information Security Incident Management

Category: ISO 27k,Security IncidentDISC @ 10:37 pm
English: ISMS activities and their relationshi...

English: ISMS activities and their relationship with Risk Management (Photo credit: Wikipedia)

Section 13 of Annex A handle information security incident management. One of the important thing to know about this section is the difference between an event and an incident.

Information Securty Event: is an occurance of a system, service or netwrok state indicating a possible breach of information security policy or failure of safeguards.

Informtaion Security Incident: is indicated by a single or series of unwanted information security events that have a significant probability of compromising business operations.

IT Governance: An International Guide to Data Security and ISO27001/ISO27002

This video covers Section A.13 of ISO 27001. This refers to the reporting of information security events and weaknesses and the management of information security.

Tags: Information Security, Information Security Management System, ISO 27001 Lead Implementer, ISO/IEC 27001, Policy


Apr 29 2011

Top Five Hollywood Hackers Movie

Category: cyber security,Information SecurityDISC @ 11:23 am
Hollywood Sign

Image via Wikipedia

In movies the hacker tries to hack into a Department of Defense computer by speed-typing passwords. We all know reality is nothing like this and we see it as the joke that it is.

But business management don’t see the inherent risks as affecting business bottom line but a hindrance to another new project; they don’t see the research, the probing, the social engineering, risk impact, risk probability and overall risk as security professional do. It is our job as a security professional to show the risks in business terms to management so they can make a reasonable decision based on business risk threshold rather than emphasis on hinderance to bottom line. Remember the return on investment in security is part of doing business, it’s about reducing risks on ongoing basis and keep the company profitable on long term basis (keep making the money).

Emphasize management’s accountability for the risk and most importantly for residual risks (remaining risk after implementing a control). Put the onus on the Information Asset Owner who should be at the management level not a technical staff (may delegate responsibilities in small companies). Make clear recommendations but let them make the key decisions AND make them accountable if things may go wrong.

So yes, management is more impressed by flash and glamour, Because they know and good at analyzing the business risks but take the security risks as business inhibiting to their new project and may like to accept the risks rather than taking the time to address the issue which should be a corrective control to mitigate the existing risk to acceptable level.

What do you think – Do the Hollywood movies add any value in a sense to emphasis the information security risks as a threat to business folks or they just fictional stories which make business people ignore the information security threat?

Which one is your favorite hacker movie….

Below are the top three hackers movies

3-Hackers, 2-Untraceable, 1-WarGames



Tags: Business, Cinema of the United States, Hollywood, Information Security, Management, Risk, United States Department of Defense, WarGames


Jun 08 2010

U.S cybersecurity policies update

Category: Information Warfare,Security Risk AssessmentDISC @ 12:47 am

Breakdown of political party representation in...
Image via Wikipedia

By Greg Masters

The U.S. House of Representatives has passed a defense bill that contains an amendment aimed at regulating the information security responsibilities and practices of federal agencies.

The amendment, sponsored by Rep. Jim Langevin, D-R.I., and Rep. Diane Watson, D-Calif., updates the Federal Information Security Management Act (FISMA) and establishes a National Office for Cyberspace in the Executive Office of the President.

The amendment was attached to the National Defense Authorization Act for Fiscal Year 2011, which passed the House Friday by a 229-186 vote.

“The passage of this amendment comes after a great deal of work to raise awareness about the cybervulnerabilities that exist throughout our federal government,” Langevin, co-chair of the House Cybersecurity Caucus, said in a news release. “These provisions will establish strong, centralized oversight to protect our nation’s critical information infrastructure and update our comprehensive policy for operating in cyberspace.”

The measure integrates a number of policy recommendations made by the Obama administration’s 60-day Cyberspace Policy Review, the CSIS Commission on Cybersecurity for the 44th Presidency and the U.S. Government Accountability Office (GAO), which has offered suggestions for remedying security vulnerabilities across federal agencies.

The amendment establishes the National Office for Cyberspace (NOC) within the Executive Office of the President.

A director, appointed by the president and confirmed by the Senate, would be charged with coordinating and overseeing the security of agency information systems and infrastructure. In addition, a CTO would be hired.

Also, a Federal Cybersecurity Practice Board within the NOC would be charged with overseeing the implementation of NIST-approved standards and guidelines, in addition to defining policies that agencies must adhere to in order to comply with FISMA requirements.

Further, agencies would be required to undertake automated and continuous monitoring of their systems to ensure compliance and to identify potential risks to assets. An annual independent audit of information security programs to determine their overall effectiveness and compliance with FISMA requirements would also be required.

The amendment also calls for developing policies to be used in the purchasing of technology products and services.

A version of the bill currently making its way through the Senate does not contain the Watson-Langevin amendment, but it could be altered before it is voted on by the upper chamber. Adjustments between the two versions of the bill could be made in conference before it is presented for President Obama’s signature. The Senate version passed the Armed Services Committee

The amendment combines two previous bills: Watson’s Federal Information Security Amendments Act and Langevin’s Executive Cyberspace Authorities Act.

Tags: Diane Watson, Federal government of the United States, Federal Information Security Management Act of 2002, FISMA, Information Security, Security, Senate, United States


Next Page »