Jan 13 2011

Meet Stringent California Information Security Legislation with Comprehensive Toolkit

Category: ISO 27kDISC @ 4:06 pm

Three years ago, California state IT council adopted the information security program guide which help organizations to comply with SB 1386. The council advised the use of information security standard ISO 27002 framework to comply and meet the needs of SB 1386.

This legislation deals with the security of personal information and is applicable to all organisations (state and government agencies, non-profit, companies of all sizes, regardless of geographic location) holding personal data on any person living in California. SB-1386 requires such information holders to disclose any unauthorised access of computerised data files containing personal information.

In response, IT Governance’s comprehensive ‘SB-1386 & ISO27002 Implementation Toolkit’ is specifically designed by experts in data compliance legislation to guide organisations on how to conform to SB-1386. The toolkit conforms to ISO27002 and, if desired, also helps organisations prepare for any external certification process (ISO 27001) that would demonstrate conformance with such a standard. The State of California has itself formally adopted ISO/IEC 27002 as its standard for information security and recommended that organisations use this standard as guidance in their efforts to comply with California law.


Which businesses are affected by SB 1386 law?
o If you have a business in California
o Outsourcing company who does business with a company in California or have customers in California
o Data centers outside of California which store information of California residents

sb1386

Toolkits are designed to help organizations who need to comply with a law like SB 1386. SB 1386 and ISO 27002 implementation toolkit assist ISO 27002 compliance. Also help organizations who are interested in certification to lay in the ground work for (ISO 27001) certification that would demonstrate the conformance with world class information security management systems.


The Comprehensive SB1386 Implementation toolkit comprises of:
1. The SB 1386 Documentation Toolkit: a download with nearly 400 of densely packed pages of fit-for-purpose policies and procedures ensuring full compliance with SB 1386.
2. International IT Governance: An Executive Guide to ISO 17799/ISO 27001 (Soft Cover) This is the US version of the long established world leading manual on designing and implementing an Information Security Management System (ISMS) in line with the best practice guidance of ISO27001/ISO17799.
3. vsRisk™- the Definitive ISO 27001: 2005-Compliant Information Security Risk Assessment Tool which in summary:
o automates and delivers an ISO/IEC 27001-compliant risk assessment
o Uniquely, can assess confidentiality, integrity & availability for each of business, legal and contractual aspects of information assets – as required by ISO 27001
o Comprehensive best-practice alignment
o Supports ISO 27001
o Supports ISO 27002 (ISO/IEC 17799)
o Conforms to ISO/IEC 27005
o Conforms to NIST SP 800-30
o The wizard-based approach simplifies and accelerates the risk assessment process;
o Integrated, regularly updated, BS7799-3 compliant threat and vulnerability databases.
4. Plus an electronic copy of the Information Security Standard ISO/IEC 27002: (formerly ISO 17799).

Buy The SB-1386 & ISO27002 Implementation Toolkit NOW!

ISO assessment is a great first step towards ISO 27002 compliance and toward the final goal of ISO 27001 certification.

vsRisk and security risk assessment

ISO 27002 Framework for Today’s Security Challenges
httpv://www.youtube.com/watch?v=yRFMfiLbNj8

Tags: iso 27001, iso 27001 certification, iso 27002, iso 27005, ISO 27k, iso assessment, iso compliance, sb 1386


Dec 03 2009

2010 Compliance Laws

Category: pci dss,Security ComplianceDISC @ 2:13 am

Information Security Wordle: PCI Data Security...
Image by purpleslog via Flickr
In 2010 there will be two important compliance laws introduced which will affect the majority of North American organizations and many global organization too.

45 US States followed California when they introduced “SB1386“, the Security Breach Information Act, which has specific and restrictive privacy breach reporting requirements.


  • From the 1st January 2010, ALL businesses that collect or transmit payment card information, will be legally obliged, by Navada Law, to comply with PCI DSS.

  • Every organization who collect, owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 (The Massachusetts Data Protection Law) on or before March 1, 2010.



  • Similarly to the SB1386 Law, California, Massachusetts & Texas are already looking at making PCI DSS Law and history tells us that when California moves, everyone else follows!
    To help you comply with these impending laws ITG have developed a range of solutions which are aim to make the process as cost effective and simple as possible:

    The Nevada PCI DSS Law:

    The PCI DSS requires you to:

  • apply a number of specific controls, or safeguards.

  • These include documented policies and procedures; as well as

  • a number of technical IT and network configurations.

  • You will also have to provide staff with appropriate training; and

  • You will have to have quarterly scans.



  • PCI DSS v1.2 Documentation Compliance Toolkit
    toolkit-book-pci-dss

    This PCI DSS v1.2 compliance toolkit is specifically designed to help payment card-accepting organizations quickly create all the documentation required to affirmatively answer the requirements of the PCI DSS as set out in the Self Assessment Questionnaire (v1.2).


    201 CMR 17.00 – The Massachusetts Data Protection Law:

    201 CMR 17.00 & ISO 27001 Toolkit
    mass_dpa_law

    will save you months of work, help you avoid costly trial-and-error dead-ends, and ensure everything is covered to current 201 CMR 17.00 / ISO 27001 standard.

    This version of the ISMS Documentation Toolkit is ideal for those who owns or licenses personal information about a resident of the Commonwealth.

    Reblog this post [with Zemanta]

    Tags: 201 CMR 17.00, california, iso 27001, ISO/IEC 27001, Law, Massachusetts, Massachusetts Data Protection Law, Nevada, Nevada PCI DSS Law, Payment Card Industry Data Security Standard, PCI Express, privacy, sb 1386


    May 18 2009

    Security breach and notification

    Category: Security BreachDISC @ 1:05 am

    California Flag
    Image by victoriabernal via Flickr

    California was the first state in the nation to pass a data breach notification law in 2003, and it’s now planning to broaden the notification for companies doing business in the state. Notification will require specific information about the breach to the consumer and send notices to the state authorities at the same time.

    The notices which consumers currently receive are basically too little too late, meaning they might say that your information may have been compromised and these notices may be released several months after the incident.

    notice

    California’s new legislation will force the organization to admit the extent of the compromise, so consumers can assess their own risks in a timely manner. Heartland, the credit card processor, has been sued by the banks to recover the breach notification cost. Should the credit card processing company which had a security breach be responsible for the cost of the notification?

    Current notification does not inform you where and how your credit card information was compromised so that at least you can stop shopping from that merchant. When consumers ask specific questions regarding the breach to the credit card company customer service representative, they will deny any knowledge of the breach and will say something along the lines of, when all the legal information has been taken care the credit card company will send you a detailed letter about the breach.
    Now in case of a processor security breach, the credit card company might issue notices to several hundred thousand people. Without specifics, that particular notice might have “crying wolf” effect and consumers might not take any action.

    Last week a well publicized security breach at UC Berkeley exposed the records of 160,000 people. The hackers had access to the vulnerable system for more than six months before they were discovered, which clearly shows lack of monitoring control and due care.
    When a young college student affected by the breach receives a “may have been breached” notice he or she immediately will worry about his/her credit and possibility of identity theft. Now the question is why a student has to bear the burden of the negligence by the merchant or campus and lack of reasonable security safeguards. After issuing such notice that the private information “may have been compromised,” the responsibility of keeping an eye on your credit is transferred to you. The problem is some fraudulent transactions might not be noticed for at least a year.



    Reblog this post [with Zemanta]

    Tags: Computer security, Credit card, due care, Identity Theft, Law, privacy, sb 1386, University of California Berkeley


    Feb 12 2009

    SB1386 and ISO27002

    Category: ISO 27kDISC @ 7:08 pm

    In April 20007, California state IT council adopted the information security program guide which help organizations to comply with SB 1386. The council advised the use of information security standard ISO 27002 framework to comply and meet the needs of SB 1386.

    [Table = 13]

    Which businesses are affected by SB 1386 law?
    o If you have a business in California
    o Outsourcing company who does business with a company in California or have customers in California
    o Data centers outside of California which store information of California residents

    sb1386

    Toolkits are designed to help organizations who need to comply with a law like SB 1386. SB 1386 and ISO 27002 implementation toolkit assist ISO 27002 compliance. Also help organizations who are interested in certification to lay in the ground work for (ISO 27001) certification that would demonstrate the conformance with world class information security management systems.


    The Comprehensive SB1386 Implementation toolkit comprises of:
    1. The SB 1386 Documentation Toolkit: a download with nearly 400 of densely packed pages of fit-for-purpose policies and procedures ensuring full compliance with SB 1386.
    2. International IT Governance: An Executive Guide to ISO 17799/ISO 27001 (Soft Cover) This is the US version of the long established world leading manual on designing and implementing an Information Security Management System (ISMS) in line with the best practice guidance of ISO27001/ISO17799.
    3. vsRisk™- the Definitive ISO 27001: 2005-Compliant Information Security Risk Assessment Tool which in summary:
    o automates and delivers an ISO/IEC 27001-compliant risk assessment
    o Uniquely, can assess confidentiality, integrity & availability for each of business, legal and contractual aspects of information assets – as required by ISO 27001
    o Comprehensive best-practice alignment
    o Supports ISO 27001
    o Supports ISO 27002 (ISO/IEC 17799)
    o Conforms to ISO/IEC 27005
    o Conforms to NIST SP 800-30
    o The wizard-based approach simplifies and accelerates the risk assessment process;
    o Integrated, regularly updated, BS7799-3 compliant threat and vulnerability databases.
    4. Plus an electronic copy of the Information Security Standard ISO/IEC 27002: (formerly ISO 17799).

    Buy The SB-1386 & ISO27002 Implementation Toolkit NOW!

    ISO assessment is a great first step towards ISO 27002 compliance and toward the final goal of ISO 27001 certification audit or for that matter any compliance audit.

    ISO 27002 Framework for Today’s Security Challenges
    httpv://www.youtube.com/watch?v=yRFMfiLbNj8

    Reblog this post [with Zemanta]

    Tags: Information Security, Information Security Management System, International Organization for Standardization, iso 27001, iso 27002, iso 27005, iso assessment, National Institute of Standards and Technology, sb 1386


    Oct 07 2008

    vsRisk and security risk assessment

    Category: ISO 27k,Security Risk AssessmentDISC @ 3:18 pm

    Information Security Risk Management for ISO27001 / ISO27002

    The State of California has adopted ISO/IEC 27002 as its standard for information security and recommends other organizations and vendors to use this standard as guidance in their efforts to comply with California law.

    To achieve an ongoing compliance, major organizations require tools to comply with standard such as ISO 27002/ISO27001. vsRisk is an easy to use Information Security Risk Assessment tool which makes risk assessment process consistent, easier and produces required documentation to achieve ISO 27001 certification . vsRisk also aligns seamlessly with standards like ISO 27002, ISO 27005 and NIST SP 800-30.

    vsRisk helps organizations to develop an Information Security Management System (ISMS) asset inventory and capture business, legal and contractual requirements against each asset. vsRisk is customizable to meet specific needs when introducing new risks, vulnerabilities and controls without any additional help from a consultant. vsRisk helps you focus on assets rather than on threats and vulnerabilities. This is an approach which works by treating business processes as an asset, which is examined for their criticality, lack of security and consequences of failed process can be examined. In this regards, vsRisk is an effective and efficient tool by identifying most important points and key issues right away, which focusing on threats doesn’t.

    Major benefits of vsRisk tool:
    1. It is the definitive ISO27001 risk assessment tool, compliant
    with all the key information security standards – which means that
    you can be certain that a vsRisk risk assessment will help you
    achieve ISO27001 certification.
    2. It is designed to be usable – your lead risk assessor and any
    asset owners involved in your risk assessment are going to find
    their task made easier
    3. Unique features include the risk assessment wizard, which
    standardizes the risk assessment process and guides asset owners
    through the risk assessment process.
    4. vsRisk creates a baseline from which future risk assessments can
    easily be made.
    5. vsRisk integrates with ISMS documentation toolkit, for even
    greater usability.

    “vsRisk™- the Definitive ISO 27001: 2005-Compliant Information Security Risk Assessment Tool, which automates and delivers an ISO/IEC 27001-compliant risk assessment and can assess confidentiality, integrity and availability for each of business, legal and contractual aspects of information assets – as required by ISO 27001. Providing a comprehensive best-practice alignment, it supports ISO 27001 and 27002 (ISO/IEC 17799) disciplines, and is ISO/IEC 27005 and NIST SP 800-30 compliant. It also offers a wizard-based approach that simplifies and accelerates the risk assessment process, plus integrates and regularly updates BS7799-3 compliant threat and vulnerability databases.”

    The key to successful Risk Management is to protect your most important/critical assets. The importance/criticality of an asset might change over time. That is another reason to automate security risk assessment process to recalibrate your risks based on current state of security.

    Risk Management to ISO27001/NIST Wizard-based risk assessment tool Simplifies compliance – To buy vsRisk tool!

    Meet Stringent California Information Security Legislation with Comprehensive Toolkit

    ISO27001 EXPERTS CAN HELP COMPANIES MEET STRINGENT CALIFORNIAN …
    EIN News (press release) – Netherlands
    vsRisk™- the Definitive ISO 27001: 2005-Compliant Information Security Risk Assessment Tool, which automates and delivers an ISO/IEC 27001-compliant risk …

    Tags: asset owner, automate security risk assessment, baseline, california, isms, iso 17799, iso 27001, iso 27001 certification, iso 27002, iso 27005, nist sp 80-30, sb 1386, vsrisk