Dec 20 2011

ISO/IEC 27001 – BSI interviews Henk de Vries

Category: ISO 27kDISC @ 9:59 am

BSI and Rotterdam school of management, Erasmus university conducted a research study about ISO/IEC 27001 Information technology. Security techniques. BSI interviewed Henk de Vries who is one of the experts behind the study.

ISO27001 (ISO 27001) ISMS Requirements (Download now)

ISO27002 (ISO 27002) Code of Practice for ISM (Download now)

To Download a copy of ISO27003 – Implementation Guidance

To Download a copy of ISO27004 – Information Security Metrics

ISO27005 (ISO 27005)ISRM Standard (Download now)

ISO/IEC 27006 ISMS certification guide (Download now)

Tags: iso 27001, iso 27002, iso 27003, ISO 27004, iso 27005, iso 27006

Dec 06 2011

vsRisk The Ultimate Cyber Security Risk Assessment Tool

Category: ISO 27k,Security Risk AssessmentDISC @ 11:05 am

With over 10 years in the market and 2,500 global downloads, vsRiskTM has been helping organizations all over the world carry out successful risk assessments.
Risks assessment is the core competence of cyber security management. Every decision you make must be proportionate to the actual risk your organization faces. You must therefore assess risks on a structured asset-by-asset basis – and experience proves you need to save time and money with a risk assessment tool that automates and simplifies this process.
vsRisk is the definitive ISO27001:2005-compliant risk assessment tool which will help you become cybersecure

vsRisk – The Definitive Cyber Security Risk Assessment Tool
The vsRisk Assessment Tool has been designed with the user in mind to effectively identify, analyze and control their actual information risks in line with their business objectives. Key features of vsRisk include:
• Assessing key areas such as Groups, Assets and Owners
• Capturing your IS policy, objectives and ISMS scope
• In-built audit trail and comparative history
• Assessesing attributes on Confidentiality, Integrity, and Availability, in relation to Business, Legal, Contractual
• Comprehensive reporting and gap analysis

Alan Calder, CEO of Vigilant Software, talks you through the risk assessment process using vsRisk
Watch the video now >>>

This unique risk assessment tool helps you get on top of the critical risk assessment phase of your ISMS project and, most importantly, sets you up for future risk assessments as well.
Join the professionals and orders your today >>>

vsRisk and Security Risk Assessment

Dec 02 2011

How to get certified against ISO 27001?

Category: ISO 27kDISC @ 11:39 am

ISO27001 ISMS Requirements (Download now!)

By Dejan Kosutic

You have been implementing ISO 27001 for quite a long time, invested quite a lot in education, consultancy and implementation of various controls. Now comes the auditor from a certification body – will you pass the certification?

This kind of anxiety is normal – you can never know whether your ISMS (information security management system) has everything the certification body is asking for. But what is it exactly the auditor will be looking for?

First, the auditor will perform the Stage 1 audit, also called the “Document review” – in this audit, the auditor will look for the documented scope, ISMS policy and objectives, description of the risk assessment methodology, Risk Assessment Report, Statement of Applicability, Risk Treatment Plan, procedures for document control, corrective and preventive actions, and for internal audit. You will also have to document some of the controls from Annex A (only if you found them applicable in the Statement of Applicability) – inventory of assets (A.7.1.1), acceptable use of assets (A.7.1.3), roles and responsibilities of employees, contractors and third party users (A.8.1.1), terms and conditions of employment (A.8.1.3), procedures for the operation of information processing facilities (A.10.1.1), access control policy (A.11.1.1), and identification of applicable legislation (A.15.1.1). Also, you will need records of at least one internal audit and management review.

If any of these elements are missing, this means that you are not ready for Stage 2 audit. Of course, you could have many more documents if you find it necessary – the above list is the minimum requirement.

Stage 2 audit is also called the “Main audit”, and it usually follows a few weeks after Stage 1 audit. In this audit the focus will not be on the documentation, but if your organization is really doing what your documentation and ISO 27001 say you have to do. In other words, the auditor will check whether your ISMS has really materialized in your organization, or is it only a dead letter. The auditor will check this through observation, interviewing your employees, but mainly by checking your records. The mandatory records include education, training, skills, experience and qualifications (5.2.2), internal audit (6), management review (7.1), corrective (8.2) and preventive (8.3) actions; however, the auditor will be expecting to see many more records as a result of carrying out your procedures.

Please, be careful here – any experienced auditor will notice right away if any part of your ISMS is artificial, and is being made for the purpose of audit only.

OK, you knew all this, but it still happened – the auditor found major non-conformity and told you that ISO 27001 certificate will not be issued. Is this the end of the world?

Certainly not. The process goes like this – the auditor will state the findings (including the major non-conformity) in the audit report, and give you the deadline until which the non-conformity must be resolved (usually 90 days). Your job is to take appropriate corrective action; but you have to be careful – this action must resolve the cause of the non-conformity, otherwise the auditor might not accept what you have done. Once you are sure the right action is taken, you have to notify the auditor and send him/her the evidence of what you have done. In the majority of cases, if you have done your job thoroughly, the auditor will accept your corrective action and activate the process of issuing the certificate.

There you go – it took some time, but now you are a proud owner of the ISO/IEC 27001 certificate. (Be careful though – the certificate is valid for three years only, and can be suspended during that period if the certification body identifies another major non-conformity on the surveillance visits.)

Oct 05 2011

Information Security: Everything you need to know

Category: ISO 27kDISC @ 12:36 pm

To understand more about securing and protecting information assets and implementing ISO 27001 (Information Security Management System) then we recommend IT Governance: A Manager’s Guide to Data Security and ISO 27001 / ISO 27002, Fourth Edition. This book contains everything you need to know about information security and data protection, as it covers viruses, hackers, online fraud, privacy regulations, computer misuse and investigatory powers.

Read more >>

Sep 23 2011

IT GOVERNANCE PRAISES ISO27001 BUT WARNS AGAINST COMPLACENCY

Category: ISO 27kDISC @ 9:31 pm

Geneva, Switzerland, September 2011 – Alan Calder, Chief Executive of IT Governance (ITG), the one-stop shop for information security expertise, is today advising organisations globally to embrace the ISO27001 security management standard, yet warning nobody should be complacent.

Speaking at the United Nations’ Information Security Special Interest Group’s symposium in Geneva, Calder said: “ISO27001 is international best practice for any organisation seeking a structured framework to address cyber risks. ISO27001 has many strengths, including helping organisations secure the right balance of data availability, integrity and confidentiality. A further benefit of ISO27001 is the flexibility to integrate with other management standards. This point is vital – effective cybersecurity depends on establishing a comprehensive and interconnected defence strategy.

“Every organisation should remember, however, that ISO27001 certification does not equate with invincible security. ISO27001, effectively deployed, improves an organisation’s information security and resilience, but new threats are constantly evolving. Defences, therefore, need to evolve, too. There is no room for complacency. ISO27001 rightly expects you to continually reassess your business, risk and compliance environment in line with ‘real-world’ developments.

“There is never a time for complacency in information security. The need to keep strategies under constant review has never been greater. The revolutionary wonders of ‘Web 2.0’ can rapidly turn into ‘Threat 2.0’. The speed and degree of change in the modern business, compliance and security worlds is unprecedented, from new standards and threats to new technologies, such as Google+ and Android telephones. Any technological advance brings new security risks, as hackers immediately start finding ways to burrow in and exploit vulnerabilities. Everyone must be prepared.”

Sep 05 2011

Risk Assessment Critical for the Security of Information Assets

Category: ISO 27k,Risk AssessmentDISC @ 10:05 pm

Information Security Risk Management for ISO27001 / ISO27002

Today, there is hardly any organisation that doesn’t recognise the critical role that information technology plays in supporting its business objectives.

September 01, 2011 /24-7PressRelease/ — Today, there is hardly any organisation that doesn’t recognise the critical role that information technology plays in supporting its business objectives. As a result, IT security has come to the forefront and the ISO 27001 information security standard has been embraced by numerous organisations worldwide as a best practice approach for implementing Information Security Management System (ISMS).

Risk assessment plays an important role in managing ISO 27001 controls. This is the part with which many project managers struggle when implementing an ISMS. Information security management decisions are entirely driven by specific decisions made as an outcome of a risk assessment in relation to identified risks and specific information assets. Therefore it is imperative that a thorough risk assessment is being undertaken and no risk is left unexplored. Risk assessment enables expenditure on controls to be balanced against the business harm likely to result from security failures.

IT Governance Ltd, the global leader in information security products and services, has developed a risk assessment tool, vsRisk, that automates and accelerates the risk assessment process. It enables project managers to monitor the day-to-day execution and management of the controls as well as generating reports for audit purposes.

Uniquely, vsRisk (www.itgovernance.co.uk/products/744) can assess the confidentiality, integrity and availability for each of the business, legal and contractual aspects of information assets, as required by the ISO 27001 standard. The tool can serve as a day-to-day operational tool, showing at a glance where an organisation stands in its progress towards ISO 27001 compliance. A free trial version can be requested here www.itgovernance.co.uk/iso27001-risk-assessment.aspx

Alan Calder, CEO of IT Governance, comments, “vsRisk reduces the time and cost of undertaking an ISO 27001-compliant risk assessment. It simplifies each step of an ISO 27001 risk assessment, allowing compliance project managers to capture their information security policy and objectives, plus the scope of their information security management system, and undertake a rapid appraisal of all key areas, including groups, assets and owners. ”

vsRisk (www.itgovernance.co.uk/products/744) offers an in-built audit trail, comparative history, comprehensive reporting and gap analysis that radically reduces the manual record keeping traditionally associated with risk assessments. The tool minimises the need for specialist knowledge and significantly undercuts the cost of generalist risk management tools, thus, making ISO27001 compliance achievable for a far wider range of organisations and professionals.

As well as supporting ISO/IEC 27001:2005 and ISO/IEC 27002, vsRisk v1.5 complies with BS7799-3:2006, ISO/IEC 27005, NIST SP 800-30 and the UK’s Risk Assessment Standard.

vsRisk is produced by Vigilant Software, the specialist software subsidiary of IT Governance and can be purchased online from www.itgovernance.co.uk/products/744.

Aug 20 2011

ISO27002 Implementation Intro.m4v

Category: ISO 27kDISC @ 10:25 pm

Making the Implementation of ISO27001 easier for you to do within your organisation. This video is your introduction.

Aug 08 2011

How to decide between ISO 27001 Cert and ISO 27002 Compliance

Category: ISO 27kDISC @ 9:40 pm

It is one of an important decision for your organization when you have to decide between ISO 27001 certification and ISO 27002 compliance. When continuous compliance with the standards may save you money in short run but ISO 27001(ISMS) certification outweighs benefits in long run. ISO compliance is a commitment for an organization when it has to be audited (internal) on regular basis to show to your vendors and partners. At the same time ISO certification has to be audited by independent external auditors.

Things that may affect your decision:
a) What will be the cost of achieving ISO compliance? Pick a scope and perform a gap analysis based on ISO 27002 to see where the gaps are. Find out the cost of treating the gaps for your organization including the cost of consultant, cost of tool, and cost of project management. These processes may vary from organization to organization.

b) Does ISO certification will benefit the organization because its competitors already have done it? (How much business an organization may lose or perhaps prospective new customers.)

c) Achieving certification may save money, time and efforts in long run by aiding your organization in compliance effort (PCI, HIPAA, SOX, NIST, GLBA). (Hey auditor we are already certified in specific controls, How much of the spending can be safe on other audits.)

d) Do enough customers will demand/require the certification in order to do business with them? Not having ISO certification may be a business disabler and organization may lose important customers which will affect company’s bottom line.

Risks of being non-compliant:
• No assurance to customers regarding InfoSec controls
• May lose customers in the long run
• May affect future business

Benefits of certification:
• Business enabler
• Align with the business goals
• Everyone is responsible for InfoSec
• De-facto InfoSec standards
• ISO 9000, ISO 14000, ISO 20000 compatible
• Commonly accepted best practice
• Capable of external certification

Tags: iso 27001, iso 27002

Jul 21 2011

Information Security Breaches: Avoidance and Treatment based on ISO27001

Category: ISO 27k,Security BreachDISC @ 2:47 pm

Information Security Breaches: Avoidance and Treatment based on ISO27001
If you are running a business, you learn to expect the unexpected. Even if you have taken all the right precautions, your company might still find itself confronted with an information security breach. How would your business cope then?

There are lots of books that will tell you what to do to prevent an information security breach. This book is different. It tells you what you have to do if a security breach occurs.

Security breaches sometimes occur because computers containing sensitive information are not returned to their owners. NATO laptops have been spotted in flea markets, and US government computers were put up for sale on Ebay. Security breaches may also be the result of data theft. A bad apple in your company may be tempted to sell your confidential data to a rival firm.

If something happens, your company needs to be ready to take prompt and decisive action to resolve the issue. This book tells you the plans and procedures you need to put in place to tackle an information security breach should it occur. In particular, the book gives you clear guidance on how to treat an information security breach in accordance with ISO27001.

If a breach occurs, the evidence needs to be secured professionally. You need to know the rules on evidence gathering, and you need to be capable of isolating the suspect laptops right from the start. If you want your company to respond rapidly to an information security breach, you need to make sure that the responsibilities and roles in your company are clearly defined.

Benefits to business include:

Recover faster
An information security breach can have crippling consequences. However, with the right emergency measures in place, you will be able to recover quickly from the incident and resume normal operations.
Preserve customer confidence
An information security breach can result in loss of records and disruption to service. This can do serious damage to your relationship with your customers. It is vital for you to be prepared for an information security breach, so that if it ever happens you can preserve customer confidence.
Assist the investigation
Uncovering the root causes of an information security breach requires detective work. If an information security breach occurs, the investigators will need to be able to identify the problem. You can help them to do that by keeping proper records.
Catch the criminals
In the event of data theft, you will want to be in a position to act promptly and decisively. So you should set up an incident management system. This will mean that in the event of data theft, the police will have a greater chance of getting hold of the incriminating evidence they need to secure a conviction.

As Michael Krausz warns, “It is the prudence of management that decides on a company’s fate once a serious incident occurs, not only the size.”

What others are saying about this book …

‘…I recommend this pocket guide to anyone implementing ISO27001, and indeed to anyone who is concerned about the risks of security breaches, and who wants to know how best to prepare their organization for the unpleasant events that are bound to happen from time to time…’

Willi Kraml, Global Information Security Officer

‘…The author thankfully narrows down some important vocabulary to a practical usage in real life situations. The book gives what it advertises: a quick pocket guide to avoidance and treatment of security breaches with references to ISO27001…’

Sascha-A Beyer, Senior Manager

‘…Michael Krausz has created a valuable tool for both professional as well as less knowledgeable persons in respect to the ISO27001 Standard… Written in plain English, this handbook is easy to follow even by a novice in the Information Technology Field. Therefore “Information Secuirty Breaches” is a must within the ‘tool box’ of anyone who deals with IT issues on an every-day basis…’

Werner Preining, Interpool Security Ltd

‘Michael Krauz did a good job. His pocket guide is small enough to be read in only a few minutes, yet is packed full of valuable information presented in a structured way. The case studies especially help to understand the topic. As former CIO of a large company I can recommend it.’
Christian H Leeb, Holistic Business Development

About the author: Michael Krausz is an IT expert and experienced professional investigator. He has investigated over a hundred cases of information security breaches. Many of these cases have concerned forms of white-collar crime. Michael Krausz studied physics, computer science and law at the University of Technology in Vienna, and at Vienna and Webster universities. He has delivered over 5000 hours of professional and academic training and has provided services in eleven countries to date.

Don’t let your organisation fall victim to a security incident … download your copy today!
Information Security Breaches: Avoidance and Treatment based on ISO27001

Tags: information security brecahes, iso 27001, Michael Krausz, NATO laptops, Security Breach

Jul 13 2011

Do US companies do enough for their cyber security?

Category: cyber security,ISO 27kDISC @ 9:51 pm

IT Governance Ltd, the ISO27001 and information security experts have reported that they are making a number of free resources available for download from their US website to help US companies meet the challenges of increased cyber crime.

July 12, 2011 /24-7PressRelease/ — IT Governance Ltd, the ISO27001 and information security experts have reported that they are making a number of free resources available for download from their US website (www.itgovernanceusa.com) to help US companies meet the challenges of increased cyber crime. This week the company has published a white paper on cyber security which can be downloaded from here http://www.itgovernanceusa.com/cyber-security.aspx

Cyber security has become an issue for every nation in the world. In the US over the last 3 months there have been data breaches against high-profile organizations including Fox, Sony, Gmail, the IMF (International Monetary Fund) and major government departments. Two weeks ago, the Arizona State Police again became the victim of a cyber attack. The hack was announced on Twitter less than a week after a previous attack from Lulz Security.

US companies need to do their utmost in order to defend themselves form hackers and protect their information assets. At present, key changes in the US legislation are being discussed, and sooner or later, it is likely that strict data security measures will be imposed on organizations, which they will need to comply with. Organizations who do not act now may face serious fines in the future or even become the subject of a class action lawsuit, if the loss of customer’s data is established. Such was the case with Sony in April when a Canadian Play Station Network (PSN) user claimed damages in excess of $1 billion. This followed another lawsuit filed by an American PNS user. The consequences for companies compromising customers’ data can be severe, leading to both big financial implications and reputation damage.

IT Governance, which specializes in cyber security and compliance solutions, has published a white paper on their US website that provides information on some of the key developments US companies and their directors or IT managers need to be aware of in order to protect their business from cyber attacks. The white paper can be downloaded for free here: http://www.itgovernanceusa.com/cyber-security.aspx

Alan Calder, CEO of IT Governance, comments, “There are a few essential steps that organizations should be following if they are to implement an effective security strategy. Most organizations would only take certain measures if they are given the reasons why they should be doing this and know that their investment of time and money is worth. What is a more convincing reason than the data breaches we all witness? At IT Governance, we not only advise customers what should be done, but also provide guidance and solutions to their problems. We have the most comprehensive range of resources across a number of areas, from books and toolkits through to e-learning and software tools.”

US companies can be doing more than taking partial measures to fight cyber crime. Implementing best practice in information security management has become the most popular approach to tackling cyber security; demonstrating to both customers and business partners that an organization is working to the highest standard. Accredited certification to ISO27001 gives an organization internationally recognized and accepted proof that its system for managing information security – its ISMS or cyber security readiness – is of an acceptable, independently audited and verified standard. Everything US companies need to know about ISO27001 is explained on this website: http://www.27001.com

Tags: isms, iso 27001

Jul 05 2011

Newly released ISO/IEC 27005:2011 helps improve risk management

Category: ISO 27k,Security Risk AssessmentDISC @ 12:55 pm

/EINPresswire.com/ ISO 27005:2011, the newly released international information security risk management standard, is now available to the international community of business continuity and information security practitioners.

Information security risk management is one of the core competencies of information security. This Standard is an essential companion to ISO/IEC 27001 and ISO/IEC 27002 and replaces ISO/IEC 27005:2008.

ISO 27005:2011 supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. The Standard is applicable to all organisations of all types and sizes, which intend to manage risks that could compromise the organisations information security.

IT Governance Ltd, an international distribution partner for IEC and a global leader in ISO27001 information, products and services, is making ISO/IEC 27005:2011 available from all its main websites. ISO 27005:2011 ISRM, can be downloaded today from www.itgovernance.co.uk/products/1852 .

“The new ISO/IEC 27005:2011 is a much better standard than was the 2008 version”, comments Alan Calder, CEO of IT Governance, “First, it is a better written, more coherent standard. Second, it is aligned with the risk management standard ISO31000, which makes it easier to integrate Enterprise Risk Management approaches with information security risk management. Third, it provides good, practical guidance on carrying out the risk assessment required by ISO27001, together with clear guidance on risk scales. Fourth, it has good guidance on threats, vulnerabilities, likelihoods and impacts. ISO27005 should become standard additional guidance on risk assessment – the ISMS core competence – for all organisations tackling ISO27001.”

Organisations that would like to save time and money whilst implementing the new Standard should consider applying vsRisk – an ISO27001:2005 compliant information security risk assessment tool produced by Vigilant Software, the specialist software subsidiary of IT Governance.

vsRisk (www.itgovernance.co.uk/products/744) simplifies each step of an ISO27001 risk assessment, allowing compliance project managers to capture their information security policy and objectives, plus the scope of their information security management system, and undertake a rapid appraisal of all key areas, including groups, assets and owners. The tool makes ISO27001 compliance achievable for a far wider range of organisations and professionals by minimising the need for specialist knowledge and significantly undercutting the cost of generalist risk management tools.

As well as supporting ISO/IEC 27001:2005 and ISO/IEC27002, vsRisk complies with BS7799-3:2006, ISO/IEC27005, NIST SP 800-30 and the UK’s Risk Assessment Standard.

A copy of the ISO27005:2011 standard can be downloaded immediately from www.itgovernance.co.uk/products/1852 and the vsRisk CD-ROM can be ordered from www.itgovernance.co.uk/products/744 .

May 27 2011

How to Manage Information Security Breaches Effectively

Category: ISO 27k,Security BreachDISC @ 9:45 am

A complete solution to manage an information security incident

Managing Information Security Breaches

Even when organisations take precautions, they may still be at risk of a data breach. Information security incidents do not just affect small businesses; major companies and government departments suffer from them as well.

A strategic framework
Managing Information Security Breaches sets out a strategic framework for handling this kind of emergency. It focuses on the treatment of severe breaches and on how to re-establish safety and security once the breach has occurred. These recommendations support the controls for the treatment of breaches specified under ISO27001:2005.

Top priorities
The actions you take in response to a data breach can have a significant impact on your company’s future. Michael Krausz explains what your top priorities should be the moment you realise a breach has occurred. This book is essential reading for security officers, IT managers and company directors.

Read this guide and learn how to …

  • Avoid information security breaches

    • The author uses cases he has investigated to illustrate the various causes of a breach, ranging from the chance theft of a laptop at an airport to more systematic forms of data theft by criminal networks. By analysing situations companies have experienced in real life, the case studies can give you a unique insight into the best way for your organisation to avoid a data breach.

  • Plan your response

    • If something did go wrong, how would you handle it? Even if you have done everything possible to prevent a data breach, you still need to know what to do, should one occur. This book offers advice on the strategies and tactics to apply in order to identify the source of the leak, keep the damage to a minimum, and recover as swiftly as possible.

  • Preserve the trust of your customers

    • If your company ever experiences an information security incident, then the way your customers see you will depend on how you react. This book tells you the key steps you need to take to hold on to the goodwill of your customers if a data breach occurs. The book also offers advice on what to do if you discover defamatory material about your business on YouTube or on forum sites.

  • Improve management processes

    • Information security breaches are committed, often by ambitious or embittered employees. This book looks at ways to reduce the risk of staff selling product designs or customer data to your competitors for personal gain.

    “Information security is a key Board responsibility. In today’s information economy, the confidentiality, availability and integrity of corporate information assets and intellectual property are more important for the long-term success of organisations than traditional, physical, tangible assets. This book is essential reading for security officers, IT managers and company directors to ensure they are prepared for, and can effectively manage, an information security breach, should it occur”.

    May 09 2011

    The Business Case for Information Security Management System

    Category: Information Security,ISO 27k,Security ComplianceDISC @ 2:10 pm

    Today’s economy is about protecting the information assets which is essential to existence of an organization. After a major incident or a security breach it is unthinkable to say it is not going to affect your bottom line. Most of the organization has to comply with various standards and regulations and a breach in a state of non compliance will be business limiting factor, and the organization may be liable to contractual penalties and loss of potential business from current and future customers.

    So Information Security Management System defined as a protection of information from various threats and risks on daily basis. Therefore mitigating information security risks are becoming a critical corporate discipline alongside with other business functions such as HR, IT or accounting.

    Mitigating business risks not only improve the business efficiency but also maximize the return on investment and business opportunities.

    It is a mistake to assume that information security is solely a technical problem left for IT to solve. These titles below are a non-technical discussion of security information management. It offers a framework that will help business leaders better understand and mitigate risks, prioritize resources and spending, and realize the benefits of security information management.

    Jan 13 2011

    Meet Stringent California Information Security Legislation with Comprehensive Toolkit

    Category: ISO 27kDISC @ 4:06 pm

    Three years ago, California state IT council adopted the information security program guide which help organizations to comply with SB 1386. The council advised the use of information security standard ISO 27002 framework to comply and meet the needs of SB 1386.

    This legislation deals with the security of personal information and is applicable to all organisations (state and government agencies, non-profit, companies of all sizes, regardless of geographic location) holding personal data on any person living in California. SB-1386 requires such information holders to disclose any unauthorised access of computerised data files containing personal information.

    In response, IT Governance’s comprehensive ‘SB-1386 & ISO27002 Implementation Toolkit’ is specifically designed by experts in data compliance legislation to guide organisations on how to conform to SB-1386. The toolkit conforms to ISO27002 and, if desired, also helps organisations prepare for any external certification process (ISO 27001) that would demonstrate conformance with such a standard. The State of California has itself formally adopted ISO/IEC 27002 as its standard for information security and recommended that organisations use this standard as guidance in their efforts to comply with California law.


    Which businesses are affected by SB 1386 law?
    o If you have a business in California
    o Outsourcing company who does business with a company in California or have customers in California
    o Data centers outside of California which store information of California residents

    sb1386

    Toolkits are designed to help organizations who need to comply with a law like SB 1386. SB 1386 and ISO 27002 implementation toolkit assist ISO 27002 compliance. Also help organizations who are interested in certification to lay in the ground work for (ISO 27001) certification that would demonstrate the conformance with world class information security management systems.


    The Comprehensive SB1386 Implementation toolkit comprises of:
    1. The SB 1386 Documentation Toolkit: a download with nearly 400 of densely packed pages of fit-for-purpose policies and procedures ensuring full compliance with SB 1386.
    2. International IT Governance: An Executive Guide to ISO 17799/ISO 27001 (Soft Cover) This is the US version of the long established world leading manual on designing and implementing an Information Security Management System (ISMS) in line with the best practice guidance of ISO27001/ISO17799.
    3. vsRisk™- the Definitive ISO 27001: 2005-Compliant Information Security Risk Assessment Tool which in summary:
    o automates and delivers an ISO/IEC 27001-compliant risk assessment
    o Uniquely, can assess confidentiality, integrity & availability for each of business, legal and contractual aspects of information assets – as required by ISO 27001
    o Comprehensive best-practice alignment
    o Supports ISO 27001
    o Supports ISO 27002 (ISO/IEC 17799)
    o Conforms to ISO/IEC 27005
    o Conforms to NIST SP 800-30
    o The wizard-based approach simplifies and accelerates the risk assessment process;
    o Integrated, regularly updated, BS7799-3 compliant threat and vulnerability databases.
    4. Plus an electronic copy of the Information Security Standard ISO/IEC 27002: (formerly ISO 17799).

    Buy The SB-1386 & ISO27002 Implementation Toolkit NOW!

    ISO assessment is a great first step towards ISO 27002 compliance and toward the final goal of ISO 27001 certification.

    vsRisk and security risk assessment

    ISO 27002 Framework for Today’s Security Challenges
    httpv://www.youtube.com/watch?v=yRFMfiLbNj8

    Tags: iso 27001, iso 27001 certification, iso 27002, iso 27005, ISO 27k, iso assessment, iso compliance, sb 1386

    Dec 30 2010

    Information Security Law: The Emerging Standard for Corporate Compliance

    Category: Information Security,ISO 27kDISC @ 3:25 pm

    Order Information Security Law: The Emerging Standard for Corporate Compliance today!
    Information Security Law: The Emerging Standard for Corporate Compliance

    In today’s business environment, virtually all of a company’s daily transactions and all of its key records are created, used, communicated, and stored in electronic form using networked computer technology. Most business entities are, quite literally, fully dependent upon information technology and an interconnected information infrastructure.

    Emerging information security compliance requirements.
    While this reliance on technology provides tremendous economic benefits, it also creates significant potential vulnerabilities that can lead to major harm to a company and its various stakeholders. As a result, public policy concerns regarding these risks are driving the enactment of numerous laws and regulations that require businesses to adequately address the security of their own data.

    Information Security Law: The Emerging Standard for Corporate Compliance is designed to help companies understand this developing law of information security, the obligations it imposes on them, and the standard for corporate compliance that appears to be developing worldwide. ISO/IEC 27001, the international information security standard, should be read alongside this book.

    Emerging global legal framework – and compliance in multiple jurisdictions.
    This book takes a high level view of the multitude of security laws and regulations, and summarizes the global legal framework for information security that emerges from them. It is written for companies struggling to comply with several information security laws in multiple jurisdictions, as well as for companies that want to better understand their obligations under a single law. It explains the common approach of most security laws, and seeks to help businesses understand the issues that they need to address to become generally legally compliant.

    About the Author
    The author, Thomas J. Smedinghoff, is an attorney and partner in a Privacy, Data Security, and Information Law Practice in Chicago. He has been actively involved in developing e-business and information security legal policy, both in the US and globally. He currently serves as a member of the US Delegation to the United Nations Commission on International Trade Law (UNCITRAL) and chairs the International Policy Coordinating Committee of the American Bar Association (ABA) Section of Science & Technology Law.

    ORDER YOUR COPY OF THIS INFORMATIVE BOOK ON INFORMATION SECURITY LAW NOW….Information Security Law: The Emerging Standard for Corporate Compliance

    Author: Thomas J Smedinghoff
    Publisher: IT Governance Publishing
    Format: Softcover
    ISBN: 9781905356669

    Pages:185
    Published Date: 7th October 2008
    Availability: Immediate

    Dec 26 2010

    Information Security Risk Management for ISO27001/ISO27002

    Category: ISO 27k,Security Risk AssessmentDISC @ 8:56 pm

    Expert guidance on planning and implementing a risk assessment and protecting your business information. In the knowledge economy, organisations have to be able to protect their information assets. Information security management has, therefore, become a critical corporate discipline. The international code of practice for an information security management system (ISMS) is ISO27002. As the code of practice explains, information security management enables organisations to ‘ensure business continuity, minimise business risk, and maximise return on investments and business opportunities’.

    ISMS requirements
    The requirements for an ISMS are specified in ISO27001. Under ISO27001, a risk assessment has to be carried out before any controls can be selected and implemented, making risk assessment the core competence of information security management. This book provides information security and risk management teams with detailed, practical guidance on how to develop and implement a risk assessment in line with the requirements of ISO27001.

    International best practice
    Drawing on international best practice, including ISO/IEC 27005, NIST SP800-30 and BS7799-3, the book explains in practical detail how to carry out an information security risk assessment. It covers key topics, such as risk scales, threats and vulnerabilities, selection of controls, and roles and responsibilities, and includes advice on choosing risk assessment software.

    Benefits to business include:

    Stop the hacker. With a proper risk assessment, you can select appropriate controls to protect your organisation from hackers, worms and viruses, and other threats that could potentially cripple your business.

    Achieve optimum ROI. Failure to invest sufficiently in information security controls is ‘penny wise, pound foolish’, since, for a relatively low outlay, it is possible to minimise your organisation’s exposure to potentially devastating losses. However, having too many safeguards in place will make information security system expensive and bureaucratic; so without accurate planning your investment in information security controls can become unproductive. With the aid of a methodical risk assessment, you can select and implement your information security controls to ensure that your resources will be allocated to countering the major risks to your organisation. In this way, you will optimise your return on investment.

    Build customer confidence. Protecting your information security is essential if you want to preserve the trust of your clients and to keep your business running smoothly from day to day. If you set up an ISMS in line with ISO27001, then, after an assessment, you can obtain certification. Buyers now tend to look for the assurance that can be derived from an accredited certification to ISO27001 and, increasingly, certification to ISO27001 is becoming a prerequisite in service specification procurement documents.

    Comply with corporate governance codes. Information security is a vital aspect of enterprise risk management (ERM). An ERM framework is required by various corporate governance codes, such as the Turnbull Guidance contained within the UK’s Combined Code on Corporate Governance, and the American Sarbanes-Oxley Act (SOX) of 2002, and standards such as ISO310000.

    Order this book for advice on information security management that can really benefit your bottom line! Information Security Risk Management for ISO27001 / ISO27002

    About the authors

    Alan Calder is the founder director of IT Governance Ltd. He has many years of senior management and board-level experience in the private and public sectors.

    Steve G Watkins leads the consultancy and training services of IT Governance Ltd. In his various roles in both the public and private sectors he has been responsible for most support disciplines. He has over 20 years’ experience of managing integrated management systems, and is a lead auditor for ISO27001 and ISO9000. He is now an ISMS Technical Expert for UKAS, and provides them with advice for their assessments of certification bodies offering certification to ISO27001.

    Feb 08 2010

    Long Awaited ISO/IEC 27003:2010

    Category: ISO 27kDISC @ 2:43 pm


    The long awaited international standard to the implementation of an information security management system, ISO/IEC 27003:2010, is now available.

    It’s a must have –

    To Download a copy of ISO27003 – Implementation Guidance

    Key Features and Benefits:

    • The first standard to offer comprehensive guidance on implementing an ISO/IEC 27001:2005 ISMS. Using this standard during an ISMS implementation will improve your organisation’s chances of becoming ISO/IEC 27001 certified.
    • Fully aligned with the rest of the ISO/IEC 27000 family of standards, meaning the strengths of all of the ISO/IEC 27000 standards together can be leveraged. Bringing about a higher level of information security, compliance, and cost savings, etc
    • Written in a generic, practical manner, making the advice and guidance within applicable no matter the size, type or location of your organisation.


    Get your copy today >>

    To Download a copy of ISO27003 – Implementation Guidance

    Tags: iso 27000, iso 27001, iso 27003, ISO 27k, ISO/IEC 27003

    Jan 11 2010

    Long Awaited ISO/IEC 27004:2009

    Category: ISO 27kDISC @ 12:49 pm

    Security Metrics: Replacing Fear, Uncertainty, and Doubt

    The long awaited international standard on Information Security Measurement, ISO/IEC27004:2009, is now available.

    It’s a must have –
    To Download a copy of ISO27004 – Information Security Metrics

    Key Features and Benefits:

    • Provides guidance on the development, implementation use of metrics to measure the effectiveness of an ISO 27001-compliant ISMS, controls or groups of controls. Helping you to quantify the payback to your organisation of implementing an ISMS.
    • Covers not just the development, implementation and use of metrics, but also the communication of the results. Helping you to ensure management buy-in for future projects.
    • The use of this standard provides opportunities to identify areas in need of improvement, facilitating continual improvement. Thus leading more secure information, cost savings and increases in efficiency.

    If you have not claibrated the model with measurement, only one thing is certain: You will either overspend or under-protect.

    Get your copy today >>
    To Download a copy of ISO27004 – Information Security Metrics

    Tags: Individual Standards, International Organization for Standardization, ISO, ISO 27004, ISO 27k, iso measurement, iso27004, Policy, Security, under-protect

    Jun 30 2009

    Security controls and ISO 27002

    Category: Information Security,ISO 27kDISC @ 1:56 pm

    seeyourdataUsually security breach occurs due to lack of basic security controls or lack of effective control which is not relevant over the time. Security controls also disintegrate over the time due to lack of maintenance and monitoring.
    According to Privacy Rights Clearinghouse survey, the top three breaches resulted from laptop theft, software or human error, and hackers. Most of these breaches could have been prevented by procedural, management and technical security controls. Most of the security breaches happen during the state of non-compliance. The most famous TJX security breach happens in 2007, at the time of the breach TJX complied with only 3 out of 12 PCI-DSS requirements.

    Small organizations sometimes don’t have enough resources to comply with all the requirements of regulations and standards like HIPAA and PCI. But that is not an excuse of not understanding the relevant regulations and standards requirements to your business and having a clear security strategy which explains how to achieve the compliance down the road. Also your security strategy will be an evidence of your due diligence to secure your critical assets. On the other hand big organizations have enough resources to implement security controls, but for whatever reason they often do not have clear strategy how to establish security controls.

    Information security is not a onetime static process but an ongoing assessment of risks in your business, where you need to understand the your critical assets, classification of those assets based on CIA, sensitive data and its access, policies, standards, procedures , training, security reviews and continuous monitoring.

    One of the most popular baseline for security controls is the international standard ISO 27002 – Code of Practice for Information Security management. ISO 27002 have 11 security clauses and 133 security controls are high level which provides a reasonable guidance for implementing an Information Security Management System (ISMS). Due to ISO 27002 broad scope, it’s relevant to every industry and size of business.

    Organization should have a baseline of security controls before barging onto complying with PCI or HIPAA regulation. ISO assessment will help you to understand what controls are in place and assist you with security strategy and later will become a measuring stick for your ISMS.

    Ongoing compliance is achieved by monitoring the relevant controls. Ongoing compliance will depend on the quality of your information security management system (ISMS). ISMS would include thorough monitoring, logging and reviewing controls to maintain and improve system security over time. You can develop an automated monitoring process to achieve consistent results and sustain compliance by continuously monitoring your system. ISMS (based on ISO 27001) certainly can be a great value to manage ongoing monitoring, maintenance and improvement cycle.

    Related articles by Zemanta

    [TABLE=2]


    Reblog this post [with Zemanta]

    Tags: Computer security, Health Insurance Portability and Accountability Act, Information Security, Information Security Management System, ISO/IEC 27001, pci dss, Privacy Rights Clearinghouse

    Feb 12 2009

    SB1386 and ISO27002

    Category: ISO 27kDISC @ 7:08 pm

    In April 20007, California state IT council adopted the information security program guide which help organizations to comply with SB 1386. The council advised the use of information security standard ISO 27002 framework to comply and meet the needs of SB 1386.

    [Table = 13]

    Which businesses are affected by SB 1386 law?
    o If you have a business in California
    o Outsourcing company who does business with a company in California or have customers in California
    o Data centers outside of California which store information of California residents

    sb1386

    Toolkits are designed to help organizations who need to comply with a law like SB 1386. SB 1386 and ISO 27002 implementation toolkit assist ISO 27002 compliance. Also help organizations who are interested in certification to lay in the ground work for (ISO 27001) certification that would demonstrate the conformance with world class information security management systems.


    The Comprehensive SB1386 Implementation toolkit comprises of:
    1. The SB 1386 Documentation Toolkit: a download with nearly 400 of densely packed pages of fit-for-purpose policies and procedures ensuring full compliance with SB 1386.
    2. International IT Governance: An Executive Guide to ISO 17799/ISO 27001 (Soft Cover) This is the US version of the long established world leading manual on designing and implementing an Information Security Management System (ISMS) in line with the best practice guidance of ISO27001/ISO17799.
    3. vsRisk™- the Definitive ISO 27001: 2005-Compliant Information Security Risk Assessment Tool which in summary:
    o automates and delivers an ISO/IEC 27001-compliant risk assessment
    o Uniquely, can assess confidentiality, integrity & availability for each of business, legal and contractual aspects of information assets – as required by ISO 27001
    o Comprehensive best-practice alignment
    o Supports ISO 27001
    o Supports ISO 27002 (ISO/IEC 17799)
    o Conforms to ISO/IEC 27005
    o Conforms to NIST SP 800-30
    o The wizard-based approach simplifies and accelerates the risk assessment process;
    o Integrated, regularly updated, BS7799-3 compliant threat and vulnerability databases.
    4. Plus an electronic copy of the Information Security Standard ISO/IEC 27002: (formerly ISO 17799).

    Buy The SB-1386 & ISO27002 Implementation Toolkit NOW!

    ISO assessment is a great first step towards ISO 27002 compliance and toward the final goal of ISO 27001 certification audit or for that matter any compliance audit.

    ISO 27002 Framework for Today’s Security Challenges
    httpv://www.youtube.com/watch?v=yRFMfiLbNj8

    Reblog this post [with Zemanta]

    Tags: Information Security, Information Security Management System, International Organization for Standardization, iso 27001, iso 27002, iso 27005, iso assessment, National Institute of Standards and Technology, sb 1386

    « Previous PageNext Page »