May 27 2011

How to Manage Information Security Breaches Effectively

Category: ISO 27k, Security Breach | DISC @ 9:45 am

A complete solution to manage an information security incident

Managing Information Security Breaches

Even when organisations take precautions, they may still be at risk of a data breach. Information security incidents do not just affect small businesses; major companies and government departments suffer from them as well.

A strategic framework
Managing Information Security Breaches sets out a strategic framework for handling this kind of emergency. It focuses on the treatment of severe breaches and on how to re-establish safety and security once the breach has occurred. These recommendations support the controls for the treatment of breaches specified under ISO27001:2005.

Top priorities
The actions you take in response to a data breach can have a significant impact on your company’s future. Michael Krausz explains what your top priorities should be the moment you realise a breach has occurred. This book is essential reading for security officers, IT managers and company directors.

Read this guide and learn how to …

  • Avoid information security breaches: The author uses cases he has investigated to illustrate the various causes of a breach, ranging from the chance theft of a laptop at an airport to more systematic forms of data theft by criminal networks. By analysing situations companies have experienced in real life, the case studies give you a unique insight into the best way for your organisation to avoid a data breach.

  • Plan your response: If something did go wrong, how would you handle it? Even if you have done everything possible to prevent a data breach, you still need to know what to do should one occur. This book offers advice on the strategies and tactics to apply in order to identify the source of the leak, keep the damage to a minimum, and recover as swiftly as possible.

  • Preserve the trust of your customers: If your company ever experiences an information security incident, then the way your customers see you will depend on how you react. This book tells you the key steps you need to take to hold on to the goodwill of your customers if a data breach occurs. The book also offers advice on what to do if you discover defamatory material about your business on YouTube or on forum sites.

  • Improve management processes: Information security breaches are often committed by ambitious or embittered employees. This book looks at ways to reduce the risk of staff selling product designs or customer data to your competitors for personal gain.

    “Information security is a key Board responsibility. In today’s information economy, the confidentiality, availability and integrity of corporate information assets and intellectual property are more important for the long-term success of organisations than traditional, physical, tangible assets. This book is essential reading for security officers, IT managers and company directors to ensure they are prepared for, and can effectively manage, an information security breach, should it occur”.


    May 09 2011

    The Business Case for Information Security Management System

    Category: Information Security, ISO 27k, Security Compliance | DISC @ 2:10 pm

    Today’s economy depends on protecting the information assets that are essential to an organization’s existence. After a major incident or security breach, it is unrealistic to claim that it will not affect your bottom line. Most organizations have to comply with various standards and regulations, and a breach that occurs while in a state of non-compliance will be a business-limiting factor: the organization may be liable to contractual penalties and lose potential business from current and future customers.

    An Information Security Management System (ISMS) is therefore defined as the protection of information from various threats and risks on a daily basis. Mitigating information security risks is thus becoming a critical corporate discipline alongside other business functions such as HR, IT or accounting.

    Mitigating business risks not only improves business efficiency but also maximizes the return on investment and business opportunities.

    It is a mistake to assume that information security is solely a technical problem left for IT to solve. The titles below offer a non-technical discussion of security information management. They provide a framework that will help business leaders better understand and mitigate risks, prioritize resources and spending, and realize the benefits of security information management.


    Jan 13 2011

    Meet Stringent California Information Security Legislation with Comprehensive Toolkit

    Category: ISO 27k | DISC @ 4:06 pm

    Three years ago, the California state IT council adopted an information security program guide that helps organizations comply with SB 1386. The council advised using the ISO 27002 information security standard as the framework for meeting the requirements of SB 1386.

    This legislation deals with the security of personal information and is applicable to all organisations (state and government agencies, non-profit, companies of all sizes, regardless of geographic location) holding personal data on any person living in California. SB-1386 requires such information holders to disclose any unauthorised access of computerised data files containing personal information.

    In response, IT Governance’s comprehensive ‘SB-1386 & ISO27002 Implementation Toolkit’ is specifically designed by experts in data compliance legislation to guide organisations on how to conform to SB-1386. The toolkit conforms to ISO27002 and, if desired, also helps organisations prepare for any external certification process (ISO 27001) that would demonstrate conformance with such a standard. The State of California has itself formally adopted ISO/IEC 27002 as its standard for information security and recommended that organisations use this standard as guidance in their efforts to comply with California law.


    Which businesses are affected by the SB 1386 law?
    o Any business located in California
    o An outsourcing company that does business with a company in California or has customers in California
    o Data centers outside California that store information about California residents


    Toolkits are designed to help organizations that need to comply with a law like SB 1386. The SB 1386 and ISO 27002 Implementation Toolkit assists with ISO 27002 compliance. It also helps organizations interested in certification to lay the groundwork for ISO 27001 certification, which would demonstrate conformance with a world-class information security management system.


    The Comprehensive SB1386 Implementation Toolkit comprises:
    1. The SB 1386 Documentation Toolkit: a download of nearly 400 densely packed pages of fit-for-purpose policies and procedures ensuring full compliance with SB 1386.
    2. International IT Governance: An Executive Guide to ISO 17799/ISO 27001 (soft cover). This is the US version of the long-established, world-leading manual on designing and implementing an Information Security Management System (ISMS) in line with the best-practice guidance of ISO27001/ISO17799.
    3. vsRisk™ – the definitive ISO 27001:2005-compliant Information Security Risk Assessment Tool, which in summary:
    o automates and delivers an ISO/IEC 27001-compliant risk assessment
    o uniquely, can assess confidentiality, integrity and availability for each of the business, legal and contractual aspects of information assets, as required by ISO 27001
    o offers comprehensive best-practice alignment
    o supports ISO 27001
    o supports ISO 27002 (ISO/IEC 17799)
    o conforms to ISO/IEC 27005
    o conforms to NIST SP 800-30
    o uses a wizard-based approach that simplifies and accelerates the risk assessment process
    o includes integrated, regularly updated, BS7799-3 compliant threat and vulnerability databases
    4. Plus an electronic copy of the Information Security Standard ISO/IEC 27002 (formerly ISO 17799).

    Buy The SB-1386 & ISO27002 Implementation Toolkit NOW!

    ISO assessment is a great first step towards ISO 27002 compliance and toward the final goal of ISO 27001 certification.

    vsRisk and security risk assessment

    ISO 27002 Framework for Today’s Security Challenges
    httpv://www.youtube.com/watch?v=yRFMfiLbNj8

    Tags: iso 27001, iso 27001 certification, iso 27002, iso 27005, ISO 27k, iso assessment, iso compliance, sb 1386


    Dec 30 2010

    Information Security Law: The Emerging Standard for Corporate Compliance

    Category: Information Security, ISO 27k | DISC @ 3:25 pm

    Order Information Security Law: The Emerging Standard for Corporate Compliance today!
    Information Security Law: The Emerging Standard for Corporate Compliance

    In today’s business environment, virtually all of a company’s daily transactions and all of its key records are created, used, communicated, and stored in electronic form using networked computer technology. Most business entities are, quite literally, fully dependent upon information technology and an interconnected information infrastructure.

    Emerging information security compliance requirements.
    While this reliance on technology provides tremendous economic benefits, it also creates significant potential vulnerabilities that can lead to major harm to a company and its various stakeholders. As a result, public policy concerns regarding these risks are driving the enactment of numerous laws and regulations that require businesses to adequately address the security of their own data.

    Information Security Law: The Emerging Standard for Corporate Compliance is designed to help companies understand this developing law of information security, the obligations it imposes on them, and the standard for corporate compliance that appears to be developing worldwide. ISO/IEC 27001, the international information security standard, should be read alongside this book.

    Emerging global legal framework – and compliance in multiple jurisdictions.
    This book takes a high level view of the multitude of security laws and regulations, and summarizes the global legal framework for information security that emerges from them. It is written for companies struggling to comply with several information security laws in multiple jurisdictions, as well as for companies that want to better understand their obligations under a single law. It explains the common approach of most security laws, and seeks to help businesses understand the issues that they need to address to become generally legally compliant.

    About the Author
    The author, Thomas J. Smedinghoff, is an attorney and partner in a Privacy, Data Security, and Information Law Practice in Chicago. He has been actively involved in developing e-business and information security legal policy, both in the US and globally. He currently serves as a member of the US Delegation to the United Nations Commission on International Trade Law (UNCITRAL) and chairs the International Policy Coordinating Committee of the American Bar Association (ABA) Section of Science & Technology Law.

    ORDER YOUR COPY OF THIS INFORMATIVE BOOK ON INFORMATION SECURITY LAW NOW….Information Security Law: The Emerging Standard for Corporate Compliance

    Author: Thomas J Smedinghoff
    Publisher: IT Governance Publishing
    Format: Softcover
    ISBN: 9781905356669

    Pages: 185
    Published Date: 7th October 2008
    Availability: Immediate


    Dec 26 2010

    Information Security Risk Management for ISO27001/ISO27002

    Category: ISO 27k, Security Risk Assessment | DISC @ 8:56 pm

    Expert guidance on planning and implementing a risk assessment and protecting your business information. In the knowledge economy, organisations have to be able to protect their information assets. Information security management has, therefore, become a critical corporate discipline. The international code of practice for an information security management system (ISMS) is ISO27002. As the code of practice explains, information security management enables organisations to ‘ensure business continuity, minimise business risk, and maximise return on investments and business opportunities’.

    ISMS requirements
    The requirements for an ISMS are specified in ISO27001. Under ISO27001, a risk assessment has to be carried out before any controls can be selected and implemented, making risk assessment the core competence of information security management. This book provides information security and risk management teams with detailed, practical guidance on how to develop and implement a risk assessment in line with the requirements of ISO27001.

    International best practice
    Drawing on international best practice, including ISO/IEC 27005, NIST SP800-30 and BS7799-3, the book explains in practical detail how to carry out an information security risk assessment. It covers key topics, such as risk scales, threats and vulnerabilities, selection of controls, and roles and responsibilities, and includes advice on choosing risk assessment software.

    Benefits to business include:

    Stop the hacker. With a proper risk assessment, you can select appropriate controls to protect your organisation from hackers, worms and viruses, and other threats that could potentially cripple your business.

    Achieve optimum ROI. Failure to invest sufficiently in information security controls is ‘penny wise, pound foolish’, since, for a relatively low outlay, it is possible to minimise your organisation’s exposure to potentially devastating losses. However, having too many safeguards in place will make the information security system expensive and bureaucratic, so without accurate planning your investment in information security controls can become unproductive. With the aid of a methodical risk assessment, you can select and implement your information security controls to ensure that your resources will be allocated to countering the major risks to your organisation. In this way, you will optimise your return on investment.

    Build customer confidence. Protecting your information security is essential if you want to preserve the trust of your clients and to keep your business running smoothly from day to day. If you set up an ISMS in line with ISO27001, then, after an assessment, you can obtain certification. Buyers now tend to look for the assurance that can be derived from an accredited certification to ISO27001 and, increasingly, certification to ISO27001 is becoming a prerequisite in service specification procurement documents.

    Comply with corporate governance codes. Information security is a vital aspect of enterprise risk management (ERM). An ERM framework is required by various corporate governance codes, such as the Turnbull Guidance contained within the UK’s Combined Code on Corporate Governance and the American Sarbanes-Oxley Act (SOX) of 2002, and by standards such as ISO 31000.

    Order this book for advice on information security management that can really benefit your bottom line! Information Security Risk Management for ISO27001 / ISO27002

    About the authors

    Alan Calder is the founder director of IT Governance Ltd. He has many years of senior management and board-level experience in the private and public sectors.

    Steve G Watkins leads the consultancy and training services of IT Governance Ltd. In his various roles in both the public and private sectors he has been responsible for most support disciplines. He has over 20 years’ experience of managing integrated management systems, and is a lead auditor for ISO27001 and ISO9000. He is now an ISMS Technical Expert for UKAS, and provides them with advice for their assessments of certification bodies offering certification to ISO27001.


    Feb 08 2010

    Long Awaited ISO/IEC 27003:2010

    Category: ISO 27k | DISC @ 2:43 pm


    The long-awaited international standard on the implementation of an information security management system, ISO/IEC 27003:2010, is now available.


    It’s a must have –

    To Download a copy of ISO27003 – Implementation Guidance

    Key Features and Benefits:

    • The first standard to offer comprehensive guidance on implementing an ISO/IEC 27001:2005 ISMS. Using this standard during an ISMS implementation will improve your organisation’s chances of becoming ISO/IEC 27001 certified.
    • Fully aligned with the rest of the ISO/IEC 27000 family of standards, meaning the strengths of all of the ISO/IEC 27000 standards together can be leveraged, bringing about a higher level of information security, compliance, cost savings, etc.
    • Written in a generic, practical manner, making the advice and guidance within applicable no matter the size, type or location of your organisation.


    Get your copy today >>

    To Download a copy of ISO27003 – Implementation Guidance

    Tags: iso 27000, iso 27001, iso 27003, ISO 27k, ISO/IEC 27003


    Jan 11 2010

    Long Awaited ISO/IEC 27004:2009

    Category: ISO 27k | DISC @ 12:49 pm

    Security Metrics: Replacing Fear, Uncertainty, and Doubt

    The long awaited international standard on Information Security Measurement, ISO/IEC27004:2009, is now available.

    It’s a must have –
    To Download a copy of ISO27004 – Information Security Metrics

    Key Features and Benefits:

    • Provides guidance on the development, implementation and use of metrics to measure the effectiveness of an ISO 27001-compliant ISMS, controls or groups of controls, helping you to quantify the payback to your organisation of implementing an ISMS.
    • Covers not just the development, implementation and use of metrics, but also the communication of the results, helping you to ensure management buy-in for future projects.
    • The use of this standard provides opportunities to identify areas in need of improvement, facilitating continual improvement and thus leading to more secure information, cost savings and increases in efficiency.

    If you have not calibrated the model with measurement, only one thing is certain: you will either overspend or under-protect.

    Get your copy today >>
    To Download a copy of ISO27004 – Information Security Metrics

    Tags: Individual Standards, International Organization for Standardization, ISO, ISO 27004, ISO 27k, iso measurement, iso27004, Policy, Security, under-protect


    Jun 30 2009

    Security controls and ISO 27002

    Category: Information Security, ISO 27k | DISC @ 1:56 pm

    Usually a security breach occurs due to a lack of basic security controls, or because a control that was once effective is no longer relevant over time. Security controls also disintegrate over time due to lack of maintenance and monitoring.
    According to a Privacy Rights Clearinghouse survey, the top three causes of breaches were laptop theft, software or human error, and hackers. Most of these breaches could have been prevented by procedural, management and technical security controls. Most security breaches happen during a state of non-compliance. The most famous, the TJX security breach, happened in 2007; at the time of the breach TJX complied with only 3 out of 12 PCI DSS requirements.

    Small organizations sometimes don’t have enough resources to comply with all the requirements of regulations and standards like HIPAA and PCI. But that is no excuse for not understanding which regulatory and standards requirements are relevant to your business, and for not having a clear security strategy that explains how compliance will be achieved down the road. Your security strategy will also be evidence of your due diligence in securing your critical assets. On the other hand, big organizations have enough resources to implement security controls, but for whatever reason they often do not have a clear strategy for how to establish them.

    Information security is not a one-time static process but an ongoing assessment of the risks in your business, where you need to understand your critical assets, the classification of those assets based on CIA, sensitive data and who has access to it, policies, standards, procedures, training, security reviews and continuous monitoring.

    One of the most popular baselines for security controls is the international standard ISO 27002, the Code of Practice for Information Security Management. ISO 27002 has 11 security clauses and 133 high-level security controls, which provide reasonable guidance for implementing an Information Security Management System (ISMS). Due to its broad scope, ISO 27002 is relevant to every industry and size of business.

    An organization should have a baseline of security controls before rushing into compliance with PCI or HIPAA regulation. An ISO assessment will help you understand what controls are in place, assist you with your security strategy, and later become a measuring stick for your ISMS.

    Ongoing compliance is achieved by monitoring the relevant controls, and it will depend on the quality of your information security management system (ISMS). An ISMS includes thorough monitoring, logging and reviewing of controls to maintain and improve system security over time. You can develop an automated monitoring process to achieve consistent results and sustain compliance by continuously monitoring your systems. An ISMS (based on ISO 27001) can certainly be of great value in managing the ongoing monitoring, maintenance and improvement cycle.




    Tags: Computer security, Health Insurance Portability and Accountability Act, Information Security, Information Security Management System, ISO/IEC 27001, pci dss, Privacy Rights Clearinghouse


    Feb 12 2009

    SB1386 and ISO27002

    Category: ISO 27k | DISC @ 7:08 pm

    In April 2007, the California state IT council adopted an information security program guide that helps organizations comply with SB 1386. The council advised using the ISO 27002 information security standard as the framework for meeting the requirements of SB 1386.


    Which businesses are affected by the SB 1386 law?
    o Any business located in California
    o An outsourcing company that does business with a company in California or has customers in California
    o Data centers outside California that store information about California residents


    Toolkits are designed to help organizations that need to comply with a law like SB 1386. The SB 1386 and ISO 27002 Implementation Toolkit assists with ISO 27002 compliance. It also helps organizations interested in certification to lay the groundwork for ISO 27001 certification, which would demonstrate conformance with a world-class information security management system.


    The Comprehensive SB1386 Implementation Toolkit comprises:
    1. The SB 1386 Documentation Toolkit: a download of nearly 400 densely packed pages of fit-for-purpose policies and procedures ensuring full compliance with SB 1386.
    2. International IT Governance: An Executive Guide to ISO 17799/ISO 27001 (soft cover). This is the US version of the long-established, world-leading manual on designing and implementing an Information Security Management System (ISMS) in line with the best-practice guidance of ISO27001/ISO17799.
    3. vsRisk™ – the definitive ISO 27001:2005-compliant Information Security Risk Assessment Tool, which in summary:
    o automates and delivers an ISO/IEC 27001-compliant risk assessment
    o uniquely, can assess confidentiality, integrity and availability for each of the business, legal and contractual aspects of information assets, as required by ISO 27001
    o offers comprehensive best-practice alignment
    o supports ISO 27001
    o supports ISO 27002 (ISO/IEC 17799)
    o conforms to ISO/IEC 27005
    o conforms to NIST SP 800-30
    o uses a wizard-based approach that simplifies and accelerates the risk assessment process
    o includes integrated, regularly updated, BS7799-3 compliant threat and vulnerability databases
    4. Plus an electronic copy of the Information Security Standard ISO/IEC 27002 (formerly ISO 17799).

    Buy The SB-1386 & ISO27002 Implementation Toolkit NOW!

    ISO assessment is a great first step towards ISO 27002 compliance and toward the final goal of ISO 27001 certification audit or for that matter any compliance audit.

    ISO 27002 Framework for Today’s Security Challenges
    httpv://www.youtube.com/watch?v=yRFMfiLbNj8


    Tags: Information Security, Information Security Management System, International Organization for Standardization, iso 27001, iso 27002, iso 27005, iso assessment, National Institute of Standards and Technology, sb 1386


    Jan 30 2009

    ISO 27k and CMMI

    Category: Information Security, ISO 27k | DISC @ 2:00 am

    To become a successful business in today’s market, optimized information security controls may be the panacea for unmet security needs. One way to achieve optimized information security controls is to perform an ISO assessment: assess the organization’s security posture against the ISO 27002 code of practice and map each control to Capability Maturity Model Integration (CMMI) to find out the current CMMI level for each control. The goal is to address the organization’s security needs as a whole, and to assess how different departments and business functions are addressing the current business security requirements. CMMI has five levels and evaluates security controls by level, not by specific objective. Each level provides the basis for the next, so it is not possible to reach the next level without complying with the previous one. ISO 27002 is a comprehensive framework that can be used to obtain the baseline upon which each level is built. For each control in ISO 27002, maturity levels are defined using the maturity definitions found in CMMI, and the assessment report evaluates the maturity level of each ISO 27002 control. Using the color-coded scheme provided by the CMMI model, you can create a one-page ISO control summary for executives that not only helps them understand the current security posture but can also be instrumental for measuring progress and allocating resources.

    The scope of the ISO27k standards includes various aspects of IT. The introduction to ISO 27002 states clearly: “Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form information takes, or means by which it is shared or stored, it should always be appropriately protected.”

    Benefits of the ISO 27k framework:
    o The framework addresses the security issues of the whole organization and limits data breaches
    o Addresses compliance with various regulations (SOX, HIPAA and PCI) without creating silos
    o Reduces the total cost of security by decreasing the total number of controls required
    o Creates the perception that your business is serious about information security, not just compliance
    o Enhances partners’ and vendors’ confidence in doing business with your organization
    o A future deciding factor for national and especially international partners when seeking more business
    o An internationally recognized standard which addresses security awareness for the whole organization


    An assessment will give an organization a high-level view of its current security posture and provide a road map for its security strategy, in the sense of what needs to be addressed first using a risk-based approach. This is also a good start if your organization is interested in an Information Security Management System (ISMS) or ISO 27001 certification. ISO 27001 is the standard for certification and includes the set of requirements for an ISMS. Justifiable scoping is the key to a quick and successful certification; an organization may adjust its scope in a re-certification attempt. Perhaps in the first attempt you may need to include just a web portal and the infrastructure supporting that portal in your scope. Once the ISMS project scope is determined, here are some steps you can follow to prepare for the ISO 27001 auditors.

    1. Based on your scope, create an asset list
    2. Identify each asset’s threats and vulnerabilities and classify the asset on the CIA scale
    3. Build a risk matrix based on the impact and likelihood of each risk
    4. Set priorities based on the impact and likelihood of each risk
    5. Based on those priorities, implement appropriate controls for the risks that need to be addressed
    6. Repeat the risk assessment and improve the ISMS through the PDCA cycle
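    As an added illustration (not code from the original post or from any tool it mentions), the six steps above carried through in Python on a constructed asset register: CIA classification, impact x likelihood scoring, a risk matrix, prioritisation, control selection for risks above an assumed acceptance level, and the reassessment pass that starts the next PDCA turn. All scales, thresholds, assets, threats and controls are assumptions.

```python
# Six-step ISO 27001-style risk assessment on a constructed asset register.
# Scales, thresholds, assets, threats and controls are assumed for illustration.
from dataclasses import dataclass, field

SCALE_MAX = 5            # impact and likelihood are each scored 1-5 (assumed scale)
BANDS = ((15, "High"), (8, "Medium"), (1, "Low"))   # score floor -> risk band
ACCEPTANCE_LEVEL = 8     # risks scoring at or below this are accepted without treatment


def _check(value, label, upper):
    if not 1 <= value <= upper:
        raise ValueError(f"{label} must be between 1 and {upper}, got {value}")
    return value


@dataclass
class Asset:
    """Step 1/2: an in-scope asset rated 1-3 for confidentiality, integrity, availability."""
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def classification(self):
        """The asset is classified at the highest of its three CIA ratings."""
        return max(_check(v, "CIA rating", 3)
                   for v in (self.confidentiality, self.integrity, self.availability))


@dataclass
class Risk:
    """Step 2/3: a threat exploiting a vulnerability of an asset, scored impact x likelihood."""
    asset: Asset
    threat: str
    vulnerability: str
    impact: int
    likelihood: int
    controls: list = field(default_factory=list)

    def score(self):
        return (_check(self.impact, "impact", SCALE_MAX)
                * _check(self.likelihood, "likelihood", SCALE_MAX))

    def band(self):
        return next(name for floor, name in BANDS if self.score() >= floor)

    def treat(self, control, impact_reduction=0, likelihood_reduction=0):
        """Step 5: record a control and its expected effect; ratings never drop below 1."""
        self.controls.append(control)
        self.impact = max(1, self.impact - impact_reduction)
        self.likelihood = max(1, self.likelihood - likelihood_reduction)


def risk_matrix(risks):
    """Step 3: 5x5 matrix, rows = impact, columns = likelihood, counting risks per cell."""
    grid = [[0] * SCALE_MAX for _ in range(SCALE_MAX)]
    for r in risks:
        grid[r.impact - 1][r.likelihood - 1] += 1
    return grid


def prioritise(risks):
    """Step 4: highest score first; ties broken by the asset's CIA classification."""
    return sorted(risks, key=lambda r: (r.score(), r.asset.classification()), reverse=True)


def needs_treatment(risks):
    """Risks above the acceptance level, in priority order (the input to step 5)."""
    return [r for r in prioritise(risks) if r.score() > ACCEPTANCE_LEVEL]


def build_register():
    """Step 1: constructed register for a scope of one web portal and its supporting systems."""
    portal = Asset("customer web portal", confidentiality=3, integrity=3, availability=2)
    db = Asset("customer database", confidentiality=3, integrity=3, availability=3)
    tapes = Asset("offsite backup tapes", confidentiality=3, integrity=2, availability=1)
    return [
        Risk(portal, "SQL injection", "unvalidated input in search form", impact=5, likelihood=4),
        Risk(db, "privilege abuse", "shared DBA account, no audit logging", impact=5, likelihood=3),
        Risk(tapes, "theft in transit", "unencrypted tapes", impact=4, likelihood=2),
        Risk(portal, "denial of service", "single hosting provider", impact=2, likelihood=3),
    ]


def assessment_cycle():
    """Steps 1-6 end to end: assess, treat what is above acceptance, then reassess (PDCA)."""
    register = build_register()
    before = [(r.asset.name, r.threat, r.score(), r.band()) for r in prioritise(register)]
    # Step 5: assumed treatments and their expected (impact, likelihood) reductions.
    treatments = {
        "SQL injection": ("parameterised queries and input validation", 0, 3),
        "privilege abuse": ("named DBA accounts with audit logging", 1, 2),
    }
    for r in needs_treatment(register):
        if r.threat in treatments:     # a risk with no planned control stays in the residual list
            r.treat(*treatments[r.threat])
    # Step 6: reassess; anything still above acceptance feeds the next PDCA iteration.
    after = [(r.asset.name, r.threat, r.score(), r.band()) for r in prioritise(register)]
    return before, after, needs_treatment(register)
```

    Calling `assessment_cycle()` returns the prioritised register before and after treatment plus the residual risks still above the acceptance level; the "theft in transit" risk sits exactly on the threshold and is accepted, which is the boundary case the acceptance level needs to settle explicitly.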

    “ISO27001 is a structured, technology-neutral, vendor-agnostic specification and code of practice for information security management in organizations of all sizes that should be adopted as part of an organization’s overall risk management strategy.”

    This should give you a jump start to certification. You have already started the certification process, because most of the documentation from the risk assessment will become part of the certification process later and will lead you to the 12 steps that are part of the PDCA cycle. The ISMS certification process uses the Plan-Do-Check-Act (PDCA) cycle methodology, which continually improves the information security management system and meets the contractual, legal and regulatory requirements for information security.

    ISO assessment is utilized to analyze the current security posture of an organization where each control is defined and can be color coded using the base definition found in CMMI. Therefore ISO assessment is a great first step towards the final ISO 27001 certification audit or for that matter any compliance audit.


    ISO 27k framework for today’s security challenges
    httpv://www.youtube.com/watch?v=yRFMfiLbNj8

    Three useful titles on ISO 27k by Alan Calder

    Tags: Capability Maturity Model Integration, CIA scale, Information Security, Information Security Management System, International Organization for Standardization, isms, iso 27001, iso 27002, ISO/IEC 27001, PCI, PDCA, Risk Assessment, Risk management, Security, SOX HIPAA, vsrisk


    Oct 07 2008

    vsRisk and security risk assessment

    Category: ISO 27k, Security Risk Assessment | DISC @ 3:18 pm

    Information Security Risk Management for ISO27001 / ISO27002

    The State of California has adopted ISO/IEC 27002 as its standard for information security and recommends other organizations and vendors to use this standard as guidance in their efforts to comply with California law.

    To achieve ongoing compliance, major organizations require tools to comply with standards such as ISO 27002/ISO 27001. vsRisk is an easy-to-use Information Security Risk Assessment tool which makes the risk assessment process consistent and easier, and produces the documentation required to achieve ISO 27001 certification. vsRisk also aligns seamlessly with standards like ISO 27002, ISO 27005 and NIST SP 800-30.

    vsRisk helps organizations develop an Information Security Management System (ISMS) asset inventory and capture the business, legal and contractual requirements against each asset. vsRisk is customizable to meet specific needs when introducing new risks, vulnerabilities and controls, without any additional help from a consultant. vsRisk helps you focus on assets rather than on threats and vulnerabilities. This approach treats each business process as an asset and examines its criticality, its security gaps and the consequences of its failure. In this regard, vsRisk is an effective and efficient tool because it identifies the most important points and key issues right away, which a threat-focused approach does not.

    Major benefits of the vsRisk tool:
    1. It is the definitive ISO27001 risk assessment tool, compliant with all the key information security standards – which means that you can be certain that a vsRisk risk assessment will help you achieve ISO27001 certification.
    2. It is designed to be usable – your lead risk assessor and any asset owners involved in your risk assessment are going to find their task made easier.
    3. Unique features include the risk assessment wizard, which standardizes the risk assessment process and guides asset owners through the risk assessment process.
    4. vsRisk creates a baseline from which future risk assessments can easily be made.
    5. vsRisk integrates with the ISMS documentation toolkit, for even greater usability.

    “vsRisk™- the Definitive ISO 27001: 2005-Compliant Information Security Risk Assessment Tool, which automates and delivers an ISO/IEC 27001-compliant risk assessment and can assess confidentiality, integrity and availability for each of business, legal and contractual aspects of information assets – as required by ISO 27001. Providing a comprehensive best-practice alignment, it supports ISO 27001 and 27002 (ISO/IEC 17799) disciplines, and is ISO/IEC 27005 and NIST SP 800-30 compliant. It also offers a wizard-based approach that simplifies and accelerates the risk assessment process, plus integrates and regularly updates BS7799-3 compliant threat and vulnerability databases.”

    The key to successful risk management is to protect your most important/critical assets. The importance/criticality of an asset can change over time. That is another reason to automate the security risk assessment process: so that your risks are recalibrated against the current state of security.
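To make the asset-based approach and the baseline idea concrete, here is an added example (not vsRisk's own logic and not from the original post): a small risk register in which each asset carries confidentiality, integrity and availability impact ratings, each risk is scored as impact times likelihood, and a later assessment is compared with the baseline so that a change in an asset's criticality shows up as risk drift. The 1 to 5 rating scale, the acceptance threshold of 12, the asset and risk names and every rating are constructed assumptions.

```python
"""Asset-based information security risk scoring with baseline comparison.

Added illustration, not vsRisk's own code. Assumes a 1-5 scale for impact
and likelihood and an acceptance threshold of 12; all sample data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCALE = range(1, 6)           # assumed: 1 (low) .. 5 (high)
ACCEPTANCE_THRESHOLD = 12     # assumed: scores above this need treatment


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    c: int   # impact if confidentiality is lost, 1..5
    i: int   # impact if integrity is lost, 1..5
    a: int   # impact if availability is lost, 1..5
    # Business, legal and contractual requirements captured against the asset
    requirements: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int            # 1..5
    affects: Tuple[str, ...]   # subset of ("C", "I", "A")


def _check(value: int, what: str) -> int:
    if value not in SCALE:
        raise ValueError(f"{what} must be in {list(SCALE)}, got {value}")
    return value


def impact(asset: Asset, risk: Risk) -> int:
    """Worst-case impact across the CIA properties the risk affects."""
    ratings = {"C": asset.c, "I": asset.i, "A": asset.a}
    if not risk.affects:
        raise ValueError("risk must affect at least one of C, I, A")
    return max(_check(ratings[p], f"{asset.name}.{p}") for p in risk.affects)


def score(asset: Asset, risk: Risk) -> int:
    """Risk = impact x likelihood, so 1..25 on the assumed scale."""
    return impact(asset, risk) * _check(risk.likelihood, "likelihood")


def assess(assets: List[Asset], risks: List[Risk]) -> Dict[Tuple[str, str], int]:
    """Score every (asset, threat) pair; a risk on an unknown asset is an inventory gap."""
    by_name = {a.name: a for a in assets}
    register: Dict[Tuple[str, str], int] = {}
    for r in risks:
        if r.asset not in by_name:
            raise KeyError(f"risk references asset not in inventory: {r.asset}")
        register[(r.asset, r.threat)] = score(by_name[r.asset], r)
    return register


def needs_treatment(register: Dict[Tuple[str, str], int]) -> List[Tuple[str, str]]:
    """Risks above the acceptance threshold, highest score first."""
    over = [k for k, v in register.items() if v > ACCEPTANCE_THRESHOLD]
    return sorted(over, key=lambda k: register[k], reverse=True)


def drift(baseline: Dict[Tuple[str, str], int],
          current: Dict[Tuple[str, str], int]) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Risks whose score changed since the baseline, as (old, new); 0 means absent."""
    keys = set(baseline) | set(current)
    return {k: (baseline.get(k, 0), current.get(k, 0))
            for k in keys if baseline.get(k, 0) != current.get(k, 0)}


# Constructed sample inventory and risks (assumed values, not real data)
ASSETS_2008 = [
    Asset("Customer DB", "Sales", c=5, i=4, a=3, requirements=("breach notification law",)),
    Asset("Public website", "Marketing", c=1, i=3, a=3),
]
RISKS = [
    Risk("Customer DB", "Laptop theft with cached extract", "No disk encryption", 3, ("C",)),
    Risk("Customer DB", "Backup media loss", "Unencrypted tapes", 2, ("C", "A")),
    Risk("Public website", "Defacement", "Unpatched CMS", 4, ("I", "A")),
]
# Later the website starts taking orders, so its criticality rises.
ASSETS_2009 = [ASSETS_2008[0], Asset("Public website", "Marketing", c=4, i=5, a=4)]

if __name__ == "__main__":
    baseline = assess(ASSETS_2008, RISKS)
    current = assess(ASSETS_2009, RISKS)
    print("needs treatment:", needs_treatment(current))
    print("drift since baseline:", drift(baseline, current))
```

Nothing about the threat list changed between the two assessments; only the website's ratings did, yet the defacement risk moves from "accepted" to "needs treatment". That is the point of re-running the assessment against the current asset inventory rather than against the threat catalogue alone.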

    Risk Management to ISO27001/NIST: a wizard-based risk assessment tool that simplifies compliance. Buy the vsRisk tool!

    Meet Stringent California Information Security Legislation with Comprehensive Toolkit

    ISO27001 EXPERTS CAN HELP COMPANIES MEET STRINGENT CALIFORNIAN …
    EIN News (press release) – Netherlands
    vsRisk™- the Definitive ISO 27001: 2005-Compliant Information Security Risk Assessment Tool, which automates and delivers an ISO/IEC 27001-compliant risk …

    Tags: asset owner, automate security risk assessment, baseline, california, isms, iso 17799, iso 27001, iso 27001 certification, iso 27002, iso 27005, nist sp 80-30, sb 1386, vsrisk


    Aug 08 2008

    ISO27k and compliance

    Category: Information Security, ISO 27k | DISC @ 2:42 am

    A security review is performed to identify and analyze risks and weaknesses in the current security posture of an organization. An ISO assessment is performed using the international standard ISO 27002 together with the company's security policy; the purpose of the review is to evaluate the organization's information security posture against the international standard. The level of compliance indicates how close your organization is to meeting the key objectives of each of the 133 controls defined within 11 security control clauses, which collectively contain a total of 39 main security categories, plus one introductory clause on risk assessment and treatment.

    It is important not only to assess each control for completeness (all relevant areas are addressed) and comprehensiveness (each individual area is covered fully); this balanced framework also serves as the basis both for measuring an organization's effectiveness in addressing risk and for structuring its overall security program. Because the ISO 27002 requirements are largely a superset of other major regulations, achieving ISO 27002 compliance puts most organizations well on their way to meeting the requirements of SOX, HIPAA and GLBA.

    To achieve ISO compliance, a thorough assessment covering all 133 controls will provide guidelines for mitigating the gaps found. If you would like to compare your security practices with the international standard, conduct a security review based on the ISO controls to give your business an edge.
    The result of the assessment will not only establish and maintain the security policy but also validate the policy's completeness, design new controls and provide a road map to mitigate risks. An assessment of risks will determine which issues need to be addressed and provide a guideline for meeting security regulations and a road map for building a world-class ISMS (Information Security Management System).
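The "level of compliance" described above is only meaningful if every control is accounted for and exclusions are justified. The following is an added example, not part of the original post and not any product's code, that scores a constructed subset of an ISO 27002 style control catalogue per control and per clause, excludes not-applicable controls from the denominator only when a justification is recorded (as a Statement of Applicability requires), and treats controls that were never assessed as gaps rather than silently ignoring them. The control ids, clause numbers, findings and the half-credit weight for partial implementation are constructed assumptions for the example.

```python
"""Compliance level per control and per clause against an ISO 27002 style
catalogue, with a check that every catalogued control was actually assessed.

Added illustration, not any product's code. The catalogue subset, the findings
and the scoring weights are constructed for this example.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed scoring: a partially implemented control earns half credit.
WEIGHTS = {"implemented": 1.0, "partial": 0.5, "not_implemented": 0.0}
NOT_APPLICABLE = "not_applicable"
NOT_ASSESSED = "not_assessed"   # in the catalogue but missing from the findings

# Constructed subset of the 133-control catalogue: id -> (clause number, title)
CATALOGUE: Dict[str, Tuple[int, str]] = {
    "A.5.1.1": (5, "Information security policy document"),
    "A.7.1.1": (7, "Inventory of assets"),
    "A.9.2.1": (9, "Equipment siting and protection"),
    "A.10.5.1": (10, "Information back-up"),
    "A.11.2.1": (11, "User registration"),
    "A.13.1.1": (13, "Reporting information security events"),
}

# Findings: control id -> (status, justification or evidence note)
Findings = Dict[str, Tuple[str, str]]


def validate(findings: Findings) -> None:
    """Reject findings that would silently distort the compliance figure."""
    for cid, (status, note) in findings.items():
        if cid not in CATALOGUE:
            raise KeyError(f"unknown control id {cid}")
        if status not in WEIGHTS and status != NOT_APPLICABLE:
            raise ValueError(f"{cid}: unknown status {status!r}")
        # Exclusions need a justification, as a Statement of Applicability requires.
        if status == NOT_APPLICABLE and not note.strip():
            raise ValueError(f"{cid}: not_applicable requires a justification")


def status_of(findings: Findings, cid: str) -> str:
    """Unassessed controls are treated as gaps, never as passes."""
    return findings[cid][0] if cid in findings else NOT_ASSESSED


def compliance(findings: Findings) -> Tuple[float, Dict[int, float]]:
    """Return (overall level, per-clause level), each in 0.0..1.0.

    not_applicable controls leave the denominator; not_assessed ones score 0.
    """
    validate(findings)
    earned: Dict[int, float] = defaultdict(float)
    possible: Dict[int, int] = defaultdict(int)
    for cid, (clause, _) in CATALOGUE.items():
        status = status_of(findings, cid)
        if status == NOT_APPLICABLE:
            continue
        possible[clause] += 1
        earned[clause] += WEIGHTS.get(status, 0.0)
    per_clause = {c: earned[c] / possible[c] for c in possible}
    total = sum(possible.values())
    overall = sum(earned.values()) / total if total else 0.0
    return overall, per_clause


# Gap ordering for the report: absent controls are worse than partial ones.
GAP_ORDER = {"not_implemented": 0, NOT_ASSESSED: 1, "partial": 2}


def gaps(findings: Findings) -> List[Tuple[str, str, str]]:
    """(control id, title, status) for every control short of full implementation."""
    validate(findings)
    out = []
    for cid, (_, title) in CATALOGUE.items():
        status = status_of(findings, cid)
        if status in GAP_ORDER:
            out.append((cid, title, status))
    return sorted(out, key=lambda g: (GAP_ORDER[g[2]], g[0]))


# Constructed findings; A.13.1.1 was never reviewed and so counts as a gap.
SAMPLE_FINDINGS: Findings = {
    "A.5.1.1": ("implemented", "policy v3 approved by the board"),
    "A.7.1.1": ("partial", "inventory covers servers but not laptops"),
    "A.9.2.1": (NOT_APPLICABLE, "no on-premises equipment; hosting contract covers this"),
    "A.10.5.1": ("implemented", "nightly backups, restore test on file"),
    "A.11.2.1": ("not_implemented", "accounts created ad hoc by email request"),
}

if __name__ == "__main__":
    overall, per_clause = compliance(SAMPLE_FINDINGS)
    print(f"overall {overall:.0%}", per_clause)
    for g in gaps(SAMPLE_FINDINGS):
        print(*g)
```

The per-clause figures are what a road map is built from: a clause sitting at 0% (here access control, because its one sampled control is not implemented) is where new controls are designed first, while the unassessed control surfaces as a completeness failure of the review itself rather than being hidden inside an inflated overall percentage.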

    ISO27001 is an international standard that is regarded as information security best practice, or due diligence, and is part of the specification document for security controls and audit controls. ISO27002 is a code of practice that recommends guidelines for information security management systems and is closely linked to ISO 27001. ISO27001 continues to provide comprehensive best-practice advice and guidance to private and public organizations around the globe on how to design and implement a compliant information security management system (ISMS).
    An ISMS is not simply a set of documents. Maintaining and improving the ISMS allows it to grow over time to address new business requirements. An ISMS is a system that addresses the information security risks facing an organization and identifies the organization's level of compliance with applicable regulations.


    Tags: glba, Health Insurance Portability and Accountability Act, hipaa, Information Security, Information Security Management System, isms, iso 27002, iso assessment, iso compliance, ISO/IEC 27001, ISO/IEC 27002, sox

