Dec 04 2013

ISO27001 2013 high level review for making the transition

Category: ISO 27kDISC @ 3:06 pm

ISO 27001 2013

ISO 27001 2013 high level review for making the transition from ISO 27001 2005

The Case for ISO 27001 (2013) Second Edition (Download the latest book in Adobe)

It’s been several months now that highly anticipated release of the latest information security standard ISO 27001 2013 for the organization who have vested interest due to previous compliance or certification in ISO 27001 2005. ISO 27001 2013 has 114 controls defined within 14 security control clauses (domains) collectively containing a total of 35 main security categories and introductory clauses including introduction, scope, normative references.

0. Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organisation
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

The new standard no longer require organizations to adopt the Plan-Do-Check-Act (P-D-C-A) model to develop and introduce the ISMS, but leave it to each organization to determine and adopt a continual improvement model (corrective action) that works for them.

The scope in new standard requires every organization to make sure the external and internal issues, (vendor assessment) and information security requirements of these parties are addressed in the contract. This clause will ensure that an ISMS is relevant to the organization’s activity which include external partners and provides an assurance that appropriate controls are in place for external parties as well. In risk assessment area, risks are treated and residual risk accepted by risk owners rather than asset owners, which may require organizations to build a risk register, which will ultimately become an auditable document.

There is another important requirements relating to the setting of information security objectives (strategy), which include the evaluation of the information security performance and measuring the effectiveness of the ISMS.

Annex A has also been restructured into fewer controls (114) and three new domains
A.5. Information security policies
A.6. Organisation of information security
A.7. Human resources security
A.8. Asset management
A.9. Access control
A.10. Cryptography – new
A.11. Physical and environmental security
A.12. Operations security – new
A.13. Communications security
A.14. System acquisition, development and maintenance
A.15. Supplier relationships – new
A.16. Information security incident management
A.17. Information security aspects of business continuity management

The Standard now covers what was previously referred to as ‘control of documents’ and ‘control of records’ under the description of ‘documented information’.

There is no longer a summary of the mandated documents required by the Standard in this section, relying on the organization to identify the requirements for what is now referred to as ‘documented information’ for itself. They are listed below

The scope (4.3)
The information security policy (5.2 e)
The information security risk assessment process (6.1.2)
The information security risk treatment process (6.1.3)
Statement of Applicability (6.1.3 d)
The information security objectives (6.2)
Evidence of competence (7.2)
That documentation ‘determined by the organisation as being necessary for the effectiveness of the information security management system’ (7.5.1 b)
The documentation necessary to have confidence that the processes required for operational planning and control have been carried out as planned (8.1)
The results of information security risk assessments (8.2)
The results of information security risk treatment (8.3)
Evidence of the information security performance monitoring and measurement results (9.1)
Internal audit programme(s) and the audit results (9.2 g)
Evidence of the results of management reviews (9.3)
Evidence of the nature of the non-conformities and any subsequent actions taken, and the results of any corrective actions (10.1)

Summary of new controls in ISO 27001 2013 Annex A

A.6.1.5 – Information security in project management
All projects will address information security, regardless of the nature of the project. This ensures that information security is dealt with from the bottom up.
A.14.2.1 – Secure development policy
Rules for development of software and systems are established and applied to developments. This acts as a sort of precursor control to 14.1.1 and 14.1.3, which relate to controlling the data and applications developed under this control.
14.2.6 – Secure development environment
The organisation ensures an appropriately secure development environment for system development and integration, across the whole development lifecycle. This is deliberately broad to allow input from the earliest stages of the ISMS (identifying the nature of the organisation), rather than restrictively demanding measures that may not be relevant.
14.2.8 – System security testing
The organisation establishes acceptance testing programs and related criteria for new information systems, upgrades and new versions.
15.1.3 – Information and communication technology supply chain
This control requires agreements with suppliers to address information security risks associated with information and communications technology services and products supply chain.
16.1.4 – Assessment of and decision on information security events
Information security events are examined and assessed to determine whether they qualify as information security incidents. This control applies an additional step in the incident management process.

Contact DISC for a Free Gap Assessment for any domain of your choice based on location

Start your ISMS project with ISO27001 2013 Documentation Toolkit

Mapping of ISO/IEC 27001:2013 to ISO/IEC 27001:2005 for $6.99  

  

 Download ISO27000 family of information security standards!
‱ ISO 27001 2013 ISMS Requirement (Download now)
‱ ISO 27002 2013 Code of Practice for ISM (Download now)

 

Related articles

Tags: Information Security Management System, isms, ISO 27001 2013, ISO 27001 2013 Gap Assessment, ISO 27001 2013 Toolkit, iso 27001 certification, ISO 27001 Lead Implementer

Dec 01 2013

ISO27001 2013 ISMS Standalone Documentation Toolkit

Category: ISO 27kDISC @ 9:53 pm

ISO27001 2013

Start your ISMS project with ISO27001: 2013

With the publication of the new version of the ISO27001 standard, there has never been a better time to start an ISMS implementation project to look after your information security.

 

ITGP toolkits – ISO27001: 2013 ISMS Documentation Toolkit

This new Toolkit provides you with a comprehensive set of pre-written ISMS documents compliant with the newly released ISO27001: 2013 Standard, built from the necessary policies, procedures, work instructions and records that will save you months of work as you get your information security system up to speed, including:

* Information Security Manual

* Visio Documentation Map and Structure

* Information Security Policy

* vsRisk risk assessment tool Integration Templates (not vsRisk itself)

* Business Continuity Management for information security

* Gap analysis ISO27001: 2013 and ISO27002: 2013 Audit tool

* Asset Management documentation templates such as, Asset Inventory, Information Hardware Assets, Software log, etc.

* Supplier Relationships documentation templates such as, External Parties Information Security Procedure and Third Party Service Contracts

* Operations and Communications Security document templates dealing with, Anti-Virus Software, Vulnerability Management, Systems Auditing, System Planning & Acceptance, etc.

 

Benefits of the ISO27001: 2013 ISMS Documentation Toolkit:

  • Fully customisable and editable templates inclusive of:
    7 Policies, 55 Procedures, 23 Work Instructions, 25 Records, guidance documents as well as Blank Templates that will enable you to bring in your exisitng documentation in-line with a consistent management system
  • Pre-written to be compliant with the standard
  • Saves you time on research
  • Saves you time on writing
  • Provides document guidance as you go
  • Cheaper than one day of consultancy
  • After sales support service
  • 12 months of automatic updates

 

Related articles

Tags: ISO 27001 2013, ISO 27001 2013 Gap Assessment, ISO 27001 2013 Toolkit

Nov 05 2013

When can we become certified to ISO/IEC 27001:2013?

Category: ISO 27kDISC @ 8:39 pm

ISO 27001

ISO27001:2013

 ISO27001: 2013 – order your copy today >>>

When can we become certified to ISO/IEC 27001:2013?

by Lewis Morgan @ ITG

At this moment in time, we can only provide an estimate which is based on the insight provided by Chair of the UK ISO/IEC 27001 User Group and Director of consultancy at IT Governance Ltd, Steve Watkins. Considering Steve’s position, we believe his estimates to be the best guidelines an organization can follow.

The following is directly taken from the ISO27001:2013 Transition Webinar by Steve Watkins

“It’s likely that as of 1st January 2014, certification bodies will be able to start the transition to the 2013 version of ISO27001 standard. If that is indeed the case, it’s likely to be that as of 30th September, no new ISO27001:2005 certificates can be issued. This means that by the end of September 2016 all ISO27001:2005 certificates should have transitioned to the 2013 version of the standard”

The image below further illustrates what Steve discussed on the webinar, including his suggestions in terms of what organizations should do next.

ISO27k timeline

Related articles

Tags: Information Security Management System, ISO, ISO/IEC 27001

Sep 25 2013

Be the first to receive ISO/IEC 27001:2013

Category: ISO 27kDISC @ 6:25 pm

ISO 27001

ISO27001:2013 Now Available!

Be the first to receive ISO27001: 2013 – order today >>>

ISO27001: 2013 is the new standard that details the requirements for an information security management system (ISMS).

ISO270012013

ISO/IEC 27001 2013 (ISO27001 ISO 27001) ISMS Requirements

There a several updates to the new standard including:

‱ Terms and definitions are now referenced from ISO27000:2012 (with the terminology of ISO27000 also being updated)
‱ Risk assessment requirements are less prescriptive and are now aligned with ISO 31000 – the international standard for risk management.
‱ The PDCA cycle is no longer mandated as the approach for reviewing and improving an ISMS. You can use the PDCA or any other approach.
‱ The requirements for management commitment have been overhauled and are largely contained presented in the Leadership clause
‱ The requirements for a statement of applicability in the 2013 edition have been enhanced
‱ The risk treatment process makes it easier to adopt control frameworks other than Annex A
‱ Annex B has been deleted, and Annex A has also been revised and restructured
Be the first to receive the new ISO27001:2013 standard.

The Code of Practice for Information Security Controls, ISO27002 has also been updated.
ISO/IEC 27002:2013 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization.
Order ISO27002:2013 today >>>

Related articles

Aug 07 2013

vsRisk – The Cyber Security Risk Assessment Tool

Category: ISO 27k,Security Risk AssessmentDISC @ 9:09 am

vsRisk – The Cyber Security Risk Assessment Tool

httpv://www.youtube.com/watch?v=M8acvay4FmU

It is extremely difficult to carry out a risk assessment that will meet the requirements of ISO27001 without using a specialist information security risk assessment tool. While there are a wide range of products on the market that claim to meet these requirements, the reality is that there are very few.

There’s just one risk assessment tool that IT Governance recommends; the vsRiskℱ v1.7 – the Cybersecurity Risk Assessment Tool.

It’s so straightforward, and so quick to use, it can save you a significant amount of the budget you might otherwise spend on consultancy advice at this stage of the project.

5 reasons why vsRisk is the definitive risk assessment tool:

  • This tool automates and delivers an ISO/IEC 27001-compliant risk assessment
  • Can uniquely assess confidentiality, integrity & availability (CIA) for each of business, legal and contractual aspects of information assets – as required by ISO27001
  • Gives comprehensive best-practice alignment
  • It’s easy and straight-forward to use
  • Cost-effective route to assessing risks within your business

Download the definite risk assessment tool >>

 

Related articles

Tags: Information Security, Information Security Management System, ISO/IEC 27001, Policy, Risk Assessment, Risk management, Security, Standards

Jul 12 2013

Final Draft of New ISO 27001 Standards Now Available

Category: ISO 27kDISC @ 9:55 am

The ISO/IEC announced this week that the latest ISO 27001 and ISO 27002 Standards have entered the Final Draft stage (FDIS). This means that the standard is almost ready for publication, with no, or only minor changes to be made in the final approval stage.

IT Governance is offering you the chance to get ahead of the game and purchase copies of these new ISO 27001 standards today.

 

ISO/IEC FDIS 27001 2013

ISO/IEC FDIS 27001 2013

Price: $160

Buy Now

ISO/IEC FDIS 27002 2013

ISO/IEC FDIS 27002 2013

Price: $240

Buy Now
Related articles

Jun 25 2013

Risk management – ISO 27005 could be the cure

Category: ISO 27k,Risk AssessmentDISC @ 9:30 am

English: ISMS activities and their relationshi...

English: ISMS activities and their relationship with Risk Management (Photo credit: Wikipedia)


 
 
 
 
 
 
 
 
 
 
 
 
 
 

By Catherine Thornley @ ITG

Risk management in information security management and how ISO/IEC 27005 can help you tackle it effectively.

Risk is arguably one of the most commonly used words in business, but what does it actually mean?

There are many English dictionary definitions, many centered around “a situation involving exposure to danger” and whilst some people talk about up-side or positive risk, it is generally accepted that in business, the risk is all about the chance that something will go wrong, and how badly.

But of course there is uncertainty in everything we do; and therefore risk. Sometimes there is uncertainty about whether something good will happen, but that just means that there is also a chance that it won’t; which is bad.

Risk and corporate governance

The big thing about risk in business today is corporate governance. People responsible for running companies are simply not allowed, when something goes wrong, to say “we didn’t think of that”, or “it never happened before”. Those are two quite common responses both when something has gone wrong and also when it hasn’t; when senior managers are asked to do something about risk management.

For many, when they do finally look at risk, thinking switches immediately from chance to result. The likely impact of a risk dominates thinking where previously it was the probability of a threat materialising that was the dominant factor.

Many organisations assess risk intuitively; that is to say they simply decide whether an activity, or situation, is very risky, not very risky, or somewhere in between.

This intuitive approach can be applied to information security risk – but it can be very difficult to evaluate risk effectively in this area. The challenge is two-fold; understanding what information security actually is and knowing how to assess and respond to the related risks in a logical way, that will stand scrutiny should the worst happen.

Information security managers, and those doing the job as part of a broader role, often need some help in identifying the most effective way to manage this specific set of risks, which is where ISO 27005 can help.

How ISO 27005 can help

Where ISO 27001 presents a broad blueprint for dealing with information security, ISO 27005 takes it much further and delivers the detail of information security risk assessment, in a way that the results integrate easily into an ISO 27001 compliant information security management system (ISMS).

ISO 27005 provides a detailed and valuable insight into effective information security risk management. And since ISO 27001 calls for a risk based approach, there cannot be a better basis for it!

 5 reasons why vsRisk v1.6 is the definitive risk assessment tool

Related articles

May 20 2013

A Guide to Data Security and ISO27001/ISO27002

Category: ISO 27kDISC @ 1:39 pm

ITGovernance

IT Governance 5: An International Guide to Data Security and ISO27001/ISO27002

This manual provides clear, unique guidance for both technical and non-technical managers. It details how to design, implement and deliver an ISMS that complies with ISO 27001.

Now in its fifth edition, this title has been fully updated to take account of the latest regulatory and technological developments, and the International Board for IT Governance Qualifications

 

Related articles

Tags: Corporate governance of information technology, Information Security, Information Security Management System, ISO, ISO/IEC 27001, Risk Assessment

Apr 03 2013

IT Governance 5 top tips for Implementing successful ISO27001

Category: ISO 27kDISC @ 11:06 am

Nine Steps to ISO27001

  1. Get a copy of the standard! There are a few people out there that purchase the standard half way through implementation (or even not at all) but the truth of the matter is, this is one of the first things you should do. It will help confirm suspicions and will be the core backbone as to what you do from now on.
  2. Get management buy in. This is critical for supporting your ISO27001 project and making it a success
  3. Read, read, read! There’s a wealth of free information out there on the web to help you get stuck in to your ISO27001 project. From white papers to Linkedin groups, you’re sure to find what you’re looking for.
  4. Use all the available tools and resources out there. This will make implementation a lot easier, saving you lots of head scratching, late nights and hours spent staring out the window! Documentation toolkits really help simplify the process and can also lessen the time it takes you to reach certification
  5. Communication is at the heart of the ISO27001 process. It allows you to keep your Board and the rest of your organisation updated with regular progress reports and key measurements to indicate the success of the project so far.

 

Nine Steps to Success: an ISO 27001 Implementation Overview This is the ideal guide for anyone tackling   – or about to tackle – ISO27001 for the first time.
Related articles

Mar 02 2013

Forward-thinking books on information security

Category: Information Security,ISO 27kDISC @ 8:01 pm

unto the breach

Forward-thinking books on information security help organisations understand current challenges in the sector

/EINPresswire.com/ Keeping up-to-date with information security issues and responding to new cybersecurity challenges can be time-consuming. However, it is essential that anyone concerned with information security, from IT professionals through to the Board members, dedicates time to learning and understanding these issues.

Last week, for example, the UK’s National Audit Office highlighted a severe lack of skilled cybercrime fighters in the UK. Cybercrime is costing the UK economy an estimated £18-27 billion each year.

So, is there a fast route to getting up to speed with what’s happening and what the modern means are to fight cybercrime?

Information security experts at IT Governance advise there is an easy way to catch up with the latest developments and fill in the knowledge gap. They recommend three essential books that can greatly improve everyone’s understanding of information security, data protection and risk management, whilst providing them with enjoyable and useful reading.

Once more unto the Breach – Managing information security in an uncertain world is based on a typical year in the life of an information security manager. The book examines how the general principles can be applied to all situations and discusses the lessons learnt from a real project. The book can be purchased as softcover and eBook from >> Once more unto the Breach – Managing information security in an uncertain world 

IT Governance – An International Guide to Data Security and ISO27001/ISO27002 is the definitive guide to implementing an ISO27001 compliant Information Security Management System (ISMS). Written by industry experts, Alan Calder and Steve Watkins, it contains clear guidance on all aspects of data protection and information security. Book reviewers describe it as ‘unparalleled’, a critical source when preparing and managing the ISMS’ and ‘a comprehensive guide as to actions that should be taken’. The book can be ordered online at >> IT Governance – An International Guide to Data Security and ISO27001/ISO27002

Managing Information Security Breaches – Studies from real life provides a general discussion of, and a source of learning about, what information security breaches are, how they can be treated and what ISO27001 can offer in that regard, spiced with a number of real-life stories of information security incidents and breaches. This book is highly relevant and will help every team to prepare a strategic framework for handling information security breaches. Buy a softcover or eBook from >> Managing Information Security Breaches – Studies from real life

 

Related articles

Feb 25 2013

PENETRATION TESTING & ISO27001

Category: ISO 27k,Pen TestDISC @ 10:38 pm

penetration testing

Penetration testing (often called “pen testing” or “security testing”) establishes whether or not the security in place to protect a network or application against external threats is adequate and functioning correctly. It is an essential component of most ISO27001 and UK public sector contracts.

Why would my company need penetration testing services?

In a world where attacks on networks and applications are growing in number at an exponential rate, and the penalties incurred by organisations for failing to defend against such attacks are becoming ever steeper, effective penetration testing is the only way of establishing that your networks and applications are truly secure. Penetration testing is also an essential component in any ISO27001 ISMS – from initial development through to on-going maintenance and continual improvement.

How does penetration testing fit into my ISO27001 ISMS project?

There are three specific points in your ISMS project at which penetration testing has a significant contribution to make:

1. As part of the risk assessment process: uncovering vulnerabilities in any Internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats.

2. As part of the Risk Treatment Plan ensuring controls that are implemented do actually work as designed.

3. As part of the on-going corrective action/preventive action (CAPA) and continual improvement processes; ensuring that controls continue to work as required and that new and emerging threats and vulnerabilities are identified and dealt with.

The Basics of Hacking and Penetration Testing
This guide will show you how to undertake a penetration test or as it is sometimes known an ethical hack. This book focuses on how to hack one particular target, this allows you to see how the tools and phases of the pen test relate. to get your copy of The Basics of Hacking and Penetration Testing
ITG | eBay | Amazon

Penetration Testing – Protecting Networks and Systems
An essential guide to penetration testing and vulnerability assessment, which can be used as a Certified Penetration Testing Engineer Exam Prep Guide. to get your copy of your Penetration Testing – Protecting Networks and Systems
ITG | eBay | Amazon

Related articles

Tags: Information Security, Information Security Management System, ISO/IEC 27001, Penetration test

Feb 12 2013

Why ISO 27001 certification should be a priority

Category: ISO 27kDISC @ 10:34 pm

ISO 27001

Why ISO 27001 certification is unavoidable

Now a days, the ISO27001 standard has become an almost unavoidable factor in the field of information security. Compliance is unavoidable because most industries are heavily regulated. Seems like more legislations are on our way to redefine our actions on the internet. Because ISO 27001 requirements are largely a superset of other major standars and regulations, achieving ISO 27001 certification positions most organizations to be well on their way to meeting the requirements of PCI, SOX, HIPAA and GLBA.

Six main benefits of Information Security Management System based on ISO 27001 specifications

1. Business managers of the organizations will make informed decisions regarding potential risk and should be able demonstrate compliance with standards and regulations such as SOX, GLBA, HIPAA, DPA to their critical information on regular basis.

2. An ISMS is a defensive mechanism to any APT (advanced persistent threat) to minimize the impact from these external threats of various cybercrime.

3. Informed information security decisions will be made based on risk assessment to implement technical, management, administrative and operational controls, which is the most cost effective way of reducing risk. Highest priority risks are tackled first to attain best ROI in information security.

4. Information security is not an IT responsibility; In general everybody in an organization is responsible for protecting information assets and more specifically business manager. The business manager may delegate their responsibility.

5. Organization will improve credibility and trust among internal stakeholder and external vendors. The credibility and trust are the key factors to win a business.

6. ISMS raises awareness throughout the business for information security risks, involve all employees throughout an organization and therefore lower the overall risk to the organization.

Related Books, Standards and Tools you may need to achieve ISO 27001 certification

Nine Steps to Success: an ISO 27001 Implementation Overview“It’s like having a $300/hr consultant at your elbow as you consider the aspects of gaining management support, planning, scoping, communication, etc…” Thomas F. Witwicki (amazon.com review)

IT Governance: An International Guide to Data Security and ISO27001/ISO27002
Covers simply everything you need to know about information security and ISO27001. It is also the UK’s Open University’s post-graduate information security textbook. All aspects of data protection / information security are covered including viruses, hackers, online fraud, privacy regulations, computer misuse, investigatory powers etc.

ISO27000 Standards
Official standards available in hardcopy and downloadable formats.

Standalone ISO 27001 ISMS Documentation Toolkit
This toolkit contains all the documents, procedures and templates you need to massively simplify your progress to certification. It will save you months of work, help you avoid costly trial-and-error dead-ends and ensure everything is covered to the current ISO 27001 standard.

Related articles

Tags: Corporate governance of information technology, Information Security, Information Security Management System, ISO/IEC 27001, Risk Assessment

Jan 31 2013

New Draft ISO27001 and ISO27002 Standards

Category: ISO 27kDISC @ 2:26 pm

Check out the ITG site for details

Industry Update

New Draft ISO27001 and ISO27002 Standards

It has been announced that new Drafts of the two international information security standards ISO27001 (ISMS Requirements) and ISO27002 (Code of Practice) have been published.

These Drafts have been published for the purpose of public consultation. As these are international standards, the consultation process operates internationally, via national standards bodies.

Anyone can comment on the proposed standard and all the comments will then be assembled and reviewed by the committee. The public consultation period closes on 23 March 2013.

To help you understand the proposed changes and implications of these new draft standards we have created an information page.

Click here to read in full about the ISO27001/ISO27002: 2013 Draft Standards

You can also purchase your own copies of the draft standards here:

We will keep you updated with the progress of these standards. Once the new standards are officially published, the existing standards will be withdrawn, however there will be a transition timetable that enables organisations to move from the existing standard to the new one.

Click here to read in full about the ISO27001/ISO27002: 2013 Draft Standards

Related articles

Tags: Information Security Management System, International standard, ISO, ISO/IEC 27001, ISO/IEC 27002

Jan 24 2013

Controls against Mobile Code

Category: ISO 27k,Mobile SecurityDISC @ 12:16 pm

ISO 27002 control A 10.4.2 of the standard requires that mobile code execution should be restricted to an intended environment to support an authorized organization mobile code policy.

What is a mobile code so let’s first start with the definition: ‘Program or a code that can execute on remote locations without any modification in the code can travel and execute from one machine to another on a network during its lifetime.’ Some of the computer languages used for mobile code include but not limited to Java, JavaScript, Active x, VB script, C++, C#, ASP.NET, macros and postscripts.

Mobile code could be use for some benign to a very malicious activity which basically depend on coder intentions. Malicious activities may include collection of personal and private information, patient healthcare information, introducing Trojans & worms, and sometime used to modify or destroy information.

Different mobile code languages are used to achieve various goals by the the coder, most pop-ups are coded in JavaScript, Active x for downloading apps and patches. Only If a coder/hacker is enable to execute a mobile code on an organization infrastructure (PC, router, switch, server..) will make it possible to download, collect personal and private information and for that matter any other malicious activity.

example, if one window or frame hosted on one server tries to access the properties of a window or a frame that contains a page from a different server, then the policy of the browser comes into play and restricts that type of action from happening. The idea behind such restrictions is to prevent hackers from putting their pages inside the original page and extract unauthorized information where codes inside their pages are written for that purpose

Protections for Mobile Code
One of the solutions to secure the JavaScript from using it to write a mobile code and run it on the client-side is to perform parsing of the code before execution. If the code can be parsed before execution i.e. having access to the stack, where control over the execution of the code can be achieved the malicious virus can be prevented.

The best and the easiest way to block mobile code is to have an authorized policy to ban or restrict the mobile code into your organization. To implement this policy, an organization can build a rule set on their firewall to block all the mobile code at the perimeter and stop entering into the organization. At the same this may not be feasible for many organizations since languages like JavaScript and active x are used heavily in building website to add bells and whistles. This takes us back to familiar risk assessment question, how much and what mobile code should be allowed into the organization. Organization should assess the related risk to each mobile code and allow or disallow based on the risk it pose to business. If there’s an exception make sure the business owner sign off the exemption form.

Ongoing user awareness to mobile code policy and risk assessment process will be necessary to minimize risk. Block mobile code should be monitored or scanned based on the policy and appropriate measures should be taken if rogue mobile code is detected.

Do you check your verdors or partners are not downloading malicious mobile code on your website?

To know more about Mobile Code
.
Titles on eBay
Titles on DISC InfoSec Store

Related articles

Tags: ActiveX, Business, ISO/IEC 27002, Java, JavaScript, Mobile code, Personal computer, VBScript

Jan 17 2013

Project Planning outline for (ISO 27001) ISMS

Category: ISO 27kDISC @ 11:55 am

The project planning process includes steps to estimate the size of the project, estimate the scope of the effort and resources, assess project risks, and produce an acceptable schedule after negotiating with control owner.

Steps below provide a bullet list of project plan outline phases and action items of ISMS (ISO 27001). This is not the project plan, but rather a description of the project plan, so the detail is high level. However, this document defines the project and requires formal sign-off; therefore, be accurate as possible, any variations may require a formal project change, which adds to schedule and cost.

A generic ISO 27001 project outline includes the following:
Project Initiation, Scope of the Project,Risk Assessment Methodology, Asset Register, Risk Assessment, Risk Treatment Plan, Statement of Applicability relevant to risk, Management approval for the Project outline. These steps are outlined in the figure above.

When an individual is assigned as project manager for a project, their success is determined by the complexity of a given project. Due to lack of necessary skills, sometime project manager are changed during the middle of the project. So what are those necessary skills which will determine the success of the project manager? Below are some of the necessary skills to run a successful ISO 27001 project.

‱ To posse’s an outstanding communication skills for all the stakeholders involved
‱ Be highly organized and an effective team leader
‱ Know how to negotiate between cross functional teams
‱ Resource oriented, problem solver and understand the relevant infrastructure

Must Read Project Management Books
1. A guide to the Project Management body of Knowledge 5th edition

2. The Concise Prince2

3. 50 Top IT Project Management Challenges

4. Prince 2 2009 manual

Related articles

Tags: Information Security Management System, ISO/IEC 27001, Project Management, Project manager, Project plan, Project planning, Risk Assessment, Scope (project management)

Jan 15 2013

Management System Toolkits

Category: BCP,ISO 27kDISC @ 11:19 am

For 10 years IT Governance has been helping businesses build robust cyber defences, deliver improved IT services and comply with international and regulatory standards.

ITG understand that information technology is at the heart of every modern organisation. That is why ITG source, create and deliver IT products and services that meet the real world needs of today’s organisations, managers and practitioners.

ITG toolkits help small and medium organizations quickly adapt best management practice in technology governance, risk management and compliance. You don’t have to take ITG word for it. Download the demo and see if it fits your organizational needs.

ITG offer free trials of all our best-selling toolkits. These toolkits contain all the documents, templates and tools to help organizations quickly and cost-effectively implement a management system or IT standard.

Take a free toolkit demo today

ISO22301 Business Continuity Management System Documentation Toolkit

ISO27001 Cyber Security ISMS Documentation Toolkit

ITSM, ITIL & ISO20000 Implementation Toolkit

ISO9001 Quality Management System Documentation Toolkit

Business Transformation Toolkit

Dec 11 2012

Monitoring and reviewing third party InfoSec services

Category: ISO 27k,Vendor AssessmentDISC @ 12:25 pm

Control A10 of ISO 27001 mandates for outsourcing organization to monitor and review the performance of third party service provider on regular basis which includes the contractor working on critical assets within the scope. Service level Agreement (SLA) or Operation level Agreement (OLA) are the binding legal agreement which includes all the important services to fullfil the information security and compliance requirements of an organization.

Contract with service provider should require the need of standard reports on regular basis which should be reviewed at least monthly and attended by staff and management responsible for services. In these meetings, management should ensure that contractual requirements have been met by the service provider

Key management responsibilities should include but not limited to the followings:

    Outsourcing organization should decide which key metrics will be created to monitor the performance of service provider which will ensure that contractual clauses are met consistanly.
    For information security related services, reviewing all incidents for sepcified period (at least once a month) to make sure thay have been included in an organization treatment plan for appropriate corrective actions based on an organization risk priorty.


Related Articles and Info.

ISO 27001 is the litmus test for information security
Live Webinars feed for Governance, Risk and Compliance

Tags: Contract, Information Security, ISO/IEC 27001, Operational-level agreement, Service-level agreement, SLA

Dec 04 2012

Advanced Persistent Threats are the main challenge for businesses

Category: cyber security,ISO 27kDISC @ 11:27 am

Advanced Persistent Threats’ are top infosecurity challenge for businesses in 2013

Mitigating Advanced Persistent Threats (APT) is going to be a main challange and should be the highest of information security priorities for businesses in 2013, according to governance, risk management and compliance firm IT Governance.

Latest APT threats should be taken into account in an organization risk assessment process and depending on the current vulnerabilities, these threats should be treatetd based on the organization risk appetite. Risk appetite or risk threshold is where an organization draw a line to accept or treat any given risk to an organization.  

Alan Calder, Chief Executive of IT Governance, says: “Today, through benign neglect, staff carelessness or insufficient preparation, every business, large and small, is vulnerable to cyberattack. ITG Top 10 identifies the biggest online threats to your business in the coming year and shows how you can tackle these.”

1. Advanced Persistent Threats: APTs refer to coordinated cyberactivities by sophisticated criminals and state-level entities. With the aim of stealing information or compromising information systems, these target governments and corporations which have valuable intellectual property. By their very nature, manufacturing and the high-tech, oil and gas, finance and pharmaceutical industries all come under the greatest threat of attack by APTs. While there’s no single, stand-alone solution, coordinated and integrated preparations can help you rebuff, respond to and recover from possible attacks. Adopting ISO27001, the best practice infosecurity standard, is the most practical way for companies to develop and implement a tailor-made and comprehensive cybersecurity management system to counter the APT threat.

2. Cyberwar: Cyberespionage and cyberterrorism have become a major threat to UK and US governments. In the form of high-profile malware attacks, state-backed entities are seeking commercial advantage against international competitors, as well as preparing for a new front in modern warfare. China is the best known example of a state believed to engage in such activities, so much so that many larger corporations now forbid employees from taking their laptops on business trips into China for fear of data loss. Effective, enterprise-wide cyber-defence must therefore be in place at all levels, to provide strategic, tactical and operational protection, alongside linkages between operational management, operational processes and technical controls.

3. Cybercrime: As opposed to APTs or cyberwar, cybercrime is a threat to every individual and organisation, no matter how small. Cybercriminals exploit modern technologies in order to commit criminal activities, ranging from identity theft to the penetration of online financial services. All businesses should implement an integrated cybersecurity strategy which, among other issues, includes securing your cyber-perimeter to making sure that your staff are trained to recognise and respond to social engineering attacks and follow a well-thought-out social media strategy.

4. Personal data protection: 2012 has seen a slew of data breaches involving the theft of customers’ personal information. This trend will continue unless businesses change their approach to handling personal data. The proposed new EU Data Protection regulation aims to strengthen individual rights and tackle the challenges of globalisation and new technologies. The EU Commission is also putting pressure on businesses to tighten information security measures. Again, the most logical and sensible way to do this is via ISO27001 implementation and certification.

5. Mobile security: USB devices, laptops, tablets and mobile phones make it very easy for employees to transport massive amounts of information out of the door – potentially to your rivals. Also, whenever employees save username and password data onto their mobile devices, they make it exceptionally easy for fraudsters to crack the passwords of a range of applications, thereby increasing cyber risk. All confidential information stored on these devices must be encrypted to avoid data breaches as a result of theft or loss.

6. Data security: Given that many data breaches are due to human error, insider threats play a significant role. Continuous staff awareness training is essential, but companies also need to manage access to data as part of the overall information security management system. For example, restrict access to people with a ‘business need to know’, or set up a unique ID for users which, combined with logging and audits, protects against the ‘insider’.

7. Bring Your Own Device: BYOD policies are becoming the norm at a growing number of both companies and state organisations. Protecting and controlling company data on your staff’s personal mobile devices poses a stiff challenge – best answered by implementing a mobile device management policy.

8. Identity theft: Identity fraud, which involves someone pretending to be somebody else for financial or other gain, is rife. We all need to be aware of ‘phishing’ and ‘pharming’ emails, but we also need to be wary of how we use social media and how much personal information we provide. Antivirus software and spyware removal software alone cannot protect against these attacks. Effort also needs to go into user education to cut exposure to risk.

9. Payment Card Security: Ever-growing numbers of payment cards are being threatened as a result of the migration of payment apps onto mobile devices. Companies should apply regular website security testing, known as ‘vulnerability scanning’, which should be conducted by qualified ethical hackers. It’s also important to regularly apply all relevant patches, and to have a basic understanding of common hacking techniques and new threats and computer viruses.

10. Cloud continuity and security: If you are using a Cloud provider for mission-critical applications and data storage, check the contract carefully. What security policies does the provider have in place? Do they have ISO27001 certification? Evaluate the risks of using a Cloud provider and make them part of your own information security management system.

Related articles

Tags: Advanced persistent threat, APT, Corporate governance of information technology, Information Security, iso 27001, threat

Nov 30 2012

Cyberattack: dangers, consequences and prevention

Category: cyber security,ISO 27kDISC @ 1:26 pm

Attacks on IT systems can have devastating consequences across industries – among them, the banking and financial sector. In order to protect the best interests of their customers, and the vast tracts of personal data for which they are responsible, banks have already been paying attention to their data protection practices, writes Alan Calder of IT Governance

The heartbeat and Achilles’ heel of every organisation, information technology (IT) is crucial to the functioning of the business world. Given this situation, attacks on IT systems can have devastating consequences across industries – among them, the banking and financial sector. In order to protect the best interests of their customers, and the vast tracts of personal data for which they are responsible, banks have already been paying attention to their data protection practices.

The threat landscape is by its very nature ever-changing, however, and sees the continual emergence of new forms of highly sophisticated cyberattack. As a result, banks and financial institutions are wise to upgrade to a distinctly more comprehensive form of cyber security.

A continually evolving threat

Successful cyberattacks – attacks on a business’ IT infrastructure by a malicious third party – are known to have severe consequences, both operationally and on the business’ reputation. Indeed, the UK government classifies cyberattacks as a ‘Tier 1 threat’ in the National Security Strategy, alongside international terrorism, international military crises and major accidents or natural hazards. The distinction between well-funded, state-sponsored cyberattackers and their ‘private sector’ counterparts is becoming more blurred, meaning that commercial organisations and individuals can increasingly find themselves on the receiving end of extremely sophisticated attacks. Symptomatic of this trend is Google’s move in June 2012 to begin warning Google account holders if they are believed to have been targeted by a state-sponsored attack.

In the world of retail banking, where IT plays such a crucial role, a cyberattack can have serious consequences in terms of practical and reputational damage. The sheer volume of personal customer data held by banks intensifies the threat and consequences of a successful cyberattack. In terms of data compliance and IT security, staff are, and always will be, the weakest link, mainly through a lack of understanding of responsibilities and not comprehending the severity of an IT security breach. These misunderstandings are far from trivial, however.

In addition, the threat landscape is constantly evolving. Today, for example, we are seeing the emergence of cyber fraud and cyber threat into the criminal mainstream. This fact, and the fact modern attacks now combine technological and social elements, means traditional technology-only defences are now inadequate. Thus, forms of security that, two years ago, might have been capable of protecting retail banking institutions, are now insufficient in the face of high-level cyberattacks.

A robust and comprehensive approach

In order to tackle specialised cyberattacks such as cyber fraud and cyber theft, banks and financial institutions would therefore do well to adopt a more robust approach to their cyber security. Ultimately, effective cyber security depends on establishing a defence strategy that is not only all-embracing but also interconnected.

One such strategy is that provided by the ISO27001 security management standard. The most significant international best practice standard currently available to any organisation seeking an intelligently organised and structured framework for tackling cyber risks, ISO27001 is, in essence, a management system. When effectively deployed, ISO27001 improves an organisation’s information security and resilience to ongoing and constantly evolving threats.

Above all, ISO27001 compliance supports organisations in building their defences against cyberattacks. Among other elements, this standard requires organisations to develop and test security incident response plans, or SIRPs; select and implement appropriate controls that reduce risk to an acceptable level, from securing cyber perimeters to training staff and securing inward- and outward-bound communication channels such as e-mails and instant messaging; and carry out risk assessments. Importantly, ISO27001 compliance also requires organisations to put in place a mechanism for auditing and management review of the effectiveness of selected controls – and of the management system that supports them.

Additional steps

In addition to establishing an organisation-wide security management standard, retail banks, as with other organisations, can go a long way towards significantly improving their data protection by introducing a number of basic measures. These measures include the implementation of regular staff awareness training about the threats and ramifications of a cyberattack, enterprise-wide policies on the use of encrypted USB sticks and laptops, and regular website and network penetration testing.

Otherwise known as ‘pen testing’, regular website and network penetration testing, for example, is vital to ensure hackers and cyber attackers are not given easy vulnerabilities to exploit. All internet-facing networks and resources are subject to automated, malicious probing.

When a vulnerability is detected, the exploitation of that vulnerability is also usually automatic. In a world where attacks on networks and applications are growing at an exponential rate, effective pen testing is the only way to establish true security. Quite rightly, the penalties incurred by organisations failing to defend themselves against such attacks are becoming ever steeper. Effective pen testing exposes and documents such weaknesses and recommends steps to reduce the risk.

Preparation is key

If knowledge is power, ignorance is danger – a danger that can impact banks on a number of fronts. If banks and financial institutions fail to refresh their data protection practices on a regular basis, educate their staff about the dangers of cyberattacks or enlighten their employees on the importance of data protection, they are at risk of being caught out by ever-more-sophisticated cyberattacks. Failure to prepare by adopting stringent security management standards is, ultimately, preparation to be vulnerable. .

Related articles

Tags: Computer crime, Computer security, cyberwarfare, iso 27001, National Security Strategy, USB flash drive

Nov 27 2012

New ISO27013 Standard helps integrate ISO27001 with ISO20000

Category: ISO 27kDISC @ 2:27 pm

IT Governance Ltd, the global leader in IT governance, risk management and compliance, has announced that the highly anticipated ISO27013:2012 Standard has been published and is now available to buy from the company’s online shop at ITG

ISO27013:2012 focuses exclusively on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 – two of the world’s leading and highly regarded standards. ISO/IEC 27001 deals with information security management systems (ISMS) and practically provides organisations with provides a powerful framework for sharing best practice and guidance on protection form cybercrime. ISO/IEC 20000-1:2011 is the international IT Service Management standard which enables organisations to ensure that their IT service management processes are aligned with the needs of the business.

The ISO27013:2012 Standard has been designed to help organisations implement both standards together, or implement one when one is already within the organisation. By doing this organisations can achieve increased customer satisfaction, competitive advantage, improved business operations and considerable cost-savings over time.

Organisations can purchase the ISO/IEC 20000-2:2012  and ISO 27013 from IT Governance .

Related articles

Tags: Information Security Management System, International Organization for Standardization, isms, ISO 27013, ISO/IEC 20000, ISO/IEC 27001

« Previous PageNext Page »