Jul 14 2011

The TickITplus Kick Start Guide has Been Launched

Category: Security ComplianceDISC @ 12:32 pm

Following the release late last month of the Base Process Library, the Kick Start Guide – the essential guide for all organisations pursuing TickITplus certification – has been launched

/EIN Presswire/ — Following the release late last month of the Base Process Library (http://www.itgovernance.co.uk/products/3460), the Kick Start Guide – the essential guide for all organisations pursuing TickITplus certification – has been launched. The guide can be purchased here www.itgovernance.co.uk/products/3469 in a PDF format or hard copy.

The guide will provide organisations that need to achieve compliance with the TickITplus scheme with information about identifying and selecting the scope of certification and developing in-house resources. It contains guidance on identifying processes, mapping them to TickITplus processes and establishing the assessment strategy. The TickITplus Kick Start Guide also offers advice on preparing for, participating in and following up an assessment.

TickITplus (www.tickitplus.org) is the successor of TickIT and provides improved process modelling to facilitate more efficient business and quality systems planning and improvement. TickITplus gives entry level access to capability grading for small IT organisations and offers significant cost savings for those already pursuing both ISO9001 and Capability Maturity Measurements.

As an introductory guide, the TickITplus Kick Start Guide concentrates specifically on achieving the Foundation level of the scheme, either through initial entry or transition from the existing TickIT scheme.

The Kick Start Guide can be purchased today from www.itgovernance.co.uk/products/3469

Tags: TickITplus

May 09 2011

The Business Case for Information Security Management System

Category: Information Security,ISO 27k,Security ComplianceDISC @ 2:10 pm

Today’s economy is about protecting the information assets which is essential to existence of an organization. After a major incident or a security breach it is unthinkable to say it is not going to affect your bottom line. Most of the organization has to comply with various standards and regulations and a breach in a state of non compliance will be business limiting factor, and the organization may be liable to contractual penalties and loss of potential business from current and future customers.

So Information Security Management System defined as a protection of information from various threats and risks on daily basis. Therefore mitigating information security risks are becoming a critical corporate discipline alongside with other business functions such as HR, IT or accounting.

Mitigating business risks not only improve the business efficiency but also maximize the return on investment and business opportunities.

It is a mistake to assume that information security is solely a technical problem left for IT to solve. These titles below are a non-technical discussion of security information management. It offers a framework that will help business leaders better understand and mitigate risks, prioritize resources and spending, and realize the benefits of security information management.

Mar 07 2011

Manager’s Guide to Compliance

Category: Security ComplianceDISC @ 1:45 pm

Manager’s Guide to Compliance: Sarbanes-Oxley, COSO, ERM, COBIT, IFRS, BASEL II, OMB’s A-123, ASX 10, OECD Principles, Turnbull Guidance, Best Practices, and Case Studies (Manager’s Guide Series)




A Wall Street Journal/Harris poll revealed that two thirds of investors express doubts in the ability of corporate boards of directors to provide effective oversight. In the shadow of recent global scandals involving businesses such as Parmalat and WorldCom- Manager’s Guide to Compliance: Best Practices and Case Studies is essential reading for you- whether your organization is a major corporation or a small business.

This timely handbook places U.S. and global regulatory information- as well as critical compliance guidance- in an easy-to-access format and helps you make sense of all the complex issues connected with fraud and compliance.

‘Wide perspectives and best practices combined deliver a punch that will knock your “SOX” off! The author has blended together a critical mix necessary for effectively handling the requirements of SOX.’
Rob Nance- Publisher- AccountingWEB- Inc.

‘Robust compliance and corporate governance is an absolute necessity in today’s business environment. This new book by Anthony Tarantino is an authoritative guide to understanding and implementing compliance and regulatory requirements in the United States and around the world. From SOX to COSO to ERM- this book covers them all.’
Martin T. Biegelman- Certified Fraud Examiner- Fellow and Regent Emeritus of the Association of Certified Fraud Examiners- and coauthor of Executive Roadmap to Fraud Prevention and Internal Control: Creating a Culture of Compliance

‘If compliance wasn’t difficult enough- now companies are faced with a barrage of technology vendors claiming to automate compliance as if it were a project. In his new book- Dr. Tarantino paints the reality of the situation: companies need to embrace the broader tenets of governance and use technology to embed governance policies and controls into their daily business processes. Only then can they gain business value from their compliance investments.’
Chris Capdevila- CEO and cofounder- LogicalApps

Here is a link to this book: Manager’s Guide to Compliance: Sarbanes-Oxley, COSO, ERM, COBIT, IFRS, BASEL II, OMB’s A-123, ASX 10, OECD Principles, Turnbull Guidance, Best Practices, and Case Studies (Manager’s Guide Series)

Tags: ASX 10, BASEL II, Best Practices, COBIT, COSO, ERM, IFRS, OECD Principles, OMB's A-123, Sarbanes-Oxley, Turnbull Guidance

Sep 21 2010

ArcSight offers $49.00 entry-level audit logging package

Category: Security ComplianceDISC @ 9:25 am
Image representing ArcSight as depicted in Cru...
Image via CrunchBase

Security Log Management: Identifying Patterns in the Chaos

Arcsight offer $49 entry level logging solution – a monumental change from the SIEM vendors, since they were trouncing their clients at price of 200K and up.

Data security and compliance specialist ArcSight has taken the wraps off a slew of product updates – Enterprise Security Manager 5.0, Identityview 2.0 and Logger 5.0 – with the offer of a $49.00 version of Logger, its universal log management software.

For more detail on the article: ArcSight offers $49.00 entry-level audit logging package

Related articles by Zemanta

Tags: ArcSight, Consultants, General and Freelance, Identityview 2.0, Logger 5.0, Security, Security event manager

Dec 03 2009

2010 Compliance Laws

Category: pci dss,Security ComplianceDISC @ 2:13 am

Information Security Wordle: PCI Data Security...
Image by purpleslog via Flickr
In 2010 there will be two important compliance laws introduced which will affect the majority of North American organizations and many global organization too.

45 US States followed California when they introduced “SB1386“, the Security Breach Information Act, which has specific and restrictive privacy breach reporting requirements.


  • From the 1st January 2010, ALL businesses that collect or transmit payment card information, will be legally obliged, by Navada Law, to comply with PCI DSS.

  • Every organization who collect, owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 (The Massachusetts Data Protection Law) on or before March 1, 2010.



    • Similarly to the SB1386 Law, California, Massachusetts & Texas are already looking at making PCI DSS Law and history tells us that when California moves, everyone else follows!
    To help you comply with these impending laws ITG have developed a range of solutions which are aim to make the process as cost effective and simple as possible:

    The Nevada PCI DSS Law:

    The PCI DSS requires you to:

  • apply a number of specific controls, or safeguards.

  • These include documented policies and procedures; as well as

  • a number of technical IT and network configurations.

  • You will also have to provide staff with appropriate training; and

  • You will have to have quarterly scans.



    • PCI DSS v1.2 Documentation Compliance Toolkit
    toolkit-book-pci-dss

    This PCI DSS v1.2 compliance toolkit is specifically designed to help payment card-accepting organizations quickly create all the documentation required to affirmatively answer the requirements of the PCI DSS as set out in the Self Assessment Questionnaire (v1.2).


    201 CMR 17.00 – The Massachusetts Data Protection Law:

    201 CMR 17.00 & ISO 27001 Toolkit
    mass_dpa_law

    will save you months of work, help you avoid costly trial-and-error dead-ends, and ensure everything is covered to current 201 CMR 17.00 / ISO 27001 standard.

    This version of the ISMS Documentation Toolkit is ideal for those who owns or licenses personal information about a resident of the Commonwealth.

    Related articles by Zemanta

    Reblog this post [with Zemanta]

    Tags: 201 CMR 17.00, california, iso 27001, ISO/IEC 27001, Law, Massachusetts, Massachusetts Data Protection Law, Nevada, Nevada PCI DSS Law, Payment Card Industry Data Security Standard, PCI Express, privacy, sb 1386

    Sep 01 2009

    Audit of security control and scoping

    Category: Risk Assessment,Security ComplianceDISC @ 3:53 pm

    scope

    Information Technology Control and Audit

    The audit is utilized as a tool to check compliance control based on standards such as ISO 27002 or NIST 800-53 etc. Some other terms which are not sometime rigorous audit have been used to asses controls are gap analysis, benchmarking and control review.

    Scoping sets the boundaries of the audit, where dependencies are marked and exclusions are sorted out.

    The consultant/team lead that has a thorough understanding of security risk management ought to carry out these reviews. The quality of the work depends on correct scoping, fieldwork assignment, and appropriately reporting the findings to management.

    Team lead should have a clear understanding of audit scope before the initial briefing to client. Basically what exactly the client wants and who are the target audiences in the final report and presentation. Clear understanding of the scope includes making sure that the whole organization is included in the audit or just part of it. Before starting an audit, the auditor should have a complete list of assets included in the scope. Sort the assets list into different group of infrastructure which could be handed over to technical consultant for validation of the controls. At this point team lead should point out to technical consultant, the minimum number of assets which are required to be validated to satisfy sampling requirement.

    Scope of final report/presentation should be clear regarding the list of non-compliance, prioritized recommendation or action plans which needs to be included in the report. During presentation of the findings, and to keep C level folks interested in the presentation, presenter needs to relate the findings to business risk and avoid using security acronym.

    Scoping will take into account the length of the time available for field work, analysis, reporting and size and competence of the team to perform a successful audit. Especially if limited time is available for field work, the competence of the team matter to cover various infrastructure, to validate and document the controls effectively.


    Tags: assessment profile, assessment scope, iso 27002, NIST 800-53, security audit, security control, security review, Security Risk Assessment

    Aug 24 2009

    Vulnerability management and regulatory compliance

    Category: Security ComplianceDISC @ 8:09 pm

    Threat and Vulnerability Management in the Ent...
    Image by Michele Mondora via Flickr

    Information security requirements are growing for financial, healthcare and government sectors. Especially a new ARRA and HITECH provision for HIPAA mandates compliance for business providers/vendors.
    The business owners have seen growing number of government and industry specific regulations for protecting the confidentiality, integrity and availability of data from ever growing threat landscape. Now most of the regulatory compliance has some teeth, organizations who may not fully comply shall face serious penalties which include but not limited with fines, civil and criminal penalties.

    Those days are gone when manual vulnerability management use to be sufficed to satisfy the auditors. Vulnerability management can assist management in operational compliance. Most of vulnerability management organizes vulnerabilities by severity level. Severity level is determined by business impact and how easily the attacker can exploit the vulnerability. Remediation can be prioritized based on the asset categorization. Asset categorization is based on company scale (L,M,H) which is associated with overall business impact of an asset to the company.
    The best way to automate vulnerability management is to use software as a service (SAAS). SAAS vendor run their application on a secure server (web, database), which user operate with a web browser on a secure SSL connection. SAAS provider handles all the maintenance of SAAS infrastructure. Organization security staff can spend most of their time on remediation rather than running manual vulnerability management. Automated vulnerability management shows ongoing compliance with standards and regulations and provides documentation for audits.


    Reblog this post [with Zemanta]

    Tags: Security, Security Scanners, vulnerability

    Aug 08 2008

    PCI DSS significance and contractual agreement

    Category: pci dss,Security ComplianceDISC @ 11:52 pm





    The PCI DSS (Payment Card Industry & Data Security Standard) was established by credit card companies to create a unified security standard for handling credit card information.  The retail service industry now understands the strategic significance of PCI DSS compliance, which was demonstrated when TJX announced that their system was compromised for more than 17 months, where well over 50 million customers’ credit and debit cards were breached. Retail business which fails to comply will be subject to penalties and fines, possibly lawsuits, and may lose their credit card processing capability. Non-compliance will not only expose businesses to fines and penalties but also make it vulnerable to many threats, which can exploit the vulnerabilities in the system and put your business to unnecessary risk. These risks could have been avoided with some due diligence. When business is non-compliant, any major breach will have a significant impact on business viability.


    To start a process of PCI compliance, a merchant should determine if PCI DSS applies to their organization.  PCI DSS is applicable if your customer PAN (Primary Account Numbers) is stored, processed or transmitted in your organization. After determining the applicability of the standard, the merchant needs to determine where their business falls in the categorization of businesses by their bank in terms of merchant level.


    Before commencing the risk assessment the assessor will perform the system profile to determine the applicability of the scope and set the boundaries of the system covered under PCI-DSS assessment. Planning is the key to success of a project; this is the phase where all the planning and project preparation will take place.   Now the key to the success of your on-going compliance is to simplify the scope of the project. The best way to achieve this to put all the PCI related assets in a precise segment to limit the merchant card holder environment.


    Comprehensive risk assessment will be performed on the identified scope where risk analysis will identify the gaps based on PCI DSS standards and risk rating will prioritize the gaps for risk management.  Thorough risk analysis will generate a quality technical and process gap analysis, where you decide the mitigation/compensating controls to comply with PCI DSS.  After completion of the risk assessment the task of the risk management begins, to eliminate the gaps in your environment and to comply with the standard. Depending on the numbers of gaps the risk management team should set realistic goals to complete the tasks in hand.  Best practices recommendations suggest that the organization should eliminate/mitigate the high risks (high impact & probability) gaps to the organization, but sometime organizations decide to go after the low hanging fruits to start with their risk management process.


    When the risk management process gets close to finishing and you are well on your way to comply with PCI DSS, you might think that perhaps your job is done. Well in a way, it’s just a beginning of a process where your organization is supposed to maintain the compliance with PCI DSS.  Based on expert opinion, PCI DSS is a process not a project. What you have done so far, is baseline your environment. Ongoing compliance is achieved by monitoring the relevant PCI DSS controls. Ongoing compliance will depend on the quality of the merchant’s information security management system (ISMS). A strong  ISMS would include thorough monitoring, logging and reviewing controls to maintain and improve system security over time.  You can develop an automated PCI monitoring process to achieve consistent results and sustain compliance by continuously monitoring your system. ISMS (based on ISO 27001) certainly can be a great value to manage ongoing monitoring, maintenance and improvement cycle.


    In a sense, PCI is neither a regulation nor a standard but a contractual agreement between the merchant and their acquirer bank, when merchants start transmitting PAN data that makes them contractually obligated to comply with PCI DSS. To understand their obligations, the merchant should make a proactive effort to understand their acquirer’s particular interpretation of PCI DSS requirements to get compliant.  Ongoing compliance will require adequate resources and automated controls in place to routinely monitor, maintain, review and improve the required systems. Ultimately, ongoing PCI compliance will enhance business efficiency and reduce the potential impact of adverse publicity on your business image.


     












    Documentation Compliance Toolkit

    PCI Compliance

    Practical guide to implementation (Soft Cover)

    Practical guide to implementation (Download)



    PCI Compliance
    httpv://www.youtube.com/watch?v=0NUTs-aFtOA

    Tags: business efficiency, business image, compensating controls, comprehensive, contractual agreement, gap analysis, isms, iso 27001, merchant card holder, mitigate, pan, pci compliance, pci dss, risk analysis, Risk Assessment, risk management process, tjx

    « Previous Page