DISC InfoSec blogSecurity Risk Assessment Archives | Page 3 of 4

Dec 21 2015

Assessing Information Security

Category: Information Security,Security Risk Assessment — DISC @ 2:07 pm

Assessing Information Security – Strategies, Tactics, Logic and Framework draws on the work of Clausewitz and Sun Tzu, and applies it to the understanding of information security that the authors have built up through their extensive experience in the field. The result is expert guidance on information security, underpinned by a profound understanding of human conflict.

Assessing Information Security – Strategies, Tactics, Logic and Framework, Second edition

Shows how to use principles of military strategy to defend against cyber attacks, enabling organizations to have a more structured response to malicious intrusions.
Explains the priorities for robust cybersecurity , helping readers to decide which security measures will be the most effective.
Buy today and discover how to integrate cybersecurity into your organization’s normal operations.

Building on the success of the first edition, this new edition covers the most recent developments in the threat landscape and the best-practice advice available in the latest version of ISO 27001.

“Gives you new practical perspective and new way how to think about infosec, many views nicely packed in one book.” Ivan Kopacik

Building on the success of the first edition, this new edition covers the most recent developments in the threat landscape and the best-practice advice available in the latest version of ISO 27001:2103.

Product overview:

Information Security Auditing and Strategy
Security Auditing, Governance, Policies and Compliance
Security Assessments Classification
Advanced Pre-Assessment Planning
Security Audit Strategies and Tactics
Synthetic Evaluation of Risks
Presenting the Outcome and Follow-Up Acts
Reviewing Security Assessment Failures and Auditor Management Strategies

Available in: Softcover, Adobe eBook, ePub, Kindle ===>>> Buy now

Buy today and discover how to integrate cyber security into your organisation’s everyday operations >>

Comments (0)

Feb 18 2014

Comprehensive Cyber Security Risk Management Toolkit

Category: cyber security,Security Risk Assessment — DISC @ 11:30 am

Govern and manage Cyber Security risk with this unique comprehensive toolkit suite

Comprehensive Cyber Security Risk Management Toolkit Suite – Use the Cyber Security Governance & Risk Management Toolkit for a new, fresh implementation of a comprehensive management system that will also be capable of ISO27001 certification, or take advantage of this toolkit’s modular

There are a number of standalone, best practice approaches to managing cyber risk, none of which is on its own completely satisfactory. This toolkit helps you make an enormous leap forward by consolidating five separate approaches into a single, comprehensive, robust framework.

• PAS 555:2013 is the new standard for cyber security risk governance and management; it was created to work with a range of other standards;
• ISO/IEC 27032 is the international guidance standard for managing cyber security risk;
• The Cloud Controls Matrix was developed by the Cloud Security Alliance for cloud service providers;
• Ten Steps to Cyber Security is the methodology developed by the UK’s Business Department to help organizations of all sizes secure their cyber defenses;
• ISO/IEC 27001: 2013 is the internationally recognized standard against which an information security management system can achieve accredited certification.

Use the Cyber Security Governance & Risk Management Toolkit for a new, fresh implementation of a comprehensive management system that will also be capable of ISO27001 certification, or take advantage of this toolkit’s modular construction and control mapping matrix to add its additional controls to an existing ISO27001 management system.

This Cyber Security Governance & Risk Management Toolkit recognizes that mobile device management is a critical component of effective cyber risk control and therefore includes the ITGP BYOD Policy Toolkit as a value-added extra.

Included in this comprehensive toolkit suite is:

Tags: Cloud Security Alliance, ISO/IEC 27001, National Institute of Standards and Technology, Risk management

Comments (1)

Aug 07 2013

vsRisk – The Cyber Security Risk Assessment Tool

Category: ISO 27k,Security Risk Assessment — DISC @ 9:09 am

vsRisk – The Cyber Security Risk Assessment Tool

httpv://www.youtube.com/watch?v=M8acvay4FmU

It is extremely difficult to carry out a risk assessment that will meet the requirements of ISO27001 without using a specialist information security risk assessment tool. While there are a wide range of products on the market that claim to meet these requirements, the reality is that there are very few.

There’s just one risk assessment tool that IT Governance recommends; the vsRisk™ v1.7 – the Cybersecurity Risk Assessment Tool.

It’s so straightforward, and so quick to use, it can save you a significant amount of the budget you might otherwise spend on consultancy advice at this stage of the project.

5 reasons why vsRisk is the definitive risk assessment tool:

This tool automates and delivers an ISO/IEC 27001-compliant risk assessment
Can uniquely assess confidentiality, integrity & availability (CIA) for each of business, legal and contractual aspects of information assets – as required by ISO27001
Gives comprehensive best-practice alignment
It’s easy and straight-forward to use
Cost-effective route to assessing risks within your business

Download the definite risk assessment tool >>

Tags: Information Security, Information Security Management System, ISO/IEC 27001, Policy, Risk Assessment, Risk management, Security, Standards

Comments (0)

Apr 23 2013

Cyber Security and Risk Assessment

Category: cyber security,Security Risk Assessment — DISC @ 9:19 am

Cyber security is the protection of systems, networks and data in cyber space.

If your system is connected on the internet, you should know and uderstand the risks of cyber space to take appropriate countermeasures.

To understand the risks of cyber security,The first place is to begin with is a risk assessment. By completing a risk assessment you can understand what the risks, threats and vulnerabilities of your networks, systems and data really are and begin to comprehend how to reduce and handle them. The authors of The Information Security Risk Assessment Toolkit provides handy step-by-step guidance on how to undertake a risk assessment. As we said Security Risk Assessment is an important first to assess risks but the second step of mitigating those risks in timely manner is crucial to protect your information assets.

Once you understand what the risks of your business are, you can then decide on how to mitigate those risks based on your organization risk acceptance.

Tools and techniques which work in mitigating cyber risks

The UK’s Cyber-security Framework for Business (published by the Department for Business, Innovation and Skills) is a 10-step framework to stop around 80% of today’s cyber-attacks
1. Board-led Information Risk Management Regime
2. Secure Home and Mobile Working
3. User Education and Awareness
4. User privilege management
5. Removable media controls
6. Activity monitoring
7. Secure Configurations
8. Malware protection
9. Network security
10. Incident Management

Build the resilience in your information security management system (ISMS) to cope with the other 20% of the risk.

The authors of Hacking 7 Exposed cover the latest methods used by third-parties to (logical/physical) access to information assets. They then detail how you can protect your systems, networks and data from unauthorised access.

Cybersecurity standards are an important element in building a strong, resilient information and communications infrastructure. ISO/IEC 27001 is the most significant international best practice standard available to any organisation that wants an intelligently organised and structured framework for tackling its cyber risks

Tags: Computer security, cyberwarfare, Information Security, Information Security Management System, Risk Assessment, Risk management

Comments (0)

Jan 29 2013

Impact of an Effective Risk Assessment to ISO 27001

Category: Security Risk Assessment — DISC @ 11:08 pm

First to start with a definition of risk – Risk is a function of the probability that an identified threat will occur and then impact the mission or business objectives of an organization.

The kind of risks we deal with information assets are mostly those risks from which only loss can occur, which may be one of the reason why it’s hard for the security professionals to justify ROI for security controls. Comparatively business risks are attributed with either a profit or a loss. As we know, business folks make decision on risks on daily basis; it’s easier to make a decision for profit sake rather than on a loss. So increase risk to information asset will decrease the value of an asset or will harm the organization bottom line in some way.

To minimize the loss to an information asset, organization may decide to treat the higher risk assets which are above accepted risk threshold with following four ways:

1. Eliminate the risks
2. Reduce the risk to acceptable level
3. Accept the risk and live with it
4. Transfer by means of insurance

Risk Assessment Basic Steps for ISO 27001:

o Determine risk methodology and level of acceptable (residual) risk
o Identify assets and who owns them
o Identify the value of each asset
o Identify threats to each assets
o Identify vulnerabilities that each threat may exploit
o Estimate Likelihood of the threat exploiting vulnerability
o Finally determine risk the security of individual assets by combining impacts and likelihoods

Risk Assessment Titles from eBay | Risk Assessment Titles from DISC InfoSec Store

Tags: Corporate governance of information technology, Information Security Management System, ISO/IEC 27001, Risk Assessment, Risk management

Comments (2)

Jan 11 2013

Why SoD should be reviewed in every assessment

Category: Information Security,Security Risk Assessment — DISC @ 2:33 pm

Similar to other controls SoD (Segragation of Duties) plays an important role in reducing certain potential risk of an organization.

SoD minimize certail risks, by deviding a task so it will take more than one individual to complete a task or a critical process. SoD control has been traditionally used in accounting to minimize risk of collusion. For separation of duties we don’t want to give any individual so much control that they become a security risk without proper check and balance inplace. SoD is utilized to avoid unauthorized modification of data and to make sure critical data is available when needed by authorized personals, which includes but not limited to the availability of the services.

Separation of Duties (SoD) is not only an important principle of security but SoD control A10.1.3 of ISO 27001 wants organizations to implement this control.

Possible Controls to Implement SoD:

* Separate the IT Dept from user function, meaning user should not be able to perform its own IT duties.

* Separate the InfoSec and IT Dept. The individual responsible for the InfoSec has unique knowledge of organization security infrastructure, basically a knowledgeable InfoSec individual will have keys to the knigdom and should be segregated from the rest of the IT department. Also InfoSec individual should not be reporting to the IT director which is not only independence issue but conflict of interest. IT Dept is responsible for the avaiability of service whereas security professional is responsible for security (adding controls) to the same service.

* The development and testing of application should be segregated. There should be a complete segregation of App development and App testing function. Also the person who put the App into production/operation and maintain should be a different individual.

* Operation of IT should be seprate from maintenance of IT function in different teirs, meaning avaiability of the information should be separated from support & maintenance.

* The database admin should be segregated from other IT function. DBA individuals are very knowledgeable super user and should not have any other IT duties.

* Last but not the least about the main Uber user the Sys Admin (router, FW, Server, DT) should have a separate account when performing regular user function. These super users should be logged and audited on regular basis.

PCI view of Risk Assessment

Category: pci dss,Security Risk Assessment — DISC @ 11:02 pm

Organizations that need to comply with PCI-DSS need to create their own risk assessment methodology that works for their specific business needs, according to a new report by the Payment Card Industry Security Standards Council (PCI SSC).

PCI Risk Assessment Special Interest Group says When developing their own risk assessment methodology, organizations may consider adapting an industry-standard methodology that is most appropriate for their particular culture and business climate.

Key recommendations include:

• A continuous risk assessment process enables ongoing discovery of emerging threats and vulnerabilities, allowing an organization to mitigate such threats and vulnerabilities in a proactive and timely manner

• Risk assessments must not be used as a means of avoiding or bypassing applicable PCI DSS requirements (or related compensating controls)

• Organizations should implement a formalized risk assessment methodology that best suits the culture and requirements of the organization

PCI view of things:

The announcement
https://www.pcisecuritystandards.org/pdfs/pr_121116_risk_sig.pdf

And the V1 document (also attached)
https://www.pcisecuritystandards.org/documents/PCI_DSS_Risk_Assmt_Guidelines_v1.pdf

Below is my post on Risk management from prespective of ISO 27001 which has an Expert guidance on planning and implementing a risk assessment and protecting your business information

Information Security Risk Management for ISO 27001

Tags: International Organization for Standardization, ISO/IEC 27001, Methodology, Payment card industry, Payment Card Industry Data Security Standard, Risk Assessment, Risk management

Comments (0)

Aug 22 2012

5 reasons why vsRisk v1.6 is the definitive risk assessment tool

Category: ISO 27k,Security Risk Assessment — DISC @ 12:36 pm

by Melanie Watson

There’s just one risk assessment tool that IT Governance recommends; the vsRisk™ v1.6 – the Cybersecurity Risk Assessment Tool.

It’s so straightforward, and so quick to use, it can save you a significant amount of the budget you might otherwise spend on consultancy advice at this stage of the project.

5 reasons why vsRisk is the definitive risk assessment tool:

This tool automates and delivers an ISO/IEC 27001-compliant risk assessment
Can uniquely assess confidentiality, integrity & availability (CIA) for each of business, legal and contractual aspects of information assets – as required by ISO27001
Gives comprehensive best-practice alignment
It’s easy and straight-forward to use
Cost-effective route to assessing risks within your business

Download the definite risk assessment tool >>

Staff awareness training – an essential component of ISO27001 (deurainfosec.com)
ISO 27001 Information Security Incident Management (deurainfosec.com)
Download the full version of the ITIL and/or ISO27001 toolkit today! (deurainfosec.com)

Tags: Information Security Management System, iso 27001, Risk Assessment

Comments (2)

May 13 2012

The Cybersecurity Risk Assessment Tool

Category: ISO 27k,Security Risk Assessment — DISC @ 9:24 pm

With over 10 years in the market and 2,500 global downloads, vsRiskTM has been helping organizations all over the world carry out successful risk assessments.
Risks assessment is the core competence of cyber security management. Every decision you make must be proportionate to the actual risk your organization faces. You must therefore assess risks on a structured asset-by-asset basis – and experience proves you need to save time and money with a risk assessment tool that automates and simplifies this process.
vsRisk is the definitive ISO27001:2005-compliant risk assessment tool which will help you become cybersecure

vsRisk – The Definitive Cyber Security Risk Assessment Tool
The vsRisk Assessment Tool has been designed with the user in mind to effectively identify, analyze and control their actual information risks in line with their business objectives. Key features of vsRisk include:
• Assessing key areas such as Groups, Assets and Owners
• Capturing your IS policy, objectives and ISMS scope
• In-built audit trail and comparative history
• Assessesing attributes on Confidentiality, Integrity, and Availability, in relation to Business, Legal, Contractual
• Comprehensive reporting and gap analysis

Alan Calder, CEO of Vigilant Software, talks you through the risk assessment process using vsRisk
Watch the video now >>>

This unique risk assessment tool helps you get on top of the critical risk assessment phase of your ISMS project and, most importantly, sets you up for future risk assessments as well.
Join the professionals and orders your today >>>

vsRisk and Security Risk Assessment

Comments (0)

Apr 18 2012

Risk Assessment control selection and cost savings

Category: Risk Assessment,Security Risk Assessment — DISC @ 10:13 am

In risk management, risk treatment process begins after completion of a comprehensive risk assessment.
Once risks have been assessed, risk manager utilize the following techniques to manage the risks

• Avoidance (eliminate)
• Reduction (mitigate)
• Transfer (outsource or insure)
• Retention (accept and budget)

Now the question is how to select an appropriate control to avoid or reduce risk. While selecting appropriate control to mitigate and avoid risk we need to consider compensating control to cut cost and supplemental control to increase protection for sensitive or classified assets.

Compensating control is a safeguard or countermeasure is employed by an organization in lieu of recommended security control from standards such as ISO 27002 or NIST 800-53. Compensating control provides an equivalent or comparable protection for information system to the original control requirement form standard. For example, even though most standards recommend separation of duties, but for a small operation it might be an unacceptable cost to separate the duties of system administration and system auditing. In that case system owner can utilize compensating control such as strengthening the audit and personnel security.

On the other hand with supplemental control, the system owner may decide to supplement the control to achieve more protection for sensitive and classified assets. If there is high likelihood or magnitude of impact is high should a threat exploit a given vulnerability you might want to consider a supplemental control because overall risk is high. For example you might want to utilize defense in depth method to safeguard your crown jewel.

Implementing and monitoring security control can be expensive, system owner are pressured by management to look for cost savings without any reduction in the security posture of an organization. The system owner can either inherit the common controls or segment the system exposure to reduce cost and risks.
Common controls are the security controls which have been implemented by another information system that your system can utilize. Basically working with another system owner who has utilized some of the security controls need to be implemented in your system. For example utilize the corporate office base line hardening configuration for Windows and Unix system instead of developing your own. This will significantly reduce the cost of developing, testing and maintaining a secure baseline configuration.

Best and cheapest method of cost reduction is to segment the information system into multiple systems which will add different layers and levels of security into each system. Basically you put your crown jewel in multiple layers of security if one control breaks there is another control in place to monitor and protect your assets. This will allow the system owner to focus implementing higher security controls to the segment with most sensitive or classified information instead of entire system

Comments (0)

Mar 20 2012

Risk Management and Business Life Cycle

Category: Security Risk Assessment — DISC @ 1:29 pm

Risk management is a business process and all the business decisions should have a business development life cycle

Risk management is a management responsibility, must be supported by senior management and that concept of Ownership of assets must be established

In Pre screening of critical assets, assets sensitivity must be established based on business, legal and contractual values for confidentiality, integrity and availability. this risk analysis process will determine which critical assets needs to go through the risk assessment process

Organizaions use risk assessment to determine what threats exist to a specific asset and the associated risk

The risk acceptance threshold will provide the organization with the information needed to select effective control measures or safeguards to lower the risks to an acceptable level

Risk is a function of the probability that an identified threat will occur and then the impact that threat will have on the asset

Risk Assessment should include the followings primary steps:
* Critical Asset Sensitivity (impact analysis) level affecting business, contractual and legal imapct
* Threats identified
* Vulnerabilities related to the threats
* Probablity of occurance that the specific threat will exploit the given vulnerability
* Impact of the loss if the specific threat will exploit the given vulnerability
* Risk level identified
* Control recommendations based on risk acceptance
* Results documentation

How to Complete a Risk Assessment in 5 Days or Less

Tags: Risk Assessment, Security Risk Assessment, Tom Peltier

Comments (0)

Dec 06 2011

vsRisk The Ultimate Cyber Security Risk Assessment Tool

Category: ISO 27k,Security Risk Assessment — DISC @ 11:05 am

vsRisk and Security Risk Assessment

Comments (1)

Jul 05 2011

Newly released ISO/IEC 27005:2011 helps improve risk management

Category: ISO 27k,Security Risk Assessment — DISC @ 12:55 pm

/EINPresswire.com/ ISO 27005:2011, the newly released international information security risk management standard, is now available to the international community of business continuity and information security practitioners.

Information security risk management is one of the core competencies of information security. This Standard is an essential companion to ISO/IEC 27001 and ISO/IEC 27002 and replaces ISO/IEC 27005:2008.

ISO 27005:2011 supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. The Standard is applicable to all organisations of all types and sizes, which intend to manage risks that could compromise the organisations information security.

IT Governance Ltd, an international distribution partner for IEC and a global leader in ISO27001 information, products and services, is making ISO/IEC 27005:2011 available from all its main websites. ISO 27005:2011 ISRM, can be downloaded today from www.itgovernance.co.uk/products/1852 .

“The new ISO/IEC 27005:2011 is a much better standard than was the 2008 version”, comments Alan Calder, CEO of IT Governance, “First, it is a better written, more coherent standard. Second, it is aligned with the risk management standard ISO31000, which makes it easier to integrate Enterprise Risk Management approaches with information security risk management. Third, it provides good, practical guidance on carrying out the risk assessment required by ISO27001, together with clear guidance on risk scales. Fourth, it has good guidance on threats, vulnerabilities, likelihoods and impacts. ISO27005 should become standard additional guidance on risk assessment – the ISMS core competence – for all organisations tackling ISO27001.”

Organisations that would like to save time and money whilst implementing the new Standard should consider applying vsRisk – an ISO27001:2005 compliant information security risk assessment tool produced by Vigilant Software, the specialist software subsidiary of IT Governance.

vsRisk (www.itgovernance.co.uk/products/744) simplifies each step of an ISO27001 risk assessment, allowing compliance project managers to capture their information security policy and objectives, plus the scope of their information security management system, and undertake a rapid appraisal of all key areas, including groups, assets and owners. The tool makes ISO27001 compliance achievable for a far wider range of organisations and professionals by minimising the need for specialist knowledge and significantly undercutting the cost of generalist risk management tools.

As well as supporting ISO/IEC 27001:2005 and ISO/IEC27002, vsRisk complies with BS7799-3:2006, ISO/IEC27005, NIST SP 800-30 and the UK’s Risk Assessment Standard.

A copy of the ISO27005:2011 standard can be downloaded immediately from www.itgovernance.co.uk/products/1852 and the vsRisk CD-ROM can be ordered from www.itgovernance.co.uk/products/744 .

Comments (2)

May 13 2011

Enterprise Risk Management: From Incentives to Controls

Category: Security Risk Assessment — DISC @ 12:03 pm

Enterprise Risk Management: From Incentives to Controls

Enterprise risk management is a complex yet critical issue that all companies must deal with as they head into the twenty-first century. It empowers you to balance risks with rewards as well as people with processes.

But to master the numerous aspects of enterprise risk management- you must first realize that this approach is not only driven by sound theory but also by sound practice. No one knows this better than risk management expert James Lam.

In Enterprise Risk Management: From Incentives to Controls- Lam distills twenty years’ worth of experience in this field to give you a clear understanding of both the art and science of enterprise risk management.

Organized into four comprehensive sections- Enterprise Risk Management offers in-depth insights- practical advice- and real world case studies that explore every aspect of this important field.

Section I: Risk Management in Context lays a solid foundation for understanding the role of enterprise risk management in todays business environment.

Section II: The Enterprise Risk Management Framework offers an executive education on the business rationale for integrating risk management processes.

Section III: Risk Management Applications discusses the applications of risk management in two dimensions – functions and industries.

Section IV: A Look to the Future rounds out this comprehensive discussion of enterprise risk management by examining emerging topics in risk management with respect to people and technology.

Failure to properly manage risk continues to plague corporate America from Enron to Long Term Capital Management. Don’t let it hurt your organization. Pick up Enterprise Risk Management and learn how to meet the enterprise-wide risk management challenge head on and succeed.

Here are the contents of the book.

Authors: James Lam
Publisher: John Wiley
ISBN 10: 0471430005
ISBN 13: 9780471430001
Pages: 336
Format: Hard Cover
Published Date: 24/06/03

“I would highly recommend this book to anyone with a serious interest in understanding risk management from a holistic perspective.”

Tags: Enterprise Risk Management, Risk Assessment, Security Risk Assessment, security risk assessment process

Comments (0)

Dec 26 2010

Information Security Risk Management for ISO27001/ISO27002

Category: ISO 27k,Security Risk Assessment — DISC @ 8:56 pm

Expert guidance on planning and implementing a risk assessment and protecting your business information. In the knowledge economy, organisations have to be able to protect their information assets. Information security management has, therefore, become a critical corporate discipline. The international code of practice for an information security management system (ISMS) is ISO27002. As the code of practice explains, information security management enables organisations to ‘ensure business continuity, minimise business risk, and maximise return on investments and business opportunities’.

ISMS requirements
The requirements for an ISMS are specified in ISO27001. Under ISO27001, a risk assessment has to be carried out before any controls can be selected and implemented, making risk assessment the core competence of information security management. This book provides information security and risk management teams with detailed, practical guidance on how to develop and implement a risk assessment in line with the requirements of ISO27001.

International best practice
Drawing on international best practice, including ISO/IEC 27005, NIST SP800-30 and BS7799-3, the book explains in practical detail how to carry out an information security risk assessment. It covers key topics, such as risk scales, threats and vulnerabilities, selection of controls, and roles and responsibilities, and includes advice on choosing risk assessment software.

Benefits to business include:

Stop the hacker. With a proper risk assessment, you can select appropriate controls to protect your organisation from hackers, worms and viruses, and other threats that could potentially cripple your business.

Achieve optimum ROI. Failure to invest sufficiently in information security controls is ‘penny wise, pound foolish’, since, for a relatively low outlay, it is possible to minimise your organisation’s exposure to potentially devastating losses. However, having too many safeguards in place will make information security system expensive and bureaucratic; so without accurate planning your investment in information security controls can become unproductive. With the aid of a methodical risk assessment, you can select and implement your information security controls to ensure that your resources will be allocated to countering the major risks to your organisation. In this way, you will optimise your return on investment.

Build customer confidence. Protecting your information security is essential if you want to preserve the trust of your clients and to keep your business running smoothly from day to day. If you set up an ISMS in line with ISO27001, then, after an assessment, you can obtain certification. Buyers now tend to look for the assurance that can be derived from an accredited certification to ISO27001 and, increasingly, certification to ISO27001 is becoming a prerequisite in service specification procurement documents.

Comply with corporate governance codes. Information security is a vital aspect of enterprise risk management (ERM). An ERM framework is required by various corporate governance codes, such as the Turnbull Guidance contained within the UK’s Combined Code on Corporate Governance, and the American Sarbanes-Oxley Act (SOX) of 2002, and standards such as ISO310000.

Order this book for advice on information security management that can really benefit your bottom line! Information Security Risk Management for ISO27001 / ISO27002

About the authors

Alan Calder is the founder director of IT Governance Ltd. He has many years of senior management and board-level experience in the private and public sectors.

Steve G Watkins leads the consultancy and training services of IT Governance Ltd. In his various roles in both the public and private sectors he has been responsible for most support disciplines. He has over 20 years’ experience of managing integrated management systems, and is a lead auditor for ISO27001 and ISO9000. He is now an ISMS Technical Expert for UKAS, and provides them with advice for their assessments of certification bodies offering certification to ISO27001.

Comments (4)

Jun 08 2010

U.S cybersecurity policies update

Category: Information Warfare,Security Risk Assessment — DISC @ 12:47 am

: Image via Wikipedia

By Greg Masters

The U.S. House of Representatives has passed a defense bill that contains an amendment aimed at regulating the information security responsibilities and practices of federal agencies.

The amendment, sponsored by Rep. Jim Langevin, D-R.I., and Rep. Diane Watson, D-Calif., updates the Federal Information Security Management Act (FISMA) and establishes a National Office for Cyberspace in the Executive Office of the President.

The amendment was attached to the National Defense Authorization Act for Fiscal Year 2011, which passed the House Friday by a 229-186 vote.

“The passage of this amendment comes after a great deal of work to raise awareness about the cybervulnerabilities that exist throughout our federal government,” Langevin, co-chair of the House Cybersecurity Caucus, said in a news release. “These provisions will establish strong, centralized oversight to protect our nation’s critical information infrastructure and update our comprehensive policy for operating in cyberspace.”

The measure integrates a number of policy recommendations made by the Obama administration’s 60-day Cyberspace Policy Review, the CSIS Commission on Cybersecurity for the 44th Presidency and the U.S. Government Accountability Office (GAO), which has offered suggestions for remedying security vulnerabilities across federal agencies.

The amendment establishes the National Office for Cyberspace (NOC) within the Executive Office of the President.

A director, appointed by the president and confirmed by the Senate, would be charged with coordinating and overseeing the security of agency information systems and infrastructure. In addition, a CTO would be hired.

Also, a Federal Cybersecurity Practice Board within the NOC would be charged with overseeing the implementation of NIST-approved standards and guidelines, in addition to defining policies that agencies must adhere to in order to comply with FISMA requirements.

Further, agencies would be required to undertake automated and continuous monitoring of their systems to ensure compliance and to identify potential risks to assets. An annual independent audit of information security programs to determine their overall effectiveness and compliance with FISMA requirements would also be required.

The amendment also calls for developing policies to be used in the purchasing of technology products and services.

A version of the bill currently making its way through the Senate does not contain the Watson-Langevin amendment, but it could be altered before it is voted on by the upper chamber. Adjustments between the two versions of the bill could be made in conference before it is presented for President Obama’s signature. The Senate version passed the Armed Services Committee

The amendment combines two previous bills: Watson’s Federal Information Security Amendments Act and Langevin’s Executive Cyberspace Authorities Act.

FISMA Reform Inches Forward (blogs.splunk.com)
Slippery Slope Alert: “National Office for Cyberspace” Proposed (pff.org)
Telos Provides Cybersecurity Expertise For Administration Web Initiative (eon.businesswire.com)
Panel Backs Measure To Boost Federal Cybersecurity (techdailydose.nationaljournal.com)
Federal Cybersecurity Monitoring Goes Real Time (techdailydose.nationaljournal.com)
Telos Awarded Blanket Purchase Agreement with Office of Governmentwide Policy (eon.businesswire.com)

Tags: Diane Watson, Federal government of the United States, Federal Information Security Management Act of 2002, FISMA, Information Security, Security, Senate, United States

Comments (0)

May 11 2010

OCR draft guidelines for security risk analysis

Category: hipaa,Security Risk Assessment — DISC @ 12:42 am

: Image by veeliam via Flickr

The Health & Human Services Department published draft guidance to help healthcare providers and payers figure out what is expected of them in doing a risk analysis of their protected patient health information.

The security rule of the Health Insurance Portability and Accountability Act (HIPAA) requires that providers, payment plans and their business associates perform a risk assessment, but does not prescribe a method for doing so, according to draft guidance from HHS’ Office of Civil Rights (OCR). The HITECH Act directed that OCR oversee health information privacy.

Risk analysis is a technique used to identify and assess threats and vulnerabilities that may hamper the success of achieving bsuiness goals. In risk analysis determines if the security controls are appropriate compare to the risk presented by the impact of threats and vulnerabilities.

The guidance is not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement. Rather, it clarifies the expectations of the Department for organizations working to meet these requirements. An organization should determine the most appropriate way to achieve compliance, taking into account the characteristics of the organization and its environment.

Some of the content contained in this guidance is based on recommendations of the National Institute of Standards and Technology (NIST), OCR said

OCR guidance document explains several elements a risk analysis must incorporate, regardless of the method employed. So basically the auditor will be looking for all the elements required by the guidelines during an audit.

OCR dratf guigelines details

Information Security Risk Analysis, Tom Peltier

Tags: Business, Civil and political rights, Health care, health insurance, Health Insurance Portability and Accountability Act, National Institute of Standards and Technology, Optical character recognition, Security

Comments (2)

Feb 16 2010

Security risk assessment process and countermeasures

Category: Security Risk Assessment — DISC @ 4:01 pm

The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments

The following are the common steps that should be taken to perform a security risk assessment. These are just basic common steps which should not be followed as is but modified based on organization assessment scope and business requirements.

• Identify the business needs of the assessment and align your requirements with business needs.
• Assess the existing security policies, standards, guidelines and procedures for adequacy and completeness.
• Review and analyze the existing assets threats and vulnerabilities
• Analyze the impacts and likelihood of threats and vulnerabilities on assets
• Assess physical controls to network and security infrastructure
• Assess the procedural configuration review of network and security infrastructure based on existing policies and procedures
• Review logical access and physical access and other authentication mechanism
• Review the level of security awareness based on current policies and procedures
• Review the security controls in service level agreement from vendors and contractors
• At the end of review develop a practical recommendations to address the identified gaps in security controls

To address the existing gaps in infrastructure we have to select the appropriate countermeasures to address the vulnerability or thwart a threat of attack. Four types of techniques are used by countermeasures:

• Deterrent controls reduce the likelihood of an attack. Blocking phishing sites at ISP is an example of deterrent control
• Preventive controls reduce exposure. Firewall is an example of preventive control
• Corrective controls reduce the impact of successful attacks. Antivirus is an example of corrective control
• Detective controls discover attacks and trigger preventive or corrective controls. IDSs and SIEM systems are example of detective control.

What is a risk assessment framework (deurainfosec.com)
Way beyond the edge and de-perimeterization (deurainfosec.com)

Tags: authentication, countermeasure, Firewall, phishing, Risk Assessment, security controls, Security policy, security review, Security Risk Assessment, security risk assessment process

Comments (0)

Sep 21 2009

Due Diligence, and Security Assessments

Category: Information Security,Security Risk Assessment — DISC @ 9:21 pm

: Image via Wikipedia

Fighting Computer Crime: A New Framework for Protecting Information

Risk assessment demands due diligence, which makes business sense and derives organization mission. Due care care is also about applying the specific control that counts. In information security, due diligence means a complete and comprehensive effort is made to avoid a security breach which could cause detrimental effects and identify various threats that may be exploited for a possible security breach.

Donn Parker defines due care as a “use of resonable safeguards based on the practices of similiar organizations”

Fred Cohen defines “due diligence is met by virtue of compliance review.”

Organizations must: (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
(FIPS 200, Section 3, Minimum Security Requirements)

Tags: donn parker, due care, due diligence, Fred Cohen, security controls

Comments (6)

Aug 18 2009

Control selection and cost savings

Category: Security Risk Assessment — DISC @ 3:53 pm

Information Security Risk Analysis

In risk management, risk treatment process begins after completion of a comprehensive risk assessment.
Once risks have been assessed, risk manager utilize the following techniques to manage the risks

• Avoidance (eliminate)
• Reduction (mitigate)
• Transfer (outsource or insure)
• Retention (accept and budget)

Tags: common control, iso 27002, iso assessment, ISO audit, NIST 800-53, NIST audit, risk analysis, Risk Assessment, Risk management

Comments (2)

« Previous Page — Next Page »

DISC InfoSec blog

Assessing Information Security

Building on the success of the first edition, this new edition covers the most recent developments in the threat landscape and the best-practice advice available in the latest version of ISO 27001:2103.

Product overview:

Information Security Auditing and Strategy

Security Auditing, Governance, Policies and Compliance

Security Assessments Classification

Advanced Pre-Assessment Planning

Security Audit Strategies and Tactics

Synthetic Evaluation of Risks

Presenting the Outcome and Follow-Up Acts

Reviewing Security Assessment Failures and Auditor Management Strategies

vsRisk – The Cyber Security Risk Assessment Tool

Cyber Security and Risk Assessment

Cyber security is the protection of systems, networks and data in cyber space.

Tools and techniques which work in mitigating cyber risks

Build the resilience in your information security management system (ISMS) to cope with the other 20% of the risk.

Impact of an Effective Risk Assessment to ISO 27001

Why SoD should be reviewed in every assessment

PCI view of Risk Assessment

5 reasons why vsRisk v1.6 is the definitive risk assessment tool

The Cybersecurity Risk Assessment Tool

Risk Assessment control selection and cost savings

Risk Management and Business Life Cycle

vsRisk The Ultimate Cyber Security Risk Assessment Tool

Newly released ISO/IEC 27005:2011 helps improve risk management

Enterprise Risk Management: From Incentives to Controls

Information Security Risk Management for ISO27001/ISO27002

U.S cybersecurity policies update

OCR draft guidelines for security risk analysis

Security risk assessment process and countermeasures

Due Diligence, and Security Assessments

Control selection and cost savings

Follow DISC InfoSec blog

DISC InfoSec Titles

>>> DISC InfoSec Facebook Page <<<

DISC online store for recommended InfoSec products

vCISO as a service

Building on the success of the first edition, this new edition covers the most recent developments in the threat landscape and the best-practice advice available in the latest version of ISO 27001:2103.

Product overview:

Information Security Auditing and Strategy

Security Auditing, Governance, Policies and Compliance

Security Assessments Classification

Advanced Pre-Assessment Planning

Security Audit Strategies and Tactics

Synthetic Evaluation of Risks

Presenting the Outcome and Follow-Up Acts

Reviewing Security Assessment Failures and Auditor Management Strategies

Related articles

Govern and manage Cyber Security risk with this unique comprehensive toolkit suite

Comprehensive Cyber Security Risk Management Toolkit Suite – Use the Cyber Security Governance & Risk Management Toolkit for a new, fresh implementation of a comprehensive management system that will also be capable of ISO27001 certification, or take advantage of this toolkit’s modular

Related articles

Related articles

Cyber security is the protection of systems, networks and data in cyber space.

Tools and techniques which work in mitigating cyber risks

Build the resilience in your information security management system (ISMS) to cope with the other 20% of the risk.

Related articles

Related articles

Related articles

Related articles by Zemanta

Related articles by Zemanta

vCISO as a service