May 20 2013

A Guide to Data Security and ISO27001/ISO27002

Category: ISO 27k | DISC @ 1:39 pm

IT Governance 5: An International Guide to Data Security and ISO27001/ISO27002

This manual provides clear, unique guidance for both technical and non-technical managers. It details how to design, implement and deliver an ISMS that complies with ISO 27001.

Now in its fifth edition, this title has been fully updated to take account of the latest regulatory and technological developments, and the International Board for IT Governance Qualifications


Tags: Corporate governance of information technology, Information Security, Information Security Management System, ISO, ISO/IEC 27001, Risk Assessment


Apr 23 2013

Cyber Security and Risk Assessment

Category: cyber security, Security Risk Assessment | DISC @ 9:19 am

Cyber security is the protection of systems, networks and data in cyber space.

If your system is connected to the internet, you should know and understand the risks of cyber space in order to take appropriate countermeasures.

To understand the risks of cyber security, the first place to begin is a risk assessment. By completing a risk assessment you can understand what the risks, threats and vulnerabilities of your networks, systems and data really are, and begin to comprehend how to reduce and handle them. The authors of The Information Security Risk Assessment Toolkit provide handy step-by-step guidance on how to undertake a risk assessment. As we said, a security risk assessment is an important first step to assess risks, but the second step of mitigating those risks in a timely manner is crucial to protecting your information assets.

Once you understand what the risks to your business are, you can then decide how to mitigate those risks based on your organization's risk acceptance.

Tools and techniques which work in mitigating cyber risks

The UK’s Cyber-security Framework for Business (published by the Department for Business, Innovation and Skills) is a 10-step framework to stop around 80% of today’s cyber-attacks:
1. Board-led Information Risk Management Regime
2. Secure Home and Mobile Working
3. User Education and Awareness
4. User privilege management
5. Removable media controls
6. Activity monitoring
7. Secure Configurations
8. Malware protection
9. Network security
10. Incident Management

Build the resilience in your information security management system (ISMS) to cope with the other 20% of the risk.

The authors of Hacking Exposed 7 cover the latest methods used by third parties to gain (logical/physical) access to information assets. They then detail how you can protect your systems, networks and data from unauthorised access.

Cybersecurity standards are an important element in building a strong, resilient information and communications infrastructure. ISO/IEC 27001 is the most significant international best practice standard available to any organisation that wants an intelligently organised and structured framework for tackling its cyber risks.

Tags: Computer security, cyberwarfare, Information Security, Information Security Management System, Risk Assessment, Risk management


Apr 15 2013

Implications of becoming a cybersecurity victim

Category: cyber security | DISC @ 7:17 pm

What are the potential implications of becoming a cybersecurity victim?

  • PWC/DTI Information Security Breaches Survey 2012
    • 93% of large businesses suffered a security incident last year
    • Average cost of the worst incident for a large business: £110k to £250k
    • The average large organisation had 71 security breaches in the previous year, up from just 45 two years previously.
  • National High Tech Crime Unit survey 2004
    • Of 201 respondents, 167 (83%) experienced high-tech crime in 2003
    • Impact of these crimes: > £195 million

Online, Keep Safe Resources

Below are some free online resources which any smaller business or home owner will find useful:

Safeguard your computer

* Workstations should be set up in a secure, clean, calm, stable environment.

* Don’t leave loose cables that might be a safety hazard; tripping over a cable can pull it out of the computer.

* Always log out of and shut down Windows, and switch your computer off when it’s not in use.

* The biggest risk associated with laptops (also known as notebooks) is, in fact, the loss or theft of the laptop.

The Essential Guide to Home Computer Security

Tags: Computer security, National Institute of Standards and Technology


Apr 12 2013

Exploding the myths surrounding ISO9000

Category: Information Security | DISC @ 10:05 am

Exploding the myths surrounding ISO9000 (Adobe eBook)

Thousands of companies worldwide are reaping the benefits from implementing the ISO9000 Quality Management standard. However, there are many conflicting opinions about the best approach. Some companies have delayed applying the standard, or have chosen not to implement it at all. This might be because of a lack of time and resources to investigate it properly, or because of misunderstandings about the way it works. So, how do we know who and what to believe?

The secrets of successful ISO9000 implementation

In Exploding the Myths Surrounding ISO9000, Andrew W Nichols debunks many of the common misconceptions about the standard, and describes the many advantages it brings. Drawing on more than 25 years of hands-on experience, Andy gives clear, practical and up-to-date advice on how to implement ISO9000 to maximum effect. Full of real-life examples, this book will enable you to:
• read and interpret the ISO9000 documentation in order to realize its benefits for your company
• estimate your company’s implementation needs
• benefit from the results of this management system as positive change is effected throughout the company and down the supplier chain
• increase efficiencies and reduce waste
• grow sales as you understand and meet your customers’ needs

Read this unique book and make ISO 9000 work for you.


Tags: International Organization for Standardization, ISO 9000, Quality management, Quality management system


Apr 03 2013

IT Governance 5 top tips for Implementing successful ISO27001

Category: ISO 27k | DISC @ 11:06 am

Nine Steps to ISO27001

  1. Get a copy of the standard! There are a few people out there that purchase the standard half way through implementation (or even not at all) but the truth of the matter is, this is one of the first things you should do. It will help confirm suspicions and will be the core backbone as to what you do from now on.
  2. Get management buy in. This is critical for supporting your ISO27001 project and making it a success
  3. Read, read, read! There’s a wealth of free information out there on the web to help you get stuck in to your ISO27001 project. From white papers to Linkedin groups, you’re sure to find what you’re looking for.
  4. Use all the available tools and resources out there. This will make implementation a lot easier, saving you lots of head scratching, late nights and hours spent staring out the window! Documentation toolkits really help simplify the process and can also lessen the time it takes you to reach certification
  5. Communication is at the heart of the ISO27001 process. It allows you to keep your Board and the rest of your organisation updated with regular progress reports and key measurements to indicate the success of the project so far.


Nine Steps to Success: an ISO 27001 Implementation Overview. This is the ideal guide for anyone tackling (or about to tackle) ISO27001 for the first time.


Mar 28 2013

Top Five IT Governance Titles

Category: Information Security, IT Governance | DISC @ 12:18 pm

Download one of IT Governance's industry-leading ebooks. IT Governance sources and publishes titles on cyber security, compliance, project management, risk and IT service management.

Fantastic Reads… All Better Priced Than Amazon

Learn and stay ahead on your topic of choice. Download an ebook today!

ISO22301 A Pocket Guide

ISO22301: A Pocket Guide is designed to help you do what is necessary to satisfy the requirements of ISO22301. With the expert advice contained in this guide, you can ensure your organisation develops a business continuity plan that is fit for purpose.



30 Key Questions that Unlock Management

30 Key Questions that Unlock Management is a book that provides direct responses to real questions posed by real people in management. Each section contains practical advice and immediate steps you can take to deal with the issue at hand.


Managing Business Transformation: A Practical Guide

Brush up on your soft skills and see the working relationships with your IT Audit clients flourish. Exploring how and why an auditor can remain trapped in an ascribed role, this book fills a gap in the market by helping the reader to avoid the traditional finger-pointing stance and instead become a convincing partner with business and technology counterparts.


Running IT like a Business: A Step-by-Step Guide to Accenture’s Internal IT

Running IT like a Business will show you how your IT function can add real value to your business, taking guidance from Accenture who doubled its revenue in ten years. With clear strategies, helpful diagrams and real-life examples, this book will give you the keys to unlocking your IT function’s hidden potential.



Agile SAP

Understand how to bring your SAP projects in on time and within budget with the help of this guide, written by Project Management Professional and Certified ScrumMaster, Sean Robson.


Mar 28 2013

Compartmentalizing and Segmenting Privileged Passwords

Category: Access Control | DISC @ 9:34 am

By Lieberman Software @ Identity Week

If you’re a fan of old war movies – and especially if you’re a child of the Cold War – then you no doubt recall watching scenes where prior to launching a nuclear missile, two operators will turn their launch keys simultaneously in order to initiate the launch. The military refers to this security process as “The Two Person Concept” or “The Two Man Rule”. Sometimes the phrase “Double Safekeeping” is used.

The concept is that double safekeeping is an effective control mechanism for ensuring the highest levels of security during critical operations. That’s because the process requires two or more authorized personnel to be involved before sensitive resources or information can be accessed.

So it’s only logical to assume that if double safekeeping can prevent something as crucial as the accidental or malicious launch of nuclear weapons by a single person, then the practice can be extended into other realms of security.

Double Safekeeping and Privileged Account Management

And that’s exactly what my company did recently within the field of privileged account management. Our flagship privileged identity management product, Enterprise Random Password Manager™ (ERPM), now includes a version of double safekeeping that controls privileged passwords.

ERPM is a security product that automatically discovers, secures, tracks and audits privileged accounts across multiple operating systems. It continuously changes privileged passwords, and helps prevent unauthorized users and programs from being able to access an organization’s most sensitive data.

Now, with its new double safekeeping feature, ERPM can release different password segments to different authorized IT personnel. It breaks up privileged account passwords into different parts, and each part is assigned to an authorized user, in a fully audited manner.

For example, an IT manager may have one segment of the password, and a systems administrator may have the other segment. Together both people have the entire password, and the ability to access the corresponding privileged account. Separately, neither one can use the powerful account to anonymously change configuration settings, extract confidential data or install programs on their own.

And while this may be the first time you’re hearing about such a capability, I’m betting it won’t be the last. Some regulatory compliance mandates, like BASEL II, are now requiring organizations to store sensitive information – including passwords – in multiple parts so that one person can’t maintain key secrets individually.

This whole thing reminds me of an old saying that goes something like: “If one man can single handedly save the ship, then it stands to reason that the same man can also single handedly sink the ship.” Take precautions.
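The password-splitting idea described above, as an added example that is not code from the original post or from Lieberman's ERPM: each custodian gets an XOR share that on its own is statistically independent of the password (unlike the naive approach of handing out substrings), and a hypothetical audited vault only rebuilds the password when every custodian takes part. The account name, custodian names and password are constructed for the example.

```python
import secrets
from typing import Dict, List


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("shares must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret: bytes, parties: int) -> List[bytes]:
    """Split `secret` into `parties` XOR shares; every share is needed to rebuild it.

    All shares but the last are uniformly random; the last is the secret XORed
    with all of them. Any subset short of the full set is therefore independent
    of the secret: a custodian holding one share learns nothing about the password.
    """
    if parties < 2:
        raise ValueError("double safekeeping needs at least two custodians")
    shares = [secrets.token_bytes(len(secret)) for _ in range(parties - 1)]
    last = bytes(secret)
    for share in shares:
        last = xor_bytes(last, share)
    shares.append(last)
    return shares


def combine_shares(shares: List[bytes]) -> bytes:
    """Rebuild the secret from the complete set of shares."""
    if not shares:
        raise ValueError("no shares supplied")
    result = bytes(len(shares[0]))
    for share in shares:
        result = xor_bytes(result, share)
    return result


def naive_split(secret: str, parties: int) -> List[str]:
    """The weak alternative: handing each custodian a substring of the password.

    Each part is genuine password material, so a single custodian already holds
    a chunk of the secret and the remainder is all that is left to guess.
    """
    size = -(-len(secret) // parties)  # ceiling division
    return [secret[i:i + size] for i in range(0, len(secret), size)]


class PasswordVault:
    """Hypothetical vault (constructed for this example): one share per custodian,
    and every release is written to an audit trail."""

    def __init__(self, account: str, password: bytes, custodians: List[str]) -> None:
        if len(set(custodians)) != len(custodians):
            raise ValueError("custodians must be distinct people")
        self.account = account
        self.custodians = list(custodians)
        shares = split_secret(password, len(custodians))
        self._shares: Dict[str, bytes] = dict(zip(self.custodians, shares))
        self.audit: List[str] = []

    def release_share(self, custodian: str) -> bytes:
        """Release one custodian's share and record who received it."""
        if custodian not in self._shares:
            raise PermissionError(f"{custodian} is not a custodian of {self.account}")
        self.audit.append(f"share released to {custodian} for {self.account}")
        return self._shares[custodian]


def reconstruct(vault: PasswordVault, present: List[str]) -> bytes:
    """Two-person rule: the password exists only when every custodian takes part."""
    missing = set(vault.custodians) - set(present)
    if missing:
        raise PermissionError(f"missing custodian(s): {sorted(missing)}")
    return combine_shares([vault.release_share(c) for c in vault.custodians])


if __name__ == "__main__":
    # Constructed sample: an IT manager and a sysadmin jointly hold root on db01.
    vault = PasswordVault("root@db01", b"Tr0ub4dor&3", ["it_manager", "sysadmin"])
    try:
        reconstruct(vault, ["sysadmin"])  # one person alone is refused
    except PermissionError as err:
        print("refused:", err)
    print("recovered:", reconstruct(vault, ["it_manager", "sysadmin"]))
    print("audit:", vault.audit)
    print("naive split hands out real password characters:", naive_split("Tr0ub4dor&3", 2))
```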


Tags: Password, Password manager, Privileged Identity Management, Two-man rule


Mar 11 2013

IT Governance announces the release of BYOD Toolkit

Category: BYOD | DISC @ 9:40 pm

BYOD Policy Template

IT Governance, the global leader in information security and compliance solutions, has released a BYOD Policy Template Toolkit. BYOD (Bring Your Own Device) promises improved productivity, reduced capital expenditure and better work-life balance for employees. It also promises security and compliance problems for organisations that have inadequate BYOD policies. Organisations can use this easy-to-customise BYOD policy template, and its supporting ‘Acceptable Use Agreement’, to structure, focus and document their own organisational approach to BYOD, and to get informed sign-up from every employee who wants to benefit from a BYOD option. Fully up-to-date for the March 2013 official guidance on data management and security from the UK’s Information Commissioner, this BYOD Policy Template Toolkit puts affordable best practice at the fingertips of CIOs and Security Managers everywhere. This toolkit is compatible with, and can be used within, an ISO27001 Information Security Management System (ISMS), and also reflects the requirements of the Business Continuity Management Standard, ISO22301.

Organisations will benefit from implementing BYOD Policy by:

  • shifting investment and running costs to the employee
  • boosting employee satisfaction
  • speeding up use within the organisation of cutting-edge technology
  • eliminating end-of-life device administration.

To purchase this extremely cost-effective, easy-to-use and DPA-compliant toolkit, visit



Mar 06 2013

Your Cyber Security Project

Category: cyber security | DISC @ 12:04 pm

by James Warren

Internet technologies have revolutionised the way that business is conducted but these innovations expose your business to various cyber security risks.

Inadequate security can lead to the theft of customer data and, in the event of technological failure or a cyberattack, your business could lose its ability to function altogether. An effective risk management strategy is, therefore, vital to your company’s survival.

Cyber Security Risks for Business Professionals: A Management Guide

A general guide to the origins of cyber security risks and to developing suitable strategies for their management. It provides a breakdown of the main risks involved and shows you how to manage them.

Cybersecurity standards are an important element in building a strong, resilient information and communications infrastructure. ISO/IEC 27001 is the most significant international best practice standard available to any organisation that wants an intelligently organised and structured framework for tackling its cyber risks. As the leading provider of cyber security products and services, ITG can help you with any aspect of your project:

Cyber Security Risks for Business Professionals: A Management Guide  >> ITG | eBay | Amazon

Tags: Computer security, cyber security, Information Security, ISO/IEC 27001, Risk management


Mar 02 2013

Forward-thinking books on information security

Category: Information Security, ISO 27k | DISC @ 8:01 pm

Forward-thinking books on information security help organisations understand current challenges in the sector

/EINPresswire.com/ Keeping up-to-date with information security issues and responding to new cybersecurity challenges can be time-consuming. However, it is essential that anyone concerned with information security, from IT professionals through to the Board members, dedicates time to learning and understanding these issues.

Last week, for example, the UK’s National Audit Office highlighted a severe lack of skilled cybercrime fighters in the UK. Cybercrime is costing the UK economy an estimated £18-27 billion each year.

So, is there a fast route to getting up to speed with what’s happening and what the modern means are to fight cybercrime?

Information security experts at IT Governance advise there is an easy way to catch up with the latest developments and fill in the knowledge gap. They recommend three essential books that can greatly improve everyone’s understanding of information security, data protection and risk management, whilst providing them with enjoyable and useful reading.

Once more unto the Breach – Managing information security in an uncertain world is based on a typical year in the life of an information security manager. The book examines how the general principles can be applied to all situations and discusses the lessons learnt from a real project. The book can be purchased as softcover and eBook from >> Once more unto the Breach – Managing information security in an uncertain world 

IT Governance – An International Guide to Data Security and ISO27001/ISO27002 is the definitive guide to implementing an ISO27001-compliant Information Security Management System (ISMS). Written by industry experts Alan Calder and Steve Watkins, it contains clear guidance on all aspects of data protection and information security. Book reviewers describe it as ‘unparalleled’, ‘a critical source when preparing and managing the ISMS’ and ‘a comprehensive guide as to actions that should be taken’. The book can be ordered online at >> IT Governance – An International Guide to Data Security and ISO27001/ISO27002

Managing Information Security Breaches – Studies from real life provides a general discussion of, and a source of learning about, what information security breaches are, how they can be treated and what ISO27001 can offer in that regard, spiced with a number of real-life stories of information security incidents and breaches. This book is highly relevant and will help every team to prepare a strategic framework for handling information security breaches. Buy a softcover or eBook from >> Managing Information Security Breaches – Studies from real life



Feb 28 2013

Cutting edge titles for IT professionals

Category: Information Security | DISC @ 10:37 am

IT Governance Publishing (ITGP) are at the forefront of sourcing and publishing cutting-edge titles in the cyber security, compliance, business continuity and IT service management sectors. Below are ITGP's top 10 latest cutting-edge titles.

ISO22301 A Pocket Guide

This handy pocket guide explains what the ISO22301 Business Continuity Standard is and how to start planning a Business Continuity Management System (BCM) that complies with this international standard.

Ten Steps to ITSM Success

This book provides guidance on implementing ITSM best practices in an organisation using an easy-to-follow ten-step approach.

30 Key Questions that Unlock Management

A direct response to real questions posed by real people doing real jobs. Each section contains practical advice and immediate steps you can take to deal with the issue at hand.

The Quantum Age of IT

‘Charles has really nailed it for any executive struggling with IT strategy. How IT got here and where it’s going.’ – Randy Steinberg, Author, ITIL Service Operation, 2011 Edition, Principal – Migration Technologies.

Running IT Like A Business

Running IT like a Business will show you how your IT function can provide much more than products and services and add real value to your business.

Exploding the Myths Surrounding ISO9000 – A Practical Implementation Guide – Published 25th March

In this book management systems expert Andrew Nichols, who has over 25 years of industry experience, explains in detail how to implement ISO9000 to maximum effect.

ITIL and Organizational Change – Published 5th March

Thousands of organisations adopt ITIL every year; however, many fail to achieve significant benefits. This book examines how to avoid common pitfalls and how to clear the many hurdles that can obstruct progress.

Governance and Internal Controls for Cutting Edge IT – Published 5th March

Based on practical experience and real-life models, this new book covers key principles and processes for the introduction of new technologies and examines how to establish an appropriate standard of security and control.

ITIL Lifecycle Essentials – Published 28th March

This book doesn’t just cover the information required to pass the foundation exam, but goes beyond this by providing practical guidance for when newly qualified practitioners enter the real world.


Feb 25 2013

PENETRATION TESTING & ISO27001

Category: ISO 27k, Pen Test | DISC @ 10:38 pm

Penetration testing (often called “pen testing” or “security testing”) establishes whether or not the security in place to protect a network or application against external threats is adequate and functioning correctly. It is an essential component of most ISO27001 and UK public sector contracts.

Why would my company need penetration testing services?

In a world where attacks on networks and applications are growing in number at an exponential rate, and the penalties incurred by organisations for failing to defend against such attacks are becoming ever steeper, effective penetration testing is the only way of establishing that your networks and applications are truly secure. Penetration testing is also an essential component in any ISO27001 ISMS – from initial development through to on-going maintenance and continual improvement.

How does penetration testing fit into my ISO27001 ISMS project?

There are three specific points in your ISMS project at which penetration testing has a significant contribution to make:

1. As part of the risk assessment process: uncovering vulnerabilities in any Internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats.

2. As part of the Risk Treatment Plan ensuring controls that are implemented do actually work as designed.

3. As part of the on-going corrective action/preventive action (CAPA) and continual improvement processes; ensuring that controls continue to work as required and that new and emerging threats and vulnerabilities are identified and dealt with.

The Basics of Hacking and Penetration Testing
This guide will show you how to undertake a penetration test or, as it is sometimes known, an ethical hack. The book focuses on how to hack one particular target, which lets you see how the tools and phases of the pen test relate to each other. Get your copy of The Basics of Hacking and Penetration Testing from:
ITG | eBay | Amazon

Penetration Testing – Protecting Networks and Systems
An essential guide to penetration testing and vulnerability assessment, which can also be used as a Certified Penetration Testing Engineer exam prep guide. Get your copy of Penetration Testing – Protecting Networks and Systems from:
ITG | eBay | Amazon

Tags: Information Security, Information Security Management System, ISO/IEC 27001, Penetration test


Feb 12 2013

Why ISO 27001 certification should be a priority

Category: ISO 27k | DISC @ 10:34 pm

Why ISO 27001 certification is unavoidable

Nowadays, the ISO27001 standard has become an almost unavoidable factor in the field of information security. Compliance is unavoidable because most industries are heavily regulated, and it seems more legislation is on its way to redefine how we act on the internet. Because ISO 27001 requirements are largely a superset of other major standards and regulations, achieving ISO 27001 certification positions most organizations to be well on their way to meeting the requirements of PCI, SOX, HIPAA and GLBA.

Six main benefits of an Information Security Management System based on ISO 27001 specifications

1. Business managers of the organization will make informed decisions regarding potential risk and should be able to demonstrate, on a regular basis, compliance of their critical information with standards and regulations such as SOX, GLBA, HIPAA and DPA.

2. An ISMS is a defensive mechanism against any APT (advanced persistent threat), minimizing the impact of these external threats and of the various forms of cybercrime.

3. Informed information security decisions will be made based on risk assessment to implement technical, management, administrative and operational controls, which is the most cost-effective way of reducing risk. The highest-priority risks are tackled first to attain the best ROI in information security.

4. Information security is not an IT responsibility; in general, everybody in an organization is responsible for protecting information assets, and more specifically the business manager, who may delegate their responsibility.

5. The organization will improve credibility and trust among internal stakeholders and external vendors. Credibility and trust are key factors in winning business.

6. An ISMS raises awareness of information security risks throughout the business, involves all employees across the organization and therefore lowers the overall risk to the organization.

Related Books, Standards and Tools you may need to achieve ISO 27001 certification

Nine Steps to Success: an ISO 27001 Implementation Overview. “It’s like having a $300/hr consultant at your elbow as you consider the aspects of gaining management support, planning, scoping, communication, etc…” Thomas F. Witwicki (amazon.com review)

IT Governance: An International Guide to Data Security and ISO27001/ISO27002
Covers simply everything you need to know about information security and ISO27001. It is also the UK’s Open University’s post-graduate information security textbook. All aspects of data protection / information security are covered including viruses, hackers, online fraud, privacy regulations, computer misuse, investigatory powers etc.

ISO27000 Standards
Official standards available in hardcopy and downloadable formats.

Standalone ISO 27001 ISMS Documentation Toolkit
This toolkit contains all the documents, procedures and templates you need to massively simplify your progress to certification. It will save you months of work, help you avoid costly trial-and-error dead-ends and ensure everything is covered to the current ISO 27001 standard.

Tags: Corporate governance of information technology, Information Security, Information Security Management System, ISO/IEC 27001, Risk Assessment


Feb 11 2013

BYOD security measures for mobility

Category: Mobile Security | DISC @ 9:22 pm

BYOD Usage (Photo credit: IntelFreePress)

BYOD security controls for mobility

These days smartphones certainly add additional risk to Bring Your Own Device (BYOD) in the office. Like it or not, Bring Your Own Device is a growing trend at all scales and levels. An important thing to understand is that today’s users like and prefer to use their own devices and applications at work.

As we know, some organizations have pretty strict policies around Bring Your Own Device. BYOD should be addressed in a structured manner, considering information security policies and procedures. Utilize an IT Governance framework to align BYOD with business goals. In this regard, an organization may have to amend some of its own policies to allow BYOD instead of making users circumvent the existing policies. Security professionals must reassess their current Bring Your Own Device policies to find a new balance which works for users and also matches the organization's business objectives and security needs.

Organizations of all sizes are dealing with mobility before they have had adequate time to manage the risks: How do we secure the systems and data accessed broadly by employees’ mobile devices?

  • State of Security – Which mobile platforms will organizations support in 2013, and how do they rate their state of mobile security? Perform a thorough risk assessment with mobility in scope.
  • Policy – What formal policies do organizations have in place for concerns such as inventory, mobile device/application management and data/device encryption? Update your policies and procedures to cover mobility.
  • Controls – What security controls are in place to manage and secure identity and access management, content and the use of third-party applications? Implement mobility controls based on the risk assessment.
  • Metrics – How do organizations measure the tangible business results of mobile initiatives, including cost savings and improved productivity? Metrics measure the improvement and effectiveness of controls, and are the best way to show auditors and the executive suite that you are maintaining and improving mobility controls over time.


Considerations for BYOD Policies, Controls and Metrics

• Address the allowed and supported mobile platforms for the user community
• Address stolen and misplaced devices to avoid data loss
• Address remote access to corporate resources, which should be secured using TLS/SSL
• Also address exceptions in remote access where an application does not support TLS or SSL
• Address the use of implicit authorization instead of traditional explicit authorization
• Implicit authorization uses the SIM-based Extensible Authentication Protocol (EAP-SIM)
• Implicit authorization is less risky than explicit authorization in BYOD

Tags: BYOD, Extensible Authentication Protocol, Information Security, Remote access, Smartphone, Transport Layer Security


Feb 10 2013

IT Governance : A Pocket Book and Documentation Toolkit

Category: IT Governance | DISC @ 12:28 am

IT Governance Pocket Guide

This pocket guide describes the crucial issues of corporate IT governance and explains how to align it with the organization's business objectives.

This book is easy to read and understand for both technical and non-technical readers, and very useful for IT Governance, IT Audit and information security professionals. It includes the Calder-Moir IT Governance framework, which guides the professional on how to align IT governance with the business goals of an organization.

This pocket guide describes the drivers for IT governance and why it matters; the relationship between IT governance, risk management, information risk, project governance and compliance risk; lists the symptoms of inadequate IT governance and the benefits that can be won by implementing an IT governance framework; and describes, in principle, how to go about doing this.

This pocket guide covers:

  • Why IT Governance Matters
  • Drivers for IT Governance
  • Strategic and Operational Risk Management
  • Symptoms of Inadequate IT Governance
  • What is an IT Governance Framework?
  • Benefits of an IT Governance Framework
  • The Calder-Moir IT Governance Framework

This is a good overview of this important subject from the author of IT Governance: Guidelines for Directors.

Get your copy of the IT Governance Pocket Guide today! (available in soft copy, epub, adobe, kindle)

IT Governance Documentation Toolkit

Wouldn’t it be nice to have someone doing all the dull stuff for you?
1. The IT Governance documentation toolkit contains 1591 pages of pre-written policies, procedures, checklists, guidance, presentations, planning tools and diagrams.
2. The IT Governance documentation toolkit can save you thousands of pounds, countless hours of time and an awful lot of stress.
3. The IT Governance framework integrates CobiT, ITIL, ISO27001/2, ISO20000, Prince2, PMBOK, TOGAF and many other concepts.
4. The IT Governance documentation toolkit is cheaper than one day of consultancy.

The IT Governance Documentation Toolkit

 


Feb 05 2013

Is biometric authentication a new standard for Smartphones?

Category: Smart PhoneDISC @ 5:07 pm


Biometric devices rely on the measurement of a biological characteristic of an individual, such as fingerprints, hand geometry, voice recognition and iris patterns. In this post we will discuss whether biometric authentication is going to become a standard technology in the future, especially fingerprint technology, which matches the loops and whorls of the finger against the stored data template of an individual; when a match is found, access is granted.

Issues surrounding biometric authentication

Significant issues to consider with biometric technology are counterfeiting, data storage, user acceptance and reliability. The most significant issue with this technology is integration with existing infrastructure, more specifically integration with network access software.

Tags: Android, Apple, AuthenTec, Biometrics, Fingerprint, Fujitsu, iPhone, Japan


Jan 31 2013

New Draft ISO27001 and ISO27002 Standards

Category: ISO 27kDISC @ 2:26 pm

Check out the ITG site for details

Industry Update

It has been announced that new Drafts of the two international information security standards ISO27001 (ISMS Requirements) and ISO27002 (Code of Practice) have been published.

These Drafts have been published for the purpose of public consultation. As these are international standards, the consultation process operates internationally, via national standards bodies.

Anyone can comment on the proposed standard and all the comments will then be assembled and reviewed by the committee. The public consultation period closes on 23 March 2013.

To help you understand the proposed changes and implications of these new draft standards we have created an information page.

Click here to read in full about the ISO27001/ISO27002: 2013 Draft Standards

You can also purchase your own copies of the draft standards here:

We will keep you updated with the progress of these standards. Once the new standards are officially published, the existing standards will be withdrawn, however there will be a transition timetable that enables organisations to move from the existing standard to the new one.

Tags: Information Security Management System, International standard, ISO, ISO/IEC 27001, ISO/IEC 27002


Jan 29 2013

Impact of an Effective Risk Assessment to ISO 27001

Category: Security Risk AssessmentDISC @ 11:08 pm

First, a definition of risk: risk is a function of the probability that an identified threat will occur and of the impact it would then have on the mission or business objectives of an organization.

The kinds of risk we deal with for information assets are mostly risks from which only loss can occur, which may be one of the reasons why it is hard for security professionals to justify the ROI of security controls. Business risks, by comparison, carry either a profit or a loss. As we know, business people make decisions on risk on a daily basis, and it is easier to make a decision for the sake of profit than to avoid a loss. So an increase in risk to an information asset will decrease the value of that asset or harm the organization's bottom line in some way.

To minimize loss to an information asset, an organization may decide to treat the higher-risk assets, those above its accepted risk threshold, in one of the following four ways:

1. Eliminate the risks
2. Reduce the risk to acceptable level
3. Accept the risk and live with it
4. Transfer by means of insurance

Risk Assessment Basic Steps for ISO 27001:

o Determine the risk methodology and the level of acceptable (residual) risk
o Identify assets and who owns them
o Identify the value of each asset
o Identify threats to each asset
o Identify vulnerabilities that each threat may exploit
o Estimate the likelihood of each threat exploiting a vulnerability
o Finally, determine the risk to the security of each asset by combining impact and likelihood
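The steps above, walked through in code as an added example (not from the original post): a constructed asset register is scored with risk = impact x likelihood on an assumed 1-5 scale, and every asset scoring above an assumed acceptable-risk threshold is flagged for one of the four treatment options.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed example (not from the original post): 1-5 scales, the threshold
# and the register entries are assumed values chosen for illustration.

@dataclass
class Risk:
    """One line of the asset / threat / vulnerability register."""
    asset: str
    owner: str            # who owns the asset and signs off on its treatment
    asset_value: int      # 1 (low) .. 5 (critical), as valued by the owner
    threat: str
    vulnerability: str    # weakness the threat could exploit
    likelihood: int       # 1 (rare) .. 5 (almost certain)

    def impact(self) -> int:
        # Simplification: the impact of losing the asset equals its value.
        return self.asset_value

    def score(self) -> int:
        return self.impact() * self.likelihood

# The four ways the post lists for treating risk above the threshold.
TREATMENT_OPTIONS = ("eliminate", "reduce", "accept", "transfer")

def needs_treatment(risk: Risk, acceptable: int) -> bool:
    """True when the score is above the organization's accepted (residual) risk."""
    return risk.score() > acceptable

def assess(register: List[Risk], acceptable: int) -> List[Tuple[str, int, str]]:
    """Return (asset, score, status) rows, highest risk first."""
    rows = []
    for r in register:
        status = "treat" if needs_treatment(r, acceptable) else "accept"
        rows.append((r.asset, r.score(), status))
    return sorted(rows, key=lambda row: row[1], reverse=True)

ACCEPTABLE_RISK = 6   # assumed level set by the risk methodology
REGISTER = [          # constructed register
    Risk("Customer database", "Head of Sales", 5, "Data theft", "Unpatched DBMS", 4),
    Risk("Backup tapes", "IT Operations", 4, "Theft in transit", "Unencrypted media", 2),
    Risk("Marketing website", "Marketing", 2, "Defacement", "Outdated CMS", 3),
    Risk("Lobby kiosk", "Facilities", 1, "Malware infection", "No endpoint protection", 3),
]

if __name__ == "__main__":
    for asset, score, status in assess(REGISTER, ACCEPTABLE_RISK):
        print(f"{asset:20} risk={score:2} -> {status}")
```

Assets marked "treat" go back to their owner, who chooses among the four treatment options; the "accept" rows sit within the residual risk the organization has already agreed to.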

Risk Assessment Titles from eBay | Risk Assessment Titles from DISC InfoSec Store

 


Tags: Corporate governance of information technology, Information Security Management System, ISO/IEC 27001, Risk Assessment, Risk management


Jan 25 2013

An Introduction to Hacking & Crimeware

Category: Cybercrimedisc7 @ 11:33 am

The ITG pocket guide An Introduction to Hacking & Crimeware is concise, subject-focused and easy to read. Whether used as a training aid, induction material or just as further reading, it offers powerful and valuable insight.

Defend your business, protect your livelihood, safeguard your future.

Cybercrime is on the rise. Unchecked, it could destroy the entire global cyber infrastructure and wipe out many businesses. We need to defend ourselves against it, and we must fight back. Toolkits to create malware are now readily available to anyone wishing to defraud and do damage. For your business to survive and thrive, it is vital to stay informed about the threats and the risks, and arm yourself against them.

Know your enemy

An Introduction to Hacking & Crimeware is a comprehensive guide to the most recent and the more serious threats. Knowing about these threats will help you understand how to ensure that your computer systems are protected and that your business is safe, enabling you to focus on your core activities.

Fighting back

In this pocket guide, the author:
• defines exactly what crimeware is – both intentional and unintentional – and gives specific, up-to-date examples to help you identify the risks and protect your business
• explores the increasing use of COTS tools as hacking tools, exposing the enemy's tactics, and gives practical suggestions as to how you can fight back
• provides a valuable list of up-to-date, authoritative sources of information, so you can stay abreast of new developments and safeguard your business.

An Introduction to Hacking & Crimeware: A Pocket Guide (ITG – Softcover, Adobe, ePub, Kindle)

An Introduction to Hacking & Crimeware: A Pocket Guide (eBay)

An Introduction to Hacking & Crimeware: A Pocket Guide (Amazon)

Tags: Commercial off-the-shelf, Computer crime, Crimeware, Cybercrime, eBay, Hacking & Crimeware, Hacking tool


Jan 24 2013

Controls against Mobile Code

Category: ISO 27k,Mobile SecurityDISC @ 12:16 pm

ISO 27002 control A 10.4.2 requires that the execution of mobile code be restricted to an intended environment, in support of an authorized organizational mobile code policy.

What is mobile code? Let's first start with a definition: 'a program or code that can execute at remote locations without any modification; it can travel from one machine to another on a network and execute there during its lifetime.' Languages and formats used for mobile code include, but are not limited to, Java, JavaScript, ActiveX, VBScript, C++, C#, ASP.NET, macros and PostScript.

Mobile code can be used for anything from benign to very malicious activity, depending on the coder's intentions. Malicious uses include collecting personal and private information (including patient healthcare information), introducing Trojans and worms, and sometimes modifying or destroying information.

Different mobile code languages are used by coders to achieve different goals: most pop-ups are coded in JavaScript, while ActiveX is used for downloading apps and patches. Only if a coder/hacker is able to execute mobile code on an organization's infrastructure (PC, router, switch, server...) does it become possible to download and collect personal and private information, or to carry out any other malicious activity.

For example, if a window or frame hosted on one server tries to access the properties of a window or frame that contains a page from a different server, the browser's policy comes into play and restricts that type of action. The idea behind such restrictions is to prevent hackers from placing their pages inside the original page and extracting unauthorized information using code inside their pages written for that purpose.
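The browser check described above, as an added example that is not part of the original post: two windows or frames may script each other only when their origins, the (scheme, host, port) tuple of their URLs with the scheme's default port filled in, are identical. The comparison below is written in Python for illustration; the URLs are constructed.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Added example (not from the original post). Default ports are used when the
# URL omits one, so "https://host/" and "https://host:443/" share an origin.
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url: str) -> Tuple[str, str, Optional[int]]:
    """Return the (scheme, host, port) origin tuple of a URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""          # urlsplit lower-cases the host already
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)

def same_origin(url_a: str, url_b: str) -> bool:
    """True if a document at url_a may read window/frame properties of url_b."""
    return origin(url_a) == origin(url_b)

def frame_access(parent_url: str, frame_url: str) -> str:
    """Describe the browser's decision when parent reaches into frame."""
    if same_origin(parent_url, frame_url):
        return "allowed: same origin"
    return "blocked: cross-origin frame access"

# Constructed sample: the outer page against frames from the same server and
# from different servers, schemes and ports.
PARENT = "https://www.example.com/app"
FRAMES = [
    "https://www.example.com:443/frame.html",   # same origin (default port)
    "https://www.Example.com/other",            # host compared case-insensitively
    "http://www.example.com/frame.html",        # scheme differs
    "https://evil.example.net/frame.html",      # different server
    "https://www.example.com:8443/frame.html",  # port differs
]

if __name__ == "__main__":
    for frame in FRAMES:
        print(f"{PARENT} -> {frame}: {frame_access(PARENT, frame)}")
```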

Protections for Mobile Code
One of the solutions for preventing JavaScript from being used to write mobile code and run it on the client side is to parse the code before execution. If the code can be parsed before execution, i.e. with access to the stack, where control over the execution of the code can be achieved, a malicious virus can be prevented from running.

The best and easiest way to block mobile code is to have an authorized policy that bans or restricts mobile code entering your organization. To implement this policy, an organization can build a rule set on its firewall to block all mobile code at the perimeter and stop it entering the organization. At the same time, this may not be feasible for many organizations, since languages like JavaScript and ActiveX are used heavily in building websites to add bells and whistles. This takes us back to the familiar risk assessment question: how much mobile code, and which kinds, should be allowed into the organization? The organization should assess the risk related to each kind of mobile code and allow or disallow it based on the risk it poses to the business. If there is an exception, make sure the business owner signs off on the exemption form.

Ongoing user awareness of the mobile code policy and the risk assessment process will be necessary to minimize risk. Blocked mobile code should be monitored or scanned according to the policy, and appropriate measures should be taken if rogue mobile code is detected.

Do you check that your vendors or partners are not downloading malicious mobile code onto your website?

To know more about Mobile Code….
Titles on eBay
Titles on DISC InfoSec Store

Tags: ActiveX, Business, ISO/IEC 27002, Java, JavaScript, Mobile code, Personal computer, VBScript

