Sep 21 2012

Build resilience into your management system

Category: Information Security, ISO 27k | DISC @ 10:15 am


ISO22301 and ISO27001 – The building blocks of organization management system resilience

The importance of mitigating disruption to information technology services has been at the heart of disaster recovery and business continuity plans for many years. With the growth of, and dependency on, IT and the increased risk of attack from outside sources (cyber-attack), the survival of all organisations will depend upon the protection of their critical information assets and building security in at every layer.

The idea of cyber resilience – that an organisation’s IT systems and processes should be resilient against natural disaster or outside attack – is a key principle underlying best practice and compliance with the ISO22301 and ISO27001 standards.

ISO 22301:2012 (formerly BS25999) is the international standard for business continuity within organisations and defines the specification and best practice for developing and implementing a robust business continuity management system.

ISO/IEC 27001:2013 helps businesses throughout the world mitigate the risks associated with cybercrime and provides the security assurance demanded by your board, shareholders, regulators and most importantly, your customers.


Sep 18 2012

HR controls during employment and ISO 27001

Category: ISO 27k | DISC @ 5:06 pm

This post is a continuation of our previous post on this topic, Human Resources Security and ISO 27001, where we discussed some HR misconceptions and the ISO 27001 controls related to pre-employment. In this post we will address the importance of ISO 27001 controls during employment.

Control 8.2 states that the organization should make sure employees, contractors and vendors are well aware of the information security controls related to HR, how these controls relate to them and, more specifically, what they are responsible and liable for when security threats materialize. Users who have been assigned responsibilities for managing the Information Security Management System (ISMS) must be aware of the threats and vulnerabilities related to their assigned controls.

Control 8.2.1 requires management to ensure that everyone in the organization is following the security policies and procedures in their area of responsibility. This control also ensures that staff are properly trained and briefed on their responsibilities before they are granted access to classified information.

Control 8.2.2 relates to information security awareness and training, which is basically an extension of the previous control. All employees who are responsible for maintaining, managing and improving the ISMS must receive appropriate awareness training. Make sure you keep records of all this training for the auditors to verify later.

Here are the general areas which should be included in the awareness training:

  • General ISMS awareness – the importance of maintaining and improving the ISMS
  • Asset classification and the information assets within scope
  • How to report an incident, and the difference between an event and an incident
  • User access controls and procedures
  • Business continuity and procedures
  • Related legal compliance
  • Internal audit and certification audit schedule


Sep 10 2012

5 Reasons Why Patch Management Is Vital To Your Information Security

Category: Information Security | DISC @ 10:53 am

Patching is a critical part of systems administration. I don’t think anyone would argue that. But if your patching regimen consists of turning on Automatic Updates and calling it a day, or staying up until the middle of a Saturday night logging on to each server one at a time to apply patches, you are missing the point. Patching is a task; patch management is how to perform that task easily, completely and in a scalable way. Patch management is vital to your information security because it is the only way to be sure you have taken care of all of the patching needs in your environment, and that you can audit and confirm that. Let’s look at some of the reasons why patch management is so important.

1. Patch management is about more than just operating systems
While it’s extremely important to ensure you have patched your operating systems, there are dozens of other applications out there that your users are running, which could be exploited by an infected attachment, a malicious script, and/or a compromised web page. Patch management applications can go beyond a Windows Update, addressing patches for operating systems, Microsoft and other third party applications, web browsers, media players and more. Patch management helps you ensure that no vulnerable apps are on your network.

2. Patch management is the most efficient way to handle both servers and workstations
You could probably manage to patch by hand all of your servers, and there’s a limited number of apps running on them, but trying to patch all your workstations and all the third party apps would be an impossible task without a patch management application to assess all the systems and their software, delivering those critical updates to each and every system that needs it. 100% compliance is the surest way to avoid incidents.

3. Patch management makes testing easy
Patching involves testing, and that’s why so many admins don’t patch regularly. They fear a patch might introduce an incompatibility, and would rather take their chances since they don’t have time to test. Patch management applications make it easy to push a patch to a group of systems for testing before deploying it to the rest of the network.

4. Patch management makes rollbacks easy
Sometimes, a patch needs to be rolled back, and doing that manually is out of the question. You are much more likely to deploy patches fully and on time if you can easily roll back if something turns out to be incompatible with a critical app, and a patch management application can uninstall patches from any or all systems just as easily as it can push them out.

5. Patch management makes reporting easy
One of the scariest things about relying on Automatic Updates is that you have no idea whether or not systems are actually patched, until you check them, one by one. With a patch management application, you can quickly and easily run reports to confirm that critical update for the zero day exploit really did get out to all your servers and workstations, and if one was missed, you can immediately identify and remediate it, before something bad happens.
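As an added example (not code from the original post or from GFI), the following Python models two of the steps described above over a constructed inventory: gating the estate-wide push on a pilot group (reason 3) and reporting every host that still lacks a required update (reason 5). All hostnames, group names and the "KB-EXAMPLE-*" update identifiers are placeholders.

```python
"""Patch compliance reporting and pilot-group gating over a constructed
endpoint inventory. Added example; hostnames, groups and the
"KB-EXAMPLE-*" update IDs are placeholders, not real updates."""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    group: str                                   # pilot, servers, workstations
    installed: set = field(default_factory=set)  # update IDs reported installed
    failed: set = field(default_factory=set)     # update IDs that failed or were rolled back


# Constructed inventory, as a patch-management agent might report it.
INVENTORY = [
    Host("pilot-01", "pilot", {"KB-EXAMPLE-0001", "KB-EXAMPLE-0002"}),
    Host("pilot-02", "pilot", {"KB-EXAMPLE-0001", "KB-EXAMPLE-0002"}),
    Host("srv-01", "servers", {"KB-EXAMPLE-0001"}),
    Host("srv-02", "servers", {"KB-EXAMPLE-0001", "KB-EXAMPLE-0002"}),
    Host("ws-01", "workstations", set()),
    Host("ws-02", "workstations", {"KB-EXAMPLE-0002"}),
]

# Updates every host in scope must have (placeholder IDs).
REQUIRED = {"KB-EXAMPLE-0001", "KB-EXAMPLE-0002"}


def missing_updates(host, required):
    """Required updates this host has not reported as installed."""
    return sorted(set(required) - host.installed)


def compliance_report(inventory, required):
    """Map each non-compliant hostname to its list of missing updates.

    Compliant hosts are omitted, so an empty dict means 100% compliance.
    """
    report = {}
    for host in inventory:
        missing = missing_updates(host, required)
        if missing:
            report[host.name] = missing
    return report


def compliance_rate(inventory, required):
    """Fraction of hosts with every required update installed (1.0 when empty)."""
    if not inventory:
        return 1.0
    compliant = sum(1 for h in inventory if set(required) <= h.installed)
    return compliant / len(inventory)


def pilot_cleared(inventory, update_id, pilot_group="pilot"):
    """True only if the pilot group exists, every pilot host reports the
    update installed, and none reports it failed or rolled back."""
    pilots = [h for h in inventory if h.group == pilot_group]
    if not pilots:
        return False
    return all(update_id in h.installed and update_id not in h.failed
               for h in pilots)


def rollout_targets(inventory, update_id, pilot_group="pilot"):
    """Non-pilot hosts still missing update_id, or an empty list when the
    pilot group has not cleared it yet (never push past a failed pilot)."""
    if not pilot_cleared(inventory, update_id, pilot_group):
        return []
    return sorted(h.name for h in inventory
                  if h.group != pilot_group and update_id not in h.installed)


if __name__ == "__main__":
    print(f"compliance: {compliance_rate(INVENTORY, REQUIRED):.0%}")
    for name, missing in compliance_report(INVENTORY, REQUIRED).items():
        print(f"  {name}: missing {', '.join(missing)}")
    for update in sorted(REQUIRED):
        print(f"{update}: next rollout targets {rollout_targets(INVENTORY, update)}")
```

In a real deployment the inventory would come from the patch-management agent's reports rather than a literal list; the reconciliation logic stays the same.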

Patch management is not a silver bullet. It won’t stop users from sharing passwords and it cannot prevent an admin from leaving a default configuration in place, but what it will do is enable you to keep your workstations, servers and critical applications up-to-date, fully patched and as secure as possible from hackers looking to exploit vulnerabilities in the software. That way you can spend more time on training users and verifying configs, and less time running around trying to update Flash for the tenth time this year.

This guest post was provided by Casper Manes on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more about the right patch management solution.

Tags: GFI, Patch (computing), Security, Windows Update


Sep 04 2012

Human Resources Security and ISO 27001

Category: ISO 27k | DISC @ 3:19 pm
Pre-Employment Background Investigations for Public Safety Professionals

One of the most popular misconceptions about ISO27001 is that the standard deals only with IT-related information security controls. The truth is that ISO27001 covers information security controls for several different business functions of an organization, including human resources.

Section 8 of the ISO27001 specification’s Annex A concerns human resources security. The human resources domain addresses three different stages of employment: pre-employment, during employment and post-employment. In this post we will address the importance of pre-employment controls for personnel who may manage the ISMS or handle sensitive information in an organization. Control A8.1 deals with pre-employment. The basic objective of this control is to minimize the loss of information which may occur through, but is not limited to, fraud and human mishandling. This control requires the organization to document the roles, responsibilities and accountability for managing and maintaining the ISMS (Information Security Management System).

Control A8.1.2 requires the organization to perform verification checks on permanent employees, contractors and third parties. Any screening must be carried out in accordance with the relevant local laws. This is especially relevant for international organizations which have a presence around the world. Control A8.1.3 requires the organization to ensure that employees, contractors and third parties all agree to and sign an employment contract that contains terms and conditions covering their and the organization’s responsibilities for information security.

Below are the basic job verification checks which must be completed:

  1. Character reference check for at least one personal and one business reference. Take comprehensive notes for the records.
  2. Verify the accuracy of the employee’s resume.
  3. Confirmation of academic and professional qualifications.
  4. Passport verification for identity check.
  5. Verify that the individual has authorization to work in the country.

Bear in mind the personnel vetting process may vary for government jobs or for the personnel handling highly classified material/data.

Tags: Human resources, Information Security Management System, iso 27001, ISO/IEC 27001


Aug 22 2012

5 reasons why vsRisk v1.6 is the definitive risk assessment tool

Category: ISO 27k, Security Risk Assessment | DISC @ 12:36 pm

by Melanie Watson

It is extremely difficult to carry out a risk assessment that will meet the requirements of ISO27001 without using a specialist information security risk assessment tool. While there are a wide range of products on the market that claim to meet these requirements, the reality is that there are very few.

There’s just one risk assessment tool that IT Governance recommends: vsRisk™ v1.6, the Cybersecurity Risk Assessment Tool.

It’s so straightforward, and so quick to use, it can save you a significant amount of the budget you might otherwise spend on consultancy advice at this stage of the project.

5 reasons why vsRisk is the definitive risk assessment tool:

  • This tool automates and delivers an ISO/IEC 27001-compliant risk assessment
  • Can uniquely assess confidentiality, integrity & availability (CIA) for each of business, legal and contractual aspects of information assets – as required by ISO27001
  • Gives comprehensive best-practice alignment
  • It’s easy and straight-forward to use
  • Cost-effective route to assessing risks within your business

Download the definitive risk assessment tool >>

Tags: Information Security Management System, iso 27001, Risk Assessment


Aug 15 2012

Staff awareness training – an essential component of ISO27001

Category: Information Security, ISO 27k | DISC @ 1:53 pm

Staff awareness and training are key for effective information security management and for achieving compliance with the ISO/IEC 27001:2005 standard.

As clause 8.2.2 of ISO 27002 (the Code of Practice for Information Security Management) sets out, it is imperative that security issues are addressed at the employee level and that a firm foundation is built for an employee to understand the implications of his/her actions and be mindful of these in their daily activities.
More importantly, you need to keep evidence that you have conducted formal staff awareness training.

What better way to obtain this evidence than deploying Information Security Staff Awareness eLearning within your organization?

The software enables your own corporate e-learning management portal to automatically retain records of which staff have accomplished the course. You can easily monitor the compliance status of the organization and see hard evidence of each employee’s level of understanding.

The Information Security & ISO27001 Staff Awareness eLearning course offers you tangible benefits whilst enabling you to impart basic, yet fundamental, training on information security within your organization.

Benefits of this eLearning include:
• Massive financial cost savings in comparison to traditional training options
• Minimal office disruption – staff train at their desks
• Minimal administration – comprehensive reports available
• Systematic evidence that training has actually been provided – underpinning disciplinary actions
• Simple to use with relevant and informative content


Aug 11 2012

ISO 27001 Information Security Incident Management

Category: ISO 27k, Security Incident | DISC @ 10:37 pm

English: ISMS activities and their relationship with Risk Management (Photo credit: Wikipedia)

Section 13 of Annex A handles information security incident management. One of the important things to know about this section is the difference between an event and an incident.

Information Security Event: an occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards.

Information Security Incident: indicated by a single event, or a series of unwanted information security events, that has a significant probability of compromising business operations.

IT Governance: An International Guide to Data Security and ISO27001/ISO27002

This video covers Section A.13 of ISO 27001. This refers to the reporting of information security events and weaknesses and the management of information security.

Tags: Information Security, Information Security Management System, ISO 27001 Lead Implementer, ISO/IEC 27001, Policy


Jul 30 2012

Six main benefits of Information Security Management System

Category: ISO 27k | DISC @ 3:11 pm

Information Security Wordle: RFC2196 - Site Security Handbook (Photo credit: purpleslog)

 

1. Business managers of the organization will make informed decisions regarding potential risk and should be able to demonstrate compliance with standards and regulations such as SOX, GLBA, HIPAA and the DPA for their critical information on a regular basis.

2. An ISMS is a defensive mechanism against any APT (advanced persistent threat), minimizing the impact of these external threats and of the various forms of cybercrime.

3. Informed information security decisions will be made based on risk assessment to implement technical, management, administrative and operational controls, which is the most cost effective way of reducing risk. Highest priority risks are tackled first to attain best ROI in information security.

4. Information security is not an IT responsibility; in general, everybody in an organization is responsible for protecting information assets, and business managers more specifically. Business managers may delegate their responsibility.

5. The organization will improve credibility and trust among internal stakeholders and external vendors. Credibility and trust are key factors in winning business.

6. An ISMS raises awareness of information security risks throughout the business, involves all employees throughout the organization and therefore lowers the overall risk to the organization.


Jul 11 2012

Comprehensive business continuity guide

Category: BCP | DISC @ 3:01 pm

IT Governance Publishing, the specialist publishing arm of IT Governance, has launched its latest book on business continuity and disaster recovery planning, Everything you want to know about Business Continuity.

The book focuses particularly on the new ISO/IEC 22301:2012 standard and provides practical guidance on how to implement best practice business continuity management within your organisation.

Everything you want to know about Business Continuity will show you how business continuity management can help your organisation to:

    * Carry out realistic risk identification and assessment and focus on assets which need BCP
    * Put in place a cost-effective, ‘fit-for-purpose’ business continuity plan to be more competitive
    * Enjoy greater customer loyalty and return on investment
    * Conform to the legal requirements in terms of accountability, compliance, risk awareness
    * Return to ‘business as usual’ as quickly as possible after an unforeseen incident.

The author, Tony Drewitt, held a number of technical, commercial and senior management positions before becoming a full-time management consultant 10 years ago. He was one of the first consultants in the UK to achieve full certification under BS25999-2 and has been a practising business continuity consultant, trainer and technical expert since 2001.


Jul 03 2012

Information Security Awareness

Category: Security Awareness | DISC @ 2:06 pm

Managing an Information Security and Privacy Awareness and Training Program


Jun 27 2012

Download the full version of the ITIL and/or ISO27001 toolkit today!

Category: ISO 27k | DISC @ 2:01 pm

Over the past several months IT Governance has been telling us about two of their most popular toolkits – the ITSM, ITIL and ISO20000 Implementation toolkit and the Standalone ISO27001 ISMS Documentation Toolkit.

You may have already downloaded free demo versions of these toolkits, in which case now is the perfect time to download the full version.

ITSM, ITIL® & ISO/IEC 20000 Implementation Toolkit
This toolkit is a collection of documents (policies, procedures and work templates) that will make IT Service Management easier to implement and improve.

Buy the full version here >>

Standalone ISO27001 ISMS Documentation Toolkit
The toolkit is a collection of documents (policies, procedures and work templates) that will ensure your Information Security Management System (ISMS) paperwork is in line with the requirements of ISO27001.

Buy the full version here >>

Tags: iso20000, ISO27001, ITIL


Jun 19 2012

Achieve Best Practice & Win New Business with International IT Standards

Category: cyber security, ISO 27k | DISC @ 3:38 pm

International IT Standards help organizations achieve best practice systems and management of their IT processes. Certification against standards can help organizations protect their critical assets, rebuff cyber attacks, help win new business and achieve compliance against regulatory requirements.

ISO27001: Cyber Security Standard (Cheapest price on the web)
ISO27001 helps businesses create a best-in-class Information Security Management System (ISMS), safeguarding their information assets and protecting their reputation.

ISO22301: Business Continuity Standard (Published last Month)
ISO22301 sets out the requirements for a Business Continuity Management System (BCMS) and helps organizations ensure they are prepared should a disruptive incident occur and, more importantly, that they continue trading and return to business as usual as quickly as possible.

ISO20000: IT Service Management Standard (Best Seller)
ISO20000 enables IT organizations (whether in-house, outsourced or external) to ensure that their IT service management processes are aligned. This standard specifies the requirements for a service management system (SMS) and will help you develop, implement and establish an SMS.

Tags: BCMS, isms, iso 27001, iso20000, ISO22301, SMS


Jun 04 2012

Learn how to tackle the Flame

Category: cyber security, Cybercrime | DISC @ 9:25 pm

A vicious piece of malware (known as Flame) was uncovered this week and is believed to have infected over 600 targets, to be 20 times larger than Stuxnet and to have been backed by state sponsorship.
Understand the underground economy of hacking and crimeware with this handy pocket guide. It will provide you with a valuable list of up-to-date, authoritative sources of information, so you can stay abreast of new developments and safeguard your business.

An Introduction to Hacking & Crimeware: A Pocket Guide (eBook)

Know your enemy: An Introduction to Hacking & Crimeware is a comprehensive guide to the most recent and the more serious threats. Knowing about these threats will help you understand how to ensure that your computer systems are protected and that your business is safe, enabling you to focus on your core activities.

Fighting back
In this pocket guide, the author:

• defines exactly what crimeware is – both intentional and unintentional – and gives specific, up-to-date examples to help you identify the risks and protect your business
• explores the increasing use of COTS tools as hacking tools, exposing the enemy’s tactics and giving practical suggestions as to how you can fight back
• provides a valuable list of up-to-date, authoritative sources of information, so you can stay abreast of new developments and safeguard your business.


May 27 2012

Social Engineering: An essential book and must have competency

Category: social engineering | DISC @ 11:11 pm

Chris Hadnagy has a website on the topic of Social Engineering and assisted in developing the Social Engineering Toolkit (SET). This topic and knowledge apply to every person who keeps sensitive information and every organization that wants to prevent private information leaking into the public domain via people. If you are interested in knowing the art of social engineering, this is an outstanding book.

Hadnagy recommends tools for storing the information you obtain during target investigation. He covers Google hacks in this book and mentions Johnny Long as a source. He covers pretexting (disguise), or “creating an invented scenario to persuade a target victim to release information or perform some action.” He provides preparation tools for the social engineer for the situation at hand and also warns you about legality if you are crossing the line. There is an important section on “Building Instant Rapport” which is essential reading. Hadnagy describes the powers of persuasion used to take over the target and provides eight tactics for influencing people.

Social Engineering: The Art of Human Hacking, by Chris Hadnagy, is a must-have book.

Discover the secrets of expert con men and human hackers

No matter how sophisticated your security equipment and procedures may be, their most easily exploitable aspect is, and has always been, the human infrastructure. The skilled, malicious social engineer is a weapon, nearly impossible to defend against.

This book covers, in detail, the world’s first framework for social engineering. It defines, explains, and dissects each principle, then illustrates it with true stories and case studies from masters such as Kevin Mitnick, renowned author of The Art of Deception. You will discover just what it takes to excel as a social engineer. Then you will know your enemy.

  • Tour the Dark World of Social Engineering
  • Learn the psychological principles employed by social engineers and how they’re used
  • Discover persuasion secrets that social engineers know well
  • See how the crafty crook takes advantage of cameras, GPS devices, and caller ID
  • Find out what information is, unbelievably, available online
  • Study real-world social engineering exploits step by step

Get your copy today: Social Engineering: The Art of Human Hacking


May 25 2012

10 essential books for IT Professionals

Category: Information Security | DISC @ 11:54 am

All books are available in softcover, eBook and Kindle-compatible formats at a better price than Amazon! *

Below are the 10 latest publications from IT Governance:

  1. 30 Key Questions that Unlock Management, by Brian Sutton and Robina Chatham
  2. The Concise PRINCE2, by Colin Bentley
  3. 50 Top IT Project Management Challenges, by Premanand Doraiswamy and Premi Shiv
  4. Everything you wanted to know about Business Continuity, by Tony Drewitt
  5. Everything you wanted to know about Agile, by Jamie Lynn Cooke
  6. Cloud Computing: Assessing the Risks, by Jared Carstensen, Bernard Golden and JP Morgenthal
  7. The ITSM Iron Triangle: Incidents, Changes and Problems, by Daniel McLean
  8. Managing Business Transformation: A Practical Guide, by Melanie Franklin
  9. Running IT like a Business: Accenture’s Step-by-Step Guide, by Robert E. Kress
  10. 21st Century Chinese Cyberwarfare (Pre-order), by Lieutenant Colonel Hagestad


May 21 2012

Organisations can achieve ISO9001 QMS certification quicker with a bespoke toolkit

Category: Information Security | DISC @ 1:40 pm

Check out the ITG site for details

Ely, England, 21 May 2011 – IT Governance Ltd, the global leader in management system standards, information, books and tools, is advising organisations that the quicker they implement the Quality Management System standard ISO9001, the bigger their chances are to attract new customers in the current economic conditions.

Vendors who have been asked by their clients to implement the ISO9001 standard can now achieve this quickly and effectively by using the ISO9001 QMS Quality Management System Documentation Toolkit. It contains over 60 separate documents that will help organisations accelerate the development and implementation of an ISO9001 quality management system. The toolkit can be downloaded immediately here: QMS-ISO9001 Toolkit

ISO9001 is the best practice specification that helps businesses and organisations throughout the world to develop a best-in-class Quality Management System (QMS). According to BusinessLink (UK Government), more than 1 million organisations are currently certified against ISO9001. The advantages to businesses from implementing ISO9001 include:

• greater efficiency and less waste
• consistent control of major business processes, through key processes lists
• regulation of successful working practices
• risk management
• increased customer satisfaction
• greater consistency in the quality of products and services through better control of processes
• differentiation of your business from its competitors
• increased profits

The ISO9001 QMS Toolkit, developed by IT Governance, contains a quality management manual and a full set of policies and procedures, in addition to the necessary forms, records and work instructions to underpin those policies and procedures. It is the complete toolkit for implementing an ISO9001 quality management system.

ISO9001 in Plain English

Tags: iso 9001, QMS


May 13 2012

The Cybersecurity Risk Assessment Tool

Category: ISO 27k, Security Risk Assessment | DISC @ 9:24 pm

With over 10 years in the market and 2,500 global downloads, vsRisk™ has been helping organizations all over the world carry out successful risk assessments.
Risk assessment is the core competence of cyber security management. Every decision you make must be proportionate to the actual risk your organization faces. You must therefore assess risks on a structured asset-by-asset basis – and experience proves you need to save time and money with a risk assessment tool that automates and simplifies this process.
vsRisk is the definitive ISO27001:2005-compliant risk assessment tool which will help you become cybersecure.

vsRisk – The Definitive Cyber Security Risk Assessment Tool
The vsRisk Assessment Tool has been designed with the user in mind to effectively identify, analyze and control their actual information risks in line with their business objectives. Key features of vsRisk include:
• Assessing key areas such as Groups, Assets and Owners
• Capturing your IS policy, objectives and ISMS scope
• In-built audit trail and comparative history
• Assessing attributes on Confidentiality, Integrity and Availability, in relation to Business, Legal and Contractual aspects
• Comprehensive reporting and gap analysis

Alan Calder, CEO of Vigilant Software, talks you through the risk assessment process using vsRisk.
Watch the video now >>>

This unique risk assessment tool helps you get on top of the critical risk assessment phase of your ISMS project and, most importantly, sets you up for future risk assessments as well.
Join the professionals and order yours today >>>

vsRisk and Security Risk Assessment


Apr 29 2012

Is ISO 27001 Worthwhile for Your Business?

Category: ISO 27k | DISC @ 9:31 pm

ISO 27001 As A Business Tool
More than ever, information security is a key part of a business’ overall plan and objective set. ISO 27001 can help businesses bring their information security practices together and develop a strategy to raise awareness and vigilance throughout the business.

With ISO 27001, all of a business’ information security is brought together, meaning there is a far greater level of accountability across all levels of the organisation.

ISO 27001 is a highly worthwhile tool: a world-leading information security management system standard which integrates compliance into an organisation’s everyday tasks.

Who Is Accountable For ISO 27001?
The short answer is everybody; however, there is more to it than that. ISO 27001 stands alone as an information security standard in that it places sole accountability on the business managers. Ultimately the buck stops with them, but it is up to them to spread responsibility and delegate as they see fit.

It is down to the business leaders to clearly identify which information security risks apply to their particular business and then take the necessary action to remove the risk entirely, or reduce it to a workable, acceptable level. It is the full responsibility of the managers to check and maintain that ISO 27001 standards are being met across the business.

One aspect which makes ISO 27001 a highly worthwhile tool is that there is room for each business to implement the standard in a way that best suits it. This is far removed from previous standards which have been “blankets”, leading businesses at times to put things in place when in reality that scenario will never apply to them.

ISO 27001 is only really worthwhile if a business and its leaders give the necessary level of time and dedication to achieving its aims. The ISO 27001 certificate is an acknowledgement that an information security management system exists; continuous work must be done to ensure that compliance standards are continually met and the business remains fully protected.

Strong Reputation
A business with an ISO 27001 certification will be highly reputable so long as the standards required are strongly upheld. A dedication to the protection of information, whether it be internal finances or customer details, is highly regarded throughout the world in an age where privacy is highly valued but not often respected.

ISO 27001 raises awareness throughout the business of information security risks, involves all employees throughout a company and therefore delivers a significantly lower level of overall risk.

Tags: iso 27001, iso 27002


    Apr 18 2012

    Risk Assessment control selection and cost savings

    Category: Risk Assessment,Security Risk AssessmentDISC @ 10:13 am

    In risk management, risk treatment process begins after completion of a comprehensive risk assessment.
    Once risks have been assessed, risk manager utilize the following techniques to manage the risks

    • Avoidance (eliminate)
    • Reduction (mitigate)
    • Transfer (outsource or insure)
    • Retention (accept and budget)

    Now the question is how to select an appropriate control to avoid or reduce a risk. While selecting an appropriate control to mitigate or avoid a risk, we need to consider compensating controls to cut cost and supplemental controls to increase protection for sensitive or classified assets.

    A compensating control is a safeguard or countermeasure employed by an organization in lieu of a recommended security control from a standard such as ISO 27002 or NIST 800-53. A compensating control provides protection for the information system equivalent or comparable to the original control requirement from the standard. For example, even though most standards recommend separation of duties, for a small operation it might be an unacceptable cost to separate the duties of system administration and system auditing. In that case the system owner can utilize compensating controls such as strengthening audit and personnel security.

    With a supplemental control, on the other hand, the system owner may decide to add to the recommended control to achieve more protection for sensitive and classified assets. If the likelihood is high, or the magnitude of impact is high should a threat exploit a given vulnerability, you might want to consider a supplemental control because the overall risk is high. For example, you might want to use a defense in depth approach to safeguard your crown jewels.

    Implementing and monitoring security controls can be expensive, and system owners are pressured by management to look for cost savings without any reduction in the security posture of the organization. The system owner can either inherit common controls or segment the system's exposure to reduce cost and risk.
    Common controls are security controls which have already been implemented by another information system and which your system can utilize. Basically, you work with another system owner who has already implemented some of the security controls that need to be implemented in your system. For example, use the corporate office baseline hardening configuration for Windows and Unix systems instead of developing your own. This will significantly reduce the cost of developing, testing and maintaining a secure baseline configuration.

    The best and cheapest method of cost reduction is to segment the information system into multiple systems, which adds different layers and levels of security to each system. Basically, you put your crown jewels behind multiple layers of security, so that if one control breaks there is another control in place to monitor and protect your assets. This allows the system owner to focus on implementing higher security controls for the segment with the most sensitive or classified information instead of the entire system.


    Apr 10 2012

    The world’s only cyber security standard

    Category: ISO 27kDISC @ 12:03 pm

    ISMS Requirements

    Boardrooms are finally waking up to the importance of cyber security. In the digital age, winning new business, protecting your own assets and ensuring customer confidence are all dependent upon cyber security. And there is one international standard which can help you achieve all of this, ISO27001.

    But what do you really know about the ISO27001 Standard?
    ISO27001 is the international best practice standard for an information security management system (ISMS). An ISMS is a systematic approach to managing all your confidential and sensitive information so that it remains secure, maintaining its availability, confidentiality and integrity.
    An ISMS encompasses people, processes and IT systems and ensures your security efforts are coherent, effective and proportionate. ISO27001 provides the requirements to help you design a best-in-class ISMS.

    If you are new to ISO27001, you can read more and download a free white paper on cyber security and ISO27001.

    Download a copy of ISO 27001 ISMS Requirements

