Oct 05 2011
Information Security: Everything you need to know
To learn more about securing and protecting information assets and implementing ISO 27001 (Information Security Management System), we recommend IT Governance: A Manager’s Guide to Data Security and ISO 27001 / ISO 27002, Fourth Edition. This book covers the essentials of information security and data protection: viruses, hackers, online fraud, privacy regulations, computer misuse and investigatory powers.
Oct 04 2011
New California Data Breach Notification Law
Information Security Law: The Emerging Standard for Corporate Compliance
At the beginning of September, an addition was made to California’s data breach notification laws. S.B. 24 was signed into law and takes effect on the first day of 2012. It requires specific actions to be taken in the event of a data breach, including a standardized notification to affected individuals and, if the breach affects 500 or more California residents, notification of the California Attorney General.
Why is this relevant to you or your customers? The notification duty applies to personal information that was unencrypted: if you encrypt your customers’ personal information, a breach of that data does not trigger the notifications, because you have safeguarded it. That keeps you out of the press and out of lawsuits, and shows that you handle customer data responsibly. One practical caveat: the protection is only as good as your key management; ciphertext exposed together with its key has not been safeguarded.
You can read more about this legislation here:
Oct 03 2011
CYBERCONFLICT
Our assessment is that cyberattacks will be a significant component of future conflicts. Over thirty countries are creating cyber units in their militaries. It is unrealistic to believe that each one will limit its capabilities to defense. Moreover, the centrality of information technology to the U.S. military and society virtually guarantees that future adversaries will target it.
Read more: The Pentagon’s cyberstrategy, one year later
Cyber-Conflict and Global Politics
Cyberpower and National Security (National Defense University)
Sep 28 2011
Department of Homeland Security Releases Cyber Security Evaluation Tool (CSET)

Homeland Security: A Complete Guide to Understanding, Preventing, and Surviving Terrorism
The Cyber Security Evaluation Tool (CSET) is a Department of Homeland Security (DHS) product that assists organizations in protecting their key national cyber assets. It was developed under the direction of the DHS National Cyber Security Division (NCSD) by cybersecurity experts and with assistance from the National Institute of Standards and Technology. This tool provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems. The tool is available for download, and the program also offers training and support at no cost to organizations engaged in administering networks that control facilities identified as being crucial to both the nation’s economy and national security.
CSET is a desktop software tool that guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards. The output from CSET is a prioritized list of recommendations for improving the cybersecurity posture of the organization’s enterprise and industrial control cyber systems. The tool derives the recommendations from a database of cybersecurity standards, guidelines, and practices. Each recommendation is linked to a set of actions that can be applied to enhance cybersecurity controls.
CSET has been designed for easy installation and use on a stand-alone laptop or workstation. It incorporates a variety of available standards from organizations such as National Institute of Standards and Technology (NIST), North American Electric Reliability Corporation (NERC), International Organization for Standardization (ISO), U.S. Department of Defense (DoD), and others. When the tool user selects one or more of the standards, CSET will open a set of questions to be answered. The answers to these questions will be compared against a selected security assurance level, and a detailed report will be generated to show areas for potential improvement. CSET provides an excellent means to perform a self-assessment of the security posture of your control system environment.
Key Benefits
• CSET contributes to an organization’s risk management and decision-making process
• Raises awareness and facilitates discussion on cybersecurity within the organization
• Highlights vulnerabilities in the organization’s systems and provides recommendations on ways to address them
• Identifies areas of strength and best practices being followed in the organization
• Provides a method to systematically compare and monitor improvement in the cyber systems
• Provides a common industry-wide tool for assessing cyber systems
Sep 23 2011
IT GOVERNANCE PRAISES ISO27001 BUT WARNS AGAINST COMPLACENCY
Geneva, Switzerland, September 2011 – Alan Calder, Chief Executive of IT Governance (ITG), the one-stop shop for information security expertise, is today advising organisations globally to embrace the ISO27001 security management standard, yet warning nobody should be complacent.
Speaking at the United Nations’ Information Security Special Interest Group’s symposium in Geneva, Calder said: “ISO27001 is international best practice for any organisation seeking a structured framework to address cyber risks. ISO27001 has many strengths, including helping organisations secure the right balance of data availability, integrity and confidentiality. A further benefit of ISO27001 is the flexibility to integrate with other management standards. This point is vital – effective cybersecurity depends on establishing a comprehensive and interconnected defence strategy.
“Every organisation should remember, however, that ISO27001 certification does not equate with invincible security. ISO27001, effectively deployed, improves an organisation’s information security and resilience, but new threats are constantly evolving. Defences, therefore, need to evolve, too. There is no room for complacency. ISO27001 rightly expects you to continually reassess your business, risk and compliance environment in line with ‘real-world’ developments.
“There is never a time for complacency in information security. The need to keep strategies under constant review has never been greater. The revolutionary wonders of ‘Web 2.0’ can rapidly turn into ‘Threat 2.0’. The speed and degree of change in the modern business, compliance and security worlds is unprecedented, from new standards and threats to new technologies, such as Google+ and Android telephones. Any technological advance brings new security risks, as hackers immediately start finding ways to burrow in and exploit vulnerabilities. Everyone must be prepared.”
Sep 23 2011
Copy Machines, a Security Risk
Think you know how to keep your information safe? Think again.
Sep 12 2011
Mobile Malware
By Mandira Srivastava
Do you think it is safe to access sensitive data on a mobile phone? Do you know that malware can steal valuable information from your phone? As smartphone sales grow, so does the development of mobile malware: malicious software that defeats the security mechanisms of mobile devices.
Malware itself has been a problem for computers for many years; with the evolution of the smartphone it has started to hit mobile handsets as well. Because smartphones are becoming more sophisticated and their operating systems more like a computer’s, they can now be infected with malware, and every business owner should be aware of this.
Just like computer malware, mobile malware is installed on your smartphone and attempts to steal the information and data stored there: documents, passwords, email login details and even credit card details, just as on a PC. Mobile malware has increased rapidly during the last year, and more and more of it is stealthy: it runs in the background without the user being aware of it.
With wireless payment systems and mobile shopping apps becoming more popular, malware may also be able to intercept credit card details. Text messages, which are sometimes used to deliver banking codes, are another channel criminals can use to obtain sensitive information. If you are considering a mobile payment system for your business, make sure it has been tested and is secure.
Malware has been found on all of the major current phone platforms, including the iPhone and Android phones.
Wi-Fi networks and Bluetooth are among the main ways malware reaches a phone: because a smartphone connects to wireless networks so easily, it is also easy to download malware over them. Protect yourself by using only secure, trusted Wi-Fi networks, accepting Bluetooth connections only from people you know, and keeping Bluetooth switched off when you are not using it.
Email has always been a popular vector for attackers, and with text messaging so widespread they now use it too, both to spread malware and for phishing scams aimed at stealing your identity. Apply the same precautions to a suspicious text that you would before opening a strange email.
Mobile security is becoming more and more important, especially for businesses, and it is a good idea to implement some basic measures to stop malware spreading: for example, always set a password (screen lock) on your phone so no one else can use it if it is stolen, and download apps only from the official app stores, not from third-party sites.
Sep 05 2011
Risk Assessment Critical for the Security of Information Assets
Information Security Risk Management for ISO27001 / ISO27002
September 01, 2011 /24-7PressRelease/ — Today, there is hardly any organisation that doesn’t recognise the critical role that information technology plays in supporting its business objectives. As a result, IT security has come to the forefront and the ISO 27001 information security standard has been embraced by numerous organisations worldwide as a best practice approach for implementing Information Security Management System (ISMS).
Risk assessment plays an important role in managing ISO 27001 controls, and it is the part with which many project managers struggle when implementing an ISMS. Information security management decisions are driven entirely by the outcome of a risk assessment in relation to identified risks and specific information assets. It is therefore imperative that a thorough risk assessment is undertaken and no risk is left unexplored. Risk assessment enables expenditure on controls to be balanced against the business harm likely to result from security failures.
IT Governance Ltd, the global leader in information security products and services, has developed a risk assessment tool, vsRisk, that automates and accelerates the risk assessment process. It enables project managers to monitor the day-to-day execution and management of the controls as well as generating reports for audit purposes.
Uniquely, vsRisk (www.itgovernance.co.uk/products/744) can assess the confidentiality, integrity and availability for each of the business, legal and contractual aspects of information assets, as required by the ISO 27001 standard. The tool can serve as a day-to-day operational tool, showing at a glance where an organisation stands in its progress towards ISO 27001 compliance. A free trial version can be requested here www.itgovernance.co.uk/iso27001-risk-assessment.aspx
Alan Calder, CEO of IT Governance, comments, “vsRisk reduces the time and cost of undertaking an ISO 27001-compliant risk assessment. It simplifies each step of an ISO 27001 risk assessment, allowing compliance project managers to capture their information security policy and objectives, plus the scope of their information security management system, and undertake a rapid appraisal of all key areas, including groups, assets and owners. ”
vsRisk (www.itgovernance.co.uk/products/744) offers an in-built audit trail, comparative history, comprehensive reporting and gap analysis that radically reduces the manual record keeping traditionally associated with risk assessments. The tool minimises the need for specialist knowledge and significantly undercuts the cost of generalist risk management tools, thus, making ISO27001 compliance achievable for a far wider range of organisations and professionals.
As well as supporting ISO/IEC 27001:2005 and ISO/IEC 27002, vsRisk v1.5 complies with BS7799-3:2006, ISO/IEC 27005, NIST SP 800-30 and the UK’s Risk Assessment Standard.
vsRisk is produced by Vigilant Software, the specialist software subsidiary of IT Governance and can be purchased online from www.itgovernance.co.uk/products/744.
Sep 01 2011
Information Security eBooks Download
Information security eBook download sites
Strategic Information Security
The New School of Information Security
Insider’s Guide to Security Clearances
Information Security Risk Analysis by Thomas R. Peltier
Information Security Risk Analysis, 2 Ed. by Thomas R. Peltier
Information Security Risk Analysis by Tom Peltier shows you how to use cost-effective risk analysis techniques to identify and quantify the threats, both accidental and purposeful, that your organization faces. The book steps you through the qualitative risk analysis process using techniques such as PARA (Practical Application of Risk Analysis) and FRAP (Facilitated Risk Analysis Process) to:
Evaluate tangible and intangible risks
Use the qualitative risk analysis process
Identify elements that make up a strong Business Impact Analysis
Conduct risk analysis with confidence
Aug 27 2011
12 Steps to IT Security
This video outlines 12 steps to take to protect your business from the threat of e-Crime.
Aug 20 2011
ISO27002 Implementation Intro.m4v
Making the implementation of ISO27001 easier to do within your organisation. This video is your introduction.
Aug 19 2011
If you See Something Say Something – DHS
“Dept Of Homeland Security Attempt To Induce A Permanent State Of Fear & Paranoia!”
DHS encourages folks in public to spy on others for the sake of security?
http://www.youtube.com/watch?v=gjeMCCQlCPA
Aug 12 2011
The End of Online Privacy? Fight the Internet Snooping Bill!
The End of Online Privacy? Fight the Internet Snooping Bill! (Must watch/share)
HR1981 would force the company you pay for Internet access to store a year’s worth of personal data and hand it over at the request of law enforcement. Protecting children from pornographers does not justify collecting everybody’s data “just in case” they may commit a crime in the future.
The New York Post noted that if legislators were required to assign bills honest names, this one would read: Forcing Your Internet Provider to Spy On You Just in Case You’re a Criminal Act of 2011.
CLICK HERE TO EMAIL YOUR LAWMAKERS: http://act.demandprogress.org/letter/snooping_bill/
Aug 08 2011
How to decide between ISO 27001 Cert and ISO 27002 Compliance
Choosing between ISO 27001 certification and ISO 27002 compliance is an important decision for your organization. Continuous compliance with the standard may save you money in the short run, but the benefits of ISO 27001 (ISMS) certification outweigh it in the long run. Compliance is a commitment to regular internal audits whose results you show to your vendors and partners; certification, by contrast, requires audits by independent external auditors.
Things that may affect your decision:
a) What will it cost to achieve ISO compliance? Pick a scope and perform a gap analysis against ISO 27002 to see where the gaps are. Then work out the cost of treating those gaps for your organization, including consultants, tooling and project management. These figures vary from organization to organization.
b) Will ISO certification benefit the organization because its competitors already have it? (How much business might you lose, or how many prospective customers might you miss, without it?)
c) Certification may save money, time and effort in the long run by supporting your other compliance efforts (PCI, HIPAA, SOX, NIST, GLBA): if specific controls are already certified, how much of the spending on those other audits can be saved?
d) Will enough customers demand or require the certification as a condition of doing business? Not having it may be a business disabler, and losing important customers will affect the company’s bottom line.
Risks of being non-compliant:
• No assurance to customers regarding InfoSec controls
• May lose customers in the long run
• May affect future business
Benefits of certification:
• Business enabler
• Align with the business goals
• Everyone is responsible for InfoSec
• De facto InfoSec standard
• ISO 9000, ISO 14000, ISO 20000 compatible
• Commonly accepted best practice
• Capable of external certification
Aug 08 2011
Advanced persistent threats force IT to rethink security priorities
By Ellen Messmer
Network World – The biggest business challenge today, in the minds of many information security officers, is the stealthy online infiltration by attackers to steal valuable proprietary information. The reality, they say, is that these so-called “advanced persistent threats” are so rampant and unrelenting they are forcing IT to rethink network security.
“Tackling advanced persistent threats means giving up the idea that it’s possible to protect everything. This is no longer realistic,” states the Security for Business Innovation Council, the group of 16 security leaders from companies that include eBay, Coca-Cola Company, SAP, FedEx Corp., Johnson & Johnson and Northrop Grumman. The council today published a report — “When Advanced Persistent Threats Go Mainstream” — outlining the problems and challenges facing large organizations.
These advanced persistent threat (APT) infiltrations can emanate from nation-states and their hired-hand attackers as well as industrial competitors, organized crime and “hacktivists” like Anonymous. The term APT is thought to have originated within the U.S. military, primarily the Air Force, which used the phrase as shorthand to describe cyberattacks that seemed to originate from somewhere in mainland China.
The overall sense, according to the report, is that an APT is a “cyberattack that is highly targeted, thoroughly researched, amply funded, and tailored to a particular organization — employing multiple vectors and using ‘low and slow’ techniques to evade detection.”
This stealthy attack infiltration to steal important data has become widespread, with several companies and government agencies disclosing they’ve been targets, including Google, EMC’s security division RSA, Epsilon, Citigroup, The Washington Post and the Department of Energy research labs Oak Ridge National Laboratory and Pacific Northwest National Lab.
Timothy McKnight, chief information security officer at Northrop Grumman, who is a member of Security for Business Innovation Council, recently discussed how the aerospace and defense firm virtually every day has to defend itself against what it believes are a dozen separate groups of attackers trying to get into its network to steal sensitive data.
In the council report the 16 information security officers advise security teams to work closely with their business managers to identify the “crown jewels” of the organization and protect these “core assets,” while “also moving away from a perimeter-centric view.”
“Focusing on fortifying the perimeter is a losing battle,” their report bluntly states. “Today’s organizations are inherently porous. Change the perspective to protecting data throughout the lifecycle across the enterprise and the entire supply chain.” And the report adds: “The definition of successful defense has to change from ‘keeping attacks out’ to ‘sometimes attackers are going to get in; detect them as early as possible and minimize the damage.’ Assume that your organization might already be compromised and go from there.”
Read the rest of the article: Advanced persistent threats force IT to rethink security priorities
Jul 27 2011
Tim O’Reilly: The Future of Business Intelligence is Now
When Tim O’Reilly talks, it’s better for all to listen very, very carefully! This man is an absolute visionary! I still remember how shocked I was at first when he answered that the next big innovation (or change) is off-line shopping! He is so damn right…
Jul 24 2011
Security as a Service and Office as a Service
The Windows Intune cloud service helps you centrally manage and secure your PCs through a simple web-based console, whether your IT staff or end users are in the main office, at a branch office, or on the road.
Click the figure below to see a video of the Windows Intune benefits:
Windows Intune simplifies and helps businesses manage and secure PCs using Windows cloud services and Windows 7—so your computers and users can operate at peak performance, from virtually anywhere
Take advantage of this free one-month trial to see whether Windows Intune aligns with your business requirements, helps you comply with the industry standards and regulations that apply to you, and is cost-effective for your business. To judge that you will need the total cost of your existing infrastructure, support and maintenance; a gap analysis against the standards or regulations that apply to your business will show how this security-as-a-service offering can assist your compliance effort. Managing and protecting PCs from malware is simply a cost of doing business these days. For the cost analysis, keep in mind that the cost of implementing a control (here, Intune) should not exceed the cost of the impact should malware exploit your network.
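A worked illustration of that cost test, and of the per-asset confidentiality, integrity and availability scoring described in the vsRisk entry above, as an added example that is not code from this page, from Vigilant Software or from Microsoft. It keeps a small risk register, ranks risks by a likelihood-times-impact score against an acceptance threshold, and then checks whether a control (an endpoint-management service standing in for Intune) pays for itself by comparing its annual cost with the annualised loss expectancy it removes. The 1-5 scales, the sample assets, the threats and the dollar figures are constructed assumptions for the example, not data from any real organisation.

```python
"""Risk register with qualitative scoring and a control cost-benefit check (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Qualitative 1-5 scales of the kind used in ISO/IEC 27005 and NIST SP 800-30
# style assessments. The wording of the levels is an assumption for this example.
LIKELIHOOD: Dict[str, int] = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT: Dict[str, int] = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Asset:
    """An information asset with its owner, CIA ratings (1-5) and business value."""
    name: str
    owner: str
    confidentiality: int
    integrity: int
    availability: int
    value_usd: float  # business value; basis for the single-loss expectancy below

    def cia_rating(self) -> int:
        # The highest of the three ratings sets the protection level the asset needs.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Risk:
    """One threat against one asset, scored both qualitatively and in money terms."""
    asset: Asset
    threat: str
    likelihood: str
    impact: str
    annual_rate: float  # ARO: expected occurrences per year
    exposure: float     # fraction of the asset's value lost per occurrence (0..1)

    def score(self) -> int:
        """Qualitative risk score: likelihood x impact on the 1-5 scales (1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def ale(self, annual_rate: Optional[float] = None, exposure: Optional[float] = None) -> float:
        """Annualised loss expectancy = SLE x ARO, where SLE = asset value x exposure.
        Pass residual rate/exposure to get the ALE that remains after a control."""
        rate = self.annual_rate if annual_rate is None else annual_rate
        exp = self.exposure if exposure is None else exposure
        return self.asset.value_usd * exp * rate


def rank_risks(risks: List[Risk], acceptance_threshold: int = 10) -> List[Risk]:
    """Risks whose score meets or exceeds the acceptance threshold, highest first.
    Anything below the threshold is accepted and not treated."""
    return sorted((r for r in risks if r.score() >= acceptance_threshold),
                  key=lambda r: (r.score(), r.ale()), reverse=True)


def control_justified(risk: Risk, annual_control_cost: float,
                      residual_rate: float, residual_exposure: Optional[float] = None) -> dict:
    """Decide whether a control is worth buying: its annual cost must not exceed
    the annualised loss it prevents. 'rosi' is return on security investment."""
    ale_before = risk.ale()
    ale_after = risk.ale(residual_rate, residual_exposure)
    benefit = ale_before - ale_after
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "annual_benefit": benefit,
        "justified": benefit > annual_control_cost,
        "rosi": (benefit - annual_control_cost) / annual_control_cost,
    }


def sample_register() -> List[Risk]:
    """Constructed sample data for the example; not from any real organisation."""
    crm = Asset("customer database", "sales director", 5, 4, 3, 500_000.0)
    brochure = Asset("public brochure site", "marketing", 1, 3, 2, 5_000.0)
    return [
        Risk(crm, "malware on staff PCs exfiltrates records", "likely", "major", 0.5, 0.2),
        Risk(crm, "lost unencrypted laptop with export", "possible", "major", 0.25, 0.1),
        Risk(brochure, "web page defacement", "possible", "negligible", 1.0, 0.5),
    ]


if __name__ == "__main__":
    risks = sample_register()
    for r in rank_risks(risks):
        print(f"score {r.score():>2}  ALE ${r.ale():>9,.0f}  {r.asset.name}: {r.threat}")
    # Endpoint management assumed to cost $12,000/yr and cut the malware rate from 0.5 to 0.1.
    print(control_justified(risks[0], annual_control_cost=12_000.0, residual_rate=0.1))
```

Run as a script it prints the ranked register (the defacement risk scores 3 and is accepted) and the verdict on the endpoint control: the malware risk costs an expected $50,000 a year untreated, $10,000 with the control, so a $12,000 control is justified with a return of about 2.3 times its cost. Swap in your own asset values, rates and control quotes; the decision rule is the one stated in the passage above.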
Intune: manage updates
Centrally manage the deployment of the Microsoft updates and service packs you choose to all your PCs from the Windows Intune console.
Intune: protect PCs from malware
Help safeguard your PCs from the latest threats with centralized endpoint protection built on the award-winning Microsoft Malware Protection Engine and using the same trusted technologies as Microsoft Forefront Endpoint Protection and Security Essentials.
Leverage location-agnostic Security as a Service to defend your information assets.
** Windows Intune™ – Trial **
Try Windows Intune™ for 30 days to see how businesses can simplify PC management and security by using Windows® cloud services.
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Every business has needs and yours is no different. Your people need to stay connected and you need to maintain essential security and control. So why not have both? Make productivity easier by giving everyone endless ways to work and collaborate from anywhere at any time and on any device. In the cloud you make the rules.
Leverage access to e-mail, documents, contacts and calendars on nearly any device
** Office 365™ – Trial **
Office 365 trial for professional and small businesses
Office 365 trial for Kiosk worker plan
Office 365 trial for Enterprise level plan
Microsoft Exchange Online Archiving provides an enterprise-class service to assist organizations with their archiving, compliance, regulatory and e-discovery challenges while simplifying their on-premises infrastructure, enabling cost savings and easing the burden on IT.
** Exchange Online Archiving™ – Trial **
Exchange online archiving trial
Related article:
City and County of San Francisco Adopts Microsoft Cloud Solution