Aug 08 2011

How to decide between ISO 27001 Cert and ISO 27002 Compliance

Category: ISO 27kDISC @ 9:40 pm

It is one of an important decision for your organization when you have to decide between ISO 27001 certification and ISO 27002 compliance. When continuous compliance with the standards may save you money in short run but ISO 27001(ISMS) certification outweighs benefits in long run. ISO compliance is a commitment for an organization when it has to be audited (internal) on regular basis to show to your vendors and partners. At the same time ISO certification has to be audited by independent external auditors.

Things that may affect your decision:
a) What will be the cost of achieving ISO compliance? Pick a scope and perform a gap analysis based on ISO 27002 to see where the gaps are. Find out the cost of treating the gaps for your organization including the cost of consultant, cost of tool, and cost of project management. These processes may vary from organization to organization.

b) Does ISO certification will benefit the organization because its competitors already have done it? (How much business an organization may lose or perhaps prospective new customers.)

c) Achieving certification may save money, time and efforts in long run by aiding your organization in compliance effort (PCI, HIPAA, SOX, NIST, GLBA). (Hey auditor we are already certified in specific controls, How much of the spending can be safe on other audits.)

d) Do enough customers will demand/require the certification in order to do business with them? Not having ISO certification may be a business disabler and organization may lose important customers which will affect company’s bottom line.

Risks of being non-compliant:
• No assurance to customers regarding InfoSec controls
• May lose customers in the long run
• May affect future business

Benefits of certification:
• Business enabler
• Align with the business goals
• Everyone is responsible for InfoSec
• De-facto InfoSec standards
• ISO 9000, ISO 14000, ISO 20000 compatible
• Commonly accepted best practice
• Capable of external certification

Tags: iso 27001, iso 27002

Jul 21 2011

Information Security Breaches: Avoidance and Treatment based on ISO27001

Category: ISO 27k,Security BreachDISC @ 2:47 pm

Information Security Breaches: Avoidance and Treatment based on ISO27001
If you are running a business, you learn to expect the unexpected. Even if you have taken all the right precautions, your company might still find itself confronted with an information security breach. How would your business cope then?

There are lots of books that will tell you what to do to prevent an information security breach. This book is different. It tells you what you have to do if a security breach occurs.

Security breaches sometimes occur because computers containing sensitive information are not returned to their owners. NATO laptops have been spotted in flea markets, and US government computers were put up for sale on Ebay. Security breaches may also be the result of data theft. A bad apple in your company may be tempted to sell your confidential data to a rival firm.

If something happens, your company needs to be ready to take prompt and decisive action to resolve the issue. This book tells you the plans and procedures you need to put in place to tackle an information security breach should it occur. In particular, the book gives you clear guidance on how to treat an information security breach in accordance with ISO27001.

If a breach occurs, the evidence needs to be secured professionally. You need to know the rules on evidence gathering, and you need to be capable of isolating the suspect laptops right from the start. If you want your company to respond rapidly to an information security breach, you need to make sure that the responsibilities and roles in your company are clearly defined.

Benefits to business include:

Recover faster
An information security breach can have crippling consequences. However, with the right emergency measures in place, you will be able to recover quickly from the incident and resume normal operations.
Preserve customer confidence
An information security breach can result in loss of records and disruption to service. This can do serious damage to your relationship with your customers. It is vital for you to be prepared for an information security breach, so that if it ever happens you can preserve customer confidence.
Assist the investigation
Uncovering the root causes of an information security breach requires detective work. If an information security breach occurs, the investigators will need to be able to identify the problem. You can help them to do that by keeping proper records.
Catch the criminals
In the event of data theft, you will want to be in a position to act promptly and decisively. So you should set up an incident management system. This will mean that in the event of data theft, the police will have a greater chance of getting hold of the incriminating evidence they need to secure a conviction.

As Michael Krausz warns, “It is the prudence of management that decides on a company’s fate once a serious incident occurs, not only the size.”

What others are saying about this book …

‘…I recommend this pocket guide to anyone implementing ISO27001, and indeed to anyone who is concerned about the risks of security breaches, and who wants to know how best to prepare their organization for the unpleasant events that are bound to happen from time to time…’

Willi Kraml, Global Information Security Officer

‘…The author thankfully narrows down some important vocabulary to a practical usage in real life situations. The book gives what it advertises: a quick pocket guide to avoidance and treatment of security breaches with references to ISO27001…’

Sascha-A Beyer, Senior Manager

‘…Michael Krausz has created a valuable tool for both professional as well as less knowledgeable persons in respect to the ISO27001 Standard… Written in plain English, this handbook is easy to follow even by a novice in the Information Technology Field. Therefore “Information Secuirty Breaches” is a must within the ‘tool box’ of anyone who deals with IT issues on an every-day basis…’

Werner Preining, Interpool Security Ltd

‘Michael Krauz did a good job. His pocket guide is small enough to be read in only a few minutes, yet is packed full of valuable information presented in a structured way. The case studies especially help to understand the topic. As former CIO of a large company I can recommend it.’
Christian H Leeb, Holistic Business Development

About the author: Michael Krausz is an IT expert and experienced professional investigator. He has investigated over a hundred cases of information security breaches. Many of these cases have concerned forms of white-collar crime. Michael Krausz studied physics, computer science and law at the University of Technology in Vienna, and at Vienna and Webster universities. He has delivered over 5000 hours of professional and academic training and has provided services in eleven countries to date.

Don’t let your organisation fall victim to a security incident … download your copy today!
Information Security Breaches: Avoidance and Treatment based on ISO27001

Tags: information security brecahes, iso 27001, Michael Krausz, NATO laptops, Security Breach

Jul 13 2011

Do US companies do enough for their cyber security?

Category: cyber security,ISO 27kDISC @ 9:51 pm

IT Governance Ltd, the ISO27001 and information security experts have reported that they are making a number of free resources available for download from their US website to help US companies meet the challenges of increased cyber crime.

July 12, 2011 /24-7PressRelease/ — IT Governance Ltd, the ISO27001 and information security experts have reported that they are making a number of free resources available for download from their US website (www.itgovernanceusa.com) to help US companies meet the challenges of increased cyber crime. This week the company has published a white paper on cyber security which can be downloaded from here http://www.itgovernanceusa.com/cyber-security.aspx

Cyber security has become an issue for every nation in the world. In the US over the last 3 months there have been data breaches against high-profile organizations including Fox, Sony, Gmail, the IMF (International Monetary Fund) and major government departments. Two weeks ago, the Arizona State Police again became the victim of a cyber attack. The hack was announced on Twitter less than a week after a previous attack from Lulz Security.

US companies need to do their utmost in order to defend themselves form hackers and protect their information assets. At present, key changes in the US legislation are being discussed, and sooner or later, it is likely that strict data security measures will be imposed on organizations, which they will need to comply with. Organizations who do not act now may face serious fines in the future or even become the subject of a class action lawsuit, if the loss of customer’s data is established. Such was the case with Sony in April when a Canadian Play Station Network (PSN) user claimed damages in excess of $1 billion. This followed another lawsuit filed by an American PNS user. The consequences for companies compromising customers’ data can be severe, leading to both big financial implications and reputation damage.

IT Governance, which specializes in cyber security and compliance solutions, has published a white paper on their US website that provides information on some of the key developments US companies and their directors or IT managers need to be aware of in order to protect their business from cyber attacks. The white paper can be downloaded for free here: http://www.itgovernanceusa.com/cyber-security.aspx

Alan Calder, CEO of IT Governance, comments, “There are a few essential steps that organizations should be following if they are to implement an effective security strategy. Most organizations would only take certain measures if they are given the reasons why they should be doing this and know that their investment of time and money is worth. What is a more convincing reason than the data breaches we all witness? At IT Governance, we not only advise customers what should be done, but also provide guidance and solutions to their problems. We have the most comprehensive range of resources across a number of areas, from books and toolkits through to e-learning and software tools.”

US companies can be doing more than taking partial measures to fight cyber crime. Implementing best practice in information security management has become the most popular approach to tackling cyber security; demonstrating to both customers and business partners that an organization is working to the highest standard. Accredited certification to ISO27001 gives an organization internationally recognized and accepted proof that its system for managing information security – its ISMS or cyber security readiness – is of an acceptable, independently audited and verified standard. Everything US companies need to know about ISO27001 is explained on this website: http://www.27001.com

Tags: isms, iso 27001

Jan 13 2011

Meet Stringent California Information Security Legislation with Comprehensive Toolkit

Category: ISO 27kDISC @ 4:06 pm

Three years ago, California state IT council adopted the information security program guide which help organizations to comply with SB 1386. The council advised the use of information security standard ISO 27002 framework to comply and meet the needs of SB 1386.

This legislation deals with the security of personal information and is applicable to all organisations (state and government agencies, non-profit, companies of all sizes, regardless of geographic location) holding personal data on any person living in California. SB-1386 requires such information holders to disclose any unauthorised access of computerised data files containing personal information.

In response, IT Governance’s comprehensive ‘SB-1386 & ISO27002 Implementation Toolkit’ is specifically designed by experts in data compliance legislation to guide organisations on how to conform to SB-1386. The toolkit conforms to ISO27002 and, if desired, also helps organisations prepare for any external certification process (ISO 27001) that would demonstrate conformance with such a standard. The State of California has itself formally adopted ISO/IEC 27002 as its standard for information security and recommended that organisations use this standard as guidance in their efforts to comply with California law.


Which businesses are affected by SB 1386 law?
o If you have a business in California
o Outsourcing company who does business with a company in California or have customers in California
o Data centers outside of California which store information of California residents

sb1386

Toolkits are designed to help organizations who need to comply with a law like SB 1386. SB 1386 and ISO 27002 implementation toolkit assist ISO 27002 compliance. Also help organizations who are interested in certification to lay in the ground work for (ISO 27001) certification that would demonstrate the conformance with world class information security management systems.


The Comprehensive SB1386 Implementation toolkit comprises of:
1. The SB 1386 Documentation Toolkit: a download with nearly 400 of densely packed pages of fit-for-purpose policies and procedures ensuring full compliance with SB 1386.
2. International IT Governance: An Executive Guide to ISO 17799/ISO 27001 (Soft Cover) This is the US version of the long established world leading manual on designing and implementing an Information Security Management System (ISMS) in line with the best practice guidance of ISO27001/ISO17799.
3. vsRisk™- the Definitive ISO 27001: 2005-Compliant Information Security Risk Assessment Tool which in summary:
o automates and delivers an ISO/IEC 27001-compliant risk assessment
o Uniquely, can assess confidentiality, integrity & availability for each of business, legal and contractual aspects of information assets – as required by ISO 27001
o Comprehensive best-practice alignment
o Supports ISO 27001
o Supports ISO 27002 (ISO/IEC 17799)
o Conforms to ISO/IEC 27005
o Conforms to NIST SP 800-30
o The wizard-based approach simplifies and accelerates the risk assessment process;
o Integrated, regularly updated, BS7799-3 compliant threat and vulnerability databases.
4. Plus an electronic copy of the Information Security Standard ISO/IEC 27002: (formerly ISO 17799).

Buy The SB-1386 & ISO27002 Implementation Toolkit NOW!

ISO assessment is a great first step towards ISO 27002 compliance and toward the final goal of ISO 27001 certification.

vsRisk and security risk assessment

ISO 27002 Framework for Today’s Security Challenges
httpv://www.youtube.com/watch?v=yRFMfiLbNj8

Tags: iso 27001, iso 27001 certification, iso 27002, iso 27005, ISO 27k, iso assessment, iso compliance, sb 1386

Feb 08 2010

Long Awaited ISO/IEC 27003:2010

Category: ISO 27kDISC @ 2:43 pm


The long awaited international standard to the implementation of an information security management system, ISO/IEC 27003:2010, is now available.

It’s a must have –

To Download a copy of ISO27003 – Implementation Guidance

Key Features and Benefits:

  • The first standard to offer comprehensive guidance on implementing an ISO/IEC 27001:2005 ISMS. Using this standard during an ISMS implementation will improve your organisation’s chances of becoming ISO/IEC 27001 certified.
  • Fully aligned with the rest of the ISO/IEC 27000 family of standards, meaning the strengths of all of the ISO/IEC 27000 standards together can be leveraged. Bringing about a higher level of information security, compliance, and cost savings, etc
  • Written in a generic, practical manner, making the advice and guidance within applicable no matter the size, type or location of your organisation.


Get your copy today >>

To Download a copy of ISO27003 – Implementation Guidance

Tags: iso 27000, iso 27001, iso 27003, ISO 27k, ISO/IEC 27003

Dec 10 2009

What is a risk assessment framework

Category: Information Security,Risk AssessmentDISC @ 5:46 pm

Computer security is an ongoing threat?!?
Image by Adam Melancon via Flickr

The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments

Definition – A risk assessment framework (RAF) is a strategy for prioritizing and sharing information about the security risks to an information technology (IT) infrastructure.

A good RAF organizes and presents information in a way that both technical and non-technical personnel can understand. It has three important components: a shared vocabulary, consistent assessment methods and a reporting system.

The common view an RAF provides helps an organization see which of its systems are at low risk for abuse or attack and which are at high risk. The data an RAF provides is useful for addressing potential threats pro-actively, planning budgets and creating a culture in which the value of data is understood and appreciated.

There are several risk assessment frameworks that are accepted as industry standards including:

Risk Management Guide for Information Technology Systems (NIST guide) from the National Institute of Standards.

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) from the Computer Emergency Readiness Team.

Control Objectives for Information and related Technology (COBIT) from the Information Systems Audit and Control Association.

To create a risk management framework, an organization can use or modify the NIST guide, OCTAVE or COBIT or create a framework inhouse that fits the organization’s business requirements. However the framework is built, it should:

1. Inventory and categorize all IT assets.
Assets include hardware, software, data, processes and interfaces to external systems.

2. Identify threats.
Natural disasters or power outages should be considered in addition to threats such as malicious access to systems or malware attacks.

3. Identify corresponding vulnerabilities.
Data about vulnerabilities can be obtained from security testing and system scans. Anecdotal information about known software and/or vendor issues should also be considered.

4. Prioritize potential risks.
Prioritization has three sub-phases: evaluating existing security controls, determining the likelihood and impact of a breach based on those controls, and assigning risk levels.

5. Document risks and determine action.
This is an on-going process, with a pre-determined schedule for issuing reports. The report should document the risk level for all IT assests, define what level of risk an organization is willing to tolerate and accept and identify procedures at each risk level for implementing and maintaining security controls.

Related articles by Zemanta

Tags: Business, COBIT, Computer security, Data, Fire and Security, Information Technology, iso 27001, iso 27002, National Institute of Standards and Technology, NIST, OCTAVE, Risk management, Security, security controls, Technology

Dec 03 2009

2010 Compliance Laws

Category: pci dss,Security ComplianceDISC @ 2:13 am

Information Security Wordle: PCI Data Security...
Image by purpleslog via Flickr
In 2010 there will be two important compliance laws introduced which will affect the majority of North American organizations and many global organization too.

45 US States followed California when they introduced “SB1386“, the Security Breach Information Act, which has specific and restrictive privacy breach reporting requirements.


  • From the 1st January 2010, ALL businesses that collect or transmit payment card information, will be legally obliged, by Navada Law, to comply with PCI DSS.

  • Every organization who collect, owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 (The Massachusetts Data Protection Law) on or before March 1, 2010.



    • Similarly to the SB1386 Law, California, Massachusetts & Texas are already looking at making PCI DSS Law and history tells us that when California moves, everyone else follows!
    To help you comply with these impending laws ITG have developed a range of solutions which are aim to make the process as cost effective and simple as possible:

    The Nevada PCI DSS Law:

    The PCI DSS requires you to:

  • apply a number of specific controls, or safeguards.

  • These include documented policies and procedures; as well as

  • a number of technical IT and network configurations.

  • You will also have to provide staff with appropriate training; and

  • You will have to have quarterly scans.



    • PCI DSS v1.2 Documentation Compliance Toolkit
    toolkit-book-pci-dss

    This PCI DSS v1.2 compliance toolkit is specifically designed to help payment card-accepting organizations quickly create all the documentation required to affirmatively answer the requirements of the PCI DSS as set out in the Self Assessment Questionnaire (v1.2).


    201 CMR 17.00 – The Massachusetts Data Protection Law:

    201 CMR 17.00 & ISO 27001 Toolkit
    mass_dpa_law

    will save you months of work, help you avoid costly trial-and-error dead-ends, and ensure everything is covered to current 201 CMR 17.00 / ISO 27001 standard.

    This version of the ISMS Documentation Toolkit is ideal for those who owns or licenses personal information about a resident of the Commonwealth.

    Related articles by Zemanta

    Reblog this post [with Zemanta]

    Tags: 201 CMR 17.00, california, iso 27001, ISO/IEC 27001, Law, Massachusetts, Massachusetts Data Protection Law, Nevada, Nevada PCI DSS Law, Payment Card Industry Data Security Standard, PCI Express, privacy, sb 1386

    Aug 10 2009

    Managing Risks and NIST 800-53

    Category: Security Risk AssessmentDISC @ 5:48 pm

    logo of en:National Institute of Standards and...
    Image via Wikipedia

    FISMA Certification & Accreditation Handbook

    The organizations need to establish security program to manage their day to day risks. Before selecting the controls from standards such as (NIST 800-53 or ISO 27002), organizations need to have complete inventory of the assets involved in the scope. Assets involved in the scope would require a comprehensive risk assessment to determine the sensitivity/criticality of these assets. Depending on the categorization of these assets will determine an appropriate control from standard to mitigate relevant risk. In some cases supplemental controls may be required.

    Management of risks involves the risks to the organization with the operation of an information system or information security management system. Risk management is an effective frame work for selecting appropriate security controls for an information system and assist in selecting of appropriate security controls to protect assets.

    Both ISO and NIST standards follow the similar path in control selections. NIST 800-53 has 163 high level controls and 154 medium level controls which have around 95% mapping with ISO 27002 which has 133 controls. While NIST SP 800-53 is required for federal (unclassified) information system, NIST encourages its use in commercial space. Commercial organizations can utilize the NIST standard to create their security program, which will provide a road map to their security strategy and assist in making informed decisions for securing their information assets.

    The management of day to day risks is a key element in an organization’s information security program and both NIST and ISO provide an effective framework for selecting and managing the appropriate security controls for information system. ISO utilize PDCA (Plan, Do Check, and Act) Deming model for selecting the appropriate security controls and managing its information security management system. NIST on the other hand utilize the similar framework for selecting and managing appropriate controls for information system and is called risk management framework security life cycle. Copy of the NIST risk management framework security life cycle is available to see an eerie resemblance with PDCA model.

    nist_rmf1

    Around 80% of critical infrastructure resides in private sectors which required to be protected by various regulations. Both NIST and ISO can be utilized to protect assets, however in some cases one standard might fit better in your environment then the other or perhaps you are able to manage one standard better then the other. Both standards required their information system to be audited or reviewed by authorized organizations to achieve apporpriate certifications.

    Related articles by Zemanta

    Reblog this post [with Zemanta]

    Tags: iso 27001, iso 27002, NIST 800-53, PDCA, Risk management

    May 06 2009

    Rise of cybercrime and management responsibility

    Category: Information Security,Information WarfareDISC @ 5:08 pm

    ITIL Security Management
    Image via Wikipedia
    According to SF Chronicle article by Deborah Gage (May 8, 2009, c2) consumer reports magazine’s annual “State of the Net” survey finds that cybercrimes has held steady since 2004, with one out of five consumers becoming victims in last two years at a cost to economy of $8 billion. Consumer report can be found on at www.consumerreports.org

    Uncertain economic time brings new threats and scams and most of the security experts agree that there’s a possibility of increase in cybercrime for this year. Survey also found that around 1.7 million people were victims of identity theft and 1.2 million had replaced their computers because of infected software.

    First why all the signs are showing uptick in cybercrimes and second what are we going to do about it.

    Management should start considering security as total cost of ownership instead of wasting time on what is ROI of information security. If there is a security breach, somebody in the management should be held accountable not an IT or security personnel. Management will keep demonstrating lax attitude toward data protection and security in general unless there are serious consequences like spending time in jail for lack of security controls (basic due diligence) and not taking appropriate actions for the risks that posed a significant threat to the organization.

    PCI, HIPAA and SOX compliance are a good start in a right direction for management to take information security into consideration, but these compliance initiatives don’t address the security of a whole organization. They address security risks of a business unit in an organization. If management is really serious about security then ISO 27002 code of practice is one of the option which should be considered to address the security of the whole organization and ultimately organization should achieve ISO 27001 certification which will build a comprehensive information security management system to manage ongoing risks.

    [TABLE=2]

    Related articles by Zemanta

    Reblog this post [with Zemanta]

    Tags: Information Security, International Organization for Standardization, isms, iso 27001, iso 27002, Operating system, Policy, Security

    Feb 12 2009

    SB1386 and ISO27002

    Category: ISO 27kDISC @ 7:08 pm

    In April 20007, California state IT council adopted the information security program guide which help organizations to comply with SB 1386. The council advised the use of information security standard ISO 27002 framework to comply and meet the needs of SB 1386.

    [Table = 13]

    Which businesses are affected by SB 1386 law?
    o If you have a business in California
    o Outsourcing company who does business with a company in California or have customers in California
    o Data centers outside of California which store information of California residents

    sb1386

    Toolkits are designed to help organizations who need to comply with a law like SB 1386. SB 1386 and ISO 27002 implementation toolkit assist ISO 27002 compliance. Also help organizations who are interested in certification to lay in the ground work for (ISO 27001) certification that would demonstrate the conformance with world class information security management systems.


    The Comprehensive SB1386 Implementation toolkit comprises of:
    1. The SB 1386 Documentation Toolkit: a download with nearly 400 of densely packed pages of fit-for-purpose policies and procedures ensuring full compliance with SB 1386.
    2. International IT Governance: An Executive Guide to ISO 17799/ISO 27001 (Soft Cover) This is the US version of the long established world leading manual on designing and implementing an Information Security Management System (ISMS) in line with the best practice guidance of ISO27001/ISO17799.
    3. vsRisk™- the Definitive ISO 27001: 2005-Compliant Information Security Risk Assessment Tool which in summary:
    o automates and delivers an ISO/IEC 27001-compliant risk assessment
    o Uniquely, can assess confidentiality, integrity & availability for each of business, legal and contractual aspects of information assets – as required by ISO 27001
    o Comprehensive best-practice alignment
    o Supports ISO 27001
    o Supports ISO 27002 (ISO/IEC 17799)
    o Conforms to ISO/IEC 27005
    o Conforms to NIST SP 800-30
    o The wizard-based approach simplifies and accelerates the risk assessment process;
    o Integrated, regularly updated, BS7799-3 compliant threat and vulnerability databases.
    4. Plus an electronic copy of the Information Security Standard ISO/IEC 27002: (formerly ISO 17799).

    Buy The SB-1386 & ISO27002 Implementation Toolkit NOW!

    ISO assessment is a great first step towards ISO 27002 compliance and toward the final goal of ISO 27001 certification audit or for that matter any compliance audit.

    ISO 27002 Framework for Today’s Security Challenges
    httpv://www.youtube.com/watch?v=yRFMfiLbNj8

    Reblog this post [with Zemanta]

    Tags: Information Security, Information Security Management System, International Organization for Standardization, iso 27001, iso 27002, iso 27005, iso assessment, National Institute of Standards and Technology, sb 1386

    Jan 30 2009

    ISO 27k and CMMI

    Category: Information Security,ISO 27kDISC @ 2:00 am

    To become a successful business in today’s market, optimized information security controls may be the panacea for unmet security needs. One way to achieve optimized information security control is to perform ISO assessment and assess the organization security posture based on ISO 27002 code of practice and map each control with Capability Maturity Model Integration (CMMI) to find out the current CMMI level for each control. information The goal is to address the organization security needs as a whole, and assess how different departments and business functions are addressing the current business security requirements. The CMMI has five levels and evaluate security controls based on levels, not on specific objectives. Each level provides the basis for the next level where it is not possible to get to the next level without complying with previous level. ISO 27002 is a comprehensive framework which can be utilized to obtain the baseline upon which to build each level. For each control in ISO 27002, maturity levels are defined using maturity definition found in CMMI. In the assessment report maturity level of each control of ISO 27002 standard can be evaluated. Utilizing the color coded scheme provided by CMMI model, create a one page ISO control summary for executives which will not only help them to understand the current security posture but also can be instrumental for measuring progress and resource allocation.

    The scope of the ISO27k standards includes various aspects of IT. The introduction to ISO 27002 states clearly: “Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post of using electronic means, shown on films, or spoken in conversation. Whatever form information takes, or means by which it is shared or stored, it should always be appropriately protected.”

    Benefits of ISO 27k framework:
    o Framework addresses the security issues for the whole organization and limit data breaches
    o Address compliance with various regulations like (SOX, HIPAA, and PCI) without creating silos.
    o Reduce total cost of security by decreasing total number of controls required
    o Perception of your business that you are serious about information security not just compliance
    o Enhance partners and vendors confidence to do business with your organization
    o Future deciding factor for national and especially international partners for more business
    o Internationally recognized standard which addresses security awareness for the whole organization

    isotocmmi

    Assessment will give an organization a high level view of their current security posture and provide a road map for security strategy in a sense what needs to be addressed first utilizing risk based approach. This is also a good start if your organization is interested in the Information Security Management System (ISMS) or ISO 27001 certification. ISO 27001 is the standard for the certification which includes the set of requirements for ISMS. Justifiable scoping is the key to a quick and successful certification; organization may adjust their scope in a re-certification attempt. Perhaps in the first attempt you may need to include just a web portal in your scope and the entire infrastructure behind supporting that portal. Once the ISMS project scope is determined, here are some steps you can follow to prepare for ISO 27001 auditors.

    1. Based on your scope, create an asset list
    2. Find out asset threats and vulnerabilities and classify the asset based on CIA scale
    3. Come up with risk matrix based on impact and likelihood of the risk
    4. Create priorities based on impact and likelihood of the risk
    5. Based on priorities, implement appropriate controls for risks which needs to be addressed
    6. Do the risk assessment again, PDCA improve ISMS

    “ISO27001 is a structured, technology-neutral, vendor-agnostic specification and code of practice for information security management in organizations of all sizes that should be adopted as part of an organization’s overall risk management strategy.”

    This should give you a jump start to certification. You have already started the process of certification because most of the documentations in the risk assessment will become part of certification process later and will lead you to 12 steps which are part of PDCA cycle. ISMS certification process utilized Plan-Do-Check-Act (PDCA) cycle methodology which continually improve information security management system and meet the contractual, legal, and regulatory requirements for information security.

    ISO assessment is utilized to analyze the current security posture of an organization where each control is defined and can be color coded using the base definition found in CMMI. Therefore ISO assessment is a great first step towards the final ISO 27001 certification audit or for that matter any compliance audit.

    [TABLE=2]

    ISO 27k framework for today’s security challenges
    httpv://www.youtube.com/watch?v=yRFMfiLbNj8

    Three useful titles on ISO 27k by Alan Calder

    Related articles by Zemanta

    Tags: Capability Maturity Model Integration, CIA scale, Information Security, Information Security Management System, International Organization for Standardization, isms, iso 27001, iso 27002, ISO/IEC 27001, PCI, PDCA, Risk Assessment, Risk management, Security, SOX HIPAA, vsrisk

    Jan 14 2009

    Cyber warfare and possibility of cybergeddon

    Category: Information WarfareDISC @ 1:56 am

     

    Background and Risks Associated with Various SCADA Systems | Envista Forensics

    Cyber warfare poses a serious threat to critical infrastructure of a country. It has been a major challenge for DoD officials, cyber attackers have already stolen tera byte of data from their infrastructure.

     

    Most of the security expert and FBI agree that cyber attacks pose biggest threat to US vital infrastructure. “Cybergeddon” our daily economy which depend on inter connected vital network infrastructure is hacked by cyber attacker.

    SCADA (Supervisory Control and Data Acquisition – control power grids in all the utilities) “systems are used in industry to monitor and control plant status and provide logging facilities and are highly configurable“. SCADA system is a connection between control systems and the switches.

    Cyber attackers have already led to multicity power outage outside of US. Recent attacks show that cyber attackers are getting more knowledgeable about SCADA system. In the past SCADA use to be exclusive system but now slowly getting integrated with the rest of the infrastructure and utilizing IP addressing scheme. Both introduce new threats and raise the risk of cyber attack.

    Utilities are the most critical infrastructure in a sense because of other vital infrastructure dependency on power supply. Cyber attack on SCADA system has a potential of cybergeddon and should be protected as a very critical asset by both public and private sectors. Security through obscurity is not the answer for SCADA anymore.

     

    In SCADA system, reasonable security can be achieved by embracing ISO 27k standard as a policy and eventually acquiring ISO 27001 (ISMS) certification. Organizations may start the certification process with limited scope (of critical processes) in the beginning, and increment the scope in each recertification attempt based on the resources available and management risk appetite. Information Security Management System (ISMS) can be a great value added process to manage ongoing monitoring, maintaining and for process improvement of SCADA. ISMS as a process in-place provides reasonable security safeguard to zero day attacks.

     

    How do I prepare for a power outage?

     


     

    “SCADA system has been poorly managed for decades”

    What is SCADA?

    Tags: Cyber-warfare, cybergeddon, Information Security Management System, Information Warfare, International Organization for Standardization, ira winkler, iso 27001, SCADA, Security

    Nov 04 2008

    Open Network and Security

    Category: Information Security,Open NetworkDISC @ 7:54 pm

    Made and uploaded by John Manuel - JMK{{#if: |...

    Open networks are heterogeneous environment where users like to use all the applications and systems at any given time. In a heterogeneous environment, each department run different hardware and software, but you can control the protocols which will work on this environment.

    Universities are famous for open network. Most Universities network is comprised of a Bank (To give loan to students), a restaurant, and a bookstore which have credit card processing ability. Students, alumni, researchers, employee and staff need access to utilize resources. Now how would you control access if same person assume all the roles mentioned above. Universities are basically transient communities, where users come back and plug-in their new devices and expect an immediate access to all the resources. Where the reputation of openness is challenge at every step of the way, now the question is how can they maintain reputation and yet control the environment based on security policies.

    Reasonable security can be accomplished by focusing on a process rather than adding yet another security control. The process is based on risk assessment program where you assess your critical assets based on threat and vulnerability pair and measure the likelihood and impact of a threat if a given vulnerability is exploited.

    The process start with knowing your assets – Network registration will detect when you plug-in your new equipment. Before you get an access, it detects a hardware address and username. You can also control common misconfigurations and noncompliance issues with network registration process. Some vulnerability management systems discover assets and perform vulnerability and security configuration assessment to proactively identify and prioritize risks. New vulnerabilities are accessed from trusted site on a regular basis and when vulnerabilities are identified, the management system needs to have an ability to remediate to comply with the information security policy.

    Most of the departments in an open network contains different systems and applications and basically have different security appetite. Distributed IT Governance can address this issue where you develop policies and procedures which fit their needs and hand it over to the department to comply.
    Open network requires pretty much open borders, Instead of securing the network/system emphasis should be on data protection.

    [TABLE=9]

    Recent news from AT&T to make its network open where customers can use any handset of their choice, perhaps a reaction to in response to recent moves from Verizon and Google to promote open network. Specifically Verizon announced that it would allow “any device” and “any application” to operate on its network. These open networks does provide flexibility for customers but at the same time burden lies on the shoulders of the corporations to provide right balance of security and privacy with availability of the network.

    In an open network, reasonable security can be achieved by embracing ISO 27k standard and eventually acquiring ISO 27001 (ISMS) certification. Information Security Management System (ISMS) can be a great value added process to manage ongoing monitoring, maintaining and for process improvement of an open network. ISMS as a process in-place provides reasonable security safeguard to your information and certainly help to minimize the liability in the court of law.

    End-to-End Network Security: Defense-in-Depth by Omar Santos
    httpv://www.youtube.com/watch?v=zTJSMjYd9c4

    (Free Two-Day Shipping from Amazon Prime). Great books

    Reblog this post [with Zemanta]




    Tags: AT&T, Computers, Credit card, data protection, heterogeneous, impact, Information Security, Information Security Management System, isms, iso 27001, ISO 27k, ISO/IEC 27001, IT Governance, likelihood, Network registration, Omar Santos, Reasonable security, risk assessment program, security controls, threat, Universities network, Verizon, vulnerability, vulnerability management systems

    Oct 21 2008

    12 Phishing Threats and Identity Theft

    Category: Email Security,Identity TheftDISC @ 7:22 pm

    Have you ever thought of losing something and you cannot live without it? Yes, that something can be your identity. Phishing is a practice of luring unsuspecting Internet users to a fake Web site by using authentic-looking email with the real organization’s logo, in an attempt to steal passwords, financial or personal information. In daily life people advise to retrace your steps when you lose something. The question is how you retrace your steps on cyberspace where some uber hackers know how to erase their footsteps to avoid detection. It is difficult to find phishers in cyberspace, and jurisdictional issues make it even harder to prosecute them. Then there is an issue of trust that phishers dupe people to believe that their web site is not fraudulent to collect personal/financial information.

    Amongst the financial crisis, phishing might be on the rise because for many organizations information protection might be the last thing on their mind. The FDIC has created a webpage to inform and warn consumers about “phishing.” These days phishers have targeted social network organizations LinkedIn and Facebook where their members have been duped into revealing their sensitive data.

    Mainly phishing attacks are targeted to steal the identity. Now the question is, how easy it is to steal somebody’s identity? Let’s say a phisher has your name and address, and then he/she can get your Social Security number with the search on AccurInt or other personal database website. A Social Security number is not the only bounty a fraudster can find on these websites, other personal/private information is available as well at minimal cost.

    In the table below are the 12 threats to your online identity which can be manipulated in phishing scams, and possible countermeasures to protect your personal and financial information. Some threats are inadequate or no security controls in place. The last row of the table is a monitoring control to identify the warning signs of identity theft.

    [Table=7]

    Organizations should take necessary steps to protect against identity fraud and apply whatever state and federal legislation applies to your business. Organizations which are serious about their information security should consider implementing the ISO 27001 (ISMS) standard as a best practice, which provides reasonable due diligence to protect and safeguard your information.

    US Bank phishing attack exposed
    httpv://www.youtube.com/watch?v=n2QKQkuSB4Q


    (Free Two-Day Shipping from Amazon Prime). Great books




    Tags: accurint, countermeasure, cyberspace, due diligence, equifax, experian, facebook, fdic, financial crisis, fraudster, identity fraud, information protection, isms, iso 27001, jurisdictional, legislation, linkedin, phishing, prosecute, safeguard, social security, threats, transunion, uber hacker

    Oct 07 2008

    vsRisk and security risk assessment

    Category: ISO 27k,Security Risk AssessmentDISC @ 3:18 pm

    Information Security Risk Management for ISO27001 / ISO27002

    The State of California has adopted ISO/IEC 27002 as its standard for information security and recommends other organizations and vendors to use this standard as guidance in their efforts to comply with California law.

    To achieve an ongoing compliance, major organizations require tools to comply with standard such as ISO 27002/ISO27001. vsRisk is an easy to use Information Security Risk Assessment tool which makes risk assessment process consistent, easier and produces required documentation to achieve ISO 27001 certification . vsRisk also aligns seamlessly with standards like ISO 27002, ISO 27005 and NIST SP 800-30.

    vsRisk helps organizations to develop an Information Security Management System (ISMS) asset inventory and capture business, legal and contractual requirements against each asset. vsRisk is customizable to meet specific needs when introducing new risks, vulnerabilities and controls without any additional help from a consultant. vsRisk helps you focus on assets rather than on threats and vulnerabilities. This is an approach which works by treating business processes as an asset, which is examined for their criticality, lack of security and consequences of failed process can be examined. In this regards, vsRisk is an effective and efficient tool by identifying most important points and key issues right away, which focusing on threats doesn’t.

    Major benefits of vsRisk tool:
    1. It is the definitive ISO27001 risk assessment tool, compliant
    with all the key information security standards – which means that
    you can be certain that a vsRisk risk assessment will help you
    achieve ISO27001 certification.
    2. It is designed to be usable – your lead risk assessor and any
    asset owners involved in your risk assessment are going to find
    their task made easier
    3. Unique features include the risk assessment wizard, which
    standardizes the risk assessment process and guides asset owners
    through the risk assessment process.
    4. vsRisk creates a baseline from which future risk assessments can
    easily be made.
    5. vsRisk integrates with ISMS documentation toolkit, for even
    greater usability.

    “vsRisk™- the Definitive ISO 27001: 2005-Compliant Information Security Risk Assessment Tool, which automates and delivers an ISO/IEC 27001-compliant risk assessment and can assess confidentiality, integrity and availability for each of business, legal and contractual aspects of information assets – as required by ISO 27001. Providing a comprehensive best-practice alignment, it supports ISO 27001 and 27002 (ISO/IEC 17799) disciplines, and is ISO/IEC 27005 and NIST SP 800-30 compliant. It also offers a wizard-based approach that simplifies and accelerates the risk assessment process, plus integrates and regularly updates BS7799-3 compliant threat and vulnerability databases.”

    The key to successful Risk Management is to protect your most important/critical assets. The importance/criticality of an asset might change over time. That is another reason to automate security risk assessment process to recalibrate your risks based on current state of security.

    Risk Management to ISO27001/NIST Wizard-based risk assessment tool Simplifies compliance – To buy vsRisk tool!

    Meet Stringent California Information Security Legislation with Comprehensive Toolkit

    ISO27001 EXPERTS CAN HELP COMPANIES MEET STRINGENT CALIFORNIAN …
    EIN News (press release) – Netherlands
    vsRisk™- the Definitive ISO 27001: 2005-Compliant Information Security Risk Assessment Tool, which automates and delivers an ISO/IEC 27001-compliant risk …




    Tags: asset owner, automate security risk assessment, baseline, california, isms, iso 17799, iso 27001, iso 27001 certification, iso 27002, iso 27005, nist sp 80-30, sb 1386, vsrisk

    Aug 25 2008

    Laptop security and vendor assessment

    Category: Laptop Security,Vendor AssessmentDISC @ 2:37 am

    Another report of a laptop stolen, this one containing reams of sensitive customer information. The laptop was later returned in the same office complex, to a room which was reportedly locked; however, the sensitive data on the laptop was not encrypted.

    According to a San Francisco Chronicle article by Deborah Gage (Aug 6, 2008, pg. C1): “A laptop containing personal information on 33,000 travelers enrolled in a fast pass program at San Francisco International Airport turned up Tuesday in the same airport office from which it had been reported missing more than a week ago.
    The machine belongs to Verified Identity Pass, which has a contract with the TSA to run Clear, a service that speeds registered travelers through airport security lines. Verified Identity operates the program at about 20 airports nationwide.
    The computer held names, addresses and birthdates for people applying to the program, as well as driver’s license, passport and green card information. But, she said, the computer contained no Social Security numbers, credit card numbers, fingerprints, facial images or other biometric information.
    Travelers in the Clear program pay to have the TSA verify their identities. In return, they receive a card that gives them access to special security lanes in airports so they can avoid standing in line to go through security.
    The TSA said in a statement that Verified Identity was out of compliance with the administration’s procedures because the information on the laptop was not properly encrypted. Now the company must undergo a third-party audit before Clear can resume, the TSA said.”

    When TSA states that the vendor (Verified Identity) was out of compliance, does that make the vendor liable for negligence? Not unless this was stated clearly in the contract that the vendor will be liable if customers’ private data is exposed unencrypted. Which means private data should be encrypted if it’s at the server, in transit or on the laptop.
    This brings the question if the 3rd party service provider (vendor) should be considered for the security risk assessment and how often. This question should be considered before signing a service contract with the vendor and what criteria or standard should be used to assess the vendor. Should this assessment include the security office 3rd party cleaning staff, perhaps yes, considering sometime cleaning staff does have an access to very sensitive areas in the organization? Many of the controls applied to contractors should be more or less the same as applied to regular employees but the contractor who has access to sensitive information potentially should have more controls then the regular employees, which should be clearly defined in the service contract.
    Before signing the service contract, due care requires the organization should always assess the vendor’s security posture based on their own information security policy and ISO 27002 standards. Depending on the risk assessment report, the organization can negotiate the controls necessary to protect the security and privacy of their data and customers with given vendors. At this point the organization needs to make a decision, if the vendor is up to par as far as information security is concerned and if negligent, give them some sort of deadline to improve controls to become a business affiliate. Depending on the level of data sensitivity, some vendors might be required to acquire ISO 27001 certification to become a business partner. This clause should be clearly included in the service contract.
    Assessing the vendor on a regular basis might be the key to know if they are complying with the required security clauses mentioned in the service contract and make them potentially liable for non-compliance. If the vendor fails the assessment the organization should follow up with the vendor to remediate those gaps within a reasonable time frame, otherwise this constitutes a breach of the contract.

    Laptop Security
    httpv://www.youtube.com/watch?v=dytZBBlDMJs


    (Free Two-Day Shipping from Amazon Prime).




    Tags: assessment, business affiliate, compliance, data sensitivity, iso 27001, iso 27002, laptop stolen, privacy, service contract, social security numbers, TSA, verified identity

    Aug 08 2008

    PCI DSS significance and contractual agreement

    Category: pci dss,Security ComplianceDISC @ 11:52 pm





    The PCI DSS (Payment Card Industry & Data Security Standard) was established by credit card companies to create a unified security standard for handling credit card information.  The retail service industry now understands the strategic significance of PCI DSS compliance, which was demonstrated when TJX announced that their system was compromised for more than 17 months, where well over 50 million customers’ credit and debit cards were breached. Retail business which fails to comply will be subject to penalties and fines, possibly lawsuits, and may lose their credit card processing capability. Non-compliance will not only expose businesses to fines and penalties but also make it vulnerable to many threats, which can exploit the vulnerabilities in the system and put your business to unnecessary risk. These risks could have been avoided with some due diligence. When business is non-compliant, any major breach will have a significant impact on business viability.


    To start a process of PCI compliance, a merchant should determine if PCI DSS applies to their organization.  PCI DSS is applicable if your customer PAN (Primary Account Numbers) is stored, processed or transmitted in your organization. After determining the applicability of the standard, the merchant needs to determine where their business falls in the categorization of businesses by their bank in terms of merchant level.


    Before commencing the risk assessment the assessor will perform the system profile to determine the applicability of the scope and set the boundaries of the system covered under PCI-DSS assessment. Planning is the key to success of a project; this is the phase where all the planning and project preparation will take place.   Now the key to the success of your on-going compliance is to simplify the scope of the project. The best way to achieve this to put all the PCI related assets in a precise segment to limit the merchant card holder environment.


    Comprehensive risk assessment will be performed on the identified scope where risk analysis will identify the gaps based on PCI DSS standards and risk rating will prioritize the gaps for risk management.  Thorough risk analysis will generate a quality technical and process gap analysis, where you decide the mitigation/compensating controls to comply with PCI DSS.  After completion of the risk assessment the task of the risk management begins, to eliminate the gaps in your environment and to comply with the standard. Depending on the numbers of gaps the risk management team should set realistic goals to complete the tasks in hand.  Best practices recommendations suggest that the organization should eliminate/mitigate the high risks (high impact & probability) gaps to the organization, but sometime organizations decide to go after the low hanging fruits to start with their risk management process.


    When the risk management process gets close to finishing and you are well on your way to comply with PCI DSS, you might think that perhaps your job is done. Well in a way, it’s just a beginning of a process where your organization is supposed to maintain the compliance with PCI DSS.  Based on expert opinion, PCI DSS is a process not a project. What you have done so far, is baseline your environment. Ongoing compliance is achieved by monitoring the relevant PCI DSS controls. Ongoing compliance will depend on the quality of the merchant’s information security management system (ISMS). A strong  ISMS would include thorough monitoring, logging and reviewing controls to maintain and improve system security over time.  You can develop an automated PCI monitoring process to achieve consistent results and sustain compliance by continuously monitoring your system. ISMS (based on ISO 27001) certainly can be a great value to manage ongoing monitoring, maintenance and improvement cycle.


    In a sense, PCI is neither a regulation nor a standard but a contractual agreement between the merchant and their acquirer bank, when merchants start transmitting PAN data that makes them contractually obligated to comply with PCI DSS. To understand their obligations, the merchant should make a proactive effort to understand their acquirer’s particular interpretation of PCI DSS requirements to get compliant.  Ongoing compliance will require adequate resources and automated controls in place to routinely monitor, maintain, review and improve the required systems. Ultimately, ongoing PCI compliance will enhance business efficiency and reduce the potential impact of adverse publicity on your business image.


     












    Documentation Compliance Toolkit

    PCI Compliance

    Practical guide to implementation (Soft Cover)

    Practical guide to implementation (Download)



    PCI Compliance
    httpv://www.youtube.com/watch?v=0NUTs-aFtOA




    Tags: business efficiency, business image, compensating controls, comprehensive, contractual agreement, gap analysis, isms, iso 27001, merchant card holder, mitigate, pan, pci compliance, pci dss, risk analysis, Risk Assessment, risk management process, tjx

    « Previous Page