Feb 04 2022

What Is Information Risk Management? Definition & Explanation

Category: Information Security,Security Risk AssessmentDISC @ 12:54 am

Information risk management is the process of identifying the ways an organisation can be affected by a disruptive incident and how it can limit the damage.

It encompasses any scenario in which the confidentiality, integrity and availability of data is compromised.

As such, it’s not just cyber attacks that you should be worried about. Information risk management also includes threats within your organisation – such as negligent or malicious employees – as well as residual risks.

For example, the framework can help you address misconfigured databases, software vulnerabilities and poor security practices at third parties.

In this blog, we take a closer look at the way information risk management works and how organisations can use its guidance to bolster their security defences.

Why is information risk management important?

In the face of ever-growing cyber threats, it can be difficult for an organisation to protect its information assets.

Last year, the World Economic Forum listed cyber crime alongside COVID-19, climate change and the debt crisis as the biggest threats facing society in the next decade. It’s clear, then, that organisations need a plan for identifying and addressing security risks.

With an information risk management system, organisations gain a better understanding of where their information assets are, how to protect them and how to respond when a breach occurs.

One way it does this is by forcing organisations to not only identify but also assess their risks. This ensures that organisations prioritise scenarios that are most likely to occur or that will cause the most damage, enabling them to make informed decisions in line with their security budget.

How risk management works

To understand how risk management programmes work, we need to take a closer look at what ‘risk’ actually is.

In an information security context, risk can be defined as the combination of a vulnerability and a threat.

As we’ve previous discussed, a vulnerability is a known flaw that can be exploited to compromise sensitive information.

These are often related to software flaws and the ways that criminal hackers can exploit them to perform tasks that they weren’t intended for.

They can also include physical vulnerabilities, such as inherent human weaknesses, such as our susceptibility to phishing scams or the likelihood that we’ll misplace a sensitive file.

This is different from a threat, which is defined as the actions that result in information being compromised.

So, to use the examples above, threats include a criminal hacker exploiting a software flaw or duping an employee with a bogus email.

When a threat meets a vulnerability, you get a risk. In the case of the criminal hacker phishing an employee, the risk is that the attacker will gain access to the employee’s work account and steal sensitive information. This can result in financial losses, loss of privacy, reputational damage and regulatory action.

A risk management system helps organisations identify the ways in which vulnerabilities, threats and risks intertwine. More importantly, it gives organisations the ability to determine which risks must be prioritised and identify which controls are best equipped to mitigate the risk.

Start protecting your business

At the heart of risk management is the risk assessment. This is the process where threats and vulnerabilities are identified. Organisations can use the result of the assessment to plan their next moves.

This process can be labour-intensive, but you can simplify the task with our risk assessment tool vsRisk.

With vsRisk, you’ll receive simple tools that are specifically designed to tackle each part of the risk assessment.

This software package is:

  • Easy to use. The process is as simple as selecting some options and clicking a few buttons.
  • Able to generate audit reports. Documents such as the Statement of Applicability and risk treatment plan can be exported, edited and shared across the business and with auditors.
  • Geared for repeatability. The assessment process is delivered consistently year after year (or whenever circumstances change).
  • Streamlined and accurate. Drastically reduces the chance of human error.

Risk Management Training

Tags: information risk management, Risk Assessment, Risk management, risk management training

Feb 18 2014

Comprehensive Cyber Security Risk Management Toolkit

Category: cyber security,Security Risk AssessmentDISC @ 11:30 am

Cyber Security Toolkit


Govern and manage Cyber Security risk with this unique comprehensive toolkit suite


Comprehensive Cyber Security Risk Management Toolkit Suite – Use the Cyber Security Governance & Risk Management Toolkit for a new, fresh implementation of a comprehensive management system that will also be capable of ISO27001 certification, or take advantage of this toolkit’s modular

There are a number of standalone, best practice approaches to managing cyber risk, none of which is on its own completely satisfactory. This toolkit helps you make an enormous leap forward by consolidating five separate approaches into a single, comprehensive, robust framework.

• PAS 555:2013 is the new standard for cyber security risk governance and management; it was created to work with a range of other standards;
• ISO/IEC 27032 is the international guidance standard for managing cyber security risk;
• The Cloud Controls Matrix was developed by the Cloud Security Alliance for cloud service providers;
• Ten Steps to Cyber Security is the methodology developed by the UK’s Business Department to help organizations of all sizes secure their cyber defenses;
• ISO/IEC 27001: 2013 is the internationally recognized standard against which an information security management system can achieve accredited certification.

Use the Cyber Security Governance & Risk Management Toolkit for a new, fresh implementation of a comprehensive management system that will also be capable of ISO27001 certification, or take advantage of this toolkit’s modular construction and control mapping matrix to add its additional controls to an existing ISO27001 management system.

This Cyber Security Governance & Risk Management Toolkit recognizes that mobile device management is a critical component of effective cyber risk control and therefore includes the ITGP BYOD Policy Toolkit as a value-added extra.

Included in this comprehensive toolkit suite is:

Tags: Cloud Security Alliance, ISO/IEC 27001, National Institute of Standards and Technology, Risk management

Nov 26 2013

New IT-GRC Glossary designed to simplify industry terms

Category: IT GovernanceDISC @ 11:29 am


New IT-GRC Glossary from IT Governance designed to simplify industry terms

IT Governance Ltd, the single source provider of IT governance, risk management and compliance (IT-GRC), has just published a glossary on their website.

The IT-GRC glossary is designed to help IT professionals recognize the wide range of acronyms used within the industry to further their understanding and avoid confusion.

Currently there are 70 terms in the glossary and IT Governance is looking to grow this significantly. IT Governance is encouraging readers to contribute to the glossary with new terms or refined definitions so that the glossary continues to develop and become a resource for IT professionals to use worldwide.

The glossary contains a wide range of IT governance terms, including information security, business continuity, quality management, IT service management and IT governance topics. The glossary is arranged alphabetically and provides easy-to-use definitions that drop down when clicked. The definitions have been written and edited by industry experts and link to information pages for further guidance. View the glossary:

Founder and Executive Chairman of IT Governance Ltd, Alan Calder, explains the reasons behind developing the glossary: “The industry within which we operate in contains a huge number of shortened phrases and acronyms which can be somewhat confusing for those starting out in their career. With different associations, institutions, standards, frameworks and certificates to remember, we decided it was important to start documenting these terms so that beginners would have a useful source to refer to.”

This new resource further strengthens the IT Governance mission statement of “approaching IT from a non-technology background and talking to management in their own language”. The glossary reduces industry jargon and simplifies terms for IT professionals.

The glossary has been added to the growing number of resources offered from IT Governance, which includes a wide number of green papers, product demos and case studies – all which are freely available to download.

Tags: Dictionaries, Governance risk management and compliance, GRC, Risk management

Aug 07 2013

vsRisk – The Cyber Security Risk Assessment Tool

Category: ISO 27k,Security Risk AssessmentDISC @ 9:09 am

vsRisk – The Cyber Security Risk Assessment Tool


It is extremely difficult to carry out a risk assessment that will meet the requirements of ISO27001 without using a specialist information security risk assessment tool. While there are a wide range of products on the market that claim to meet these requirements, the reality is that there are very few.

There’s just one risk assessment tool that IT Governance recommends; the vsRisk™ v1.7 – the Cybersecurity Risk Assessment Tool.

It’s so straightforward, and so quick to use, it can save you a significant amount of the budget you might otherwise spend on consultancy advice at this stage of the project.

5 reasons why vsRisk is the definitive risk assessment tool:

  • This tool automates and delivers an ISO/IEC 27001-compliant risk assessment
  • Can uniquely assess confidentiality, integrity & availability (CIA) for each of business, legal and contractual aspects of information assets – as required by ISO27001
  • Gives comprehensive best-practice alignment
  • It’s easy and straight-forward to use
  • Cost-effective route to assessing risks within your business

Download the definite risk assessment tool >>


Tags: Information Security, Information Security Management System, ISO/IEC 27001, Policy, Risk Assessment, Risk management, Security, Standards

Apr 23 2013

Cyber Security and Risk Assessment

Category: cyber security,Security Risk AssessmentDISC @ 9:19 am

Cyber security is the protection of systems, networks and data in cyber space.

If your system is connected on the internet, you should know and uderstand the risks of cyber space to take appropriate countermeasures.

To understand the risks of cyber security,The first place is to begin with is a risk assessment. By completing a risk assessment you can understand what the risks, threats and vulnerabilities of your networks, systems and data really are and begin to comprehend how to reduce and handle them. The authors of The Information Security Risk Assessment Toolkit provides handy step-by-step guidance on how to undertake a risk assessment. As we said Security Risk Assessment is an important first to assess risks but the second step of mitigating those risks in timely manner is crucial to protect your information assets.

Once you understand what the risks of your business are, you can then decide on how to mitigate those risks based on your organization risk acceptance.

Tools and techniques which work in mitigating cyber risks

The UK’s Cyber-security Framework for Business (published by the Department for Business, Innovation and Skills) is a 10-step framework to stop around 80% of today’s cyber-attacks
1. Board-led Information Risk Management Regime
2. Secure Home and Mobile Working
3. User Education and Awareness
4. User privilege management
5. Removable media controls
6. Activity monitoring
7. Secure Configurations
8. Malware protection
9. Network security
10. Incident Management

Build the resilience in your information security management system (ISMS) to cope with the other 20% of the risk.

The authors of Hacking 7 Exposed cover the latest methods used by third-parties to (logical/physical) access to information assets. They then detail how you can protect your systems, networks and data from unauthorised access.

Cybersecurity standards are an important element in building a strong, resilient information and communications infrastructure. ISO/IEC 27001 is the most significant international best practice standard available to any organisation that wants an intelligently organised and structured framework for tackling its cyber risks

Tags: Computer security, cyberwarfare, Information Security, Information Security Management System, Risk Assessment, Risk management

Mar 06 2013

Your Cyber Security Project

Category: cyber securityDISC @ 12:04 pm

by James Warren

Internet technologies have revolutionised the way that business is conducted but these innovations expose your business to various cyber security risks.

Inadequate security can lead to the theft of customer data and, in the event of technological failure or a cyberattack, your business could lose its ability to function altogether. An effective risk management strategy is, therefore, vital to your company’s survival.

Cyber Security Risks for Business Professionals: A Management Guide Cyber Risks for Business Professionals: A Management Guide 

A general guide to the origins of cyber security risks and to developing suitable strategies for their management. It provides a breakdown of the main risks involved and shows you how to manage them.

Cybersecurity standards are an important element in building a strong, resilient information and communications infrastructure. ISO/IEC 27001 is the most significant international best practice standard available to any organisation that wants an intelligently organised and structured framework for tackling its cyber risks. As the leading provider of cyber security products and services, ITG can help you with any aspect of your project:

Cyber Security Risks for Business Professionals: A Management Guide  >> ITG | eBay | Amazon

Tags: Computer security, cyber security, Information Security, ISO/IEC 27001, Risk management

Jan 29 2013

Impact of an Effective Risk Assessment to ISO 27001

Category: Security Risk AssessmentDISC @ 11:08 pm


First to start with a definition of risk – Risk is a function of the probability that an identified threat will occur and then impact the mission or business objectives of an organization.

The kind of risks we deal with information assets are mostly those risks from which only loss can occur, which may be one of the reason why it’s hard for the security professionals to justify ROI for security controls. Comparatively business risks are attributed with either a profit or a loss. As we know, business folks make decision on risks on daily basis; it’s easier to make a decision for profit sake rather than on a loss. So increase risk to information asset will decrease the value of an asset or will harm the organization bottom line in some way.

To minimize the loss to an information asset, organization may decide to treat the higher risk assets which are above accepted risk threshold with following four ways:

1. Eliminate the risks
2. Reduce the risk to acceptable level
3. Accept the risk and live with it
4. Transfer by means of insurance

Risk Assessment Basic Steps for ISO 27001:

o Determine risk methodology and level of acceptable (residual) risk
o Identify assets and who owns them
o Identify the value of each asset
o Identify threats to each assets
o Identify vulnerabilities that each threat may exploit
o Estimate Likelihood of the threat exploiting vulnerability
o Finally determine risk the security of individual assets by combining impacts and likelihoods

Risk Assessment Titles from eBay | Risk Assessment Titles from DISC InfoSec Store


Related articles

Tags: Corporate governance of information technology, Information Security Management System, ISO/IEC 27001, Risk Assessment, Risk management

Nov 19 2012

PCI view of Risk Assessment

Category: pci dss,Security Risk AssessmentDISC @ 11:02 pm
Information Security Wordle: PCI DSS v1.2 (try #2)


Organizations that need to comply with PCI-DSS need to create their own risk assessment methodology that works for their specific business needs, according to a new report by the Payment Card Industry Security Standards Council (PCI SSC).

PCI Risk Assessment Special Interest Group says When developing their own risk assessment methodology, organizations may consider adapting an industry-standard methodology that is most appropriate for their particular culture and business climate.

Key recommendations include:
• A continuous risk assessment process enables ongoing discovery of emerging threats and vulnerabilities, allowing an organization to mitigate such threats and vulnerabilities in a proactive and timely manner
• Risk assessments must not be used as a means of avoiding or bypassing applicable PCI DSS requirements (or related compensating controls)
• Organizations should implement a formalized risk assessment methodology that best suits the culture and requirements of the organization

PCI view of things: 

The announcement

And the V1 document (also attached)

Below is my post on Risk management from prespective of ISO 27001 which has an Expert guidance on planning and implementing a risk assessment and protecting your business information

Information Security Risk Management for ISO 27001

Tags: International Organization for Standardization, ISO/IEC 27001, Methodology, Payment card industry, Payment Card Industry Data Security Standard, Risk Assessment, Risk management

Jul 05 2010

Risky business

Category: hipaaDISC @ 11:02 pm
Information Security Wordle: NIST HIPAA Securi...
Image by purpleslog via Flickr

By Mary Mosquera

Last year’s HITECH Act toughened the rules and enforcement penalties health information handlers must follow to protect patient privacy.

Under the new policy regime, providers will have to pay more attention to the confidentiality and safety of patient information as they move more of their operations toward electronic health record-keeping.

Without sound security policies and practices, privacy “will be just a principle,” said Sue McAndrew, deputy director for privacy in the Office of Civil Rights, the Health and Human Services Department office that was given responsibility for health privacy and security policy under the new law.


“We want it to be a reality for consumers,” she said at a recent privacy and security conference sponsored by OCR and the National Institute for Standards and Technology.

One of the most basic requirements is that providers must now perform a security assessment, a first step in understanding systems and electronic data over which they are temporary stewards.

OCR recently drafted guidance to help providers and payers figure out what is expected of them in doing a risk assessment. While it might sound onerous, a risk assessment might not be as difficult or costly as some providers might believe, even for small practices, privacy.

“When you say, ‘do a security risk assessment’, people’s eyes glaze over,” said Lisa Gallagher, security director of privacy and security for the Healthcare Information and Management Systems Society. “But really, it’s asking, ‘what are the risk areas?’, ‘how could someone get to it?’ and ‘what controls can you put in place to protect it.’”

In its guidance, OCR said organizations should identify and categorize their data collections, document threats to information that might lead to a disclosure of protected data and check to see if their current security measures are adequate.

“For a small organization, it sounds overwhelming and time-consuming, but in a lot of ways, it’s things that they already do,” said Pat Toth, a computer scientist in NIST’s computer security division.

“What small providers need to do is get an understanding of the framework and break down each step,” she said. “It is something that’s going to be living in their organization, so if they do their categorization and get that right, it will set the correct tone for the rest of the process.”

NIST has developed a quick-start guide, a “Cliff’s Notes” of its security publications detailing its risk management framework and risk assessment, in addition to frequently asked questions, to help providers, especially small practices.

For large organizations, risk management starts in the planning and architecture of systems across the enterprise and system life cycle, Toth said.

Besides a risk assessment, OCR is planning stricter reporting of disclosures of health information when electronic health records are used, even when the disclosure is for treatment and billing purposes. Providers will also have to give the reason for the disclosure. In May, OCR published a request for comments on its rulemaking.

The most effective method of accounting for disclosures is by using automated logging features in electronic health records and other computer systems, according to Mac McMillan, chief executive officer of Cynergistek Inc., an IT security consulting firm.

System logs are used to document and maintain a permanent record of all authorized and unauthorized access to and disclosure of confidential information so providers can recover evidence of that access.

“A lot of the difficulty to get accounting of disclosures in place is because of a lack of industry auditing capabilities,” he said at the OCR and NIST conference. “Most systems don’t have the functionality.” Moreover, IT security folks he works with have logging activated, “but they are still manually digesting them,” McMillan said, adding that manual audits are a time-consuming and imprecise process.

Even so, such practices must now be the order of the day under the new privacy and security framework. “The security rule says wherever you have electronic health information, you need to protect it,” said HIMSS’s Gallagher. “You may not even apply for meaningful use incentives. But if you’re keeping data in electronic form, you have to comply with the security rule.”

Related articles



Tags: arra and hitech, Civil and political rights, Computer security, Consultants, Electronic health record, General and Freelance, hipaa security, hitech, National Institute of Standards and Technology, Risk management, Security

Dec 10 2009

What is a risk assessment framework

Category: Information Security,Risk AssessmentDISC @ 5:46 pm

Computer security is an ongoing threat?!?
Image by Adam Melancon via Flickr

The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments

Definition – A risk assessment framework (RAF) is a strategy for prioritizing and sharing information about the security risks to an information technology (IT) infrastructure.

A good RAF organizes and presents information in a way that both technical and non-technical personnel can understand. It has three important components: a shared vocabulary, consistent assessment methods and a reporting system.

The common view an RAF provides helps an organization see which of its systems are at low risk for abuse or attack and which are at high risk. The data an RAF provides is useful for addressing potential threats pro-actively, planning budgets and creating a culture in which the value of data is understood and appreciated.

There are several risk assessment frameworks that are accepted as industry standards including:

Risk Management Guide for Information Technology Systems (NIST guide) from the National Institute of Standards.

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) from the Computer Emergency Readiness Team.

Control Objectives for Information and related Technology (COBIT) from the Information Systems Audit and Control Association.

To create a risk management framework, an organization can use or modify the NIST guide, OCTAVE or COBIT or create a framework inhouse that fits the organization’s business requirements. However the framework is built, it should:

1. Inventory and categorize all IT assets.
Assets include hardware, software, data, processes and interfaces to external systems.

2. Identify threats.
Natural disasters or power outages should be considered in addition to threats such as malicious access to systems or malware attacks.

3. Identify corresponding vulnerabilities.
Data about vulnerabilities can be obtained from security testing and system scans. Anecdotal information about known software and/or vendor issues should also be considered.

4. Prioritize potential risks.
Prioritization has three sub-phases: evaluating existing security controls, determining the likelihood and impact of a breach based on those controls, and assigning risk levels.

5. Document risks and determine action.
This is an on-going process, with a pre-determined schedule for issuing reports. The report should document the risk level for all IT assests, define what level of risk an organization is willing to tolerate and accept and identify procedures at each risk level for implementing and maintaining security controls.

Tags: Business, COBIT, Computer security, Data, Fire and Security, Information Technology, iso 27001, iso 27002, National Institute of Standards and Technology, NIST, OCTAVE, Risk management, Security, security controls, Technology

Aug 18 2009

Control selection and cost savings

Category: Security Risk AssessmentDISC @ 3:53 pm


Information Security Risk Analysis

In risk management, risk treatment process begins after completion of a comprehensive risk assessment.
Once risks have been assessed, risk manager utilize the following techniques to manage the risks

• Avoidance (eliminate)
• Reduction (mitigate)
• Transfer (outsource or insure)
• Retention (accept and budget)

Now the question is how to select an appropriate control to avoid or reduce risk. While selecting appropriate control to mitigate and avoid risk we need to consider compensating control to cut cost and supplemental control to increase protection for sensitive or classified assets.

Compensating control is a safeguard or countermeasure is employed by an organization in lieu of recommended security control from standards such as ISO 27002 or NIST 800-53. Compensating control provides an equivalent or comparable protection for information system to the original control requirement form standard. For example, even though most standards recommend separation of duties, but for a small operation it might be an unacceptable cost to separate the duties of system administration and system auditing. In that case system owner can utilize compensating control such as strengthening the audit and personnel security.

On the other hand with supplemental control, the system owner may decide to supplement the control to achieve more protection for sensitive and classified assets. If there is high likelihood or magnitude of impact is high should a threat exploit a given vulnerability you might want to consider a supplemental control because overall risk is high. For example you might want to utilize defense in depth method to safeguard your crown jewel.

Implementing and monitoring security control can be expensive, system owner are pressured by management to look for cost savings without any reduction in the security posture of an organization. The system owner can either inherit the common controls or segment the system exposure to reduce cost and risks.
Common controls are the security controls which have been implemented by another information system that your system can utilize. Basically working with another system owner who has utilized some of the security controls need to be implemented in your system. For example utilize the corporate office base line hardening configuration for Windows and Unix system instead of developing your own. This will significantly reduce the cost of developing, testing and maintaining a secure baseline configuration.

Best and cheapest method of cost reduction is to segment the information system into multiple systems which will add different layers and levels of security into each system. Basically you put your crown jewel in multiple layers of security if one control breaks there is another control in place to monitor and protect your assets. This will allow the system owner to focus implementing higher security controls to the segment with most sensitive or classified information instead of entire system

Reblog this post [with Zemanta]

Tags: common control, iso 27002, iso assessment, ISO audit, NIST 800-53, NIST audit, risk analysis, Risk Assessment, Risk management

Aug 10 2009

Managing Risks and NIST 800-53

Category: Security Risk AssessmentDISC @ 5:48 pm

logo of en:National Institute of Standards and...
Image via Wikipedia

FISMA Certification & Accreditation Handbook

The organizations need to establish security program to manage their day to day risks. Before selecting the controls from standards such as (NIST 800-53 or ISO 27002), organizations need to have complete inventory of the assets involved in the scope. Assets involved in the scope would require a comprehensive risk assessment to determine the sensitivity/criticality of these assets. Depending on the categorization of these assets will determine an appropriate control from standard to mitigate relevant risk. In some cases supplemental controls may be required.

Management of risks involves the risks to the organization with the operation of an information system or information security management system. Risk management is an effective frame work for selecting appropriate security controls for an information system and assist in selecting of appropriate security controls to protect assets.

Both ISO and NIST standards follow the similar path in control selections. NIST 800-53 has 163 high level controls and 154 medium level controls which have around 95% mapping with ISO 27002 which has 133 controls. While NIST SP 800-53 is required for federal (unclassified) information system, NIST encourages its use in commercial space. Commercial organizations can utilize the NIST standard to create their security program, which will provide a road map to their security strategy and assist in making informed decisions for securing their information assets.

The management of day to day risks is a key element in an organization’s information security program and both NIST and ISO provide an effective framework for selecting and managing the appropriate security controls for information system. ISO utilize PDCA (Plan, Do Check, and Act) Deming model for selecting the appropriate security controls and managing its information security management system. NIST on the other hand utilize the similar framework for selecting and managing appropriate controls for information system and is called risk management framework security life cycle. Copy of the NIST risk management framework security life cycle is available to see an eerie resemblance with PDCA model.


Around 80% of critical infrastructure resides in private sectors which required to be protected by various regulations. Both NIST and ISO can be utilized to protect assets, however in some cases one standard might fit better in your environment then the other or perhaps you are able to manage one standard better then the other. Both standards required their information system to be audited or reviewed by authorized organizations to achieve apporpriate certifications.

Reblog this post [with Zemanta]

Tags: iso 27001, iso 27002, NIST 800-53, PDCA, Risk management

Mar 17 2009

Congressional data mining and security

Category: Information SecurityDISC @ 12:42 am

Data mining
Image by moonhouse via Flickr
“By slipping a simple, three-sentence provision into the gargantuan spending bill passed by the House of Representatives last week, a congressman from Silicon Valley is trying to nudge Congress into the 21st Century. Rep. Mike Honda (D-Calif.) placed a measure in the bill directing Congress and its affiliated organs — including the Library of Congress and the Government Printing Office — to make its data available to the public in raw form. This will enable members of the public and watchdog groups to craft websites and databases showcasing government data that are more user-friendly than the government’s own.”

Would be great if this passes BUT, Government would have to have security provisions so hackers could not manipulate databases in this case raw data. Without proper controls, databases can be easily modified and stolen, so before making the raw data available to public, Congress might need a comprehensive legislation to protect the confidentiality, integrity and availability of the data.

Security principles and controls which should be considered in database legislation?
• Principles of least privilege
• Separation of duties
• Defense in depth at every level
• Strong auditing and monitoring controls
• Security risk assessment to assess risks based on ISO 27002 and NIST 800-53
• Comprehensive risk management program to manage risks

Congressional Data Mining: Coming Soon? (Mother Jones)


Reblog this post [with Zemanta]

Tags: Business, Data mining, database, defense in depth, iso 27002, Mike Honda, National Institute of Standards and Technology, Risk Assessment, Risk management, Security, separation of duities, Silicon Valley

Mar 04 2009

HIPAA accountability and security program

Category: hipaa,Security Risk AssessmentDISC @ 7:34 pm

Logo of the United States Department of Health...
Last year the department of Health and Human Services (HHS) started penalizing healthcare organizations for security breaches and lack of security program. Healthcare stimulus bill says that HHS will post a breach of healthcare organization on their website. In both cases the intent is clear that HHS want to hold healthcare organizations accountable for security lapses.

World Privacy Forum (WPF) states in recent report that medical identity theft is on the rise and it leaves false information in medical records that can torment victims’ medical lives for years. Medical identity theft mostly carried out by insiders with legitimate access to medical and insurance billing. Patient medical files, and addresses can be changed to reflect phony medical care, and insurance payments are forwarded to different address.

HHS has given ample warning and time to healthcare organization to get their house in order. Healthcare stimulus bill which require digitizing healthcare records will demand even more stringent security program from healthcare organizations. Time is of the essence for healthcare organizations to start their security strategy planing now to implement their security program before HHS come knocking at their door.

Risk Management Process:

Like other compliance initiatives, HIPAA also require organizations to build a security risk management program to manage their daily risks. The process of risk management consists of risk assessment (analyzing the risks), design/select control, implement control, test control, maintain/ monitor control. At high level, risk management is accomplished by balancing risk exposure against mitigation costs and implementing appropriate countermeasures and controls.


Risk assessment states the security posture of an organization at a given point in time. Therefore organization should conduct risk assessment of their assets on a regular basis. Risk assessment looks at the impact and likelihood of threat/ vulnerability pair to assess the risk. What is the likelihood of a threat to exploit a given vulnerability and what will be the impact of the threat if the given vulnerability is exploited. If either likelihood/impact is low, the overall risk is low.

Performing vulnerability assessment of critical assets on monthly basis is highly recommend to find out new vulnerabilities and making sure the hardened systems configuration have not changed. Also any changes introduced to a system will require checking the necessary system configurations are intact.

A Five-step Roadmap to HIPAA Security Compliance

Related videos by youtube

Reblog this post [with Zemanta]

Tags: Health care, Health Insurance Portability and Accountability Act, Identity Theft, Risk management, Security, Security Risk Assessment, United States Department of Health and Human Services

Feb 25 2009

Small business and assessment of IT risks

Category: Security Risk AssessmentDISC @ 5:02 pm

Network and Information Security Agency
According to a study released by European Union ENISA, Small-to-Medium-Sized (SME) enterprises require extra guidance in assessment of IT security risks of their assets.

Agency also established that in the first implementation it is improbable that SME can utilize a risk assessment & risk management approach without external assistance and simplified information security approach was extremely useful for security awareness on the part of business to improve their information security management approach. One of the main drivers that have pushed ENISA towards a simplified Risk Assessment and Management approach was the idea that SMEs need simple, flexible, efficient and cost-effective security solutions.

Regarding the entire process applied for the life-cycle of the simplified approach, ENISA has applied the Plan-Do-Check-Act model:
o PLAN: creation of a simplified Risk Assessment & Risk Management approach for SMEs
o DO: run pilots in different contexts inside EU
o CHECK: get feedback from pilots and aggregate and analyze it
o ACT: review and improve the simplified approach starting from the feedback
It is expected that through repetitions of the above life-cycle a proper maturity of the simplified ENISA method will be achieved.
Diagram: Overview of the phases of the ENISA simplified approach
ENISA simplified and standardized approach for risk assessment for SMEs is designed for untrained users and organization with small IT infrastructure. Security of SMEs is crucial for European economy, since they represent 99% of all enterprises in EU and around 65 million jobs, said ENISA said.

ENISA report and findings

As economic slowdown is looming ahead in US economy, it makes sense to adopt a lifecycle approach which is simplified, standardized in managing and securing the SMEs data. SME is the core engine of US economy as well; taking a standard based approach for data protection will not only serve to increase awareness and secure businesses but will also satisfy various compliance needs. Complexity is an enemy of security and SME most of the time don’t have inside expertise to tackle organizations information security needs. The main idea is to build a simple, flexible and cost efficient risk assessment and risk management program for non-expert users and management with relatively less complex IT infrastructure which fits the needs of all SME. This program will serve as an IT risk assessment tool; fulfill the needs of several regulations and serves as a great security awareness tool as well. As business needs change, risk assessment and risk management process can be improved utilizing Deming PDCA model. Start with a base model program and improve the process to tailor your business needs down the road.

Another methodology which is worth mentioning here for simplified risk assessment approach for SME is Facilitated Risk Analysis and Assessment Process (FRAAP) created by Tom Peltier which can be utilized to identify and quantify threats to IT infrastructure. Tom also teaches a class how to complete a risk assessment in 5 days or less utilizing FRAAP and his book on “Information security risk analysis” where he explains his FRAAP methodology.

Computer Security

Reblog this post [with Zemanta]

Tags: Business, Computer security, Consultants, European Network and Information Security Agency, European Union, information security risk analysis, Risk management, Security, Security Risk Assessment, Small and medium enterprises, SME

Feb 18 2009

Economic turmoil and BCP

Category: BCP,Information SecurityDISC @ 6:42 pm

Due to economic insecurity all the warning signs are pointing that this year is going to top the record for information security and privacy incidents. Organizations may not be in a position to take business limiting risk and bypass security fundamental like Business Continuity Planning (BCP). During this economic uncertainty organizations have to pay more attention to liability, regulatory penalties and negative PR which might cause an irrecoverable damage to business in today’s market.

“BCP is the creation and validation of a practiced logistical plan for how organization will recover and restore partially or completely interrupted critical functions within a predetermine time after a disaster or extended disruption”

The first step in business continuity process is to consider the potential impact of each disaster or disruption. Next step is to determine the likelihood of the disruption or how likely this disruption will occur within a year and how many times. Both impact and likelihood will determine the risk to the organization critical asset in a sense if impact of the disruption is high the risk is high or if likelihood of the incident is high the risk is high. High risk disruption will attract more attention during planning process.

Risk Analysis:
• Understand the function of probabilities and risk reduction
• Identify potential risks to the organization
• Identify outside expertise required
• Identify vulnerabilities / threats / exposures
• Identify risk reduction / mitigation alternatives
• Identify credible information sources
• Interface with management to determine acceptable risk levels
• Document and present findings

BCP Plan:
• Understand clear objectives, available alternatives, their advantages, disadvantages, and cost ranges, including mitigation as a recovery strategy
• Identify viable recovery strategies with business functional areas
• Consolidate strategies
• Identify off-site storage requirements and alternative facilities
• Develop business unit consensus
• Present strategies to management to obtain commitment

Assessing the Effectiveness of a BCP Plan for an Individual Business Unit:
Business unit contingency planning was never more important than now. The success of BCP planning depends upon the feasibility and appropriateness of the plan. However, only comprehensive TESTING of the contingency plans could validate that and everyone hates testing. It is important that the Contingency Plan clearly identify those responsible for declaring a disaster and executing the plan. BS 25999-2:2007 is the specification for implementing, establishing, and improving a business continuity management system (BCMS) within an organization.

The requirements in the standard are generic and are intended to be applicable to all organizations, regardless of type, size and nature of business. The extent of application of these requirements depends on the organization’s operating environment and complexity. BS 25999-2 can be used by internal and external parties, including certification bodies, to assess an organization’s ability to meet its own business continuity needs, as well as any customer, legal or regulatory needs.

Purchase BS25999-2:2007 online today and prove business resilience to customers and partners.


BSI – What is Business Continuity Management?

Reblog this post [with Zemanta]

Tags: Business, Business continuity planning, Business Services, Contingency plan, Emergency Management, Fire and Security, Information Security, Risk management

Feb 13 2009

Global economic insecurity and rise of insider threats

Category: Insider ThreatDISC @ 6:04 pm


According to BBC news article by Maggie Shiels (Feb 11, 2009) the world’s biggest software maker has warned companies to expect an increase in “insider” security attacks by disgruntled, laid-off workers. Microsoft said so-called “malicious insider” breaches were on the rise and would worsen in the present downturn.

Below are the high points:
• With 1.5 million predicted job losses in the US alone, there’s an increased risk and exposure to these attacks

• Insider threat is one of the most significant threats companies face. Said Microsoft Doug Leland

• The malicious insider is classed as the greatest security concern because they have access, and relatively easy access to corporate assets

• During economic insecurity people are motivated by revenge, fear or greed

• 88% of data breaches were caused by simple negligence on the part of staff

• Employees steal information to sell to a third party, to get back at a company for being laid off or demoted or to try and get a job at another company

• Even though Insiders attacks are lower in numbers but they could be more devastating because the employee knew where “the crown jewels” were kept – unlike a hacker who had to go on something of a “fishing expedition” to find a company’s valuable assets

• The outstanding, unsolved, unaddressed risk management problem that has existed for years is that everyone is focusing on the hacker

• Data loss prevention systems specialize in the detection of precisely these events

Here is the article: Malicious insider attacks to rise

To find the correct balance between data security and data availability, organizations are urged to buy a copy Data Breaches: Trends, costs and best practices.

Even in good time management focused on driving shareholder value by increasing revenue and profits. I think during this economic downturn information security will be the last thing on their mind which will not only compound the problem but gives an edge to a attacker and simply a bad business decisions considering the circumstances. It’s about time to start paying attention to regulatory compliance for sake of securing organization assets. Good place to start is to have some sort of baseline based on information security framework and come up with a strategy to improve that baseline. ISO assessment can be utilized to baseline the organization security posture and is a great first step towards ISO 27002 compliance or for that matter any compliance audit.

What do you think board rooms are appropriately prepared to tackle or perhaps slow down the wave of data breaches coming our way?

• Related article
Unstable Economy and Insider Threats
Economic Crisis Tops Security Threats to U.S

Detecting Insider Threats

Reblog this post [with Zemanta]

Tags: BBC, Consultants, Data loss prevention products, Information Security, International Organization for Standardization, iso 27002, Microsoft, Risk management, Security

Jan 30 2009

ISO 27k and CMMI

Category: Information Security,ISO 27kDISC @ 2:00 am

To become a successful business in today’s market, optimized information security controls may be the panacea for unmet security needs. One way to achieve optimized information security control is to perform ISO assessment and assess the organization security posture based on ISO 27002 code of practice and map each control with Capability Maturity Model Integration (CMMI) to find out the current CMMI level for each control. information The goal is to address the organization security needs as a whole, and assess how different departments and business functions are addressing the current business security requirements. The CMMI has five levels and evaluate security controls based on levels, not on specific objectives. Each level provides the basis for the next level where it is not possible to get to the next level without complying with previous level. ISO 27002 is a comprehensive framework which can be utilized to obtain the baseline upon which to build each level. For each control in ISO 27002, maturity levels are defined using maturity definition found in CMMI. In the assessment report maturity level of each control of ISO 27002 standard can be evaluated. Utilizing the color coded scheme provided by CMMI model, create a one page ISO control summary for executives which will not only help them to understand the current security posture but also can be instrumental for measuring progress and resource allocation.

The scope of the ISO27k standards includes various aspects of IT. The introduction to ISO 27002 states clearly: “Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post of using electronic means, shown on films, or spoken in conversation. Whatever form information takes, or means by which it is shared or stored, it should always be appropriately protected.”

Benefits of ISO 27k framework:
o Framework addresses the security issues for the whole organization and limit data breaches
o Address compliance with various regulations like (SOX, HIPAA, and PCI) without creating silos.
o Reduce total cost of security by decreasing total number of controls required
o Perception of your business that you are serious about information security not just compliance
o Enhance partners and vendors confidence to do business with your organization
o Future deciding factor for national and especially international partners for more business
o Internationally recognized standard which addresses security awareness for the whole organization


Assessment will give an organization a high level view of their current security posture and provide a road map for security strategy in a sense what needs to be addressed first utilizing risk based approach. This is also a good start if your organization is interested in the Information Security Management System (ISMS) or ISO 27001 certification. ISO 27001 is the standard for the certification which includes the set of requirements for ISMS. Justifiable scoping is the key to a quick and successful certification; organization may adjust their scope in a re-certification attempt. Perhaps in the first attempt you may need to include just a web portal in your scope and the entire infrastructure behind supporting that portal. Once the ISMS project scope is determined, here are some steps you can follow to prepare for ISO 27001 auditors.

1. Based on your scope, create an asset list
2. Find out asset threats and vulnerabilities and classify the asset based on CIA scale
3. Come up with risk matrix based on impact and likelihood of the risk
4. Create priorities based on impact and likelihood of the risk
5. Based on priorities, implement appropriate controls for risks which needs to be addressed
6. Do the risk assessment again, PDCA improve ISMS

“ISO27001 is a structured, technology-neutral, vendor-agnostic specification and code of practice for information security management in organizations of all sizes that should be adopted as part of an organization’s overall risk management strategy.”

This should give you a jump start to certification. You have already started the process of certification because most of the documentations in the risk assessment will become part of certification process later and will lead you to 12 steps which are part of PDCA cycle. ISMS certification process utilized Plan-Do-Check-Act (PDCA) cycle methodology which continually improve information security management system and meet the contractual, legal, and regulatory requirements for information security.

ISO assessment is utilized to analyze the current security posture of an organization where each control is defined and can be color coded using the base definition found in CMMI. Therefore ISO assessment is a great first step towards the final ISO 27001 certification audit or for that matter any compliance audit.


ISO 27k framework for today’s security challenges

Three useful titles on ISO 27k by Alan Calder

Tags: Capability Maturity Model Integration, CIA scale, Information Security, Information Security Management System, International Organization for Standardization, isms, iso 27001, iso 27002, ISO/IEC 27001, PCI, PDCA, Risk Assessment, Risk management, Security, SOX HIPAA, vsrisk

Nov 26 2008

Cyber threats and overall security assessment

Category: Information Warfare,Risk AssessmentDISC @ 3:13 am

The main screen showing star names (color-code...
Image via Wikipedia

In the past when senior management (execs) needed to understand the financial implication of cyber threats and their exposures, they turned their questionnaires toward IT for relevant answers. In other words IT risk assessment was the answer in the past to understand the financial implications of cyber threats. The IT risk assessment is not the comprehensive or overall assessment of the company to understand the total implications of cyber threats. The overall assessment will not only include IT but also other departments like HR and legal etc… Basically cyber threats are neither IT issue and nor a legal or HR issue any more, it’s simply an enterprise management issue.

In old days the firewall was used as a major defense against potential cyber threats. The new cyber threats are sophisticated enough to demand better defense. New threats (virus, adware, worms, Trojan, spyware, spam, phishing) use modern techniques to bypass defenses. The potential risks of these new threats demand an immediate attention (of CFO or higher) and approval for resource allocation to protect against cyber threats. To make a solid business case for security ROI, senior level execs need to know the overall risk they are reducing, and their highest priority.


ANSI and ISA have jointly released a document to assist senior management to prepare for financial implications for cyber threats. Basic essence of the guide is to provide a tool to execs to understand the financial implications of potential cyber threats to their organizations.

“The 40 page guide was put together by task force of risk management execs from more than two dozen organizations. The new guide offered by ANSI and the ISA recommends that CFO ask their various team’s questions about the biggest threats to data confidentiality, integrity and availability,” to get to know the existing controls in place and any relevant mitigation plan. Risk analysis of this information can help execs to map the cyber threats risks into correct financial terms and make better resource allocation.
The senior execs who want to implement information security as a process in their organization should consider ISO 27001 (ISMS) as a best practice, which provides a reasonable on-going due diligence to protect and safeguard organization data.

Reblog this post [with Zemanta]

Tags: availability, Business, Chief financial officer, cyber threats, data confidentiality, exposure, Financial services, Human resources, Insurance, integrity, isms, ISO/IEC 27001, Management, overall assessment, risk analysis, Risk Assessment, Risk management, roi, Security