
Archive for February, 2008

ISO 27001 / ISO 27002: Common Mistakes Part 1

Monday, February 18th, 2008

David Watson was one of the earliest exponents of the standards, and is one of the most well known industry figures. In this series of articles for the ISO 27000 Newsletter he outlines some of the most common errors and mistakes he has encountered over recent years:

COMMUNICATIONS AND OPERATIONS MANAGEMENT (Section 10)
There are often no standards and little or no documentation of the Corporate Systems;

Rarely is there an effective and properly implemented change management process. There are sometimes no formal change management processes or records of change meetings available. Change management meetings often have the wrong level of staff attending, have whole business areas that do not/will not get involved, and no minutes for meetings to show changes successfully and unsuccessfully implemented;

There is often no management software for the network, or any form of planning for the IT systems or capacity;

Rarely are Service Level Agreements in place and if they are they are rarely monitored and used effectively. Sometimes the business has unrealistic ideas of IT Service availability and the IT Department cannot meet the requirements without serious investment, which the business may not be willing to provide. This can lead to a breakdown in relationships between business units and IT;

Often the Information Security Manager is not advised of new projects or is so stretched that he cannot make the time to provide assistance;

I often find a backup process that does not provide full backup integrity or recovery capability.

SECURITY POLICY (Section 5)
This can be an enormous can of worms, as policies are:
- Often missing (Some companies do not even have a set of policies!);
- Frequently out of date;
- Often unknown by staff especially third parties and most especially IT Contractors and Consultants;
- Not enforced;

There are often no records to show who has received the policy with supporting training, and there is rarely evidence of policy review.

New Study Shows 38 Percent of Information Security Processes are Immature

Tuesday, February 12th, 2008

New research from Wolcott Group (www.wolcottgroup.com), "The 2007 ISO 27001 Benchmark Study," shows that many organizations have significant gaps in how they manage information security. While most organizations have mature or developing controls for information security, many still have immature processes for key issues like security policy training, access control, asset management, business continuity, IT compliance auditing, and more.

"One of the most significant findings from the study is that nearly half of the respondents rated their organization’s approach to managing information security as ‘initial’ or ‘non-existent’," stated Gary Sheehan, CISSP, HISP, managing consultant for information security at Wolcott Group. "Essentially, this study demonstrates the need for organizations to adopt a more holistic approach to managing information security like ISO 27001/27002." 

Highlights of Immature Controls and Processes:

• 57% have immature processes for classifying the value of their information assets

• 56% have immature employee training programs on information security policies and procedures

• 47% have an immature approach to managing information security

• 45% have immature business continuity processes

• 36% have immature IT compliance auditing processes

"The 2007 ISO 27001 Benchmark Study" was based on a 20-question self-assessment survey that explored the major aspects of how organizations govern information security as it is aligned with the ISO 27001 international standard and the ISO 27002 best practice framework. The study had 89 participants from a variety of industries, with 88% being in an IT management role, and 62% from organizations with over 1,000 employees.

Recent SOX Industry Headlines

Friday, February 8th, 2008

We peruse the Internet headlines so you don’t have to. Here are the recent headlines (and links) we felt newsworthy:

SEC Begins Small Business Costs and Benefits Study of SOX 404 - The Securities and Exchange Commission announced that its professional staff has commenced a cost-benefit study of an upcoming auditor attestation requirement for smaller companies under Section 404(b) of the Sarbanes-Oxley Act of 2002.

Audit watchdog to home in on "fair value" - Hard to value financial instruments such as mortgage-backed securities will be scrutinized for any auditing failures when the latest crop of annual reports are inspected, the chairman of the Public Company Accounting Oversight Board said on Thursday.

Postal Service readies for Sarbanes-Oxley Act - The Postal Service is the first federal agency mandated to comply with the act and thus faces unique challenges. With those challenges come exciting opportunities.

U.S. banks examine controls after SocGen - "Needless to say we’ve had questions with respect to firms that we regulate, that there is a re-looking at this and trying to determine if they have the right internal controls in place and systems to deal with this"

SEC calls for delay to Sarbanes-Oxley compliance - The Securities and Exchange Commission (SEC) has proposed a one-year extension for small companies to comply with the Sarbanes-Oxley act while SEC professional staff start a cost-benefit study of an upcoming auditor attestation requirement for smaller companies under Section 404(b) of the act.

Kerry, Snowe Praise Sarbanes-Oxley Extension for Small Businesses - "We can do more to ease the regulatory burden on small firms and help encourage more small businesses to become public companies - while still requiring them to comply with the law to ensure transparency and honest accounting."

How to Nab the Rogues: 10 Fraud Tips - Why the risk of wrongdoing has migrated from senior executives to middle management - and what to do about it.

WorldCom Whistle-blower Cynthia Cooper - What she was feeling and thinking as she took the steps that, as it turned out, would change Corporate America.



