Archive for the 'ISO 27001' Category

Global Security challenges

Friday, April 11th, 2008

Article by James Ritchie, former principal auditor, Integralis - April 02 2008

Global companies face a significant cultural and legal challenge when dealing with security across international borders. Just as the European Union privacy regulation conflicts with United States laws, other regulations conflict between countries. It was once said that business is like a car traveling on a road to the business goals. The board of directors or senior management is the driver of the car. Management sets the speed, distance, and timing of when they reach their goals. How does information technology fit within that metaphor? Information technology would be the tires on the car that allow the management to drive on the road to those goals. Information technology must keep good tread on those tires, maintain appropriate air pressure for the road conditions, and reduce potential tire failures from both internal and external conditions.

Regulatory compliance and data security is a very big issue when dealing with information technology, that local, national, and international companies face daily. This includes every type of business (public and private), non-profit, and governments. Security incidents can be initiated by internal or external forces from anywhere in the world, a global concern. Global issues face both national and international businesses. Global economy boundaries have been muted in the past few years with the advent of the internet. Each country has created laws or regulatory requirements for the different industries. Treaties have been established between countries, under international law, to provide an agreement on particular subjects. When a company is global, this is compounded by each country their presence is located. Prosecution of data theft in the digital age is becoming prevalent.

When looking at legal and regulatory requirements, they have common thread to address issues stemming from fraud, theft, and malfeasance, from both internal and external threat actors, of a particular data set of information. These threat actors could be located anywhere in the world. Increasing data-breach reports have shown the gaps and holes in the security posture of a company. Criminal organizations are using these security shortfalls to gain sensitive information for profit. Senior management is being held responsible for the security of the data that is within their organization.

Recently, social scientists have studied the problem of compliance in international regulatory issues and international law. The empirical research¹ has showed some key findings:

Compliance is generally adhered to.
The high level of compliance has been achieved with little attention to enforcement.
For those compliance problems that do exist are best addressed as management rather than enforcement problems.
Management rather than enforcement approach holds the key to the evolution of future regulatory cooperation in the international system.

To maintain a competitive edge, business has turned to information technologies to help management achieve their business goals. Computer systems are so entwined with the business process, the business could fail if the systems are compromised. This heavy reliance on information systems has forced companies to re-think about the little boxes that provide so much information to the company. READ MORE!

Posted in ISO 27001, Information Security | No Comments »

Information Security News

Tuesday, February 19th, 2008

1) Lottery Scams Are Latest Spam Fad
According to Microsoft (http://www.microsoft.com), 50% of spam emails are currently lottery scams (usually inviting the victim to claim their "winnings" or similar). Surprisingly, their poll also revealed that 16% of recipients actually opened them, indicating an almost complete lack of security awareness.

2) University Fined For Security Breach
The University of California has agreed to pay the U.S. DoE a $2.8 million fine as a result of a security breach at its Los Alamos National Laboratory. The fine stems from an incident in which a subcontractor’s employee stole classified documents and stored others on a USB drive in 2006.

3) Anti-botnet Charges
The FBI has announced that it has charged eight men with using internet ‘botnets’ to perform fraud and to launch other malicious attacks. The men are alleged to have profited by lifting sensitive credentials off their victims’ computers, releasing DDoS attacks and leasing ‘zombie computers’ to other parties.

4) Vista Security Fixes
Microsoft has released a detailed list of more than 300 security patches within the upcoming initial service pack (SP1) for its Windows Vista operating system. The complete list of SP1 service pack items is posted on Microsoft’s website

5) Security Gap
Gap, the clothing retail outlet, have admitted that the unencrypted Social Security numbers of 800,000 job applicants was stolen from a third-party vendor. The vendor contacted law enforcement authorities about the breach.

6) Software Piracy Settlement
6 US based companies have recently settle claims with the Business Software Alliance (http://www.bsa.org) over use of unlicensed software following self audits. The total settlement was for almost $700k.

Posted in ISO 27001, Information Security | No Comments »

ISO 27001 / ISO 27002: Common Mistakes Part 1

Monday, February 18th, 2008

David Watson was one of the earliest exponents of the standards, and is one of the most well known industry figures. In this series of articles for the ISO 27000 Newsletter he outlines some of the most common errors and mistakes he has encountered over recent years:

COMMUNICATIONS AND OPERATIONS MANAGEMENT (Section 10)
There are often no standards and little or no documentation of the Corporate Systems;

Rarely is there an effective and properly implemented change management process. There are sometimes no formal change management processes or records of change meetings available. Change management meetings often have the wrong level staff attending, have whole business areas that do not/will not get involved, and no minutes for meetings to show changes successfully and unsuccessfully implemented;

There is often no management software for the network, or any form of planning for the IT systems or capacity;

Rarely are Service Level Agreements in place and if they are they are rarely monitored and used effectively. Sometimes the business has unrealistic ideas of IT Service availability and the IT Department cannot meet the requirements without serious investment, which the business may not be willing to provide. This can lead to a breakdown in relationships between business units and IT;

Often the Information Security Manager is not advised of new projects or is so stretched that he cannot make the time to provide assistance;

I often find a backup process that does not provide full backup integrity or recovery capability.

SECURITY POLICY (Section 5)
This can be an enormous can of worms, as policies are:
- Often missing (Some companies do not even have a set of policies!);
- Frequently out of date;
- Often unknown by staff especially third parties and most especially IT Contractors and Consultants;
- Not enforced;

There are often no ecords to show who has received the policy with supporting training, and there is rarely evidence of policy review.

Posted in ISO 27001, Information Security | No Comments »

« Previous Entries

July 2008
M	T	W	T	F	S	S
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30	31	EC

Upcoming Events

No events.

Just as with the Y2K crisis of seven years ago, IT workers are being called upon to don superhero suits and save the enterprise from impending technology trouble. But this time, IT will be sifting through the complexities of the federal Sarbanes-Oxley Act of 2002

Public Companies over 75 million already need to comply by 12/15/2007...

Will your SMB be Ready?

Radian Compliance Management Services

Archive for the 'ISO 27001' Category

Global Security challenges

Article by James Ritchie, former principal auditor, Integralis - April 02 2008

Information Security News

ISO 27001 / ISO 27002: Common Mistakes Part 1

Upcoming Events

Monthly Archives