<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:blogger='http://schemas.google.com/blogger/2008' xmlns:georss='http://www.georss.org/georss' xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-987581787108127885</id><updated>2026-05-27T16:49:36.527-04:00</updated><category term="ISO 27001"/><category term="isms"/><category term="Axur Blog"/><category term="Gap Analysis"/><category term="Research"/><category term="controles"/><category term="eficiência"/><title type='text'>Real ISMS Official Blog - ISO 27001, SaaS &amp; Software</title><subtitle type='html'>ISO 27001 ISMS - Information Security Management Solution (Software &amp;amp; SaaS) - www.realiso.com/realisms</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://axurblog.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default'/><link rel='alternate' type='text/html' href='http://axurblog.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default?start-index=26&amp;max-results=25'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>108</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-987581787108127885.post-8386837931376202974</id><published>2009-01-12T06:02:00.000-05:00</published><updated>2009-01-12T06:13:51.607-05:00</updated><title type='text'>ISO 27001 - The auditor’s perspective</title><content type='html'>&lt;p&gt;Hello readers,&lt;/p&gt; &lt;p&gt;Wish you all a very happy and prosperous 2009.&lt;/p&gt; &lt;p&gt;During the 2nd last week of 2009, I had a meeting with a prospective client who was interested in implementing an ISO 27001 compliant ISMS and getting it certified. One question which they asked was, “Can I see an ISO 27001 system?”. When I requested them to be specific, they said “You know..all the documents, policies, guidelines etc.”. What I could infer from the discussion was that they clearly thought it was a system which was documented.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Tangibles and intangibles in an ISO 27001 ISMS&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;I spent some time explaining to them that the ISO 27001 system consisted of tangibles and intangibles. There are things that you can see, touch and feel, but there are a lot of components that you cannot see, touch or feel. This prompted me to go back to some of my earlier experiences with ISO 27001 customers. 
In most cases, during the initial discussions, most customers were asking the question, “Can I see the ISO 27001 policies that you have created?” During ISO 27001 training sessions, they would invariably ask the question, “Can you give us some sample policies and sample templates using which we can create the policies?” And, when asked why they were always asking for the policies upfront, the answer invariably would be, “Well, that is what we need to pass the audits and get certified right?” This prompted me to think more about this from the customers’ perspective and ask the question, “Are ISO 27001 audits (especially from a certification process) being misinterpreted for their purpose?”&lt;/p&gt; &lt;p&gt;&lt;strong&gt;The smart ISO 27001 auditor looks for..&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;No doubt, documentation is a very important component from a certification process, but from my perspective, an ISO 27001 auditor will look for two things:&lt;/p&gt; &lt;p&gt;1 - The existence of the ISMS&lt;br /&gt;2 - The functioning of the ISMS&lt;/p&gt; &lt;p&gt;Let us examine, “Point 1 - The existence of the ISMS”. This essentially means whether the P-D-C-A (Plan-Do-Check-Act) model is in place and all the required components of the P-D-C-A model exist. This would start from the Scope, the security forum, the asset classification list, risk analysis approach, the actual risk analysis reports, acceptance of risk, risk treatment and actual proof of risk treatment, audits, reviews etc. Some of these components are tangibles and some of them are intangibles. The smart auditor will spend his time first verifying this.&lt;/p&gt; &lt;p&gt;Let us examine, “Point 2 - The functioning of the ISMS”. The functioning of the ISMS is verified through the review and improvement processes, which come in the CHECK and ACT phases. 
The smart auditor will check the internal audit reports, and often ask the question &lt;strong&gt;“Have you done a root cause analysis?”&lt;/strong&gt; This is a very important question because the auditor is probing whether the organization has not just identified the problem, but has gone deep inside to check the root cause of the problem and then solve it. This proves that the ISMS is not just existing, but also functioning.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;The broad picture or the Top-level view&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;So, anyone who is getting ready for an ISO 27001 Implementation and Certification process, please keep the broad picture in mind. This will help you not to get off-track and will help you when you are in a dilemma at certain junctions of the ISO 27001 implementation cycle.&lt;/p&gt; &lt;p&gt;You will have a great ISO 27001 implementation, maintenance and certification experience if you focus on proving two factors.&lt;/p&gt; &lt;p&gt;1) I have an ISMS in my organization&lt;br /&gt;2) My ISMS is functioning well&lt;/p&gt; &lt;p&gt;&amp;amp; if you care to come and check, I shall prove both the above points to you. 
With this attitude you have a winner ISMS in your hands.&lt;/p&gt; &lt;p&gt;Warm regards,&lt;/p&gt; &lt;p&gt;Anup Narayanan&lt;br /&gt;www.isqworld.com (Learning ISO 27001 through storytelling)&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://axurblog.blogspot.com/feeds/8386837931376202974/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/987581787108127885/8386837931376202974' title='32 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/8386837931376202974'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/8386837931376202974'/><link rel='alternate' type='text/html' href='http://axurblog.blogspot.com/2009/01/iso-27001-auditors-perspective.html' title='ISO 27001 - The auditor’s perspective'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>32</thr:total></entry><entry><id>tag:blogger.com,1999:blog-987581787108127885.post-7711489612227273150</id><published>2009-01-12T05:57:00.002-05:00</published><updated>2009-01-12T06:02:19.945-05:00</updated><title type='text'>Key Strategies for Implementing ISO 27001</title><content type='html'>In 1995, the British Standard Institute (BSI) published British Standard (BS) 7799, a widely adopted set of best practices that help organizations implement effective information security management systems (ISMSs) and establish security controls for specific business areas. In October 2005, the standard was adopted by the International Organization for Standardization (ISO). 
As a result, implementing BS 7799 — now ISO 27001: 2005 — has become a major focus of attention for European-based companies and those working in the region.&lt;br /&gt;&lt;br /&gt;Depending on the organization&#39;s size, the nature of its business, and the maturity of its processes, implementing ISO 27001 can involve a substantial investment of resources that requires the commitment of senior management. In addition, because of its emphasis on data security, many internal auditors perceive the standard to be focused solely on technology and often recommend that IT departments comply with the standard&#39;s requirements without understanding the amount of time and resources required for compliance. To ensure across-the-board acceptance and success, initial analyses and planning are vital. Because internal auditors are in the perfect position to add value to an organization&#39;s IT processes, they can help IT departments prepare the groundwork for an effective and efficient ISO 27001 implementation strategy during the initial planning phase. This will help companies ensure their IT processes are better aligned with the standard&#39;s requirements and ensure long-term compliance.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;RECOMMENDATIONS FOR EFFECTIVE ISO 27001 COMPLIANCE&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Implementing ISO 27001 can take time and consume unforeseen resources, especially if companies don&#39;t have an implementation plan early in the compliance process. To enhance compliance efforts, internal auditors can help companies identify their primary business objectives and implementation scope. Auditors should work with IT departments to determine current compliance maturity levels and analyze the compliance process&#39; return on investment. These steps can be conducted by a team of staff members or external consultants who have prior experience implementing the standard. 
External consultants should work in collaboration with an internal team of representatives from the company&#39;s major business units. Below is a description of each recommendation.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;Identify Business Objectives&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Plans to adopt ISO 27001 must be supported by a concrete business analysis that involves listing the primary business objectives and ensuring a consensus is reached with key stakeholders. Business objectives can be derived from the company&#39;s mission, strategic plan, and existing IT goals and may include:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Ensuring effective risk management, such as identifying information assets and conducting accurate risk assessments.&lt;/li&gt;&lt;li&gt;Maintaining the company&#39;s competitive advantage, if the industry as a whole deals with sensitive information.&lt;/li&gt;&lt;li&gt;Preserving the organization&#39;s reputation and standing among industry leaders.&lt;/li&gt;&lt;li&gt;Providing assurance to customers and partners about the organization’s commitment to protecting data.&lt;/li&gt;&lt;li&gt;    Increasing the company&#39;s revenue, profitability, and savings in areas where protective controls operate well. &lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;The standard also emphasizes compliance with contractual obligations, which might be considered another key business objective. For instance, for an online banking division, implementing the standard would provide customers and partners greater assurance that risks stemming from the use of information systems are managed properly.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;Select the Proper Scope of Implementation&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Identifying the scope of implementation can save the organization thousands of dollars and time. 
In many instances, it is not necessary for an organization to adopt companywide implementation of a standard. The scope of compliance can be restricted to a specific division, business unit, type of service, or physical location. In addition, once successful compliance has been achieved for a limited, but relevant scope, it can be expanded to other divisions or locations.&lt;br /&gt;&lt;br /&gt;Choosing the right scope is one of the most important factors throughout the compliance cycle, because it affects the feasibility and cost of the standard&#39;s implementation and the organization&#39;s return on investment. As a result, it is important for the selected scope to help achieve the identified business objectives. To do this, the organization may evaluate different scope options and rank them based on how well they fit with each objective.&lt;br /&gt;&lt;br /&gt;Organizations also may want to sign memorandums of understanding (MOU) or service level agreements (SLAs) with vendors and partners to implement a form of indirect compliance to the standard. For example, a garment manufacturing company may have a contract with a software provider for application maintenance and upgrades. Therefore, the manufacturing company will not be responsible for the application’s system development life cycle compliance with the standard, as long as it has a relevant MOU or SLA signed with the software vendor.&lt;br /&gt;&lt;br /&gt;Finally, the organization&#39;s overall scale of operations is an integral parameter needed to determine the compliance process&#39; complexity level. 
To find out the appropriate scale of operations, organizations need to consider their number of employees, business processes, work locations, and products or services offered.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;Determine ISO 27001 Maturity Levels&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;When assessing the organization’s compliance maturity level, auditors should determine whether or not the implementation team is able to answer the following questions:&lt;br /&gt;&lt;br /&gt;   &lt;span style=&quot;font-weight: bold; color: rgb(204, 0, 0);&quot;&gt;Does a document exist that specifies the scope of compliance?&lt;/span&gt;&lt;br /&gt;     According to ISO 27001, a scope document is required when planning the standard&#39;s implementation. The document must list all the business processes, facilities, and technologies available within the organization, along with the types of information within the ISMS. When identifying the scope of compliance, companies must clearly define the dependencies and interfaces between the organization and external entities.&lt;br /&gt;  &lt;br /&gt;     &lt;span style=&quot;font-weight: bold; color: rgb(204, 0, 0);&quot;&gt;Are business processes and information flows clearly defined and documented?&lt;/span&gt;&lt;br /&gt;     Answering this question helps to determine the information assets within the scope of compliance and their importance, as well as to design a proper set of controls to protect information as it is stored, processed, and transmitted across various departments and business units.&lt;br /&gt;  &lt;br /&gt;     &lt;span style=&quot;font-weight: bold; color: rgb(204, 0, 0);&quot;&gt;Does a list of information assets exist? Is it current?&lt;/span&gt;&lt;br /&gt;     All assets that may affect the organization&#39;s security should be included in an information asset list. 
Information assets typically include software, hardware, documents, reports, databases, applications, and application owners. A structured list must be maintained that includes individual assets or asset groups available within the company, their location, use, and owner. The list should be updated regularly to ensure accurate information is reviewed during the compliance certification process.&lt;br /&gt;  &lt;br /&gt;     &lt;span style=&quot;font-weight: bold; color: rgb(204, 0, 0);&quot;&gt;How are information assets classified?&lt;/span&gt;&lt;br /&gt;     Information assets must be classified based on their importance to the organization and level of impact, and whether their confidentiality, availability, and integrity could be compromised.&lt;br /&gt;  &lt;br /&gt;     &lt;span style=&quot;font-weight: bold; color: rgb(204, 0, 0);&quot;&gt;Is a high-level security policy in place?&lt;/span&gt;&lt;br /&gt;     Critical to implementing an information security standard is a detailed security policy. The policy must clearly convey management&#39;s commitment to protecting information and establish the business&#39; overall security framework and sense of direction. It should also identify all security risks, how they will be managed, and the criteria needed to evaluate risks.&lt;br /&gt;  &lt;br /&gt;     &lt;span style=&quot;font-weight: bold; color: rgb(204, 0, 0);&quot;&gt;Has the organization implemented a risk assessment process?&lt;/span&gt;&lt;br /&gt;     A thorough risk assessment exercise must be conducted that takes into account the value and vulnerabilities of corporate IT assets, the internal processes and external threats that could exploit these vulnerabilities, and the probability of each threat. 
If a risk assessment methodology is in place, the standard recommends that organizations continue using this methodology.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;color: rgb(204, 0, 0); font-weight: bold;&quot;&gt;      Is a controls list available?&lt;/span&gt;&lt;br /&gt;     Necessary controls should be identified based on risk assessment information and the organization&#39;s overall approach for mitigating risk. Selected controls should then be mapped to Annex A of the standard — which identifies 133 controls divided into 11 domains — to complete a statement of applicability (SOA) form. A full review of Annex A acts as a monitoring mechanism to identify whether any control areas have been missed in the compliance planning process.&lt;br /&gt;  &lt;br /&gt;&lt;span style=&quot;font-weight: bold; color: rgb(204, 0, 0);&quot;&gt;      Are security procedures documented and implemented?&lt;/span&gt;&lt;br /&gt;     Steps must be taken to maintain a structured set of documents detailing all IT security procedures, which must be documented and monitored to ensure they are implemented according to established security policies.&lt;br /&gt;  &lt;br /&gt;     &lt;span style=&quot;font-weight: bold; color: rgb(204, 0, 0);&quot;&gt;Is there a business continuity (BC) management process in place?&lt;/span&gt;&lt;br /&gt;     A management process must be in place that defines the company&#39;s overall BC framework. 
A detailed business impact analysis based on the BC plan should be drafted, tested, and updated periodically.&lt;br /&gt;  &lt;br /&gt;     &lt;span style=&quot;font-weight: bold; color: rgb(204, 0, 0);&quot;&gt;Has the company implemented a security awareness program?&lt;/span&gt;&lt;br /&gt;     Planning and documentation efforts should be accompanied by a proper IT security awareness program so that all employees receive training on information security requirements.&lt;br /&gt;  &lt;br /&gt;     &lt;span style=&quot;color: rgb(204, 0, 0); font-weight: bold;&quot;&gt;Was an internal audit conducted?&lt;/span&gt;&lt;br /&gt;     An internal audit must be conducted to ensure compliance with the standard and adherence to the organization’s security policies and procedures.&lt;br /&gt;  &lt;br /&gt;     &lt;span style=&quot;font-weight: bold; color: rgb(204, 0, 0);&quot;&gt;Was a gap analysis conducted?&lt;/span&gt;&lt;br /&gt;     Another important parameter to determine is the organization&#39;s level of compliance with the 133 controls in the standard. A gap analysis helps organizations link appropriate controls with the relevant business unit and can take place during any stage of the compliance process. Many organizations conduct the gap analysis at the beginning of the compliance process to determine the company&#39;s maturity level.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight: bold; color: rgb(204, 0, 0);&quot;&gt;Were corrective and preventive actions identified and implemented?&lt;/span&gt;&lt;br /&gt;     The standard adheres to the Plan-Do-Check-Act (PDCA) cycle to help the organization know how far and how well it has progressed along this cycle. This directly influences the time and cost estimates to achieve compliance. 
To complete the PDCA cycle, the gaps identified in the internal audit must be addressed by identifying the corrective and preventive controls needed and the company&#39;s compliance based on the gap analysis.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight: bold; color: rgb(204, 0, 0);&quot;&gt;Are there mechanisms in place to measure control effectiveness?&lt;/span&gt;&lt;br /&gt;     Measuring control effectiveness is one of the latest changes to the standard. According to ISO 27001, organizations must institute metrics to measure the effectiveness of the controls and produce comparable and reproducible results.&lt;br /&gt;  &lt;br /&gt;     &lt;span style=&quot;font-weight: bold; color: rgb(204, 0, 0);&quot;&gt;Is there a management review of the risk assessment and risk treatment plans?&lt;/span&gt;&lt;br /&gt;     Risk assessments and risk treatment plans must be reviewed at planned intervals at least annually as part of the organization&#39;s ISMS management review.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight: bold; color: rgb(204, 0, 0);&quot;&gt;Analyze Return on Investment&lt;/span&gt;&lt;br /&gt;Based on the groundwork done so far, companies should be able to arrive at approximate time and cost estimates to implement the standard for each of the scope options. Organizations need to keep in mind that the longer it takes to get certified, the greater the consulting costs or internal staff effort. For example, implementation costs become even more critical when implementation is driven by market or customer requirements. Therefore, the longer compliance takes, the longer the organization will have to wait to reach the market with a successful certification.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;MOVING FORWARD&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Implementing ISO 27001 requires careful thought, planning, and coordination to ensure a smooth control adoption. 
The decision of when and how to implement the standard may be influenced by a number of factors, including different business objectives, existing levels of IT maturity and compliance efforts, user acceptability and awareness, customer requirements or contractual obligations, and the ability of the organization to adapt to change and adhere to internal processes.&lt;br /&gt;&lt;br /&gt;To learn more about the standard, BSI has prepared a guidance document available on its Web site, http://asia.bsi-global.com/InformationSecurity/ISO27001+Guidance/download.xalter. In addition, the Standards Direct Web site, www.standardsdirect.org/iso27001.htm, covers the latest version of the standard.&lt;br /&gt;&lt;br /&gt;K. K. Mookhey is the founder and principal consultant of Network Intelligence India (NII) Pvt. Ltd., an IT security consulting firm located in Mumbai, India, that offers ethical hacking, security auditing, BS 7799, and business continuity management services. Mookhey has worked on research projects for ISACA and has published several articles and white papers. He also has led teams on numerous security audit and implementation assignments and has trained people from the Big Four accounting firms and Fortune 500 companies on IT security issues.&lt;br /&gt;Khushbu Jithra has been part of all information security documentation projects for NII and helps to conduct security research for the organization. 
In addition, she drafts and reviews commercial proposals and security consulting reports, especially those dealing with penetration testing, vulnerability assessment, ISO 27001, and security audits.</content><link rel='replies' type='application/atom+xml' href='http://axurblog.blogspot.com/feeds/7711489612227273150/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/987581787108127885/7711489612227273150' title='31 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/7711489612227273150'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/7711489612227273150'/><link rel='alternate' type='text/html' href='http://axurblog.blogspot.com/2009/01/key-strategies-for-implementing-iso.html' title='Key Strategies for Implementing ISO 27001'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>31</thr:total></entry><entry><id>tag:blogger.com,1999:blog-987581787108127885.post-3744826523969050803</id><published>2009-01-12T05:53:00.000-05:00</published><updated>2009-01-12T05:55:21.835-05:00</updated><title type='text'>Nhava Sheva becomes India&#39;s first security certified terminal</title><content type='html'>DUBAI: Global marine terminal operator DP World&#39;s Nhava Sheva International Container Terminal (NSICT) in India, has become the country&#39;s first to achieve ISO 28000:2007 certification in supply chain security management systems.&lt;br /&gt;&lt;br /&gt;With the certification announced yesterday, the terminal also known as DP World Nhava Sheva has become the 15th among the giant operator&#39;s network of 48 terminals worldwide, to get the distinction.&lt;br /&gt;&lt;br /&gt;The 
certification, undertaken by the independent Rotterdam-based Dutch auditing firm and maritime classification society Det Norske Veritas (DNV), validates the NSICT&#39;s mechanisms and processes to address security vulnerabilities at strategic and operational levels, as well as its preparedness for preventive action plans.&lt;br /&gt;&lt;br /&gt;The Nhava Sheva terminal, which boasts state-of-the-art infrastructure and world-class services, is already certified for ISO 9001, ISO 14001, OHSAS 18001 and ISO 27001 management systems.&lt;br /&gt;&lt;br /&gt;The terminal was granted the certification after a thorough security audit of the facility, focused principally on container security, physical access controls, personnel security, procedural security, security training and threat awareness, business partner requirements and IT security.&lt;br /&gt;&lt;br /&gt;&quot;Having an internationally recognised and certified security management system will greatly benefit DP World&#39;s customers and other terminal users and stakeholders who can now be assured that robust systems are in place to provide for the safety of their cargo and people using the terminal facilities in DP World Nhava Sheva,&quot; DP World Nhava Sheva&#39;s CEO, Capt Rustom Dastoor, said.&lt;br /&gt;&lt;br /&gt;Its investment in the ISO security management system has been recognised by the US Customs and Border Protection agency, which invited DP World to join its Customs Trade Partnership Against Terrorism (C-TPAT) programme. 
&lt;br /&gt;&lt;br /&gt;Source: http://economictimes.indiatimes.com/</content><link rel='replies' type='application/atom+xml' href='http://axurblog.blogspot.com/feeds/3744826523969050803/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/987581787108127885/3744826523969050803' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/3744826523969050803'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/3744826523969050803'/><link rel='alternate' type='text/html' href='http://axurblog.blogspot.com/2009/01/nhava-sheva-becomes-indias-first.html' title='Nhava Sheva becomes India&#39;s first security certified terminal'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-987581787108127885.post-2850276652497308791</id><published>2009-01-04T05:55:00.000-05:00</published><updated>2009-01-12T05:57:03.422-05:00</updated><title type='text'>VanceInfo Achieves ISO 27001 Security Certification</title><content type='html'>BEIJING, Dec. 15 /PRNewswire-Asia/ -- VanceInfo Technologies Inc. (&quot;VanceInfo&quot; or the &quot;Company&quot;), an IT service provider and one of the leading offshore software development companies in China, today announced that it has achieved the International Organization for Standardization (&quot;ISO&quot;) 27001 certification for Shanghai VanceInfo Technologies Limited (&quot;Shanghai VanceInfo&quot;), one of the Company&#39;s major subsidiaries.&lt;br /&gt;&lt;br /&gt;ISO creates standards that specify worldwide requirements for products, services, processes, materials and systems. 
ISO 27001 is the international standard developed specifically for Information Security Management Systems (&quot;ISMS&quot;), requiring that a company use a systematic approach to managing sensitive corporate information and ensuring data security. VanceInfo&#39;s recent certification recognizes the Company&#39;s adoption of an effective information security system that complies with one of the highest established international standards.&lt;br /&gt;&lt;br /&gt;&quot;The protection of customers&#39; information, particularly intellectual property and trade secrets, is a top priority for VanceInfo. We strive to safeguard the integrity, availability and confidentiality of the data of our clients and business partners,&quot; said David Chen, President of VanceInfo. &quot;As one of the leading providers of offshore software development, VanceInfo has a longstanding commitment to applying best practices and technologies to software development for our clients. Achieving the ISO 27001 certification today and the CMMI Level 5 certification a quarter ago serves as confirmation that VanceInfo has made continuous efforts to meet the industry&#39;s most stringent standards.&quot;&lt;br /&gt;&lt;br /&gt;The ISO 27001 certification was awarded after a detailed assessment of information security management in Shanghai VanceInfo&#39;s processes of software architecture, development and testing. This accreditation marks another major step of VanceInfo toward achieving operational excellence and maximizing customer trust and confidence in the Company&#39;s IT infrastructure and security capabilities. The ISO 27001 certification will position VanceInfo with enhanced strengths in foreign markets where ISO standards provide uniformity across national and regional boundaries.&lt;br /&gt;&lt;br /&gt;About VanceInfo&lt;br /&gt;&lt;br /&gt;VanceInfo Technologies Inc. is an IT service provider and one of the leading offshore software development companies in China. 
VanceInfo was the first China software development outsourcer listed on the New York Stock Exchange.&lt;br /&gt;&lt;br /&gt;The Company ranked number one among Chinese offshore software development service providers for the North American and European markets as measured by 2007 revenues, according to International Data Corporation, or IDC, a leading independent market research firm.&lt;br /&gt;&lt;br /&gt;VanceInfo&#39;s comprehensive range of IT services includes research &amp; development services, enterprise solutions, application development &amp; maintenance, quality assurance &amp; testing, and globalization &amp; localization. VanceInfo provides these services primarily to corporations headquartered in the United States, Europe, Japan, and China, targeting high growth industries such as technology, telecommunications, financial services, manufacturing, retail and distribution.&lt;br /&gt;&lt;br /&gt;Safe Harbor&lt;br /&gt;&lt;br /&gt;This press release includes statements that may constitute forward-looking statements made pursuant to the safe harbor provisions of the U.S. Private Securities Litigation Reform Act of 1995. These forward-looking statements can be identified by terminology such as will, should, expects, anticipates, future, intends, plans, believes, estimates, and similar statements. Such statements are subject to risks and uncertainties that could cause actual results to differ materially from those projected. Further information regarding these and other risks is included in VanceInfo&#39;s filings with the U.S. Securities and Exchange Commission, including its registration statement on Form F-1. 
All information provided in this press release and in the attachments is as of December 15, 2008, and VanceInfo does not undertake any obligation to update any forward-looking statement as a result of new information, future events or otherwise, except as required under applicable law.&lt;br /&gt;&lt;br /&gt;Source: http://findarticles.com/</content><link rel='replies' type='application/atom+xml' href='http://axurblog.blogspot.com/feeds/2850276652497308791/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/987581787108127885/2850276652497308791' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/2850276652497308791'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/2850276652497308791'/><link rel='alternate' type='text/html' href='http://axurblog.blogspot.com/2009/01/vanceinfo-achieves-iso-27001-security.html' title='VanceInfo Achieves ISO 27001 Security Certification'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-987581787108127885.post-4194568888385573551</id><published>2008-12-23T08:52:00.003-05:00</published><updated>2008-12-23T10:48:29.712-05:00</updated><title type='text'>What It Means To Be ISO 27001 Certified - Benefits and Potential Payoffs</title><content type='html'>Mark Bernard is the Security &amp; Privacy Officer at Credit Union Central of British Columbia. Today, Mark&#39;s credit union is the first financial institution to achieve ISO 27001 certification. 
Mark discusses ISO 27001 certification and its benefits with BankInfoSecurity.com.&lt;br /&gt;&lt;br /&gt;Background: ISO 27001 is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO). The certification ensures that effective security controls and policies are in place. The certification process is a measurement of the performance of best security practices and identification of opportunities to improve those practices. It basically involves testing the existence and effectiveness of the information security controls at any given institution.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight:bold;&quot;&gt;Benefits/ Payoffs of ISO 27001 Certification&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The Credit Union Central of British Columbia has changed remarkably in its level of security awareness, and the credit union system has gone up substantially. People now recognize, or are realizing, the value of having an information security credential such as this, and it is helping the institution to identify information security issues and address them more effectively.&lt;br /&gt;&lt;br /&gt;As an institution in general, the culture has benefited as well. It&#39;s more focused on information security now, and the identification of assets and how the credit union treats assets, threats, risk and the vulnerabilities associated with those assets have been very positive.&lt;br /&gt;&lt;br /&gt;Such involvement also boosts the team culture that remains, and this team effort can be effectively channelled into other business areas.&lt;br /&gt;&lt;br /&gt;The ISO framework provides many opportunities for improvement, to draw up new sets of controls and to manage those more effectively than they have been in the past. 
Also, because the ISO framework already exists, the credit union is looking at other standards such as BS 25999, the Business Continuity Standard, and integrating those controls within the ISMS.&lt;br /&gt;&lt;br /&gt;Becoming ISO certified also made a big difference to the institution economically by reducing the number of external consulting engagements that were necessary, which had cost hundreds of thousands of dollars. And now the credit union has a bona fide external audit group that comes by twice a year to monitor their activity and provide a list of opportunities for improvement.</content><link rel='replies' type='application/atom+xml' href='http://axurblog.blogspot.com/feeds/4194568888385573551/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/987581787108127885/4194568888385573551' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/4194568888385573551'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/4194568888385573551'/><link rel='alternate' type='text/html' href='http://axurblog.blogspot.com/2008/12/what-it-means-to-be-iso-27001-certified.html' title='What It Means To Be ISO 27001 Certified - Benefits and Potential Payoffs'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-987581787108127885.post-1228314189492243349</id><published>2008-12-18T14:04:00.000-05:00</published><updated>2008-12-18T14:06:42.765-05:00</updated><title type='text'>Promoting accountability through ISO/IEC 27001 &amp; 27002</title><content type='html'>As organisations go, there are those that welcome internationally recognised standards 
with open arms, and those that shy away citing cost or even applicability.&lt;br /&gt;&lt;br /&gt;However, there is a need for standards within all organisations, regardless of size or market. It is in defining the Statements of Applicability (SoA) that the project becomes both relevant and cost-effective.&lt;br /&gt;&lt;br /&gt;There is &quot;information&quot; within every organisation that is relied upon, so a system is required to manage its security. At the least, we need to ensure that the information is viable for its purpose.&lt;br /&gt;&lt;br /&gt;Combined, these provide best practice guidance and a framework for an information security management system (ISMS) - ISO/IEC 27001 - and the management thereof - ISO/IEC 27002 - for the protection, confidentiality, integrity and availability of the information assets upon which an organisation depends.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight:bold;&quot;&gt;Code of practice&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;ISO/IEC 27002 is merely a code of practice, so organisations are free to implement controls as they see fit, and the ISO/IEC 27001 standard incorporates only a simple summary of such controls and does not mandate any.&lt;br /&gt;&lt;br /&gt;An important element is the definition of the SoA, among other scoping documents.&lt;br /&gt;&lt;br /&gt;Through the SoA you are free to broaden or narrow the scope of certification, as you see fit, limiting the focus of any analysis. Understanding the SoA is crucial to attaching meaning to the certificate.&lt;br /&gt;&lt;br /&gt;If you only define &quot;the HR department&quot;, the associated certificate says nothing about the state of information security in &quot;procurement&quot;, &quot;manufacturing&quot;, &quot;the IT department&quot; or even the organisation as a whole. 
You set the scope.&lt;br /&gt;&lt;br /&gt;Similarly, if the SoA asserts that some technical controls are not necessary for specified reasons, the assessing body will check that assertion but will not otherwise certify or fail those controls or the lack of them. In fact, no technical controls may be assessed at all as part of the assessment as ISO/IEC 27001 is primarily a management standard and compliance requires only that the organisation has a suite of management controls in place. If you feel a control is not necessary, giving a valid reason should suffice.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight:bold;&quot;&gt;Start small&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Look towards the information assets you currently manage or those you feel you can easily manage within the reduced scope, define a narrow SoA focused on what is already known and document your process to define, design, implement and manage these controls, including those &quot;few&quot; controls that may be missing.&lt;br /&gt;&lt;br /&gt;Beyond certification or having marketing potential the process of assessment should confirm or improve accountability internally for information asset interfaces with wider business functions and third parties, confirming the scope for use of information assets with those partners.&lt;br /&gt;&lt;br /&gt;Certification is optional, but is increasingly being mandated from suppliers and business partners concerned about their information security and the security of shared or common information.&lt;br /&gt;&lt;br /&gt;Bodies such as the British Standards Institution, the National Institute of Science and Technology and various national bodies are issuing approximately 1,000 certificates per year - and the trend is growing.&lt;br /&gt;&lt;br /&gt;By concentrating on the known information assets of a small business function, defining your ISMS to manage these will get you on the ladder and act as a springboard to widen your certification later.&lt;br 
/&gt;&lt;br /&gt;&lt;span style=&quot;font-weight:bold;&quot;&gt;ISO/IEC 27001 &lt;/span&gt;&lt;br /&gt; &lt;br /&gt;&lt;br /&gt;ISO/IEC 27001 is a formal standard towards which your organisation can attain independent certification of its frameworks to systematically and consistently design, implement, manage, maintain and enforce information security processes and controls - an information security management system (ISMS).&lt;br /&gt;&lt;br /&gt;It covers any organisation (commercial business, government body or non-profit organisation), specifying the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a well-documented ISMS, within the context of the organisation&#39;s overall risk management processes.&lt;br /&gt;&lt;br /&gt;It defines the requirements for custom security controls that meet the specific needs of the organisation or, importantly, any specified part or department thereof.&lt;br /&gt;&lt;br /&gt;Source: http://www.computerweekly.com&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-style:italic;&quot;&gt;David Gregg is an infrastructure and security consultant at The Logic Group&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://axurblog.blogspot.com/feeds/1228314189492243349/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/987581787108127885/1228314189492243349' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/1228314189492243349'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/1228314189492243349'/><link rel='alternate' type='text/html' href='http://axurblog.blogspot.com/2008/12/promoting-accountability-through-isoiec.html' title='Promoting accountability through ISO/IEC 27001 &amp; 
27002'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-987581787108127885.post-959124931349788388</id><published>2008-12-18T14:00:00.001-05:00</published><updated>2008-12-18T14:03:21.134-05:00</updated><title type='text'>The growing accreditation of IT security tools and processes</title><content type='html'>Vincent Villers, Partner at PwC Luxembourg and Marc Sel, Director at PwC Belgium&lt;br /&gt;Business review, December 2008&lt;br /&gt;&lt;br /&gt;For a long time, Information Security has had many technical standards but has been lacking a minimal consensus in the area of management and responsibilities. The BSI (British Standards Institute) put forward their 7799 standards, which were well accepted and evolved into the ISO (International Standards Organisation) world. 
Fundamental to the ISMS (Information Security Management System) standard is the typical management organisation model ‘Plan-Do-Check-Act’:&lt;br /&gt;&lt;br /&gt;&lt;a onblur=&quot;try {parent.deselectBloggerImageGracefully();} catch(e) {}&quot; href=&quot;http://www.pwc.com/extweb/ncpressrelease.nsf/42e3ba9660db98bc80257148004ee49a/cefef1398ae629ce802575210031be2f/Body/71.4962?OpenElement&amp;FieldElemFormat=gif&quot;&gt;&lt;img style=&quot;display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 498px; height: 269px;&quot; src=&quot;http://www.pwc.com/extweb/ncpressrelease.nsf/42e3ba9660db98bc80257148004ee49a/cefef1398ae629ce802575210031be2f/Body/71.4962?OpenElement&amp;FieldElemFormat=gif&quot; border=&quot;0&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;ISO 27001 is commonly used as a term to refer to a family of interrelated standards:&lt;br /&gt;&lt;br /&gt;• 27000 ISMS fundamentals and vocabulary&lt;br /&gt;• 27001 ISMS requirements (absorbing parts of ISO 13335)&lt;br /&gt;• 27002 Code of practice (based on the BSI 7799)&lt;br /&gt;• 27003 ISMS implementation guidelines&lt;br /&gt;• 27004 Information security management measurements&lt;br /&gt;• 27005 ISMS risk management (absorbing parts of ISO 13335)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight:bold;&quot;&gt;Structure of ISO 27001&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The main standard document ISO 27001 addresses requirements for the Information Security Management System, as well as how to establish, manage and monitor the ISMS. It continues by addressing ISMS responsibilities, as well as audit and management review aspects.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight:bold;&quot;&gt;The ISO 27001 certification process&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;In many countries, certification bodies have been established under the umbrella of accreditation bodies. 
For example, one of the authors, Marc Sel, is an accredited Lead Auditor for PwC’s Certification Body ‘PwCC B.V.’, which is on a peer level with the BSI, TÜV and KEMA [1]. PwCC B.V. is in turn accredited by the Dutch Accreditation Body (‘Raad voor Accreditatie’).&lt;br /&gt;&lt;br /&gt;The International Register of ISMS accredited certificates lists those certificates that have been awarded to organisations that have gone through an accredited certification process in line with the ISMS standard BS 7799 Part 2:2002 and ISO/IEC 27001:2005 (i.e. the revised version of BS 7799 Part 2:2002).&lt;br /&gt;&lt;br /&gt;This register has been produced in cooperation with the international network of certification bodies and is managed and maintained by the ISMS International User Group (IUG). It is updated on a regular basis in co-operation with the certification bodies. The entries in this register have been supplied by those certification bodies that have carried out the ISMS certification.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight:bold;&quot;&gt;The increasing interest in ISO 27001 certification&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;As of November 2008, almost 5,000 ISMS certificates had been issued (4,987 to be precise [2]). The top five countries with the highest number of certificates today are Japan, India, the UK, Taiwan and China. They are followed by Germany and the USA.&lt;br /&gt;&lt;br /&gt;The best advice to follow is to centralise core IT services in larger data centres. For example, the data centres of PwC Yemen, UK, Hong Kong, China, and USA have been secured by ourselves and accredited by the BSI against ISO 27001:2005. This gives us a strong background when helping customers prepare for such certification or improve their security posture.&lt;br /&gt;&lt;br /&gt;In Luxembourg, only one company is registered as being accredited against the standard so far. 
However, considering the current trend of financial institutions to focus on their core business by outsourcing several functions, coupled with the increasing need to embed trust in business relationships, all conditions are in place for a growing interest in this certification. Indeed, unlike the current perception of other standards, ISO 27001:2005 relies upon clear requirements and implementation guidelines that provide sufficient transparency to bring the required level of comfort that an accredited company meets an adequate level of security, and so builds trust with its stakeholders. The implementation of an ISO 27001 ISMS is clearly becoming an optimal approach to help organisations tackle the current regulatory requirements with regard to Information Technology controls.&lt;br /&gt;&lt;br /&gt;Finally, rather than individually answering each request for compliance, it is advisable to look at the requirements holistically and build a framework that allows compliance to be demonstrated against a broad set of regulations, re-using the same set of well-defined controls. 
The implementation of such a control framework makes demonstrating compliance significantly less expensive.&lt;br /&gt;&lt;br /&gt;[1] BSI British Standards is the National Standards Body of the UK; TÜV Rheinland Group is a leading provider of technical services worldwide; KEMA is a commercial enterprise, specializing in high-grade business and technical consultancy, inspections and measurement, testing and certification.&lt;br /&gt;[2] The status of the official ISO 27001 certificates is available at www.iso27001certificates.com&lt;br /&gt;&lt;br /&gt;Source: PwC</content><link rel='replies' type='application/atom+xml' href='http://axurblog.blogspot.com/feeds/959124931349788388/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/987581787108127885/959124931349788388' title='31 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/959124931349788388'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/959124931349788388'/><link rel='alternate' type='text/html' href='http://axurblog.blogspot.com/2008/12/growing-accreditation-of-it-security.html' title='The growing accreditation of IT security tools and processes'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>31</thr:total></entry><entry><id>tag:blogger.com,1999:blog-987581787108127885.post-1825799599305086842</id><published>2008-12-15T14:08:00.000-05:00</published><updated>2008-12-18T14:09:06.019-05:00</updated><title type='text'>VanceInfo Technologies gets ISO 27001 certification for Shanghai VanceInfo Technologies</title><content type='html'>VanceInfo Technologies Inc. 
(VIT) on Monday said it achieved the International Organization for Standardization 27001 certification for its subsidiary Shanghai VanceInfo Technologies Limited. VanceInfo&#39;s recent certification recognizes the company&#39;s adoption of an effective information security system that complies with one of the highest established international standards.&lt;br /&gt;&lt;br /&gt;VanceInfo Technologies Inc. is an IT service provider and an offshore software development company in China.</content><link rel='replies' type='application/atom+xml' href='http://axurblog.blogspot.com/feeds/1825799599305086842/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/987581787108127885/1825799599305086842' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/1825799599305086842'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/1825799599305086842'/><link rel='alternate' type='text/html' href='http://axurblog.blogspot.com/2008/12/vanceinfo-technologies-gets-iso-27001.html' title='VanceInfo Technologies gets ISO 27001 certification for Shanghai VanceInfo Technologies'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-987581787108127885.post-3490682580611558239</id><published>2008-12-09T06:59:00.000-05:00</published><updated>2008-12-09T07:00:04.140-05:00</updated><title type='text'>Gary Hinson on ISO/IEC 27000</title><content type='html'>Few doubt that a major consequence of the current economic meltdown will be more regulations for the private sector to follow. 
New regulations almost always mean more spending on security and privacy controls. For a glimpse of what to expect, CSO turned to Gary Hinson, a New Zealand-based IT governance specialist and CEO of IsecT Ltd.&lt;br /&gt;&lt;br /&gt;Hinson says to expect changes in the coming year, but they won&#39;t necessarily be tied to new regulations born of the financial crisis. Instead, his focus is on changes for the ISO/IEC 27000 family of standards. His efforts to help security pros understand the standards include a regularly-updated website: ISO27001security.com. Hinson spoke with CSOonline.com Senior Editor Bill Brenner about the nature and timing of updates to these important standards.&lt;br /&gt;&lt;br /&gt;Where do you see the most significant regulatory changes in 2009?&lt;br /&gt;There are a number of planned changes to the ISO/IEC 27000 family of Information Security Management System (ISMS) standards (collectively &quot;ISO27k&quot;) over the next year or so, with several additional standards currently under development, several standards about to be released and earlier releases undergoing planned revision.&lt;br /&gt;&lt;br /&gt;Let&#39;s start with the planned revisions.&lt;br /&gt;Work is under way within JTC1/SC27, the ISO/IEC committee responsible for ISO27k, to review and where necessary adapt ISO/IEC 27001 and 27002. Both standards are being actively used around the world of course, making it likely that changes will be relatively limited in order to avoid disrupting the existing implementations and particularly the certification processes. I believe that in Japan, for instance, ISO/IEC 27002 is specifically recommended if not required to satisfy the Japanese privacy/data protection laws, with organizations being compliance-assessed against the code of practice although it was not originally intended by ISO/IEC to be used in that manner. 
No one really knows how many organizations have adopted ISO/IEC 27002 globally but I would guess it must be in the hundreds of thousands by now.&lt;br /&gt;&lt;br /&gt;In revising ISO/IEC 27002, what are you pressing the committee to focus on?&lt;br /&gt;&lt;br /&gt;   1. Address and resolve the confusion around &quot;information security policy&quot; versus &quot;ISMS policy&quot; -- the latter being closer to strategy, as far as I can see.&lt;br /&gt;   2. Expand on the concept of personal accountability versus responsibility and clarify what is meant by &quot;information asset.&quot;&lt;br /&gt;   3. Expand on typical computer room controls, for example environmental monitoring with local and remote alarms for fire, water, intrusion, power problems etc.&lt;br /&gt;   4. Update section 10.8 &quot;Exchange of information&quot; to improve coverage of mobile code, Web 2.0/Software As A Service etc. [Technical advances are a tricky area for ISO27k since publication of the standards is such a long, slow process. They try as far as possible to keep the standards technology-neutral, but this can result in them lacking guidance in some areas.]&lt;br /&gt;   5. Expand section 11.2 on &quot;User access management&quot; to include more on identification and especially authentication of remote users.&lt;br /&gt;   6. Provide pragmatic guidance on security testing of new/changed application systems in section 12.&lt;br /&gt;   7. Expand section 14 on &quot;Business continuity management&quot; to cover resilience as well as disaster recovery. This section would also benefit from more explanation of &quot;contingency.&quot;&lt;br /&gt;   8. Update section 15 to reflect legal and regulatory changes such as the rise of e-discovery, document/e-mail retention and increasing use of computer data as evidence in court.&lt;br /&gt;   9. Emphasize the value of IT auditing processes in section 15.3. 
&lt;br /&gt;&lt;br /&gt;Source: CSO Online</content><link rel='replies' type='application/atom+xml' href='http://axurblog.blogspot.com/feeds/3490682580611558239/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/987581787108127885/3490682580611558239' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/3490682580611558239'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/3490682580611558239'/><link rel='alternate' type='text/html' href='http://axurblog.blogspot.com/2008/12/gary-hinson-on-isoiec-27000.html' title='Gary Hinson on ISO/IEC 27000'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-987581787108127885.post-871840445486339654</id><published>2008-11-13T11:33:00.000-05:00</published><updated>2008-11-13T11:41:06.305-05:00</updated><title type='text'>Employee education key to successful enterprise security</title><content type='html'>Money can buy you many things, it seems, but not perfect security. Organisations have been investing in IT security over the past few years, but laptops and disks full of sensitive data are still going missing and corporate networks are still being hacked.&lt;br /&gt;&lt;br /&gt;In all these breaches, the common link has become increasingly obvious: employees. 
Whether they are failing to abide by corporate policies, simply don&#39;t know about them, or work in a company that has no security policies in place, staff are mailing out millions of user accounts without proper encryption, giving out passwords over the phone and double-clicking on attachments that promise naughty pictures of Angelina Jolie.&lt;br /&gt;&lt;br /&gt;A recent survey of 1,000 IT managers by mobile data security specialist SafeBoot showed that 54 per cent of respondents felt that the majority of their employees ignore company security policies, mainly due to a lack of understanding and &quot;not taking it seriously&quot;.&lt;br /&gt;&lt;br /&gt;The answer then should be clear: educate employees about the risks and what they should be doing to reduce them. And indeed, some companies are already doing that. But SafeBoot&#39;s research shows that 98 per cent of IT managers rely on memos and emails to communicate security. As Tom de Jongh, product manager at SafeBoot, points out: &quot;You can&#39;t trust employees to read memos.&quot;&lt;br /&gt;&lt;br /&gt;So what is the best way to teach employees about security - and get them to follow the advice? The first step is to realise that not everything is going to happen overnight. &quot;You need to change the culture of the organisation over several years,&quot; says Martin Smith, chairman and founder of The Security Company. Smith, who started his career in military counter-intelligence and counter-espionage, has been trying to convince businesses of the importance of security awareness for 20 years.&lt;br /&gt;&lt;br /&gt;&quot;It&#39;s heartbreaking,&quot; he laments. &quot;Infosec is focusing frantically on technology, but it doesn&#39;t matter what you spend on security unless you bring people with you. If staff could just know some basic stuff, it would all go away.&quot;&lt;br /&gt;&lt;br /&gt;Generating this culture of security is an important component of overall security awareness. 
&quot;There&#39;s an awful lot that users need to know - too much,&quot; Smith adds. &quot;They&#39;re overloaded with information they&#39;re not really interested in - it&#39;s boring.&quot; Rather than trying to teach people using courses, he advises constant reinforcement of messages about the importance of security, combined with a place where employees can find information.&lt;br /&gt;&lt;br /&gt;Bad awareness education can be even worse than no training at all, Smith suggests. &quot;Employees will always ask: &#39;What&#39;s in it for me?&#39;. If all people see of security is a boring course once a year that effectively pushes the problem on to them so that the security team&#39;s arse isn&#39;t on the line, that&#39;s not a huge sell.&quot; Measures such as providing somewhere for employees to find out security information, letting them know that breaches in security could cost the company severely, creating a culture of security and not forcing them to do anything are far more likely to make employees security aware.&lt;br /&gt;&lt;br /&gt;Assuming the constant reinforcement of the message is getting through, employees who are about to perform an action that might be potentially dangerous will pause to think and consult the knowledge zone for the correct procedure. &quot;Then you&#39;ll have employees thinking: &#39;Send out 25 million bits of information? That doesn&#39;t sound right. I&#39;ll just check the knowledge zone,&#39;&quot; Smith says.&lt;br /&gt;&lt;br /&gt;Obviously, creating an intranet knowledge zone or having a security support team to answer queries takes resources. Cliff May, consulting manager at Integralis, often has to teach employees of client organisations about security as part of ISO27001 audits. He uses seminars and e-learning packages to educate users, but prefers seminars. &quot;E-learning is not as effective. 
If you run tests, sometimes people get the answers off someone else - it&#39;s a paper exercise they just want to get over with.&quot;&lt;br /&gt;&lt;br /&gt;Nevertheless, they can work well if you&#39;re prepared to invest in them properly. Paul King is a member of Cisco&#39;s security programmes organisation, which runs training around the world. As well as an initial induction programme that uses face-to-face training, Cisco uses e-learning systems featuring specially shot videos put together by professional video makers. &quot;We keep them quite short, simple and interesting. There are also questions interspersed throughout, although they&#39;re not as hard as an exam.&quot;&lt;br /&gt;&lt;br /&gt;Cisco has an internal home page with links to take people through to the e-training videos. Using web analytics, the company monitors which employees have been watching videos. &quot;Everyone in the organisation understands that the need for security awareness comes down from John Chambers (Cisco&#39;s CEO).&quot; But if employees aren&#39;t watching the videos they&#39;re supposed to be watching, their line managers will be asked why.&lt;br /&gt;&lt;br /&gt;King says the company can also tell how effective training has been through other means. A recent video on &quot;shoulder surfing&quot; emphasised the importance of using privacy screens when working on laptops in public places. A link next to the video took the user to a place where they could buy a screen through their department&#39;s budget. &quot;Take-up was huge. Lots of people now have screens on their laptops. That&#39;s our measure.&quot;&lt;br /&gt;&lt;br /&gt;Cisco only produces a few of these videos. For the most part, it provides a constant background of security information to create a secure culture. It uses poster campaigns and newspapers among other things. 
A recent effort suggested employees should think of themselves as &quot;security champions&quot;, trying to keep the company safe.&lt;br /&gt;&lt;br /&gt;However, Robin Adams, head of the security division at the Logic Group, cautions against relying on posters. &quot;The feedback I get is that posters work for about a month.&quot; Similarly, signs to remind users of good behaviour tend to fade into the background within days.&lt;br /&gt;&lt;br /&gt;Although seminars can be expensive and not as effective in the long-term as other methods, they can work well in small companies. Firebrand offers low-level training courses that clear away jargon and acronyms - something that can creep in if security staff put on their own seminars without input from marketing, training or HR departments.&lt;br /&gt;&lt;br /&gt;David Cole, academy team leader and senior consultant at risk consultancy DNV, suggests that role-playing works well in workshops and seminars. &quot;There&#39;s a danger in infosec training that you end up showing slide after slide,&quot; he warns. &quot;But you need to make it fun. You can have training exercises and create a scenario that builds slowly over the day.&quot;&lt;br /&gt;&lt;br /&gt;May at Integralis uses anecdotes from his forensics career to enliven his sessions. &quot;You get senior people turning up because they hear it&#39;s interesting. If you can add a bit of humour, they can enjoy proceedings.&quot; He also advocates the use of role-playing: &quot;They have to think for themselves. It&#39;s a good way of making it sink in.&quot; Nevertheless, although he is in favour of induction courses, he considers a presentation by itself &quot;virtually worthless&quot;.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;It could be you&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Getting employees to pay attention to all these messages usually involves sticks and carrots. Annual exams can test how much has actually sunk in. 
Strong punishments for people who have knowingly broken security policies can set an example and demonstrate the company is serious about security. But the Logic Group&#39;s Adams says that, in his experience, painting a worst-case scenario of what could happen works &quot;amazingly well&quot; when it comes to convincing staff to abide by the policies anyway. &quot;If you explain that credit-card companies might take away their ability to process cards for orders, together with the effect that would have on jobs, people really listen.&quot; Explaining what information might be worth to criminals also helps, he adds.&lt;br /&gt;&lt;br /&gt;Ultimately, no matter how good security technology becomes, people will always be a weak link. Ignoring this fact is, as Smith suggests, like focusing on brain surgery when the patient is dying of the common cold.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;TOP TEN TIPS FOR YOUR STAFF&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;1. Make sure that all redundant equipment, documents and waste are removed as appropriate. It&#39;s no use protecting data on your PC if it&#39;s on your desk for everyone to see.&lt;br /&gt;&lt;br /&gt;2. Lock your workstations when left unattended and log off at the end of your working day.&lt;br /&gt;&lt;br /&gt;3. Don&#39;t share computer passwords except under the most exceptional emergency circumstances.&lt;br /&gt;&lt;br /&gt;4. Don&#39;t make your password easy to guess. It should be at least eight characters, different for each account and not based on personal things such as dates or pet names.&lt;br /&gt;&lt;br /&gt;5. Organised crime is at work and the average criminal is more motivated to steal from you than you are to defend yourself.&lt;br /&gt;&lt;br /&gt;6. If you have a laptop, don&#39;t leave it on display in your car. Get a laptop cable lock. Many thefts are crimes of opportunity.&lt;br /&gt;&lt;br /&gt;7. Avoid working in a public place; you never know who&#39;s watching. If you must, get a privacy protector.&lt;br /&gt;&lt;br /&gt;8. Do not connect devices such as iPods, USB drives or even CDs to your PC without checking with IT - these can all carry malicious software.&lt;br /&gt;&lt;br /&gt;9. Don&#39;t reveal details of your work security to anyone. If someone is trying to break in, they&#39;ll try to get as much information as possible.&lt;br /&gt;&lt;br /&gt;10. If you think something is suspicious, report it. Many crimes are successful because earlier, unsuccessful break-in attempts weren&#39;t spotted by the right people.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;CASE STUDY: RICOH&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Japanese digital office-solutions company Ricoh has nearly 82,000 employees and offices in more than 150 countries. Three years ago, the company decided to go for a single global certification for ISO27001.&lt;br /&gt;&lt;br /&gt;Kevin McLean, information security manager at Ricoh Europe, has been in charge of the EMEA aspects of the certification. &quot;In order to achieve the certification, we created a project team. The team worked with the IT, HR and facilities management departments to establish the information security management system (ISMS) with a focus on access control, from IT systems to buildings. Recruitment policies were reviewed to cover the management of contractors and permanent personnel.&quot;&lt;br /&gt;&lt;br /&gt;However, McLean knew that employee awareness would also be a vital part of both certification and the company&#39;s security policy. &quot;While we strive to be as strong as can be with physical security, it can all be undone by people,&quot; he says.&lt;br /&gt;&lt;br /&gt;So he and his team created a security awareness programme. They began with pilots in a number of offices, including the company&#39;s European HQ in London.
They also set up ISMS business representatives groups, bridging units at each pilot area between their own division and the rest of the company, which met to decide activities and projects designed to improve employee awareness. &quot;We tried a number of things to see how they were received.&quot; Since the pilot project at the HQ was in a relatively small area, it was possible to take advantage of &quot;water cooler&quot; chat to discover how much of the message was getting through. Managers told them that more staff were wearing ID badges, clearing their desks at the end of the day and performing other actions they had been advised to perform.&lt;br /&gt;&lt;br /&gt;To get the message across, the unit devised initiatives including informal launches, articles on the intranet, a staff handbook and mandatory awareness training. Staff were also given free gifts, including a personal alarm and SIM card replicator, to reinforce the security message. A set of &quot;11 commandments&quot; based around the &quot;DOIT&quot; slogans (&#39;protecting documents, office and IT&#39;) further added to the message.&lt;br /&gt;&lt;br /&gt;&quot;HR and marketing helped come up with the slogans,&quot; recalls McLean. &quot;And HR were able to tap training and similar resources.&quot; Seminars and workshops involving role-playing allowed staff to explore security issues related to their working day. &quot;Employees weren&#39;t interested in big picture stuff. It was all about &#39;How does this affect me?&#39;&quot;&lt;br /&gt;&lt;br /&gt;Although Ricoh now has the certification, McLean says the programme will continue. &quot;We&#39;re always going to be improving it.&quot;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;WORKING WITH OTHER DEPARTMENTS&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;If security is seen as an IT issue, it will be left to the IT department to sort it out. 
Apart from the crippling amounts of extra work, that will mean security being someone else&#39;s problem rather than an issue for the whole company. So it&#39;s important to get other departments to work in conjunction with IT to ensure that the security message gets through and is seen as everyone&#39;s concern.&lt;br /&gt;&lt;br /&gt;This usually involves board-level support as well as a &quot;bridging unit&quot; or a business relationship manager, depending on the size of the company, to liaise between IT and other departments. If you can get funding from those departments, they will be far more committed to the issue than if they are merely asked to give up their time.&lt;br /&gt;&lt;br /&gt;The HR and legal departments can be useful, as they can ensure that employee contracts include suitable rules about security and IT use, together with appropriate actions in case employees break them. This means that if someone does cause a security breach, the contract, together with the training given to them, significantly reduces the chance of a lawsuit for unfair dismissal being filed against the company. Liaising with HR means security training can be part of the induction programme, avoiding the problem of security being seen as something &quot;other&quot;.&lt;br /&gt;&lt;br /&gt;Marketing, training and other corporate communications departments have those vital people skills that some IT specialists lack. When creating awareness campaigns, marketing can help to devise the most effective methods of getting the message across. 
And while IT can certainly provide the information about security that needs to be given to employees, a training or HR department is far more likely to be able to deliver seminars and courses in a way that non-technical people will appreciate.&lt;br /&gt;&lt;br /&gt;Source: http://www.securecomputing.net.au/</content><link rel='replies' type='application/atom+xml' href='http://axurblog.blogspot.com/feeds/871840445486339654/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/987581787108127885/871840445486339654' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/871840445486339654'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/871840445486339654'/><link rel='alternate' type='text/html' href='http://axurblog.blogspot.com/2008/11/emloyee-education-key-to-successful.html' title='Emloyee education key to successful enterprise security'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-987581787108127885.post-4485202600576962476</id><published>2008-11-11T11:44:00.000-05:00</published><updated>2008-11-13T11:46:37.830-05:00</updated><title type='text'>Security survey finds increase in security standards adoption</title><content type='html'>&lt;b&gt;News Analysis&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://www.ey.com/Global/assets.nsf/UK/Global_Information_Security_Survey_2008/$file/EY_Global_Information_Security_Survey_2008.pdf&quot;&gt;Ernst &amp;amp; Young&#39;s 2008 Global Information Security Survey&lt;/a&gt; begs the eternal question, depending on how you look at the numbers: Is the glass half full or half 
empty?&lt;br /&gt;&lt;br /&gt;For example, the survey clearly shows that many companies may be slow to address growing security concerns, such as reliance on third parties -- partners, vendors and contractors. Only 45% of respondents include specific security requirements in all third-party contracts, but an optimist might say this reflects a trend in the right direction. One wonders if the other 55% write language into their more sensitive contracts that involve sharing confidential data or access to key systems.&lt;br /&gt;&lt;br /&gt;The 11th annual survey by Ernst &amp;amp; Young (E&amp;amp;Y) polled nearly 1,400 organizations in more than 50 countries with annual revenues ranging from less than $100 million to more than $25 billion, as well as non-profits. Nearly a third of the organizations polled were in the financial services sector and 13% were in manufacturing, the second highest group.&lt;br /&gt;&lt;br /&gt;The report comes on the heels of PricewaterhouseCoopers&#39; annual Global State of Information Security Survey.&lt;br /&gt;&lt;br /&gt;On a positive note, adoption of international information security standards is clearly trending up. Use of ISO/IEC 27001:2005 was up 15% over 2007 and ISO/IEC 27002:2005 rose 9% over 2007. The E&amp;amp;Y report stated that management standards, such as ISO 9000, have been adopted in certain industries where information security standards are becoming a necessity for doing business.&lt;br /&gt;&lt;br /&gt;The survey also found that organizations are overwhelmingly planning to increase or maintain information security spending as a percentage of their total expenditures. The survey was conducted from June 6 to August 1, before the international economic crisis was in full bloom, so the question going forward is: What was the impact on total expenditures? 
It would be interesting to see the results if the survey was conducted now.&lt;br /&gt;&lt;br /&gt;Interestingly, 50% of the respondents said organizational awareness was the most significant challenge to information security initiatives, edging out availability of resources, budget and addressing new threats and vulnerabilities. While the survey didn&#39;t specifically address training or awareness programs, only 19% of the respondents said they ran social engineering tests, whereas Internet and infrastructure testing are common practice at 85% and 73% respectively.&lt;br /&gt;&lt;br /&gt;While E&amp;amp;Y says regulatory compliance has been the leading driver for information security since 2005, it reports that protecting reputation and brand has become a significant driver as well. However, the question asked was not what drives information security initiatives and spending, but rather, what are the perceived consequences of security incidents? What is the &quot;level of significance if information is lost, compromised or unavailable&quot;? Eighty-five percent of respondents said damage to reputation and brand was &quot;significant&quot; or &quot;very significant,&quot; followed closely by loss of stakeholder confidence, loss of revenue, regulatory action and legal action.&lt;br /&gt;&lt;br /&gt;Though the report cites compliance as a driver for raising security awareness and improvements, there&#39;s room for healthy skepticism about how much companies would do if they weren&#39;t compelled. Every car should have seatbelts, but how many had them before they were mandated?&lt;br /&gt;&lt;br /&gt;Other key findings:&lt;br /&gt;&lt;br /&gt;# Business continuity is an IT responsibility in 41% of the organizations, compared to 20% in risk management and 11% in information security. It would be interesting to see if this is trending toward or away from IT.&lt;br /&gt;&lt;br /&gt;# Most organizations are unwilling to outsource key information security activities.
This is somewhat interpretive. While two-thirds to three-quarters of the respondents are keeping things like vulnerability and patch management, incident response, DR/BC, security awareness training and e-discovery and forensics in-house, the majority are either outsourcing or planning to outsource security assessments, audits and pen testing.&lt;br /&gt;&lt;br /&gt;# Few companies hedge information security risks with cyber insurance. Generally, around 10% of the organizations have some sort of insurance in one or more of eight information security-related areas, such as the cost of incident response or litigation, and few of the others have plans in the next 12 months. About one-third said they don&#39;t know, which leaves some potential for growth in the future.&lt;br /&gt;&lt;br /&gt;Source: http://searchsecurity.techtarget.com/</content><link rel='replies' type='application/atom+xml' href='http://axurblog.blogspot.com/feeds/4485202600576962476/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/987581787108127885/4485202600576962476' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/4485202600576962476'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/4485202600576962476'/><link rel='alternate' type='text/html' href='http://axurblog.blogspot.com/2008/11/security-survey-finds-increase-in.html' title='Security survey finds increase in security standards adoption'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-987581787108127885.post-4736658849284617647</id><published>2008-11-05T11:41:00.000-05:00</published><updated>2008-11-13T11:43:01.694-05:00</updated><title type='text'>Broadridge receives ISO 27001 certification for ProxyPlus</title><content type='html'>&lt;p&gt;This international certification specifically covers Broadridge&#39;s Information Security Management Systems (ISMS) for these flagship products, validating that the associated security policies for these applications have undergone in-depth testing and external audits. The new certification provides better protection and privacy for Broadridge&#39;s clients&#39; data by ensuring that there is enhanced tracking and reporting on the company&#39;s security initiatives. Broadridge is distinguished among its competitors for its superior information security model and is one of only 77 companies in the United States that are currently ISO 27001 certified; of these companies, less than 10% are in the financial services industry.&lt;/p&gt; &lt;p&gt;Broadridge recognizes that the data processed by Broadridge on behalf of its clients is among its clients&#39; most vital assets as it is confidential information related to their retail and institutional brokerage and investor communications activities. The certification adds yet another layer of security for Broadridge clients as they conduct their integral operations and transactions using key Broadridge applications to process this data. ProxyPlus is Broadridge&#39;s enterprise application that supports the core processing functions of Broadridge&#39;s proxy services, the company&#39;s largest business. Broadridge&#39;s BPS platform is one of the most robust securities processing engines in the industry for equities, mutual funds, and options providing real-time interfaces, as well as links to all major United States exchanges. 
Broadridge&#39;s impact solution is an integrated, online fixed-income securities transaction processing system, offering leading global financial institutions the ability to process fixed-income trades from order entry through to customized post-trade reporting. The certification of ProxyPlus, BPS, and impact offers the global banks and broker-dealers as well as corporate issuers and mutual funds whose data is processed using these three applications, the assurance that Broadridge has created and implemented information security practices that are comprehensive and stringent enough to meet ISO standards.&lt;/p&gt; &lt;p&gt;The ISO 27001 Certification is designed to assist corporations with the development of a consistent methodology for implementing information security at the program level, as well as defining key control objectives designed to protect information assets. ISO 27001 is the only auditable international standard which defines the requirements to ensure that sufficient security controls are instituted within the certified organization. Additionally, maintaining the ISO 27001 Certification requires an annual review and three-year re-certification. The continual scrutiny of Broadridge&#39;s ISMS in this manner provides confidence to clients that their data is protected on an ongoing basis.&lt;br /&gt;&lt;br /&gt;&quot;We are proud to have earned this certification and believe it reflects the dedication of our Information Security team to ensure that we have the highest level of controls in place when handling our clients&#39; confidential information,&quot; said Mark Schlesinger, Chief Information Officer, Broadridge. &quot;Data security is essential to the survival and stability of any organization and Broadridge&#39;s ISO Certification offers our clients a higher level of safeguard and protection for their information assets,&quot; Mr. Schlesinger added.
To ensure that management is closely tied to ISO 27001 compliance, Broadridge has created a governance program that includes a management committee and has appointed information security champions in departments and divisions throughout the company whose job it is to support ongoing and timely security enhancements. This certification is just the beginning of what is envisioned as a multi-year plan to enhance and expand Broadridge&#39;s internal controls and security strategy.&lt;/p&gt;&lt;p&gt;Source: http://www.finextra.com&lt;br /&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://axurblog.blogspot.com/feeds/4736658849284617647/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/987581787108127885/4736658849284617647' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/4736658849284617647'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/4736658849284617647'/><link rel='alternate' type='text/html' href='http://axurblog.blogspot.com/2008/11/broadridge-receives-iso-27001.html' title='Broadridge receives ISO 27001 certification for ProxyPlus'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-987581787108127885.post-4459385231638948200</id><published>2008-11-01T11:30:00.000-04:00</published><updated>2008-11-13T11:33:11.936-05:00</updated><title type='text'>UK – Paternoster plans to achieve data protection compliance</title><content type='html'>Paternoster has said it plans to be the first insurer to be certified for the data protection standard ISO 27001 following its Indian operations being 
passed as ISO 27001-compliant in June this year.&lt;br /&gt;&lt;br /&gt;The certification process ensures the company adheres to the tight data security standards demanded by the global standard.&lt;br /&gt;&lt;br /&gt;Source: http://globalpensions.com/</content><link rel='replies' type='application/atom+xml' href='http://axurblog.blogspot.com/feeds/4459385231638948200/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/987581787108127885/4459385231638948200' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/4459385231638948200'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/4459385231638948200'/><link rel='alternate' type='text/html' href='http://axurblog.blogspot.com/2008/11/uk-paternoster-plans-to-achieve-data.html' title='UK – Paternoster plans to achieve data protection compliance'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-987581787108127885.post-1917137918339579367</id><published>2008-10-21T11:24:00.000-04:00</published><updated>2008-11-13T11:28:46.769-05:00</updated><title type='text'>BTA Bank pioneered information Security Management System in Kazakhstan</title><content type='html'>The FINANCIAL -- BTA Bank JSC is the sole bank in Kazakhstan to have successfully introduced an Information Security Management System (ISMS) in compliance with ISO 27001 of the British Standards Institute (BSI).&lt;br /&gt;&lt;br /&gt;The ISMS covers the BTA-Online system, which provides entities with online banking services.
Within this certification, international experts have named BTA-Online the product with the highest level of protection.&lt;br /&gt;&lt;br /&gt;The ISO/IEC 27001:2005 certificate will enhance the confidence of both investment companies and borrowers in BTA Bank as regards its ability to protect information entrusted to it, since the ISMS eliminates the risk of threats to information security.&lt;br /&gt;&lt;br /&gt;ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System. It is the only international standard specifying ISMS requirements that can be used for certification.&lt;br /&gt;&lt;br /&gt;Development and introduction of an ISMS in compliance with ISO 27001 is a vital part of the Bank’s IT development strategy and, more generally, of BTA’s strategy of becoming an international financial institution ranking among the world’s major banks.&lt;br /&gt;&lt;br /&gt;Russia-based InformZaschita designed and introduced the ISMS for BTA Bank JSC.
&lt;br /&gt;&lt;br /&gt;Source: http://finchannel.com</content><link rel='replies' type='application/atom+xml' href='http://axurblog.blogspot.com/feeds/1917137918339579367/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/987581787108127885/1917137918339579367' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/1917137918339579367'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/1917137918339579367'/><link rel='alternate' type='text/html' href='http://axurblog.blogspot.com/2008/10/bta-bank-pioneered-information-security.html' title='BTA Bank pioneered information Security Management System in Kazakhstan'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-987581787108127885.post-998383172538501488</id><published>2008-10-20T19:39:00.001-04:00</published><updated>2008-10-20T19:43:04.068-04:00</updated><title type='text'>&quot;The Renaissance the Credit&quot; has passed ISO 27001 certification</title><content type='html'>&lt;p&gt;«The Renaissance the Credit» has confirmed that its information security management system conforms to the requirements of the international standard ISO/IEC 27001:2005. ISO/IEC 27001:2005 sets out requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a documented information security management system (hereafter SUIB). It is the only international standard defining requirements for an SUIB that is suitable for certification.
&lt;/p&gt; &lt;p&gt;«A high-quality information security system is one of the necessary and priority conditions for the successful business of credit organisations, so we always watch closely the conformity of our internal procedures to international and Russian standards,» commented &lt;strong&gt;Alexey Levchenko&lt;/strong&gt;, &lt;em&gt;Chairman of the Board of KB «the Renaissance the Capital»&lt;/em&gt;. «One of the most advanced IT infrastructures has been created in our bank, and we must be assured of reliable protection of confidential data.» &lt;/p&gt; &lt;p&gt;The certification of the information security management system was carried out by the British Standards Institution (hereafter BSI), the most authoritative provider of management system certification in the international market. Notably, «the Renaissance the Credit» became the first bank in Russia certified by BSI and the second Russian bank to receive an ISO 27001 certificate of conformity. &lt;/p&gt; &lt;p&gt;It should be noted that «the Renaissance the Credit» prepared for certification independently, without engaging outside consultants, which confirms the high qualification of the experts responsible for the bank&#39;s information security as well as the active involvement of management in security issues.
The bank does not intend to remain within the current scope of certification and plans to extend it to all core business processes.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Source: http://fin-forex.com&lt;br /&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://axurblog.blogspot.com/feeds/998383172538501488/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/987581787108127885/998383172538501488' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/998383172538501488'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/998383172538501488'/><link rel='alternate' type='text/html' href='http://axurblog.blogspot.com/2008/10/renaissance-credit-has-passed-iso-27001.html' title='&quot;The Renaissance the Credit&quot; has passed ISO 27001 certification'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-987581787108127885.post-4915470512893200131</id><published>2008-10-20T19:35:00.001-04:00</published><updated>2008-10-31T15:11:17.884-04:00</updated><title type='text'>NCR Facility Attains ISO/IEC 27001 Certification</title><content type='html'>NCR Corp. announced its eCommerce Managed Hosting Services facility has achieved ISO/IEC 27001 certification, recognizing the data center for meeting the International Standards Organization&#39;s exacting specifications for information security management. According to company officials, NCR&#39;s eCommerce Managed Hosting Services provides maximum secure protection of customer data for businesses running applications over the Internet.&lt;br /&gt;&lt;br /&gt;&quot;The ISO/IEC 27001 certification helps facilitate NCR&#39;s international expansion strategy to provide businesses in Europe and Asia Pacific with hosting solutions that deliver value for existing customer applications and help drive future capabilities including self-service and mobile transactions,&quot; said Chris Shea, NCR vice president, WCS Global Services Operations. &quot;This certification explicitly underscores our ability to securely manage a customer&#39;s confidential data, provide highly compliant hosting services and address additional industry specific certifications and requirements.&quot;&lt;p&gt;The eight-month ISO/IEC 27001 certification process involved process documentation and numerous site audits by ISO inspection teams and BSI Management Systems, a management systems certification body.&lt;/p&gt;&lt;p&gt;&quot;BSI was enthusiastic about the commitment and resources NCR implemented to ensure compliance with the rigorous ISO/IEC 27001 certification requirements,&quot; said Todd VanderVen, president of BSI Management Systems America.
&quot;With high standards of security, availability and risk management practices in place, NCR is well-positioned to provide customers with information security management processes and has established a structured framework to promote continuous improvement in meeting the specific needs of its diverse customers.&quot;&lt;/p&gt;&lt;p&gt;Source: http://www.tradingmarkets.com/&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://axurblog.blogspot.com/feeds/4915470512893200131/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/987581787108127885/4915470512893200131' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/4915470512893200131'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/4915470512893200131'/><link rel='alternate' type='text/html' href='http://axurblog.blogspot.com/2008/10/ncr-facility-attains-isoiec-27001.html' title='NCR Facility Attains ISO/IEC 27001 Certification'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-987581787108127885.post-6228402629813008346</id><published>2008-10-14T19:47:00.000-04:00</published><updated>2008-10-20T19:48:24.631-04:00</updated><title type='text'>M I G awarded ISO 27001</title><content type='html'>ISO Certifications awarded to M I G Investments for meeting quality and security standards&lt;br /&gt;M I G Investments has been awarded the ISO 9001:2000 certification in recognition of its standardized Quality 
Management best practices, and the ISO 27001:2005 certification for standardized information security techniques. The move comes as M I G Investments leverages its international expertise as a major Swiss online FX broker, bringing customers quality services, innovation, technology and high security standards.&lt;br /&gt;&lt;br /&gt;Source: http://www.forex-blogs.net/</content><link rel='replies' type='application/atom+xml' href='http://axurblog.blogspot.com/feeds/6228402629813008346/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/987581787108127885/6228402629813008346' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/6228402629813008346'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/6228402629813008346'/><link rel='alternate' type='text/html' href='http://axurblog.blogspot.com/2008/10/m-i-g-awarded-iso-27001.html' title='M I G awarded ISO 27001'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-987581787108127885.post-5666723855984325448</id><published>2008-10-11T19:15:00.000-04:00</published><updated>2008-10-20T19:16:08.681-04:00</updated><title type='text'>Affinion Group Receives ISO Certification</title><content type='html'>&lt;p&gt;The &lt;a href=&quot;http://www.forbes.com/lists/2006/21/biz_06privates_Affinion-Group_GWXS.html&quot;&gt;Affinion Group&lt;/a&gt;, a global leader in affinity marketing, has been awarded ISO 27001 certification, the international standard for information security management systems.&lt;/p&gt; &lt;p&gt;The group was lauded for its information 
security practices and policies. Because of the global affinity marketing firm’s dedication to shielding its clients from identity theft and scammers, the Affinion Group is the only company in its industry, and one of only 50 companies in the United States, to have been awarded ISO 27001 certification. Only 4,100 companies worldwide hold the same certification.&lt;/p&gt; &lt;p&gt;Apart from the Affinion Group, other U.S. organizations that share the same commendation include Sun Microsystems, Bechtel Corp., Reuters America, The World Bank, Citigroup Technology, and Xerox Corp.&lt;/p&gt; &lt;p&gt;The ISO certification confirms Affinion’s longstanding commitment to innovations that further improve information security and reduce the incidence of identity theft and scams in its industry. Robert G. Rooney, Vice-President of the Affinion Group, stated that the company strives to “raise the bar for the practices in our industry.”&lt;/p&gt; &lt;p&gt;An ISO 27001 certification indicates that an independent certification body has audited a company’s information security management system and found that it meets the requirements of the international standard.&lt;/p&gt; &lt;p&gt;The following are several factors that contributed to Affinion’s ISO certification:&lt;/p&gt; &lt;ul&gt;&lt;li&gt;Implementation of best practice across all information security domains;&lt;/li&gt;&lt;li&gt;Establishment of a strong security framework covering operation, monitoring, review, maintenance and improvement;&lt;/li&gt;&lt;li&gt;Systematic management of incidents with clear and timely escalation paths.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;With its ISO certification, the &lt;a href=&quot;http://company.monster.com/affinion/&quot;&gt;Affinion Group&lt;/a&gt; has a strong foundation on which to base its information security framework for 2008.&lt;/p&gt; &lt;p&gt;Operating for 35 years, the Affinion Group continues to enhance the value of its partners’ customer relationships by 
strengthening and marketing valuable loyalty, membership, checking account, insurance and other compelling products and services.&lt;/p&gt; &lt;p&gt;View the source press release from the &lt;a href=&quot;http://www.reuters.com/article/pressRelease/idUS150000+10-Jan-2008+PRN20080110&quot;&gt;Affinion Group&lt;/a&gt;.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://axurblog.blogspot.com/feeds/5666723855984325448/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/987581787108127885/5666723855984325448' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/5666723855984325448'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/5666723855984325448'/><link rel='alternate' type='text/html' href='http://axurblog.blogspot.com/2008/10/affinion-group-receives-iso.html' title='Affinion Group Receives ISO Certification'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-987581787108127885.post-6345902437947948042</id><published>2008-10-10T19:12:00.000-04:00</published><updated>2008-10-20T19:14:57.812-04:00</updated><title type='text'>EOL earns its fourth ISO accolade</title><content type='html'>&lt;p&gt;VAR EOL IT has gained an International Organization for Standardization (ISO) certification in security management and plans to use it to push into the public sector.&lt;/p&gt;  &lt;p&gt;The firm has completed certification to ISO 27001 for information security management systems, which less than one per cent of all UK firms 
have so far completed.&lt;/p&gt;  &lt;p&gt;This brings the firm’s number of management system certifications to four; the others being OHSAS 18001 for occupational health and safety management (published by BSI rather than ISO), ISO 9001 for quality management systems and ISO 14001 for environmental management systems.&lt;/p&gt;  &lt;p&gt;Richard Parker, managing director of EOL IT, said: “This latest ISO is all about data security. A number of our competitors have this, but the immediate benefit for us is when tendering to clients.”&lt;/p&gt;  &lt;p&gt;Parker added that the firm intends to go for larger public sector contracts now that it has four ISO standards. “There is only one other firm that I know in our sector with all four ISO certifications. It is all about putting in best practice to the business.”&lt;/p&gt;&lt;p&gt;Source: http://www.channelweb.co.uk/crn/news/2227374/eol-earns-fourth-iso-accolade-4253635&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://axurblog.blogspot.com/feeds/6345902437947948042/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/987581787108127885/6345902437947948042' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/6345902437947948042'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/6345902437947948042'/><link rel='alternate' type='text/html' href='http://axurblog.blogspot.com/2008/10/eol-earns-its-fourth-iso-accolade.html' title='EOL earns its fourth ISO accolade'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-987581787108127885.post-6176385809060378867</id><published>2008-10-09T19:44:00.000-04:00</published><updated>2008-10-20T19:45:38.227-04:00</updated><title type='text'>ISO-27001 Quick Reference</title><content type='html'>&lt;p&gt;I waffle on about this thing a lot - because I like it.&lt;/p&gt; &lt;p&gt;The fundamental triangle of all ISO business standards now rests upon ISO9001, ISO14001 and ISO27001. The documentation is meant to be structured in such a way that the “01” document is the standard and the “02” document is the guide. So ISO27001 is the standard and ISO27002 is the guide to that standard (neat).&lt;/p&gt; &lt;p&gt;&lt;a href=&quot;http://www.ipvideo.ie/Downloads/ISO27002_spider_chart.pdf&quot;&gt;Here’s a handy spider diagram&lt;/a&gt; that gives you all the headings from ISO27002. I use it as a quick tick list to guide people towards making a “scope of applicability” for their business security needs.&lt;/p&gt; &lt;p&gt;Note that the headings go from (4) to (15)…there is no (1) to (3)…this is one of the great unfathomable mysteries of ISO. 
We are unworthy of controls (1) to (3), perhaps in an afterlife these ultimate truths will be revealed to us…or maybe they just forgot to include them, I dunno…&lt;/p&gt; &lt;p&gt;Anyway, I hope some folk find this useful.&lt;/p&gt;&lt;p&gt;Source: http://ipvideo.ie/&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://axurblog.blogspot.com/feeds/6176385809060378867/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/987581787108127885/6176385809060378867' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/6176385809060378867'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/6176385809060378867'/><link rel='alternate' type='text/html' href='http://axurblog.blogspot.com/2008/10/iso-27001-quick-reference.html' title='ISO-27001 Quick Reference'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-987581787108127885.post-6671732758097295535</id><published>2008-10-03T15:40:00.002-04:00</published><updated>2008-10-03T15:50:40.703-04:00</updated><title type='text'>ISO 27000 Series Update!</title><content type='html'>The ISO/IEC 27000-series numbering (“ISO27k”) has been reserved for a family of information security management standards, similar to the very successful ISO 9000 family of quality assurance standards and derived from a British Standard called &lt;a href=&quot;http://www.iso27001security.com/html/27002.html#HistoryOfISO17799&quot;&gt;BS 7799&lt;/a&gt;.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;The following standards are either already published (those listed with a publication year) or 
works in progress:&lt;br /&gt;&lt;a href=&quot;http://www.iso27001security.com/html/27000.html&quot;&gt;ISO/IEC 27000&lt;/a&gt; - will provide an overview/introduction to the ISO27k standards as a whole plus the specialist vocabulary used in ISO27k. Once approved by the members of ISO/IEC JTC1/SC27, it should be published later this year.&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.iso27001security.com/html/27001.html&quot;&gt;ISO/IEC 27001:2005&lt;/a&gt; is the Information Security Management System requirements standard (specification) against which over 4,700 organizations have been certified compliant.&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.iso27001security.com/html/27002.html&quot;&gt;ISO/IEC 27002:2005&lt;/a&gt; is the code of practice for information security management describing a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.iso27001security.com/html/27003.html&quot;&gt;ISO/IEC 27003&lt;/a&gt; will provide implementation guidance for ISO/IEC 27001. &lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.iso27001security.com/html/27004.html&quot;&gt;ISO/IEC 27004&lt;/a&gt; will be an information security management measurement standard to help improve the effectiveness of your ISMS. &lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.iso27001security.com/html/27005.html&quot;&gt;ISO/IEC 27005:2008&lt;/a&gt; is a new information security risk management standard released in June 2008.&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.iso27001security.com/html/27006.html&quot;&gt;ISO/IEC 27006:2007&lt;/a&gt; is a guide to the certification or registration process for accredited ISMS certification or registration bodies.&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.iso27001security.com/html/27007.html&quot;&gt;ISO/IEC 27007&lt;/a&gt; will be a guideline for auditing Information Security Management Systems. 
&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.iso27001security.com/html/27008.html&quot;&gt;ISO/IEC TR 27008&lt;/a&gt; will provide guidance on auditing information security controls.&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.iso27001security.com/html/27010.html&quot;&gt;ISO/IEC 27010&lt;/a&gt; will provide guidance on sector-to-sector interworking and communications for industry and government, supporting a series of sector-specific ISMS implementation guidelines starting with ISO/IEC 27011. &lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.iso27001security.com/html/27011.html&quot;&gt;ISO/IEC 27011&lt;/a&gt; will be information security management guidelines for telecommunications (also known as X.1051) and will be released soon. &lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.iso27001security.com/html/27031.html&quot;&gt;ISO/IEC 27031&lt;/a&gt; will be an ICT-focused standard on business continuity. &lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.iso27001security.com/html/27032.html&quot;&gt;ISO/IEC 27032&lt;/a&gt; will be guidelines for cybersecurity. &lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.iso27001security.com/html/27033.html&quot;&gt;ISO/IEC 27033&lt;/a&gt; will replace the multi-part ISO/IEC 18028 standard on IT network security.&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.iso27001security.com/html/27034.html&quot;&gt;ISO/IEC 27034&lt;/a&gt; will provide guidelines for application security. &lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.iso27001security.com/html/27799.html&quot;&gt;ISO 27799&lt;/a&gt;, although not strictly part of ISO27k, provides health sector specific ISMS implementation guidance.&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.iso27001security.com/html/other_27k.html&quot;&gt;Other ISO27k&lt;/a&gt; is a holding page with preliminary information on more ISO27k standards including sector/industry-specific ISMS implementation guidelines whose scopes and ISO27k numbers have not yet been determined. 
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;The names and content of as-yet unpublished standards may well change prior to their publication, especially the early drafts.&lt;/p&gt;&lt;p&gt;Source: &lt;a href=&quot;http://www.iso27001security.com/&quot;&gt;http://www.iso27001security.com&lt;/a&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://axurblog.blogspot.com/feeds/6671732758097295535/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/987581787108127885/6671732758097295535' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/6671732758097295535'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/6671732758097295535'/><link rel='alternate' type='text/html' href='http://axurblog.blogspot.com/2008/10/iso-27000-serie-update.html' title='ISO 27000 Series Update!'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-987581787108127885.post-5405835281390004397</id><published>2008-09-24T08:16:00.000-04:00</published><updated>2008-09-24T08:17:01.743-04:00</updated><title type='text'>1st ISO 27001 certification in France for security audits of IT systems</title><content type='html'>&lt;div&gt;Solucom, a leading player in IT security, has just received certification to ISO/IEC 27001:2005 for its IT system security auditing services.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This internationally recognized certification attests to the implementation of a management system and of both organizational and technical security measures. 
It involves a regular reassessment of risks and facilitates continuous improvement. Solucom’s auditing service was audited and certified by LSTI[1], which is accredited by COFRAC[2].&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Laurent Bellefin, Director of Security Operations at Solucom states that, “This is the first 27001 certification in France for security audits of IT systems[3]. We carry out more than a hundred audits annually, which involves handling sensitive client data. The certification and the regular, independent follow-up inspections are our clients’ guarantee that we are outstanding in the protection of the data they provide us.”&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Obtaining the certification also enhances what Solucom has to offer in risk management consulting. Gérôme Billois, Security Manager, adds, “This certification demonstrates our commitment to ISO 27001 and our skill in implementing it. It is yet a further proof of our ability to support our major account clients in their own plans for certification or implementation of the standard.”&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In France ISO 27001 is eliciting major interest among big companies. 
“Implementing the standard lets you formalize your security initiatives and ensure you are on top of the risks and constantly improving, which are essential points in today’s governance,” adds Gérôme Billois.&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://axurblog.blogspot.com/feeds/5405835281390004397/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/987581787108127885/5405835281390004397' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/5405835281390004397'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/5405835281390004397'/><link rel='alternate' type='text/html' href='http://axurblog.blogspot.com/2008/09/1st-iso-27001-certification-in-france.html' title='1st ISO 27001 certification in France for security audits of IT systems'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-987581787108127885.post-2507565029983521685</id><published>2008-09-23T15:55:00.000-04:00</published><updated>2008-09-23T15:56:20.209-04:00</updated><title type='text'>eHosting DataFort Achieves ISO 27001</title><content type='html'>&lt;div&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;color: rgb(204, 0, 0);&quot;&gt;Region&#39;s Leading Service Provider Enhances Customer Confidence by Implementing International Security Standard Across Business Units&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Dubai: 23 September, 2008 - eHosting DataFort (EHDF), the region&#39;s leading IT outsourcing service and consulting services provider and a member of TECOM Investments, 
today announced its internal business units have successfully implemented the ISO 27001 Information Security Management System (ISMS), an international standard for addressing information security concerns.&lt;/div&gt;&lt;div&gt;The decision to implement the management system across all departments including its Data Centres and security operations confirms eHosting Datafort&#39;s continual commitment towards its customers by improving the security of business information, making it the first ever service provider in the region and among a select few worldwide to implement such a system throughout the organization.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Implementing ISO 27001 comes as part of eHosting DataFort&#39;s certification process in establishing a Corporate Governance and Management System (CGMS) program which includes a host of international standard certifications including the ISO 20000, ISO 9000 and BS 25999. These certifications will be effective across business units at eHosting DataFort shortly.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Mohamed Fouz, CEO of eHosting DataFort, said: &quot;Information security is a critical component of our business. 
Protecting business information through a robust security management system using effective security controls is a key management responsibility.&quot;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;eHosting DataFort&#39;s initiative is a proactive move to provide customers with a more agile and secure infrastructure by establishing the Corporate Governance and Management System program, in light of the recent security breaches that have affected businesses across the region.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&quot;Implementing ISO 27001 and complying with international standards will enhance the customers&#39; overall confidence in eHosting DataFort,&quot; added Fouz.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Ahmed Baig, Manager, Security Consulting at eHosting DataFort, said: &quot;Many organizations believe that securing their IT systems will guarantee the security of critical information. But as many organizations have realized, security breaches are the result of absence of governance including processes and controls. 
eHosting DataFort is not only committed to raising the level of security standards in the region, but also firmly believes in living up to its commitment of providing reliable and secure services to its customers.&quot;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;eHosting DataFort&#39;s consulting team has also successfully implemented ISO 27001 at Dubai Aluminum Company (DUBAL), Kuwait National Petroleum Company (KNPC) and, more recently, at the Emirates Identity Authority (EIDA).&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Committed to promoting information security within the region, the team at eHosting DataFort manages a 24/7 Security Operations Centre for monitoring and managing the security of leading organizations across the MENA region.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Its Corporate Social Responsibility (CSR) objective focuses on spreading awareness of information security and technology in the community, particularly in schools, universities and the government/public sector, through the Marifaty (My Knowledge) and Muthabara (Persistence) programmes.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;eHosting DataFort offers consulting and advisory services in information security, IT service management, business continuity and quality management systems.&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://axurblog.blogspot.com/feeds/2507565029983521685/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/987581787108127885/2507565029983521685' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/2507565029983521685'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/2507565029983521685'/><link rel='alternate' type='text/html' 
href='http://axurblog.blogspot.com/2008/09/ehosting-datafort-achieves-iso-27001.html' title='eHosting DataFort Achieves ISO 27001'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-987581787108127885.post-566657849185050213</id><published>2008-09-23T15:39:00.000-04:00</published><updated>2008-09-23T15:40:24.814-04:00</updated><title type='text'>Health information security standard issued</title><content type='html'>&lt;div&gt;In an effort to help protect personal health care information, the International Organization for Standardization (ISO) has published a new standard that specifies controls for managing health information security and utilizing best practices.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;According to an ISO statement, the new standard - ISO 27799:2008 - applies to all health information in “whatever form the information takes, whatever means are used to store it and whatever means are used to transmit it.”&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This new standard, announced in late August, addresses the use of internet and wireless technologies to share personal medical information, and the need to better protect confidentiality and keep data private.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt; “An important consideration was the adaptability of the guidelines, bearing in mind that many health professionals work as solo health providers or in small clinics that lack dedicated IT resources to manage information security,” the statement said.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Richard Rushing, CSO at wireless security firm AirDefense, told SCMagazineUS.com on Wednesday that the standard shows that many organizations have the same issues and that similar 
guidelines should be followed.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;“If followed, it would make information more secure,” Rushing said, “but there is usually nothing that specifically states that it is to be followed, except for maybe an audit that may have occurred sometime in the past.”&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The ISO standard will do things that Health Insurance Portability and Accountability Act (HIPAA)-related laws cannot do, said Rani Osnat, vice president for marketing with Sentrigo, a database security company.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;“HIPAA protects privacy, but it is not an IT standard,” Osnat told SCMagazineUS.com. “It doesn&#39;t do anything to protect data from an IT standpoint. This ISO [standard] will provide a much-needed benchmark for health organizations to follow to encourage better IT security.”&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Source: http://www.scmagazineus.com&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://axurblog.blogspot.com/feeds/566657849185050213/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/987581787108127885/566657849185050213' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/566657849185050213'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/566657849185050213'/><link rel='alternate' type='text/html' href='http://axurblog.blogspot.com/2008/09/health-information-security-standard.html' title='Health information security standard issued'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-987581787108127885.post-9067080853954953886</id><published>2008-09-22T21:09:00.000-04:00</published><updated>2008-09-23T21:10:48.867-04:00</updated><title type='text'>Press Release - New Brand</title><content type='html'>&lt;span class=&quot;Apple-style-span&quot; style=&quot;border-collapse: collapse; font-family: &#39;times new roman&#39;; &quot;&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify; margin-top: 0in; margin-right: 0in; margin-bottom: 10pt; margin-left: 0in; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif; &quot;&gt;&lt;b&gt;&lt;span style=&quot;font-size: 12pt; &quot;&gt;New York, September 22nd &lt;/span&gt;&lt;/b&gt;&lt;span style=&quot;font-size: 12pt; &quot;&gt;– Axur and Realiso Corp. announce that, from this date, the &lt;b&gt;Axur ISMS&lt;/b&gt; solution has a new brand and is called &lt;/span&gt;&lt;span lang=&quot;PT-BR&quot; style=&quot;font-size: 12pt; &quot;&gt;&lt;a href=&quot;http://www.realiso.com/realisms/&quot; style=&quot;color: purple; text-decoration: underline; &quot;&gt;&lt;span lang=&quot;EN-US&quot;&gt;Real ISMS&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;span style=&quot;font-size: 12pt; &quot;&gt;, property of &lt;/span&gt;&lt;span lang=&quot;PT-BR&quot; style=&quot;font-size: 12pt; &quot;&gt;&lt;a href=&quot;http://www.realiso.com/&quot; style=&quot;color: purple; text-decoration: underline; &quot;&gt;&lt;span lang=&quot;EN-US&quot;&gt;Realiso Corp&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;span style=&quot;font-size: 12pt; &quot;&gt;.&lt;/span&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;margin-top: 0in; margin-right: 0in; margin-bottom: 10pt; margin-left: 0in; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif; &quot;&gt;&lt;span style=&quot;font-size: 12pt; &quot;&gt;&lt;o:p&gt;&lt;span 
class=&quot;Apple-style-span&quot; style=&quot;font-size: 15px; &quot;&gt;&lt;span style=&quot;font-size: 12pt; &quot;&gt;Please update your bookmark. Get access to Real ISMS site at &lt;/span&gt;&lt;span lang=&quot;PT-BR&quot; style=&quot;font-size: 12pt; &quot;&gt;&lt;a href=&quot;http://www.realiso.com/realisms&quot; style=&quot;color: purple; text-decoration: underline; &quot;&gt;&lt;span lang=&quot;EN-US&quot;&gt;www.realiso.com/realisms&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;span style=&quot;font-size: 12pt; &quot;&gt;   &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;margin-top: 0in; margin-right: 0in; margin-bottom: 10pt; margin-left: 0in; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif; &quot;&gt;&lt;span style=&quot;font-size: 12pt; &quot;&gt;&lt;o:p&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-size: 15px; &quot;&gt;&lt;span style=&quot;font-size: 12pt; &quot;&gt;For more information please contact us at &lt;/span&gt;&lt;span lang=&quot;PT-BR&quot; style=&quot;font-size: 12pt; &quot;&gt;&lt;a href=&quot;mailto:contact@realiso.com&quot; style=&quot;color: blue; text-decoration: underline; &quot;&gt;&lt;span lang=&quot;EN-US&quot;&gt;contact@realiso.com&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;margin-top: 0in; margin-right: 0in; margin-bottom: 10pt; margin-left: 0in; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif; &quot;&gt;&lt;span lang=&quot;PT-BR&quot; style=&quot;font-size: 12pt; &quot;&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;margin-top: 0in; margin-right: 0in; margin-bottom: 10pt; margin-left: 0in; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif; &quot;&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-size: 16px; font-weight: bold;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p 
class=&quot;MsoNormal&quot; style=&quot;margin-top: 0in; margin-right: 0in; margin-bottom: 10pt; margin-left: 0in; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif; &quot;&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-size: 16px; font-weight: bold; &quot;&gt;Realiso Corp.&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;margin-top: 0in; margin-right: 0in; margin-bottom: 10pt; margin-left: 0in; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif; &quot;&gt;&lt;span style=&quot;font-size: 12pt; &quot;&gt;626, Glenn Curtiss Blvd - Uniondale&lt;/span&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;margin-top: 0in; margin-right: 0in; margin-bottom: 10pt; margin-left: 0in; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif; &quot;&gt;&lt;span style=&quot;font-size: 12pt; &quot;&gt;New York, USA&lt;/span&gt;&lt;/p&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://axurblog.blogspot.com/feeds/9067080853954953886/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/987581787108127885/9067080853954953886' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/9067080853954953886'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/987581787108127885/posts/default/9067080853954953886'/><link rel='alternate' type='text/html' href='http://axurblog.blogspot.com/2008/09/press-release-new-brand.html' title='Press Release - New Brand'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>