Tuesday, December 23, 2008

What It Means To Be ISO 27001 Certified - Benefits and Potential Payoffs

Mark Bernard is the Security & Privacy Officer at Credit Union Central of British Columbia. Today, Mark's credit union is the first financial institution to achieve ISO 27001 certification. Mark discusses ISO 27001 certification and its benefits with BankInfoSecurity.com.

Background: ISO 27001 is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO). The certification ensures that effective security controls and policies are in place. The certification process is a measurement of the performance of best security practices and identification of opportunities to improve those practices. It basically involves testing the existence and effectiveness of the information security controls at any given institution.

Benefits/ Payoffs of ISO 27001 Certification

The Credit Union Central of British Columbia has changed remarkably in its level of security awareness, and the credit union system has gone up substantially. People now recognize the value of, or they are realizing the value of having an information security credential such as this, and it is helping the institution to identify information security issues and address them more effectively.

As an institution in general, the culture has benefited as well. It's more focused on information security now and the identification of assets and how the credit union treats assets, threats, risk, and the vulnerability associated to those assets have been very positive.

Such involvement also boosts the team culture that remains, and this team effort can be effectively channelized into other business areas.

The ISO framework provides many of opportunities for improvement and to draw new sets of controls and to manage those more effectively likely than they have been in the past. Also, because the ISO framework already exists the credit union is looking at other standards such as the BS 25999, which is Business Continuity Standard, and integrating those controls within the ISMS.

Becoming ISO certified also made a big difference to the institution economically by reducing the number of external consulting engagements that were necessary, costing hundreds of thousands of dollars. And now the credit union has a bonafide external audit group that comes by twice a year to monitor their activity and provide a list of opportunities for improvement.

Thursday, December 18, 2008

Promoting accountability through ISO/IEC 27001 & 27002

As organisations go, there are those that welcome internationally recognised standards with open arms, and those that shy away citing cost or even applicability.

However, there is a need for standards within all organisations, regardless of size or market. It is in defining the Statements of Applicability (SoA) that the project becomes both relevant and cost-effective.

There is "information" within every organisation that is relied upon, so a system is required to manage its security. At the least, we need to ensure that the information is viable for its purpose.

Combined, these provide best practice guidance and a framework for an information security management system (ISMS) - ISO/IEC 27001 - and the management thereof - ISO/IEC 27002 - for the protection, confidentiality, integrity and availability of the information assets upon which an organisation depends.

Code of practice

ISO/IEC 27002 is merely a code of practice, so organisations are free to implement controls as they see fit, and the ISO/IEC 27001 standard incorporates only a simple summary of such controls and does not mandate any.

An important element is the definition of the SoA, among other scoping documents.

Through the SoA you are free to broaden or narrow the scope of certification, as you see fit, limiting the focus of any analysis. Understanding the SoA is crucial to attaching meaning to the certificate.

If you only define "the HR department", the associated certificate says nothing about the state of information security in "procurement", "manufacturing", "the IT department" or even the organisation as a whole. You set the scope.

Similarly, if the SoA asserts that some technical controls are not necessary for specified reasons, the assessing body will check that assertion but will not otherwise certify or fail those controls or the lack of them. In fact, no technical controls may be assessed at all as part of the assessment as ISO/IEC 27001 is primarily a management standard and compliance requires only that the organisation has a suite of management controls in place. If you feel a control is not necessary, giving a valid reason should suffice.

Start small

Look towards the information assets you currently manage or those you feel you can easily manage within the reduced scope, define a narrow SoA focused on what is already known and document your process to define, design, implement and manage these controls, including those "few" controls that may be missing.

Beyond certification or having marketing potential the process of assessment should confirm or improve accountability internally for information asset interfaces with wider business functions and third parties, confirming the scope for use of information assets with those partners.

Certification is optional, but is increasingly being mandated from suppliers and business partners concerned about their information security and the security of shared or common information.

Bodies such as the British Standards Institution, the National Institute of Science and Technology and various national bodies are issuing approximately 1,000 certificates per year - and the trend is growing.

By concentrating on the known information assets of a small business function, defining your ISMS to manage these will get you on the ladder and act as a springboard to widen your certification later.

ISO/IEC 27001


ISO/IEC 27001 is a formal standard towards which your organisation can attain independent certification of its frameworks to systematically and consistently design, implement, manage, maintain and enforce information security processes and controls - an information security management system (ISMS).

It covers any organisation (commercial business, government body or non-profit organisation), specifying the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a well-documented ISMS, within the context of the organisation's overall risk management processes.

It defines the requirements for custom security controls that meet the specific needs of the organisation or, importantly, any specified part or department thereof.

Source: http://www.computerweekly.com

David Gregg is an infrastructure and security consultant at The Logic Group

The growing accreditation of IT security tools and processes

Vincent Villers, Partner at PwC Luxembourg and Marc Sel, Director at PwC Belgium
Business review, December 2008

For a long time, Information Security has had many technical standards but has been lacking a minimal consensus in the area of management and responsibilities. The BSI (British Standards Institute) put forward their 7799 standards, which were well accepted and evolved into the ISO (International Standards Organisation) world. Fundamental to the ISMS (Information Security Management System) standard is the typical management organisation model ‘Plan-Do-Check-Act’:



ISO 27001 is commonly used as a term to refer to a family of interrelated standards:

• 27000 ISMS fundamentals and vocabulary
• 27001 ISMS requirements (absorbing parts of ISO 13335)
• 27002 Code of practice (based on the BSI 7799)
• 27003 ISMS implementation guidelines
• 27004 Information security management measurements
• 27005 ISMS risk management (absorbing parts of ISO 13335)


Structure of ISO 27001

The main standard document ISO 27001 addresses requirements for the Information Security Management System, as well as how to establish, manage and monitor the ISMS. It continues by addressing ISMS responsibilities, as well as audit and management review aspects.

The ISO 27001 certification process

In many countries, certification bodies have been established under the umbrella of accreditation bodies. For example, one of the authors, Marc Sel, is accredited Lead Auditor for PwC’s Certification Body ‘PwCC B.V.’ which is on a peer level with the BSI, TÜV and KEMA1 . PwCC B.V. is in turn accredited by the Dutch Accreditation Body (‘Raad voor Accreditatie’).

The International Register of ISMS accredited certificates lists those certificates that have been awarded to organisations that have gone through an accredited certification process in line with the ISMS standard BS 7799 Part 2:2002 and ISO/IEC 27001:2005 (i.e. the revised version of BS 7799 Part 2:2002).

This register has been produced in cooperation with the international network of certification bodies and is managed and maintained by the ISMS International User Group (IUG). It is updated on a regular basis in co-operation with the certification bodies. The entries in this register have been supplied by those certification bodies that have carried out the ISMS certification.

The increasing interest in ISO 27001 certification

In November 2008, almost 5.000 ISMS certificates have been issued (4.987 to be precise2) . The top five countries with the highest number of certificates today are Japan, India, the UK, Taiwan and China. They are followed by Germany and the USA.

The best advice to follow is to centralise core IT services in larger data centres. For example, the data centres of PwC Yemen, UK, Hong Kong, China, and USA have been secured by ourselves and accredited by the BSI against ISO 27001:2005. This gives us a strong background when helping customers prepare for such certification or improve their security posture.

In Luxembourg, only one company is registered as being accredited against the standard so far. However, considering the current trend of financial institutions to focus on their core business by considering outsourcing of several functions, coupled with the increasing need to embed trust in business relationship, all conditions are fulfilled to lead to a growing interest for this certification. Indeed, unlike current perception of other standards, the ISO 27001:2005 relies upon clear requirements and implementation guidelines that provides sufficient transparency to bring the required level comfort that an accredited company meets adequate level of security to build trust with its stakeholders. The implementation of an ISO 27001 ISMS is clearly becoming an optimal approach to help organisations tackle the current regulatory requirements with regards to Information Technology controls.

Finally, rather than individually answering each request for compliance, it is advised to look at the requirements holistically, and build a framework that allows demonstrating compliance against a broad set of regulations, re-using the same set of well-defined controls. The implementation of such a control framework makes demonstrating compliance significantly less expensive.

1 BSI British Standards is the National Standards Body of the UK, TÜV Rheinland Group is a leading provider of technical services worldwide, KEMA is a commercial enterprise, specializing in high-grade business and technical consultancy, inspections and measurement, testing and certification.
2 The status of the official ISO 27001 certificates is available at www.iso27001certificates.com

Source: PwC

Monday, December 15, 2008

VanceInfo Technologies gets ISO 27001 certification for Shanghai VanceInfo Technologies

VanceInfo Technologies Inc. (VIT: News ) Monday said it achieved the International Organization for Standardization 27001 certification for its subsidiary Shanghai VanceInfo Technologies Limited. VanceInfo's recent certification recognizes the company's adoption of an effective information security system that complies with one of the highest established international standards.

VanceInfo Technologies Inc. is an IT service provider and an offshore software development company in China.

Tuesday, December 9, 2008

Gary Hinson on ISO/IEC 27000

Few doubt that a major consequence of the current economic meltdown will be more regulations for the private sector to follow. New regulations almost always mean more spending on security and privacy controls. For a glimpse of what to expect, CSO turned to Gary Hinson, a New Zealand-based IT governance specialist and CEO of IsecT Ltd.

Hinson says to expect changes in the coming year, but they won't necessarily be tied to new regulations born of the financial crisis. Instead, his focus is on changes for the ISO/IEC 27000 family of standards. His efforts to help security pros understand the standards include a regularly-updated website: ISO27001security.com. Hinson spoke with CSOonline.com Senior Editor Bill Brenner about the nature and timing of updates to these important standards.

Where do you see the most significant regulatory changes in 2009?
There are a number of planned changes to the ISO/IEC 27000 family of Information Security Management System (ISMS) standards (collectively "ISO27k") over the next year or so, with several additional standards currently under development, several standards about to be released and earlier releases undergoing planned revision.

Let's start with the planned revisions.
Work is under way within JTC1/SC27, the ISO/IEC committee responsible for ISO27k, to review and where necessary adapt ISO/IEC 27001 and 27002. Both standards are being actively used around the world of course, making it likely that changes will be relatively limited in order to avoid disrupting the existing implementations and particularly the certification processes. I believe that in Japan, for instance, ISO/IEC 27002 is specifically recommended if not required to satisfy the Japanese privacy/data protection laws, with organizations being compliance-assessed against the code of practice although it was not originally intended by ISO/IEC to be used in that manner. No one really knows how many organizations have adopted ISO/IEC 27002 globally but I would guess it must be in the hundreds of thousands by now.

In revising ISO/IEC 27002, what are you pressing the committee to focus on?

1. Address and resolve the confusion around "information security policy" versus "ISMS policy" -- the latter being closer to strategy, as far as I can see.
2. Expand on the concept of personal accountability versus responsibility and clarify what is meant by "information asset."
3. Expand on typical computer room controls, for example environmental monitoring with local and remote alarms for fire, water, intrusion, power problems etc.
4. Update section 10.8 "Exchange of information" to improve coverage of mobile code, Web 2.0/Software As A Service etc. Technical advances are a tricky area for ISO27k since publication of the standards is such a long, slow process They try as far as possible to keep the standards technology-neutral but this can result in them lacking guidance in some areas].
5. Expand section 11.2 on "User access management" to include more on identification and especially authentication of remote users.
6. Provide pragmatic guidance on security testing of new/changed application systems in section 12.
7. Expand section 14 on "Business continuity management" to cover resilience as well as disaster recovery. This section would also benefit from more explanation of "contingency."
8. Update section 15 to reflect legal and regulatory changes such as the rise of e-discovery, document/e-mail retention and increasing use of computer data as evidence in court.
9. Emphasize the value of IT auditing processes in section 15.3.

Source: CSO Online

Thursday, November 13, 2008

Emloyee education key to successful enterprise security

Money can buy you many things, it seems, but not perfect security. Organisations have been investing in IT security over the past few years, but laptops and disks full of sensitive data are still going missing and corporate networks are still being hacked.

In all these breaches, the common link has become increasingly obvious: employees. Whether they are failing to abide by corporate policies, simply don't know about them, or work in a company that has no security policies in place, staff are mailing out millions of user accounts without proper encryption, giving out passwords over the phone and double-clicking on attachments that promise naughty pictures of Angelina Jolie.

A recent survey of 1,000 IT managers by mobile data security specialist SafeBoot showed that 54 per cent of respondents felt that the majority of their employees ignore company security policies, mainly due to a lack of understanding and "not taking it seriously".

The answer then should be clear: educate employees about the risks and what they should be doing to reduce them. And indeed, some companies are already doing that. But SafeBoot's research shows that 98 per cent of IT managers rely on memos and emails to communicate security. As Tom de Jongh, product manager at SafeBoot, points out: "You can't trust employees to read memos."

So what is the best way to teach employees about security - and get them to follow the advice? The first step is to realise that not everything is going to happen overnight. "You need to change the culture of the organisation over several years," says Martin Smith, chairman and founder of The Security Company. Smith, who started his career in military counter-intelligence and counter-espionage, has been trying to convince businesses of the importance of security awareness for 20 years.

"It's heartbreaking," he laments. "Infosec is focusing frantically on technology, but it doesn't matter what you spend on security unless you bring people with you. If staff could just know some basic stuff, it would all go away."

Generating this culture of security is an important component of overall security awareness. "There's an awful lot that users need to know - too much," Smith adds. "They're overloaded with information they're not really interested in - it's boring." Rather than trying to teach people using courses, he advises to have constant reinforcements of messages about the importance of security in conjunction with a place for employees to find out information.

Bad awareness education can be even worse than no training at all, Smith suggests. "Employees will always ask: 'What's in it for me?'. If all people see of security is a boring course once a year that effectively pushes the problem on to them so that the security team's arse isn't on the line, that's not a huge sell." Measures such as providing somewhere for employees to find out security information, letting them know that breaches in security could cost the company severely, creating a culture of security and not forcing them to do anything, are far more likely to make employees security aware.

Assuming the constant reinforcement of the message is getting through, employees who are about to perform an action that might be potentially dangerous will pause to think and consult the knowledge zone for the correct procedure. "Then you'll have employees thinking: 'Send out 25 million bits of information? That doesn't sound right. I'll just check the knowledge zone,'" Smith says.

Obviously, creating an intranet knowledge zone or having a security support team to answer queries takes resources. Cliff May, consulting manager at Integralis, often has to teach employees of client organisations about security as part of ISO27001 audits. He uses seminars and e-learning packages to educate users, but prefers seminars. "E-learning is not as effective. If you run tests, sometimes people get the answers off someone else - it's a paper exercise they just want to get over with."

Nevertheless, they can work well if you're prepared to invest in them properly. Paul King is a member of Cisco's security programmes organisation, which runs training around the world. As well as an initial induction programme that uses face-to-face training, Cisco uses e-learning systems featuring specially shot videos put together by professional video makers. "We keep them quite short, simple and interesting. There are also questions interspersed throughout, although they're not as hard as an exam."

Cisco has an internal home page with links to take people through to the e-training videos. Using web analytics, the company monitors which employees have been watching videos. "Everyone in the organisation understands that the need for security awareness comes down from John Chambers (Cisco's CEO)." But if employees aren't watching the videos they're supposed to be watching, their line managers will be asked why.

King says the company can also tell how effective training has been through other means. A recent video on "shoulder surfing" emphasised the importance of using privacy screens when working on laptops in public places. A link next to the video took the user to a place where they could buy a screen through their department's budget. "Take-up was huge. Lots of people now have screens on their laptops. That's our measure."

Cisco only produces a few of these videos. For the most part, it provides a constant background of security information to create a secure culture. It uses poster campaigns and newspapers among other things. A recent effort suggested employees should think of themselves as "security champions", trying to keep the company safe.

However, Robin Adams, head of the security division at the Logic Group, cautions against relying on posters. "The feedback I get is that posters work for about a month." Similarly, signs to remind users of good behaviour tend to fade into the background within days.

Although seminars can be expensive and not as effective in the long-term as other methods, they can work well in small companies. Firebrand offers low-level training courses that clear away jargon and acronyms - something that can creep in if security staff put on their own seminars without input from marketing, training or HR departments.

David Cole, academy team leader and senior consultant at risk consultancy DNV, suggests that role-playing works well in workshops and seminars. "There's a danger in infosec training that you end up showing slide after slide," he warns. "But you need to make it fun. You can have training exercises and create a scenario that builds slowly over the day."

May at Integralis uses anecdotes from his forensics career to enliven his sessions. "You get senior people turning up because they hear it's interesting. If you can add a bit of humour, they can enjoy proceedings." He also advocates the use of role-playing: "They have to think for themselves. It's a good way of making it sink in." Nevertheless, although he is in favour of induction courses, he considers a presentation by itself "virtually worthless".

It could be you

Getting employees to pay attention to all these messages usually involves sticks and carrots. Annual exams can test how much has actually sunk in. Strong punishments for people who have knowingly broken security policies can set an example and demonstrate the company is serious about security. But the Logic Group's Adams says that, in his experience, painting a worst-case scenario of what could happen works "amazingly well" when it comes to convincing staff to abide by the policies anyway. "If you explain that credit-card companies might take away their ability to process cards for orders, together with the effect that would have on jobs, people really listen." Explaining what information might be worth to criminals also helps, he adds.

Ultimately, no matter how good security technology becomes, people will always be a weak link. Ignoring this fact is, as Smith suggests, like focusing on brain surgery when the patient is dying of the common cold.

TOP TEN TIPS FOR YOUR STAFF

1. Make sure that all redundant equipment, documents and waste are removed as appropriate. It's no use protecting data on your PC if it's on your desk for everyone to see.

2. Lock your workstations when left unattended and log off at the end of your working day.

3. Don't share computer passwords except under the most exceptional emergency circumstances.

4. Don't make your password easy to guess. It should be at least eight characters, different for each account and not based on personal things such as dates or pet names.

5. Organised crime is at work and the average criminal is more motivated to steal from you than you are to defend yourself.

6. If you have a laptop, don't leave it on display in your car. Get a laptop cable lock. Many thefts are crimes of opportunity.

7. Avoid working in a public place, you never know who's watching. If you must, get a privacy protector.

8. Do not connect devices such as iPods, USB drives or even CDs to your PC without checking with IT - these can all carry malicious software.

9. Don't reveal details of your work security with anyone. If someone is trying to break in, they'll try to get as much information as possible.

10. If you think something is suspicious, report it. Many crimes are successful because earlier, unsuccessful break-in attempts weren't spotted by the right people.

CASE STUDY: RICOH

Japanese digital office-solutions company Ricoh has nearly 82,000 employees and offices in more than 150 countries. Three years ago, the company decided to go for a single global certification for ISO27001.

Kevin McLean, information security manager at Ricoh Europe, has been in charge of the EMEA aspects of the certification. "In order to achieve the certification, we created a project team. The team worked with the IT, HR and facilities management departments to establish the information security management system (ISMS) with a focus on access control, from IT systems to buildings. Recruitment policies were reviewed to cover the management of contractors and permanent personnel."

However, McLean knew that employee awareness would also be a vital part of both certification and the company's security policy. "While we strive to be as strong as can be with physical security, it can all be undone by people," he says.

So he and his team created a security awareness programme. They began with pilots in a number of offices, including the company's European HQ in London. They also set up ISMS business representatives groups, bridging units at each pilot area between their own division and the rest of the company, which met to decide activities and projects designed to improve employee awareness. "We tried a number of things to see how they were received." Since the pilot project at the HQ was in a relatively small area, it was possible to take advantage of "water cooler" chat to discover how much of the message was getting through. Managers told them that more staff were wearing ID badges, clearing their desks at the end of the day and performing other actions they had been advised to perform.

To get the message across, the unit devised initiatives including informal launches, articles on the intranet, a staff handbook and mandatory awareness training. Staff were also given free gifts, including a personal alarm and SIM card replicator, to reinforce the security message. A set of "11 commandments" based around the "DOIT" slogans ('protecting documents, office and IT') further added to the message.

"HR and marketing helped come up with the slogans," recalls McLean. "And HR were able to tap training and similar resources." Seminars and workshops involving role-playing allowed staff to explore security issues related to their working day. "Employees weren't interested in big picture stuff. It was all about 'How does this affect me?'"

Although Ricoh now has the certification, McLean says the programme will continue. "We're always going to be improving it."

WORKING WITH OTHER DEPARTMENTS

If security is seen as an IT issue, it will be left to the IT department to sort it out. Apart from the crippling amounts of extra work, that will mean security being someone else's problem rather than an issue for the whole company. So it's important to get other departments to work in conjunction with IT to ensure that the security message gets through and is seen as everyone's concern.

This usually involves board-level support as well as a "bridging unit" or a business relationship manager, depending on the size of the company, to liaise between IT and other departments. If you can get funding from those departments, they will be far more committed to the issue than if they are merely asked to give up their time.

The HR and legal departments can be useful, as they can ensure that employee contracts include suitable rules about security and IT use, together with appropriate actions in case employees break them. This means that if someone does cause a security breach, the contract, together with the training given to them, significantly reduces the chance of a lawsuit for unfair dismissal being filed against the company. Liaising with HR means security training can be part of the induction programme, avoiding the problem of security being seen as something "other".

Marketing, training and other corporate communications departments have those vital people skills that some IT specialists lack. When creating awareness campaigns, marketing can help to devise the most effective methods of getting the message across. And while IT can certainly provide the information about security that needs to be given to employees, a training or HR department is far more likely to be able to deliver seminars and courses in a way that non-technical people will appreciate.

Source: http://www.securecomputing.net.au/

Tuesday, November 11, 2008

Security survey finds increase in security standards adoption

News Analysis

Ernst & Young's 2008 Global Information Security Survey begs the eternal question, depending on how you look at the numbers: Is the glass half full or half empty?

For example, the survey clearly shows that many companies may be slow to address growing security concerns, such as reliance on third parties -- partners, vendors and contractors. Only 45% of respondents include specific security requirements in all third-party contracts, but an optimist might say this reflects a trend in the right direction. One wonders if the other 55% write language into their more sensitive contracts that involve sharing confidential data or access to key systems.

The 11th annual survey by Ernst & Young (E&Y) polled nearly 1,400 organizations in more than 50 countries with annual revenues ranging from less than $100 million to more than $25 billion, as well as non-profits. Nearly a third of the organizations polled were in the financial services sector and 13% were in manufacturing, the second highest group.

The report comes on the heels of PricewaterhouseCoopers' annual Global State of Information Security Survey.

On a positive note, adoption of international information security standards is clearly trending up. Use of ISO/IEC 27001:2005 was up 15% over 2007 and ISO/IEC 27002:2005 rose 9% over 2007. The E&Y report stated that management standards, such as ISO 9000, have been adopted in certain industries where information security standards are becoming a necessity for doing business.

The survey also found that organizations are overwhelmingly planning to increase or maintain information security spending as a percentage of their total expenditures. The survey was conducted from June 6 to August 1, before the international economic crisis was in full bloom, so the question going forward is: What was the impact on total expenditures? It would be interesting to see the results if the survey was conducted now.

Interestingly, 50% of the respondents said organizational awareness was the most significant challenge to information security initiatives, edging out availability of resources, budget and addressing new threats and vulnerabilities. While the survey didn't specifically address training or awareness programs, only 19% of the respondents said they ran social engineering tests, while Internet and infrastructure testing is also common practice at 85% and 73% respectively.

While E&Y says regulatory compliance has been the leading driver for information security since 2005, it reports that protecting reputation and brand has become a significant driver as well. However, the question asked was not what drives information security initiatives and spending, but rather, what are the perceived consequences of security incidents? What is the "level of significance if information is lost, compromised or unavailable" Eighty-five percent of respondents said damage to reputation and brand was "significant" or "very significant," followed closely by loss of stakeholder confidence, loss of revenue, regulatory action and legal action.

Though the report cites compliance as a driver for raising security awareness and improvements, there's room for healthy skepticism about how much companies would do if they weren't compelled. Every car should have seatbelts, but how many had them before they were mandated?

Other key findings:

# Business continuity is an IT responsibility in 41% of the organizations, compared to 20% in risk management and 11% in information security. It would be interesting to see if this is trending toward or away from IT.

# Most organizations are unwilling to outsource key information security activities. This is somewhat interpretive. While two-thirds to three-quarters of the respondents are keeping things like vulnerability and patch management, incident response, DR/BC, security awareness training and e-discovery and forensics in-house, the majority are either outsourcing or planning to outsource security assessments, audits and pen testing.

# Few companies hedge information security risks with cyber insurance. Generally, around 10% of the organizations have some sort of insurance in one or more of eight information security-related areas, such as the cost of incident response or litigation, and few of the others have plans in the next 12 months. About one-third said they don't know, which leaves some potential for growth in the future.

Source: http://searchsecurity.techtarget.com/

Wednesday, November 5, 2008

Broadridge receives ISO 27001 certification for ProxyPlus

This international certification specifically covers Broadridge's Information Security Management Systems (ISMS) for these flagship products, validating that the associated security policies for these applications have undergone in-depth testing and external audits. The new certification provides better protection and privacy for Broadridge's clients' data by ensuring that there is enhanced tracking and reporting on the company's security initiatives. Broadridge is distinguished among its competitors for its superior information security model and is one of only 77 companies in the United States that are currently ISO 27001 certified; of these companies, less than 10% are in the financial services industry.

Broadridge recognizes that the data processed by Broadridge on behalf of its clients is among its clients' most vital assets as it is confidential information related to their retail and institutional brokerage and investor communications activities. The certification adds yet another layer of security for Broadridge clients as they conduct their integral operations and transactions using key Broadridge applications to process this data. ProxyPlus is Broadridge's enterprise application that supports the core processing functions of Broadridge's proxy services, the company's largest business. Broadridge's BPS platform is one of the most robust securities processing engines in the industry for equities, mutual funds, and options providing real-time interfaces, as well as links to all major United States exchanges. Broadridge's impact solution is an integrated, online fixed-income securities transaction processing system, offering leading global financial institutions the ability to process fixed-income trades from order entry through to customized post-trade reporting. The certification of ProxyPlus, BPS, and impact offers the global banks and broker-dealers as well as corporate issuers and mutual funds whose data is processed using these three applicatiications, the assurance that Broadridge has created and implemented information security practices that are comprehensive and stringent enough to meet ISO standards.

The ISO 27001 Certification is designed to assist corporations with the development of a consistent methodology for implementing information security at the program level, as well as defining key control objectives designed to protect information assets. ISO 27001 is the only auditable international standard which defines the requirements to ensure that sufficient security controls are instituted within the certified organization. Additionally, maintaining the ISO 27001 Certification requires an annual review and three year re-certification. The continual scrutiny of Broadridge's ISMS in this manner provides confidence to clients that their data is protected on an ongoing basis.

"We are proud to have earned this certification and believe it reflects the dedication of our Information Security team to ensure that we have the highest level of controls in place when handling our clients' confidential information," said Mark Schlesinger, Chief Information Officer, Broadridge. "Data security is essential to the survival and stability of any organization and Broadridge's ISO Certification offers our clients a higher level of safeguard and protection for their information assets," Mr. Schlesinger added. To ensure that management is closely tied to ISO 27001 compliance, Broadridge has created a governance program that includes a management committee and has appointed information security champions in departments and divisions throughout the company whose job it is to support ongoing and timely security enhancements. This certification is just the beginning of what is envisioned as a multi-year plan to enhance and expand Broadridge's internal controls and security strategy.

Source: http://www.finextra.com

Saturday, November 1, 2008

UK – Paternoster plans to achieve data protection compliance

Paternoster has said it plans to be the first insurer to be certified for the data protection standard ISO 27001 following its Indian operations being passed as ISO 27001-complaint in June this year.

The certification process ensures the company adheres to the tight data security standards demanded by the global standard.

Source: http://globalpensions.com/

Tuesday, October 21, 2008

BTA Bank pioneered information Security Management System in Kazakhstan

The FINANCIAL -- BTA Bank JSC is a sole bank in Kazakhstan to successfully introduce the Information Security Management System (ISMS) in compliance with ISO 27001 of the British Standards Institute (BSI).

ISMS covers BTA-Online system that provides entities with online banking services. Within this certification international experts have named BTA-Online the product with a highest level of protection.

ISO/IEC 27001:2005 certificate will enhance confidence of both investment companies and borrowers in BTA Bank to as regards its ability to protect information entrusted to it since the ISMS eliminates a risk of threat to information security.

ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System. Only this standard can be used in a certification by an international standard that specifies requirements to the ISMS.

Development and introduction of the ISMS in compliance with ISO 27001 is a vital part of the IT strategy of Bank’s development and in general BTA strategy of turning into an international financial institution and raning among the major world’s banks.

Russia-based InformZaschita has designed the ISMS for BTA Bank JSC and introduced it.

Source: http://finchannel.com

Monday, October 20, 2008

"The Renaissance the Credit" has passed ISO 27001 certification

«The Renaissance the Credit» has confirmed conformity of a control system with information safety to requests of international standard ISO/IEC 27001:2005. ISO/IEC 27001:2005 establishes requests concerning definition, introductions, managements, monitoring, an estimation, support and constant perfection of a documentary control system by information safety (further – SUIB). This standard is the only thing suitable for certification by the international standard defining requests to SUIB.

«The qualitative system of information safety is one of necessary and priority conditions of successful business dealing of the credit organisations, therefore we always watch closely conformity of our internal procedures to the international and Russian standards, – the Chairman of board of KB« has commented on the Renaissance the Capital »Alexey Levchenko. – In our bank one of the most advanced IT Infrastructures is created, and we should be assured of reliable protection of confidential data».

Procedure of certification of a control system by information safety has been executed by the British institute of standards (British Standards Institution, further BSI) - the most authoritative service provider of certification of Control systems in the international market. It is remarkable, that «the Renaissance the Credit» became the first bank certificated BSI in Russia and the second Russian bank, received the certificate of conformity ISO 27001.

It is necessary to notice, that «the Renaissance the Credit» has conducted preparation for certification independently, without attraction of foreign advisers that confirms high qualification of the experts supplying information safety of bank, and also active sharing of a management in safety issues. The bank is not intended to remain in current borders of certification and plans its further expansion for all basic business processes.

Source: http://fin-forex.com

NCR Facility Attains ISO/IEC 27001 Certification

NCR Corp. announced its eCommerce Managed Hosting Services facility has achieved ISO/IEC 27001 certification recognizing the data center for meeting the International Standards Organization's exacting specifications for information security management. According to company officials, NCR's eCommerce Managed Hosting Services provides maximum secure protection of customer data for businesses running applications over the Internet."The ISO/IEC 27001 certification helps facilitate NCR's international expansion strategy to provide businesses in Europe and Asia Pacific with hosting solutions that deliver value for existing customer applications and help drive future capabilities including self-service and mobile transactions," said Chris Shea, NCR vice president, WCS Global Services Operations. "This certification explicitly underscores our ability to securely manage a customer's confidential data, provide highly compliant hosting services and address additional industry specific certifications and requirements."

The eight-month ISO/IEC 27001 certification process involved process documentation and numerous site audits by ISO inspection teams and BSI Management Systems, a management systems certification body.

"BSI was enthusiastic about the commitment and resources NCR implemented to ensure compliance with the rigorous ISO/IEC 27001 certification requirements," said Todd VanderVen, president of BSI Management Systems America. "With high standards of security, availability and risk management practices in place, NCR is well-positioned to provide customers with information security management processes and has established a structured framework to promote continuous improvement in meeting the specific needs of its diverse customers."

Source: http://www.tradingmarkets.com/






Tuesday, October 14, 2008

M I G awarded ISO 27001

ISO Certifications awarded to M I G Investments for meeting quality and security standards
M I G Investments has been awarded the ISO 9001:2000 certification in recognition of its standardized Quality Management best-practices, and the ISO 27001:2005 certification for standardized Information Security techniques. The move comes as M I G Investments leverages its international expertise as a major Swiss, online FX broker by bringing customers quality services, innovation, technology and high security standards.

Source: http://www.forex-blogs.net/

Saturday, October 11, 2008

Affinion Group Receives ISO Certification

The Affinion Group, a global leader in affinity marketing, has been awarded the esteemed ISO 27001 certification, the highest international standard for information security management in the world.

The group was lauded for their high information security practices and policies. Due to the global affinity marketing firm’s dedication to shield its clients from identity theft and scammers, the Affinion Group is the only company in the industry and one of the 50 companies in the United States that was given the prestigious ISO 27001 Certification. Only 4,100 companies all over the world hold the same recognition.

Apart from the Affinion Group, other U.S. organizations that share the same commendation are Sun Microsystems, Bechtel Corp., Reuters America, The World Bank, Citigroup Technology, and Xerox Corp. among others.

The ISO Certification establishes Affinion’s longstanding commitment in seeking innovations that would further improve information security and reduce the incidences of identity theft and scams in their industry. Robert G. Rooney, Vice-President of the Affinion Group, stated the company strives to “raise the bar for the practices in our industry.”

An ISO certification indicates that a company has put into practice an information security management system that surpasses even the strictest security standards on a global scale.

The following are several factors that contributed to Affinion’s ISO Certification:

  • Implementation of best practice across all information security domains;
  • Putting up of a strong security outline that entails operation, monitoring, review, maintenance and development;
  • Systematic management of incidents with clear and timely escalation paths.

With its ISO certification, the Affinion Group has a strong foundation from where they could base their information security framework for 2008.

Operating for 35 years, the Affinion Group continues to enhance the value of its partners’ customer relationships by strengthening and marketing valuable loyalty, membership, checking account, insurance and other compelling products and services.

View the source press release from the Affinion Group.

Friday, October 10, 2008

EOL earns its fourth ISO accolade

VAR EOL IT has bagged an International Standards Organisation (ISO) certification in security management and plans to use it to push into the public sector.

The firm has completed certification for the ISO 27001 for information security management systems, which less than one per cent of all UK firms have so far completed.

This brings the firm’s number of ISO qualifications to four; the others being ISO 18001 for occupational health and safety management, ISO 9001 for quality administration systems and ISO 14001 for environmental management systems.

Richard Parker, managing director of EOL IT, said: “This latest ISO is all about data security. A number of our competitors have this, but the immediate benefit for us is when tendering to clients.”

Parker added that the firm intends to go for larger public sector contracts now that it has four ISO standards. “There is only one other firm that I know in our sector with all four ISO certifications. It is all about putting in best practice to the business.”

Source: http://www.channelweb.co.uk/crn/news/2227374/eol-earns-fourth-iso-accolade-4253635


Thursday, October 9, 2008

ISO-27001 Quick Reference

I waffle on about this thing a lot - because I like it.

The fundamental triangle of all ISO business standards now rests upon ISO9001, ISO14001 and ISO27001. The documentation is meant to be structured in such a way that the “01″ document is the standard and the “02″ document is the guide. So ISO27001 is the standard and ISO27002 is the guide to that standard (neat).

Here’s a handy spider diagram that gives you all the headings from ISO27002. I use it as a quick tick list to guide people towards making a “scope of applicability” for their business security needs.

Note that the headings go from (4) to (15)…there is no (1) to (3)…this is one of the great unfathomable mysteries of ISO. We are unworthy of controls (1) to (3), perhaps in an afterlife these ultimate truths will be revealed to us…or maybe they just forget to include them, I dunno…

Anyway, I hope some folk find this useful

Source: http://ipvideo.ie/


Friday, October 3, 2008

ISO 27000 Serie Update!

The ISO/IEC 27000-series numbering (“ISO27k”) has been reserved for a family of information security management standards, similar to the very successful ISO 9000 family of quality assurance standards and derived from a British Standard called BS 7799.
  • The following standards are either already published (shown in red) or works in progress:
    ISO/IEC 27000 - will provide an overview/introduction to the ISO27k standards as a whole plus the specialist vocabulary used in ISO27k. Once approved by the members of ISO/IEC JTC1/SC27, it should be published later this year.
  • ISO/IEC 27001:2005 is the Information Security Management System requirements standard (specification) against which over 4,700 organizations have been certified compliant.
  • ISO/IEC 27002:2005 is the code of practice for information security management describing a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.
  • ISO/IEC 27003 will provide implementation guidance for ISO/IEC 27001.
  • ISO/IEC 27004 will be an information security management measurement standard to help improve the effectiveness of your ISMS.
  • ISO/IEC 27005:2008 is a new information security risk management standard released in June 2008.
  • ISO/IEC 27006:2007 is a guide to the certification or registration process for accredited ISMS certification or registration bodies.
  • ISO/IEC 27007 will be a guideline for auditing Information Security Management Systems.
  • ISO/IEC TR 27008 will provide guidance on auditing information security controls.
  • ISO/IEC 27010 will provide guidance on sector-to-sector interworking and communications for industry and government, supporting a series of sector-specific ISMS implementation guidelines starting with ISO/IEC 27011.
  • ISO/IEC 27011 will be information security management guidelines for telecommunications (also known as X.1051) and will be released soon.
  • ISO/IEC 27031 will be an ICT-focused standard on business continuity.
  • ISO/IEC 27032 will be guidelines for cybersecurity.
  • ISO/IEC 27033 will replace the multi-part ISO/IEC 18028 standard on IT network security.
  • ISO/IEC 27034 will provide guidelines for application security.
  • ISO 27799, although not strictly part of ISO27k, provides health sector specific ISMS implementation guidance.
  • Other ISO27k is a holding page with preliminary information on more ISO27k standards including sector/industry-specific ISMS implementation guidelines whose scopes and ISO27k numbers have not yet been determined.

The names and content of as-yet unpublished standards may well change prior to their publication, especially the early drafts.

Source: http://www.iso27001security.com

Wednesday, September 24, 2008

1st ISO 27001 certification in France for security audits of IT systems

Solucom, leading player in IT security, has just received certification to ISO/IEC 27001:2005 for its auditing services of the security of IT systems.

This internationally recognized certification guarantees the implementation of a management system and both organizational and technical security measures. It involves a regular reassessment of risks and facilitates continuous improvement. Solucom’s auditing service was audited and certified by LSTI[1], which is accredited by COFRAC[2].

Laurent Bellefin, Director of Security Operations at Solucom states that, “This is the first 27001 certification in France for security audits of IT systems[3]. We carry out more than a hundred audits annually, which involves handling sensitive client data. The certification and the regular, independent follow-up inspections are our clients’ guarantee that we are outstanding in the protection of the data they provide us.”

Obtaining the certification also enhances what Solucom has to offer in risk management consulting. Gérôme Billois, Security Manager, adds, “This certification demonstrates our commitment to ISO 27001 and our skill in implementing it. It is yet a further proof of our ability to support our major account clients in their own plans for certification or implementation of the standard.”

In France ISO 27001 is eliciting major interest among big companies. “Implementing the standard lets you formalize your security initiatives and ensure you are on top of the risks and constantly improving, which are essential points in today’s governance,” adds Gérôme Billois.

Tuesday, September 23, 2008

eHosting DataFort Achieves ISO 27001

Region's Leading Service Provider Enhances Customer Confidence by Implementing International Security Standard Across Business Units

Dubai: 23 September, 2008 - eHosting DataFort (EHDF), the region's leading IT outsourcing service and consulting services provider and a member of TECOM Investments, today announced its internal business units have successfully implemented the ISO 27001 Information Security Management System (ISMS), an international standard for addressing information security concerns.
The decision to implement the management system across all departments including its Data Centres and security operations confirms eHosting Datafort's continual commitment towards its customers by improving the security of business information, making it the first ever service provider in the region and among a select few worldwide to implement such a system throughout the organization.

Implementing ISO 27001 comes as part of eHosting DataFort's certification process in establishing a Corporate Governance and Management System (CGMS) program which includes a host of international standard certifications including the ISO 20000, ISO 9000 and BS 25999. These certifications will be effective across business units at eHosting DataFort shortly.

Mohamed Fouz, CEO of eHosting DataFort, said: "Information security is a critical component of our business. Protecting business information through a robust security management system using effective security controls is a key management responsibility."

eHosting DataFort's initiative comes as a proactive response to providing customers a more agile and secure infrastructure through establishing the Corporate Governance and Management System program, considering the recent security breaches that have affected businesses across the region.

"Implementing ISO 27001 and complying with international standards will enhance the customers overall confidence in eHosting DataFort," added Fouz.

Ahmed Baig, Manager, Security Consulting at eHosting DataFort, said: "Many organizations believe that securing their IT systems will guarantee the security of critical information. But as many organizations have realized, security breaches are the result of absence of governance including processes and controls. eHosting DataFort is not only committed to raising the level of security standards in the region, but also firmly believes in living up to its commitment of providing reliable and secure services to its customers."

eHosting DataFort's consulting team has also successfully implemented ISO 27001 at Dubai Aluminum Company (DUBAL), Kuwait National Petroleum Company (KNPC), and more recently, at the Emirates Identity Authority (EIDA).

Committed to promoting information security within the region, the team at eHosting DataFort manages a 24/7 Security Operation Centre for monitoring and managing the security of leading organizations across the MENA region.

In fact their Corporate Social Responsibility (CSR) objective focuses on spreading awareness of information security and technology amongst the community focusing on Schools, Universities and Government/Public sectors through the Marifaty (My Knowledge) and Muthabara (Persistence) programmes.

eHosting DataFort offers consulting and advisory services in Information security, IT service management, business continuity and quality management systems.

Health information security standard issued

In an effort to help protect personal health care information, the International Organization for Standardization (ISO) has published a new standard that specifies controls for managing health information security and utilizing best practices.

According to an ISO statement, the new standard - ISO 27799:2008 - applies to all health information in “whatever form the information takes, whatever means are used to store it and whatever means are used to transmit it.”

This new standard, announced in late August, addresses the use of internet and wireless technologies to share personal medical information, and the need to better protect confidentiality and keep data private.

 “An important consideration was the adaptability of the guidelines, bearing in mind that many health professionals work as solo health providers or in small clinics that lack dedicated IT resources to manage information security,” the statement said.

Richard Rushing, CSO at wireless security firm AirDefense, told SCMagazineUS.com on Wednesday that the standard shows that many organizations have the same issues and that similar guidelines should be followed.

“If followed, it would make information more secure,” Rushing said, “but there is usually nothing that specifically states that it is to be followed, except for maybe an audit that may have occurred sometime in the past.”

The ISO standard will do things that Health Insurance Portability and Accountability Act (HIPAA)-related laws cannot do, said Rani Osnat, vice president for marketing with Sentrigo, a database security company.

“HIPAA protects privacy, but it is not an IT standard,” Osnat told SCMagazineUS.com. “It doesn't do anything to protect data from an IT standpoint. This ISO [standard] will provide a much-needed benchmark for health organizations to follow to encourage better IT security.”

Source: http://www.scmagazineus.com

Monday, September 22, 2008

Press Release - New Brand

New York, September 22th – Axur and Realiso Corp. announce that from this date, Axur ISMS solution has a new brand and is called Real ISMS, property of Realiso Corp.

Please update your bookmark. Get access to Real ISMS site at www.realiso.com/realisms   

For more information please contact us at contact@realiso.com


Realiso Corp.

626, Glenn Curtiss Blvd - Uniondale

New York, USA

Monday, September 15, 2008

Innominds software Receives ISO 27001 Certification

United States of America (Press Release) September 15, 2008 -- Innominds Software, a leading provider of Software Product Engineering Services has received the ISO 27001:2005 Certification for its information security management system from Certification International UK, accredited by United Kingdom Accreditation Service (UKAS). These certificates validate that the services and security management of Innominds adheres to the highest standards in the world. With this, Innominds is among the few companies globally to be awarded the ISO 27001:2005 accreditation.

ISO 27001 is a management system that identifies, manages and minimizes a range of threats to business information. It provides guidelines for implementing a constructive risk management process, setting up policies, and ensuring a secure infrastructure is in place. This standard shows that a business has taken preventative measures to protect clients' data, and demonstrates to customers and prospects that the business is observing a duty of care.

Commenting on the accreditation Mr. Divakar Tantravahi, MD, Innominds said, “Receiving ISO 27001:2005 certification is an important milestone for our global business. As a Product Engineering service company, its imperative we have robust process in place to protect the Intellectual Property (IP) of our customers and this process helps us to ensure the confidentiality, integrity and availability of information and information processing infrastructure to protect the interests of all the stakeholders and also the physical, environmental, data and network security for our premises”

“This certification is important as it generates client confidence in the solution provider. As Innominds gears to deliver more services from its offshore locations in India, it is important that it generates confidence in handling data securely.” he adds.

About Innominds:
Ranked among Global Software 500 (source: Software Magazine 2005), Innominds Software is a specialized Software Product Engineering Services provider based out of San Jose, CA with offshore development center in Hyderabad. Innominds is ISO 9001: 2000 certified and its development methodology directly addresses the toughest challenges faced by the product engineering management who are aspiring to fuel innovation and mitigate business, financial and technology risks. For more information, visit the company's website www.innominds.com

Is information security important to your enterprise?

Arun Gupta, Customer Care Associate & CTO of Shoppers Stop Limited asks does the responsibility for protection of information remains relegated to the IT organization or the CIO at best

BANGALORE, INDIA: The question "Is information security important to your enterprise?" asked of any CEO, CFO or even a board member will evince open mouth responses akin to challenging their basic foundational beliefs, the way George Orwell classic raises a fundamental 2+2=4! Off course, it is. But ergo their inability to demonstrate their actions to support the response belies the response. In real life, the responsibility for protection of information remains relegated to the IT organization or the CIO at best. 

Through the ages, information has been equated with knowledge and power it bestows on the holder. In the current information age, it has become increasingly a challenge to protect it. The combination of distributed, fragmented storage and replication on multiple computing devices like the desktops/laptops, mobile devices and sharing by multitude of applications creates many points of potential breach. It's not always for gain that information leakage or destruction happens, but many times wilful destruction is attempted by disgruntled elements. Many a time, it is a demonstration of the power of knowledge that "You are insecure and at my mercy". In the last few years, this has been used for corporate blackmail too. 

Enterprises value information and many are paranoid about it. This is evident in the access control mechanisms implemented by almost every IT organization. Volumes have been written about information security and many companies have created business models around providing tools, technology and best practices that can be implemented to protect the valuable information assets. Their efficacy remains a topic of heated discussion depending on the frame of reference. 

Thus the challenge of information security has become a much debated topic in the IT fraternity and by virtue of that spawned service providers who use different tactics including the most elemental of all emotions "fear" to vend their products and services. Standards exist and are adopted to protect information (BS 7799, ISO 27001, etc); certification is expected to portray a secure organization. Formalized information asset classification and layers of protection offer some degree of comfort and protection. 

CIOs thus continue to face the challenge to create and enforce policies that are unpopular with the rest of the organization as they impose restrictions on information access. Complex set of rules enumerating do's and don'ts impede users of information, internal as well as external. Many technologies are deployed at the fringes to lock down all possible avenues of access to the external world. This is despite the fact that most breaches occur not always in electronic form and due to negligence, internal process failure or by people working within, as demonstrated by many surveys conducted by umpteen agencies. 

Industries that are governed by regulation around information security like Banking & Insurance, Pharmaceutical and Medical, undertake systemic programs spanning the enterprise to protect their information assets. A few FMCG and other consumer goods companies too have created framework to protect their formulae or designs that are their IP or that gives them a short to mid-term competitive advantage. 

There are many avenues through which information moves out of the company. Over the lifetime of an employee, she comes into contact with all types of information in physical and electronic form, which is used for conducting business activities and taking decisions. The information gets printed, stored, absorbed, replicated, and transmitted internally as well as externally. With no control on the instances of the information, it is virtually impossible to protect it in all its variants. With attrition, employees walk away with knowledge locked inside their minds with no feasible way to monitor or control the flow. 

At the same time, it is relatively easy to monitor and supervise access control. Many security vendors have however demonstrated that social engineering can overcome such policies and gain access at free will. Printed information lends itself to pilferage especially with organizations' inability to control the proliferation of printing devices. Every meeting that distributes printed sensitive information multiplies the risk. 

In its physical form, information ownership rested with the creators and users, the individual functions like Marketing, Finance, Executive offices and Human Resources. Each distinct part of the company worked towards keeping information secure, not the Administration function which provided the paper in which it was created or the photocopying machines using which it was replicated for distribution. So who should be the custodian of information? Technology facilitates storage in electronic form akin to what paper did in the past before IT became ubiquitous in every organization. Most Risk Committees discuss information security with a bias that it's an IT issue thereby missing the point completely. 

Thus, the question that haunts is, is the mantel of information protection rightly placed on the head of the CIO? Is the IT organization the only protector of the wealth created by information? Is electronic data the only way that information is created and stored in the enterprise? If information is a strategic asset, does the onus of protection make the CIO a strategic CXO or a convenient scapegoat under the guise that no one else understands the complexity of the technology required to protect the family jewels? 

If information is indeed one of the key assets of a company, why does information security remain unaddressed systemically by the Management? Why are not other CXOs responsible for the information they create and consume? IT can set the process, educate the employees, deploy the tools, but cannot enforce compliance, like the proverbial horse and the well story. Thus security budgets remain challenged and ROI remains elusive for most of the implementations because there is no ROI. You take insurance but no one wants to die! 

The perceived role of the CIO and the IT function here demands scrutiny. The security organization has evolved within IT and worked towards addressing the securing of information. The CISO role grew to cover hardware, networks, applications and operational data that manifested itself across the enterprise. Policies and processes addressed these issues, but business demanded exceptions to address market dynamics. Limitations thus placed on the CISO working under the CIO straightjacket the smooth functioning and implementation in the spirit with which the security was defined. This is similar to the pains faced by Internal Audit teams working under the aegis of Finance. 

It is time now to unshackle and for the CIO to involve the CEO, CFO and the CPO (Chief People Officer) to collectively create a movement towards a secure organization by addressing the people, process and technology, the three cornerstones of any successful initiative. The group needs to drive home the point that they individually and collectively, are responsible for the implicit and explicit security of the IP contained within the information. It should be on the agenda and KPIs of the management team and reviewed frequently. 

Information Security is too important a function and has implications that people talk about when it happens to others, while not believing that it could happen to them too. The ostrich approach will not will away the issue. Let the CISO be accountable to the Management team and they to him. This will also make the CIO focus on what matters and not operational issues relating to the basic security hygiene which everyone expects. 

SAVVIS UK is awarded ISO 27001 security standard

LONDON, Sep 15, 2008 (BUSINESS WIRE) -- SAVVIS UK Ltd, a leader in IT infrastructure services for business and government applications, has achieved the ISO 27001 security certification standard across its EMEA operations and data centres. The accreditation reinforces its commitment to IT security, business continuity management and ISO compliance.
The certification was extended to include SAVVIS' new Slough data centre, which will open in early October 2008. Based on the outskirts of central London, the facility boasts 24x7 advanced robust physical and logical measures including weight-sensitive entrance floor panels, 'man traps' and biometric scanning.

ISO 27001 is an internationally recognised standard for information security management that uses a continual improvement approach. The requirements of the certification focus on the security policy, physical and environmental security, access monitoring, adherence to legal requirements and internal processes of companies, as well as business continuity management.
With several recent high profile data loses reported in the UK, IT security is increasingly at the forefront of IT strategy for many enterprises, including SAVVIS' blue chip and government client base, which spans the government and legal, financial, retail, media sectors, amongst others. SAVVIS' data centres are built with multi-layer access levels and numerous parameters, as well as business continuity measures, providing a highly secure environment in which to host vital business applications and data.

"To achieve the ISO 27001 accreditation for the second consecutive year demonstrates SAVVIS' ongoing commitment to providing the highest level of security to its clients," said Richard Warley, International Managing Director for SAVVIS. "The protection of our clients' information is of utmost importance to us. The accreditation reassures our clients that we are a leading provider of IT security as well as managed hosting and network services."

Source: http://www.marketwatch.com

Saturday, September 13, 2008

Systems, Visionet receive ISO/IEC certification for outsourcing centres

LAHORE: Systems Limited and its US subsidiary Visionet Systems Inc’s Business Process Outsourcing Centres in Lahore and Karachi recently underwent an audit of their Information Security Management Systems (ISMS). The audit was conducted by Moody’s International (Pvt) Limited and as a result, Systems Limited and Visionet Systems have received ISO/IEC 27001:2005 certification for their outsourcing centres.

According to a statement, the company appreciated the efforts of its process implementation team and the 350-member outsourcing team, for the hard work and dedication that led to the achievement of this milestone. It also acknowledged the support of the Pakistan Software Export Board in this regard.

Systems Limited management pledged that it would continue its efforts for further improving its ISMS programme, in order to ensure that its information processing centers and the information assets with which they are entrusted by its clients from Pakistan, Canada, USA and Europe, would continue to be protected and kept secure and confidential.

The company expressed belief that this achievement would further strengthen its business ties with national and international clients and help Systems Limited to make significant contributions to the growth of Pakistan’s information technology exports.

Source: http://www.thenews.com.pk

Monday, September 8, 2008

Netmagic attains ISO 27001 certification

MUMBAI, INDIA: Netmagic Solutions announced that three of its premier data centers in India have received the ISO 27001 certificate from BSI India, the subsidiary of the British Standards Institute. 

Sharad Sanghi, CEO and Founder, Netmagic Solutions said, "Netmagic is expanding aggressively in the country and has recently announced the opening of the company's largest data center till date in Vikhroli, Mumbai. We have always provided services and solutions of highest standards to our customers. We have received this certification for three of our data centers in total in Mumbai and Bangalore.This has reinforced our commitment to provide quality services to enterprises globally."

In response to the growing demand for managed hosting services and datacenter services, Netmagic has been expanding rapidly in the country after the recent funding of Rs 80 crore raised from Fidelity International and Nexus India Capital. Netmagic Solutions currently specializes in Internet data centers, managed hosting, remote infrastructure monitoring and management, and mail and messaging services.

ISO/IEC 27001 is a part of a growing family of ISO/IEC standards. The 'ISO/IEC 27000 series' is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

The ISO/IEC 27001 certification deals with establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an information security management system (ISMS). Since a data center hosts critical data, a sophisticated and rigorous ISMS is absolutely essential. Certification by an independent third party gives the confidence to the customers of Netmagic that their data is safe and secure within the company.

Source: http://www.ciol.com/Channel-

Tuesday, September 2, 2008

New ISO Standard Focuses on Health Information Security Management

A newly published standard from the International Organization for Standardization (ISO) helps to safeguard the confidentiality of personal health information by providing guidelines for the management of health information security. ISO 27799:2008, Health informatics - Information security management in health using ISO/IEC 27002, is applicable to many different types of records and ways of storing and transmitting information, offering a set of detailed controls for healthcare organizations of all sizes. 

This new standard builds upon the principles set forth in ISO/IEC 27002:2005, Information technology - Security techniques - Code of practice for information security management. Developed jointly by ISO and the International Electrotechnical Commission (IEC), ISO/IEC 27002:2005 provides guidelines for organizations from any industry sector to initiate, implement, maintain, and improve information security management practices.

The development of ISO 27799:2008 was guided by healthcare professionals who contributed their expertise on the specific application of ISO/IEC 27002:2005 guidelines to health information management.

ISO Technical Committee (TC) 215, Health informatics, led the development of ISO 27799:2008. Since the committee's formation in 1998, TC 215 has published 48 International Standards that help to achieve compatibility and interoperability between independent information and communication technology (ICT) systems. The U.S. has held the secretariat of this committee since its inception, and the Healthcare Information and Management Systems Society (HIMSS) has performed the secretariat duties since 2003. In addition, HIMSS serves as the Administrator of the American National Standards Institute (ANSI)-accredited U.S. Technical Advisory Group (TAG) to TC 215.

For more information on ISO 27799:2008, see the ISO news release. The Healthcare Information Technology Standards Panel (HITSP) is currently running a series of free educational webinars that aim to build awareness of the work that is currently underway to support the exchange of healthcare information in the United States.

Three more webinars remain in the series. The next session, Electronic Health Record (EHR) and Emergency Response, will take place on Thursday, September 4, from 2:00 p.m. to 3:30 p.m. For more information, visit www.hitsp.org/webinars.aspx.

About HITSP
Operating under contract to the U.S. Department of Health and Human Services (HHS), HITSP is administered by ANSI in cooperation with strategic partners including HIMSS, the Advanced Technology Institute (ATI) and Booz Allen Hamilton.

Source: http://news.thomasnet.com

Wednesday, August 13, 2008

ANALYSTS SAY STATE MUST INVEST IN ONLINE SECURITY

CAIRO: While the boundaries of Gaza and Kashmir garner far more headlines, a less tangible set of borders are proving to be almost equally vital to state security: those that govern the sprawling fields of data on the internet.  

Under a set of global security standards known as ISO 27001, nearly 90 percent of Egyptian state information systems are not secure, said Hassan El Meligy, director of assistance and automation as Megacom, an 11-year-old information technology consulting firm. In most cases, nearly half of the standards on the list are unmet, he said.

Megacom works with a range of banks, manufacturers, small businesses and state agencies here, and often insists on using international standards to figure out how protected their clients are. “Because we are connected globally, anyone can steal information,” El Meligy said.

The sort of online nastiness that can befall a state already has a number of precedents. In August this year, hackers paralyzed Georgian state websites just as Russian tanks pushed across the country’s physical borders. And shortly after Estonian officials talked of removing an old Soviet monument from the capital Tallinn in 2007, state websites were smashed by a wave of “denial of service” attacks.

The physical route of a country’s internet contact is important. Georgia’s websites were particularly vulnerable because much of their connection is wired through Russia. An article published in The New York Times yesterday pointed out that the shift of internet paths to other countries has American intelligence worried over their ability to monitor global flow of information.

A country’s economic and political interests are often intertwined, and it is still businesses, such as banks, that make up the bulk of hackers’ targets.

The interaction between public and private is often complex. In many cases, companies are reluctant to let local competitors catch a glimpse of sensitive information, so they reroute their networks through service providers in other countries, as with Egypt’s internet through Europe. The risks of this became obvious when a submarine snapped cable in the Mediterranean last January, dragging connection speed to a crawl for several days.

While both local and global companies are sprouting up in Egypt to deal with these issues, the state should also do more to make firms abide by standards, El Meligy said. In his opinion, this is not much different from forcing companies to follow fire codes.

“You don’t have a fire every day, but you could face a hacker every day,” he said. “The government should apply security standards.”

Online crime has grown organically with the internet. While many early web lawbreakers acted mostly to see what they could get away with, the image of the lone, basement-dwelling hacker has since morphed into something closer to a mafia don: Complex online groups with multilayered bureaucratic — and non-technical — structures now function essentially like other organized criminals, as with one Russian group busted in 2004 after unleashing a series of “denial of service” attacks.

Now many use tools like botnets, or collections of automatically-run software, to plunder online accounts, alter public records, glimpse sensitive information and then blackmail its users, or disrupt the day-to-day work of businesses and governments.

Some examples of large attacks include “Code Red” in 2001 and the “SQL Slammer” in 2003 — both based on worms, or self-replicating programs used to jam the bandwidths of targets. 

Many companies and state bodies are also becoming worried about insiders. The threat that disaffected employees could ransack company data or that a sensitive spreadsheet could be intercepted from an unsecured wireless network is becoming graver as more people work outside the office, according to many in the industry. 

As the stock exchange expands here, and firms as diverse as automotives and tourism reach outside of Egypt, businesses and the state will continue to march steadily online. The profits are potentially huge, but so are the risks.

There is plenty of ground to cover. At a conference on internet security held by the International Data Corporation last week, one speaker asked how many in the crowd had heard of the SQL Slammer. Only two raised their hands.

El Meligy pointed to local culture. While Egyptians are becoming more aware of the threats posed online, many are used to leaving the doors of the offices and homes open to visitors, and are thus reluctant to shut themselves off, he said. “Everything is open [in Egypt],” he said. “People consider computers in the same way.”

Wednesday, July 30, 2008

Dubai Bank gets ISO award


DUBAI - Dubai Bank, a Dubai Group company, has announced its Information Security Management System (ISMS) has been accredited at the highest possible level, receiving ISO 27001:2005 certification. This is an all-encompassing international standard, designed to protect and improve the security of financial information and transactions for the bank and its customers. The accreditation endorses Dubai Bank as being ultimately modern and reliable to its customers in terms of protection of information, meeting top international level requirements. 
Accredited ISO auditors TUV Rheinland ME FZE assessed Dubai Bank’s compliance with the various requirements for certification and after conducting the audit, the team recommended the issue of a certificate of compliance, which was received by Dubai Bank on June 25, 2008.

Dubai Bank’s CEO Salaam Al-Shaksy said: “This is yet another accomplishment in line with Dubai Bank’s quest for continual improvement and customer satisfaction. Being ISO-certified is an important achievement for any business in this day and age. Dubai Bank has received the highest accreditation available today for information security, a vital step forward in line with the demands associated with modern technology and the risks attached thereto.”

Chief Risk Officer of Dubai Bank, Pravin Kandhari said “today’s customers are better educated, and they understand the risks of living in a constantly connected world, so they have higher expectations of service quality and security. Dubai Bank’s ISMS was developed to address the needs of control standards and system compliance.”

Source: http://www.saudigazette.com.sa 

Monday, July 28, 2008

Tata Communications Attains ISO 20000 and 27001 Certifications for Managed Services and Data Centers


Tata Communications (NYSE:TCL), a leading provider of the new world of communications, announced today that it has successfully attained the International Organization for Standardization (ISO) 20000-1:2005 and 27001:2005 certifications for its Global Managed Services Operations in the areas of Managed Hosting, Managed Storage Services and Hosted Messaging Services. The company's data centers in India have attained the ISO 27001 and renewed the ISO 14001 certifications. These certifications represent another milestone in Tata Communications' path to securing a leadership position in the hosting and managed services space.
 
ISO is the entity responsible for developing and publishing standards across a variety of business, government and societal subjects. The ISO 20000 and 27001 certifications validate that basic operational best practices are followed in the areas of customer service and security, respectively. ISO certifications serve as a trusted and authoritative element of the standards-based foundation from which Tata Communications delivers managed services.
 
"The managed services offered by Tata Communications are characterized by complexity and high levels of information security," said L. Shekar, Vice President, Global Managed Services, Tata Communications. "ISO certifications will help us to significantly scale up our Global Command Center operations and will lead to a consistent and improved customer experience, positioning our company as a true global player in the managed services domain."
 
Tata Communications owns and operates data centers located across three continents, all centrally managed by the Managed Services Operations Center (MSOC) in India. The ISO certification can externally substantiate the fact that all operational processes at the Tata Communications MSOC are built for compliance with the IT Infrastructure Library (ITIL), the prescribed manual for managing IT infrastructure, development, and operations.
 
"Tata Communications continues to pursue a leadership position among global managed hosting and storage service providers," said Abid Qadiri, Vice President, Data Center and Application Services, Tata Communications. "Our continued data center expansion in the US, UK, Asia and India, in addition to our portfolio expansion in the areas of virtualization, IBM AIX support, application management and server clustering are some of the key milestones planned to achieve this leadership. Attaining industry-leading certifications and participating in compliance reviews such as ISO and SAS-70 for our worldwide data centers is an integral part of our overall global strategy."
 
Tata Communications offers a full suite of managed IT infrastructure services ranging from colocation to managed hosting and managed storage services, all of which are administered from highly secure locations within its global Tier-1 IP backbone, with a footprint spanning over 100 countries. Tata Communications' corporate vision is to help businesses grow through IP enablement solutions. The fulfillment of this goal is a strategic road paved with the pursuit to confront and excel at the most contemporary, elite and rigorous technology and industry benchmarks.
 
For further information on the ISO certification and standards details visit www.iso.org/iso/iso_catalogue.
 
For more information on Tata Communications suite of managed service solutions visit www.tatacommunications.com.
 

Friday, July 25, 2008

National Bank of Azerbaijan to complete transition to ISO/IEC 27001 in autumn

Baku. Vugar Mustafayev-APA-ECONOMICS. International auditor KPMG will complete the National Bank of Azerbaijan’s Phase 1 transition to the ISO: 27001 Information Security Management Standard, said the central bank’s IT officer Ilham Hasanov. 
ISO/IEC 27001 is the only auditable international standard which defines the requirements for an Information Security Management System (ISMS). The standard is designed to ensure the selection of adequate and proportionate security controls.
The standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving your ISMS.

The project will be accomplished in early November, 2008. The new standard will help protect information assets and give confidence to any interested parties. 

Friday, July 18, 2008

Corporate responsibility a crucial element for Ricoh Malaysia

RICOH (M) Sdn Bhd sees corporate responsibility (CR) as a crucial element in its business processes and corporate values to make it a business partner of choice for other organisations, says business development division unit head Frankie Yun.

“Ethical business practices as well as social and environmental standards are now being looked upon as pre-conditions for doing business, especially international business.

“Companies should no longer look upon CR as being a part of any legal requirement. Besides profits, companies are also expected to focus on people and the planet,” he told StarBiz.

Ricoh Malaysia is one of the partners for the StarBiz-Institute of Corporate Responsibility (ICR) Malaysia awards presentation dinner on Aug 22. It is a CR Event Supporter under the workplace category.

“Ricoh Malaysia believes CR should be an integral part of a company’s values and conduct. As an event supporter, our objective is to assume responsibility for CR and highlight its importance to corporate Malaysia,” Yun said.

Frankie Yun

The office equipment maker has established a Corporate Social Responsibility Charter and Responsible Activities as a Corporate Citizen as CR initiatives.

These are summarised in four areas: integrity in corporate activities, harmony with the environment, respect for people and harmony with society.

According to Yun, the essence of the CR initiatives is to promote a CR-driven organisation and enable Ricoh Malaysia to gain society’s trust thus resulting in steady growth and development for the group.

Some of Ricoh Malaysia’s CR activities include turtle preservation, tree and mangrove replanting, beach cleaning as well as recycling toner cartridges and bottles into benches.

In addition, Ricoh Malaysia has also put in place many employee welfare programmes.

As part of its Integrity in Corporate Activities initiative, Ricoh Malaysia has embarked on achieving the ISO 27001:2005 certification under Information Security Management System (ISMS) by this fiscal year.

“This will help to enhance the security of our information management system and also the protection of personal information.

“We are committed to offering our customers reliable products and services to gain their absolute confidence,” Yun said.

The group is also expanding its CR initiatives to include business partners and educational facilities as part of its efforts to create a sustainable society.

This is reflected in the group’s latest effort with Inti International University College for the setting up of an E-Resource Centre within the campus to expose students to real life business environments.

Yun said this would provide and equip undergraduates with the relevant technical skills and exposure to cutting-edge information and communications technology.

Source: http://biz.thestar.com.my/news/story.asp?file=/2008/8/18/business/1774944&sec=business