Thursday, February 28, 2008

"Published" vs. "In Progress" Standards from ISO 27000 family

Take a look on "published vs. in progress" standards from ISO 27000 family. It's nice to see that will surge new standards to fill the lack of "industry" oriented controls compilation, like ISO 27799 and ISO 27011.

Published standards:
  • ISO/IEC 27001 - the certification standard against which organizations' ISMS may be certified (published in 2005)
  • ISO/IEC 27002 - the code of practice with good practice advice on ISMS (previously known as ISO 17799 and before that BS 7799 Part 1 (last revised in 2005, and renumbered ISO/IEC 27002:2005 in July 2007)
  • ISO/IEC 27006 - a guide to the certification/registration process (published in 2007)

In progress standards:

  • ISO/IEC 27000 - an introduction and overview for the ISMS Family of Standards, plus a glossary of common terms
  • ISO/IEC 27003 - an ISMS implementation guide
  • ISO/IEC 27004 - a standard for information security management measurements
  • ISO/IEC 27005 - a standard for information security risk management
  • ISO/IEC 27007 - a guideline for auditing ISMSs
  • ISO/IEC 27011 - a guideline for ISMSs in the telecommunications industry
  • ISO/IEC 27799 - guidance on implementing ISO/IEC 27002 in the healthcare industry

Wednesday, February 20, 2008

The truth about fortresses (ISO 27001 Paradigm)

How does a service provider who offers data hosting and datacentre services in the region ensure that his/her customer information is secure?

This was the principal question that drove me to converse with a good number of the biggest hosting companies in the Middle East region. I discussed in length with them security across the physical infrastructure, the logical security - of where datacentres are located and manned - and application security. (Read in detail on the defence layers implemented by regional service providers in the March issue of NME).

It is a statement of fact that security measures undertaken by these hosting companies are often of the highest level. In most developed markets, they are trend setters in implementing the latest of security technologies and also in following the metrics of best practices. In most cases, this would mean the firm will need to be compliant to standards and have basic security certification, like ISO 27001, before it can expect to attract any customers. The certification is an indication to potential and existing customers, along with the rest of the market that the firm has put in place stringent processes across the handling, storage and management of data to ensure that there are no holes through which information can leak. In other words, that the company takes its customer information seriously.

The Middle East data outsourcing market is nowhere close to these developed markets. However, I was (understandably) expecting a certain level of standards implementations among these service providers, considering that this is one of the rapidly growing market segments. To my absolute horror, I found this not to be the case.

Many service providers in the region remain uncertified in any security standard. Some of them implement ISO 27001 in pockets but none of them do it across the organisation; in fact, one particular company spokesperson was kind enough to inform me that the Middle East did not need this yet. The majority of them - hold your breaths now - do not have a disaster recovery site by default for customers. This is almost always set up based on the end-user's preferences and is always a site within the same country. And none of them realise that this is a recipe for disaster.

Source: By Sathya Ashok ( )

Monday, February 18, 2008

ISO 27001 - Standard for data is hailed

Stephen Burrows, managing director of the Wigan-based Centre for Assessment, gives advice on how businesses can protect themselves and their clients' details from missing personal data."Attitudes to data protection are changing fast and rightly so. "We are all concerned about the loss of 25 million child benefit claimants' personal information, the missing details of three million learner drivers and that NHS patient details have been misplaced.

In the wrong hands this information can have detrimental consequences, and across the UK, people are taking the protection of personal information much more seriously. We're working in a world increasingly served and driven by computer technologies so it's important that companies look at the controls they have in place and identify ways to tighten up their data protection. After all, the systems are only as secure as the weakest link.

One of the measures being brought in to address this is ISO 27001. This new Information Security standard provides a systematic framework for an organisation to account for its information assets, assess the security risks and implement effective controls to avoid these. ISO 27001 is suitable for organisations of all sizes.

We're confident that Government departments, financial institutions and the wider business community will, in the very near future, be looking to implement and gain certification to ISO 27001 in order to gain the public's confidence that their data is indeed protected. Centre for Assessment will certainly be recommending the new standard to clients, many of whom are already certificated to ISO 9001.


Thursday, February 14, 2008

Who is who? ISO 27001 and others...

  • Sarbanes Oxley (SOX) requires companies to disclose information regarding finances and accounting. SOX helps prevent financial malpractice and accounting disclosures. All public companies must adhere to SOX regulations.
  • Gramm-Leach Bliley Act (GLBA) requires financial institutions to protect customer data and provide privacy notices. Banks and financial institutions must follow GLBA.
  • Health Insurance Portability and Accountability Act (HIPAA) requires health care organizations to ensure the privacy of personal health information. Hospitals, medical centers and any business dealing with patient medical records must comply with HIPAA.
  • Payment Card Industry (PCI) specifies how to secure information systems and media containing cardholder account information to prevent access by or disclosure to any unauthorized party. PCI also covers how to effectively delete unnecessary data. Companies that store, process or transmit credit card holder data must follow PCI.
  • ISO 17799 / 27001 is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization and the International Electrotechnical Commission. Its full name is ISO/IEC 27001:2005 - Information technology — Security techniques — Information security management systems – Requirements, but it is commonly known as "ISO 27001."
  • COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.