Tuesday, April 22, 2008

Solution for ISO 27001 promises to Heat Up the Information Security Market

New York, April 21 - Axur Information Security, a global leader in information security, launched AXUR ISMS, a complete solution for implementing and managing the international standard ISO 27001. New to the market and built entirely around best practices, it is the first solution in the world made available entirely in the SaaS (Software as a Service) model. Axur ISMS can be evaluated for free at http://isms.axur.net/.

According to Bibi Bosak, International Sales VP, ISO 27001 is currently the only internationally accepted certificate of information security. "Having ISO 27001 certification is a public demonstration that the company has excellent information security, and applies good practices for preserving the confidentiality, integrity and availability of information." According to a report issued by ACNielsen, there are 5,797 companies certified in 64 countries. The adoption of the standard has increased at the rate of 200 new certificates per month.

Axur ISMS is present in markets where ISO 27001 certification is important, such as Japan, the United Kingdom, Taiwan and China. "Our solution is cross-industry and adapts to any purpose, regardless of its size. Axur ISMS was developed to be completely in accordance with the criteria of the risk management standard, security policies and continuous improvement. The two great benefits of Axur ISMS are the reduction in the risk of non-certification for those in the process of implementation, and a drastic reduction of the costs for maintaining certification," states Bosak. "Using the SaaS model to distribute our solution guarantees greater security, reliability and lower costs for our clients. Additionally, the online model allows the delivery of Axur ISMS in real time."

Axur Information Security (http://www.axur.net/) is a leading information security management solutions company. We act as a global player in the ISO 27001 solutions market. Founded in 1999, Axur has hundreds of clients in several market sectors, including financial, telecom, industry, government, retail, energy, mining, dot-com, service sector and oil & gas.

Axur provides high-technology solutions to reduce organizational risk, measuring and demonstrating the effectiveness of the controls that protect the organization's information assets, using worldwide best practices.

For further information, please contact us.

Axur Information Security
626, Glenn Curtiss
Uniondale, 11556
New York - USA
Manager: Bibi Bosak
Telephone: +1 516 522 2573
Email: sales@realiso.com

Thursday, April 17, 2008

Your supplier suffers a disaster: The case for ISO 27001

You've built out your disaster recovery plan. You've tested it. You are meeting your objectives. You keep your plan updated with regular reviews and testing. You've mitigated your risks and have systems and processes in place to handle any disaster that comes your way. You feel confident in your plan. Then one of your suppliers suffers a disaster. They cannot ship the raw materials you need. Now your supplier's disaster has become your disaster!

This should only be a bad dream. A large enterprise would have established risk mitigation practices to ensure that multiple suppliers are available for critical raw materials. A number of years ago I toured the manufacturing facility of a large PC server hardware vendor. While there, I posed a question on this subject, and they readily indicated that they source from three different manufacturers. Not only that, they perform audits on each shipment to ensure the component quality meets the standards they'd set. Furthermore, they regularly alternated between sourcing manufacturers to ensure that the process to integrate an alternate component was always running well -- a sound and tested backup plan.

I suspect that all large enterprises source critical components from multiple suppliers to ensure a supplier's disaster never hurts the enterprise. But what about supplies for noncritical business processes? A large European enterprise approached me with an interesting question on this subject. They were in the process of updating their risk analysis for secondary back-office processes and stumbled across what appeared as a risk from their chosen supplier of desktop PC equipment. They required localized keyboards for PCs in branch offices of the various countries in which they did business – just as the French, German and Italian languages are different, so are their keyboards. They happened to know that their PC supplier's localized keyboard production facility was located in France. What if that facility is destroyed or compromised in some way? Would their supplier be able to build an Italian keyboard in another facility? They had not negotiated that requirement as part of their supplier agreement with the PC manufacturer, and realized they needed to update their PC supplier requirements. This is what they proceeded to do, ensuring that they would not suffer this risk.

What happens if only one supplier exists for a critical component? I'm sure you can think of a situation where this is the case. I've spoken with a smaller manufacturing company that sells about $250 million of product per year. They build very unique products that target the oil exploration industry. Two suppliers of one of their components exist in the market, but only one of those suppliers is able to produce the component with the quality that the company requires. This is a risk for the company, but they just plug along hoping that a large disaster never hits their supplier. They maintain large quantities on hand in reserve as a mitigation plan. I asked them if they have ever requested proof of business continuity plans from their supplier. They had not. Furthermore, they haven't created comprehensive business continuity plans for their own business operations. They only have about 20% of their business processes covered. I have found that this is the case in many small to medium-sized businesses, especially those that have been growing rapidly.

What I found surprising is that for the past 10 years, this small manufacturing company has focused on process efficiency, lean manufacturing, six-sigma quality and efficiency improvement, and has been ISO 9001-certified for about 15 years. But even with all of that, if their one supplier suffers a dramatic disaster, all of those quality improvement and lean manufacturing efforts will have been for nothing. (And yes, I keep bugging them about this, but the desire to rectify the problem has to come from the top.)

I've spoken to many other enterprises that demand proof of viable business continuity plans from their suppliers. And just as many of these enterprises have their customers demanding proof of business continuity plans from them. I have noted, however, that the supplier/consumer proof-of-business-continuity-plan requirements occur ad hoc. I have not seen a standard used in the United States. The ISO 27001 Information Security Management System certification standard is the only corporate-level certification standard that includes business continuity. It is almost three years old now and has seen some uptake in Japan. I'm hoping that corporations around the globe will begin to obtain ISO 27001 certification and demand the same of their suppliers as a proof point that suppliers have plans to survive any disaster the world throws at them.

Are you looking at ISO 27001 and demanding this certification stamp of approval of your suppliers?

Author: Richard Jones, VP and Service Director for Data Center Strategies, Burton Group

Source: http://searchdatacenter.techtarget.com

Thursday, April 10, 2008

Japan firms to start information security rating body

TOKYO -- Eighteen Japanese firms said Tuesday they were creating the world's first ratings agency looking at data security, which they said was a rising concern for companies.
The new firm, called IS Rating, will be launched on May 1 and start issuing ratings in July, both to Japanese and foreign companies and organizations.

It will give out ratings based on how they manage data, including files containing personal information, which circulates within the firm or is shared with third parties.
IS Rating will also offer training and edit documents to encourage security.

"For businesses, it's extremely complicated to measure whether the internal handling of their masses of data is appropriate," the firms creating the new agency said in a joint statement.
Major international firms generally adhere to an international code of technical safety standards known as ISO 27001.

But the statement said: "In addition to existing norms on the security of information management such as ISO 27001, a new scale provides a complementary tool that has been asked for."

Companies which are shareholders in the new agency include electronics giant Matsushita Electric Industrial Co., best known for the Panasonic brand, along with computer maker Fujitsu Ltd. and photocopier producer Fuji Xerox Co. Ltd.

Other firms in the initiative include a subsidiary of electronics maker Canon Inc., the Nikkei business media group, the Mitsubishi Corp. trading house and banks Mizuho Corporate Bank Ltd. and Sumitomo Mitsui Banking Corp.

Source: http://newsinfo.inquirer.net

Wednesday, April 9, 2008

Business Benefits of ISO 27001 Certification

We first met Mark Bernard last fall. The Security & Privacy Officer at Credit Union Central of British Columbia, Mark discussed risk management and ISO 27001 certification.

Today, Mark's credit union is the first financial institution to achieve ISO 27001 certification. Read this interview for his insights on:

  • What it means to be ISO 27001 certified;
  • How the institution has changed as a result;
  • Potential payoffs for your institution if you follow this same path.
TOM FIELD: Hi, this is Tom Field with Information Security Media Group. I'm talking today with Mark Bernard, Security and Privacy Officer with Credit Union Central in British Columbia. You may recall him talking to us earlier last year about his institution's work on ISO 27001 certification. Mark is here today to tell us that his institution has completed that certification. Mark, thanks for joining me today.

MARK BERNARD: My pleasure, Tom, and thanks for having me drop in and visit.

FIELD: Mark, what does this achievement really mean for your credit union?

BERNARD: Well, the credential is widely accepted within our industry, both here in North America and in Europe, and it's a way of our credit union being able to demonstrate to the other credit unions and our other financial institutional clients the level of security that we've applied here at Credit Union Central.

FIELD: How would you say that your institution has changed as a result of this 10-month process that you've gone through?

BERNARD: Well, I think that the big thing that has changed is the level of awareness, certainly within the various departments that we have here, and the credit union system has gone up substantially. People now recognize the value of, or they are realizing the value of having an information security credential such as this, and it is helping us to identify information security issues and address them more effectively.

FIELD: Mark, what would you say is the big payoff for the institution for having achieved this certification?

BERNARD: I think there are many different payoffs. There is an economical payoff by simply reducing the number of, I guess, external consulting engagements that are necessary, which are costing hundreds of thousands of dollars. And now we have a bona fide external audit group that comes by twice a year to monitor our activity and provide a list of opportunities for improvement. So it has benefited us economically, and I think as an organization in general, the culture has benefited as well. It's more focused on information security now and the identification of assets and how we treat assets and how we treat the threats and the risk, and the vulnerability associated to those assets. So, it's been very positive actually.

FIELD: Now how about for your members; what if anything will they notice from the changes that you've undergone?

BERNARD: It's really designed to be a measurement; the process is a measurement of the performance of practices and identification of opportunities to improve those practices. So, the membership doesn't immediately see anything substantial. Although, the members that I have come into contact with and spoken to are extremely impressed with the amount of due diligence that we've applied to our information security practices, and feel a higher extent or level of trust for the information that they've entrusted to us.

FIELD: Well, that makes sense, and of course trust is the most fundamental currency you have with your members.

BERNARD: Yes, absolutely.

FIELD: Mark, what would you say are your biggest sort of lessons learned from this whole experience you've been through?

BERNARD: I think taking a very -- one of the most important things is taking a very sort of pragmatic approach. Identifying the culture within the organization and not be sort of, the implementation activities and integration activities around that culture. Providing ample room for people to adjust to change is important. As well as giving them an opportunity to learn and understand what information security means. These are all very crucial components.

FIELD: Now, have you heard from other financial institutions that have been sort of on the sidelines watching what you've been going through?

BERNARD: Absolutely. Two of our biggest partners here in British Columbia have acknowledged the fact that they're very impressed with the work that we've done. And now they are actually considering becoming ISO 27000 certified themselves.

FIELD: O.K., for those that are sort of watching and waiting and thinking about maybe dipping their feet in, what advice would you give to them if they are considering the same move?

BERNARD: Well, again, I think paying attention to the culture is probably the most important part to avoid any disruption to the current organization. There are many, speaking of the organization, there are likely very many things that are already being accomplished within the ISO framework that just need to be pulled together in a way that can be recognized and reported and documented. So, it's not going to likely create a lot of disruption, but there will be a difference, and it will be a positive difference.

FIELD: You know, it occurs to me, you bring a team together for a project like this that there must be sort of a team culture that remains that you can sort of channel into other areas in the business?

BERNARD: Absolutely, and that's a very good point, because after becoming ISO certified and after getting the information management system institutionalized if you like ... you have this framework in place where you audit conformity to controls and evaluate the need to accept, reject or transfer that risk and as well monitor the change within the organization. So that framework exists, and because of that framework now in existence we are looking at other standards such as BS 25999, which is the Business Continuity Standard, and integrating those controls within the ISMS.

FIELD: Excellent, so there is always another big project on the horizon?

BERNARD: Yes, and the ISO framework provides many opportunities for improvement and to draw new sets of controls and to manage those more effectively than they have likely been in the past.

FIELD: Well, Mark, next time we talk, we may have to get you to come in here for a longer session to show us how it is all done.

FIELD: Mark Bernard, I appreciate your time and your insights today. Congratulations to you and good luck with your future endeavors.

BERNARD: I appreciate the opportunity to speak to you and all the members.

FIELD: We've been talking with Mark Bernard of Credit Union Central in British Columbia. For Information Security Media Group, I'm Tom Field. Thank you very much.

Source: http://www.cuinfosecurity.com

Wednesday, April 2, 2008

ISO 27001 - A standard choice

Through a perplexing alphabet soup of choices in security standards, most Middle East enterprises are selecting and working with the ISO/IEC 27000 series of benchmarks, especially the 27001 standard. Choosing a security standard is easier said than done.

The average enterprise in the Middle East which is looking for an enterprise-wide security standard is faced with an absolutely perplexing alphabet soup of choices that can deter everybody but the keenest.

To add to the confusion, the names of standards often get changed, even when the content remains the same, as they move from one standards body to another.

Security service providers and consultants, such as Kurt Information Security, tend to pick and choose among different standards to form the basis of their practices and procedures. Such companies have a research and development arm which integrates pieces of various standards to form a security matrix for the firm to employ with its customers.

This is not a choice available to most enterprises. For one, standards cost money and for another, integrating the best among standards requires valuable resources, time and capital - none of which an enterprise can or should rightly be expending.

Read more at: http://www.itp.net/news/515187-a-standard-choice