Wednesday, July 30, 2008

Dubai Bank gets ISO award

DUBAI - Dubai Bank, a Dubai Group company, has announced its Information Security Management System (ISMS) has been accredited at the highest possible level, receiving ISO 27001:2005 certification. This is an all-encompassing international standard, designed to protect and improve the security of financial information and transactions for the bank and its customers. The accreditation endorses Dubai Bank as being ultimately modern and reliable to its customers in terms of protection of information, meeting top international level requirements. 
Accredited ISO auditors TUV Rheinland ME FZE assessed Dubai Bank’s compliance with the various requirements for certification and after conducting the audit, the team recommended the issue of a certificate of compliance, which was received by Dubai Bank on June 25, 2008.

Dubai Bank’s CEO Salaam Al-Shaksy said: “This is yet another accomplishment in line with Dubai Bank’s quest for continual improvement and customer satisfaction. Being ISO-certified is an important achievement for any business in this day and age. Dubai Bank has received the highest accreditation available today for information security, a vital step forward in line with the demands associated with modern technology and the risks attached thereto.”

Chief Risk Officer of Dubai Bank, Pravin Kandhari said “today’s customers are better educated, and they understand the risks of living in a constantly connected world, so they have higher expectations of service quality and security. Dubai Bank’s ISMS was developed to address the needs of control standards and system compliance.”


Monday, July 28, 2008

Tata Communications Attains ISO 20000 and 27001 Certifications for Managed Services and Data Centers

Tata Communications (NYSE:TCL), a leading provider of the new world of communications, announced today that it has successfully attained the International Organization for Standardization (ISO) 20000-1:2005 and 27001:2005 certifications for its Global Managed Services Operations in the areas of Managed Hosting, Managed Storage Services and Hosted Messaging Services. The company's data centers in India have attained the ISO 27001 and renewed the ISO 14001 certifications. These certifications represent another milestone in Tata Communications' path to securing a leadership position in the hosting and managed services space.
ISO is the entity responsible for developing and publishing standards across a variety of business, government and societal subjects. The ISO 20000 and 27001 certifications validate that basic operational best practices are followed in the areas of customer service and security, respectively. ISO certifications serve as a trusted and authoritative element of the standards-based foundation from which Tata Communications delivers managed services.
"The managed services offered by Tata Communications are characterized by complexity and high levels of information security," said L. Shekar, Vice President, Global Managed Services, Tata Communications. "ISO certifications will help us to significantly scale up our Global Command Center operations and will lead to a consistent and improved customer experience, positioning our company as a true global player in the managed services domain."
Tata Communications owns and operates data centers located across three continents, all centrally managed by the Managed Services Operations Center (MSOC) in India. The ISO certification can externally substantiate the fact that all operational processes at the Tata Communications MSOC are built for compliance with the IT Infrastructure Library (ITIL), the prescribed manual for managing IT infrastructure, development, and operations.
"Tata Communications continues to pursue a leadership position among global managed hosting and storage service providers," said Abid Qadiri, Vice President, Data Center and Application Services, Tata Communications. "Our continued data center expansion in the US, UK, Asia and India, in addition to our portfolio expansion in the areas of virtualization, IBM AIX support, application management and server clustering are some of the key milestones planned to achieve this leadership. Attaining industry-leading certifications and participating in compliance reviews such as ISO and SAS-70 for our worldwide data centers is an integral part of our overall global strategy."
Tata Communications offers a full suite of managed IT infrastructure services ranging from colocation to managed hosting and managed storage services, all of which are administered from highly secure locations within its global Tier-1 IP backbone, with a footprint spanning over 100 countries. Tata Communications' corporate vision is to help businesses grow through IP enablement solutions. The fulfillment of this goal is a strategic road paved with the pursuit to confront and excel at the most contemporary, elite and rigorous technology and industry benchmarks.
For further information on the ISO certification and standards details visit
For more information on Tata Communications suite of managed service solutions visit

Friday, July 25, 2008

National Bank of Azerbaijan to complete transition to ISO/IEC 27001 in autumn

Baku. Vugar Mustafayev-APA-ECONOMICS. International auditor KPMG will complete the National Bank of Azerbaijan’s Phase 1 transition to the ISO 27001 Information Security Management Standard, said the central bank’s IT officer Ilham Hasanov.
ISO/IEC 27001 is the only auditable international standard which defines the requirements for an Information Security Management System (ISMS). The standard is designed to ensure the selection of adequate and proportionate security controls.
The standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving your ISMS.

The project will be accomplished in early November, 2008. The new standard will help protect information assets and give confidence to any interested parties. 

Friday, July 18, 2008

Corporate responsibility a crucial element for Ricoh Malaysia

RICOH (M) Sdn Bhd sees corporate responsibility (CR) as a crucial element in its business processes and corporate values to make it a business partner of choice for other organisations, says business development division unit head Frankie Yun.

“Ethical business practices as well as social and environmental standards are now being looked upon as pre-conditions for doing business, especially international business.

“Companies should no longer look upon CR as being a part of any legal requirement. Besides profits, companies are also expected to focus on people and the planet,” he told StarBiz.

Ricoh Malaysia is one of the partners for the StarBiz-Institute of Corporate Responsibility (ICR) Malaysia awards presentation dinner on Aug 22. It is a CR Event Supporter under the workplace category.

“Ricoh Malaysia believes CR should be an integral part of a company’s values and conduct. As an event supporter, our objective is to assume responsibility for CR and highlight its importance to corporate Malaysia,” Yun said.


The office equipment maker has established a Corporate Social Responsibility Charter and Responsible Activities as a Corporate Citizen as CR initiatives.

These are summarised in four areas: integrity in corporate activities, harmony with the environment, respect for people and harmony with society.

According to Yun, the essence of the CR initiatives is to promote a CR-driven organisation and enable Ricoh Malaysia to gain society’s trust thus resulting in steady growth and development for the group.

Some of Ricoh Malaysia’s CR activities include turtle preservation, tree and mangrove replanting, beach cleaning as well as recycling toner cartridges and bottles into benches.

In addition, Ricoh Malaysia has also put in place many employee welfare programmes.

As part of its Integrity in Corporate Activities initiative, Ricoh Malaysia has embarked on achieving the ISO 27001:2005 certification under Information Security Management System (ISMS) by this fiscal year.

“This will help to enhance the security of our information management system and also the protection of personal information.

“We are committed to offering our customers reliable products and services to gain their absolute confidence,” Yun said.

The group is also expanding its CR initiatives to include business partners and educational facilities as part of its efforts to create a sustainable society.

This is reflected in the group’s latest effort with Inti International University College for the setting up of an E-Resource Centre within the campus to expose students to real life business environments.

Yun said this would provide and equip undergraduates with the relevant technical skills and exposure to cutting-edge information and communications technology.


Monday, July 14, 2008

Become Confident in Your ISO 27001 Practices

Managers who claim that their organizations comply with ISO/IEC 27001:2005 but that they see no need to go through the bureaucracy of getting the ‘badge on the wall’ are only deceiving themselves. The reality, I suspect, is that the vast majority of organizations that won’t submit their Information Security Management Systems (ISMS) to an external audit against ISO 27001 fear that, when it comes to the push, their systems would fail the test. Survey after survey tells a depressingly familiar information insecurity story. Most recently, the 10th annual CSI/FBI survey revealed that, amongst the security-conscious, information security control-focused members of the CSI, computer crime continued to have a significant financial impact. The average incident last year cost $204,000, and the top two security breaches were through virus attacks and unauthorized access – both of which are comprehensively controlled through the controls and management systems mandated by ISO 27001.

ISO27001 Effectively Manages Data Security

This evidence, combined with the findings of a recent survey carried out amongst UK-based organizations certified to ISO27001, suggests – somewhat contradictorily – that securing information is rarely the primary driver for achieving certification. The top reason was commercial advantage, summed up by one respondent who said that a certificate ‘gives customers confidence that our data security is well managed and certified by an independent source.’
And it’s that certification ‘by an independent source’ which is the real benefit of pursuing ISO 27001 in the first place. US regulators implicitly recognized the importance of external validation for information security effectiveness when they observed that: ‘the best way to strengthen US information security is to treat it as a corporate governance issue that requires the attention of boards and CEOs.’

Achieve High Security Standards through ISO 27001

There are sectors in which the ‘badge on the wall’ debate is already history, and in which certification is now becoming a basic business requirement. UK cheque printers, for instance, are required to comply with a sectoral version of ISO27001 and suppliers to the NHS are expected to be on track for certification (there is now a health sector version of ISO17799) – even if the NHS itself still has some way to go. Business Process Outsourcing companies are finding it much simpler to provide a copy of their ISO 27001 certificate in their tender documentation than to answer detailed information security questionnaires. Some of this might be expected: BS7799 was, after all, a British Standard, and the UK government’s Cabinet Office has, for several years now, driven take-up across the UK public sector. And as more and more local authorities and public-sector organizations become certified, so the pressure for their private-sector suppliers to achieve the standard will increase – and today’s early adopters are clearly stealing a march on their competitors.

Achieve Your Certificate in ISO 27001

Internationalised as ISO 27001, information security certification can also be a short cut to best-practice compliance with a wide range of data compliance and regulatory requirements, ranging from Data Protection Acts across the EU, privacy and breach legislation across the OECD, and specific legislation such as GLBA, HIPAA and Sarbanes-Oxley. Determined outsourced suppliers are increasingly insisting that their certificate be taken into account when preparing for and costing their annual SAS 70 audit, with consequently substantial reductions in both the cost of, and disruption caused by, the audit.

Are organizations beginning to recognize that, in fact, it is the badge on the wall that counts? Yes, as evidenced by the increasing number of badges. It took about seven years (to December 1994) for the first 1,000 certificates to be achieved, but less than two and a half years later there are more than 3,500 successes. And certification has a ripple effect: every organization that achieves ISO 27001 will expect its key suppliers to meet the standard. And this means that anyone who thinks the badge doesn’t count will have nowhere to hide when the CEO comes asking why your competitors have stolen your lunch.

1 BS7799 Survey 2005, Information Security Ltd
2 ‘Information Security Governance: a Call to Action’, US National Cyber Security Summit Task Force, April 2004


Monday, July 7, 2008

The importance of security in e-Governance

Technology has proliferated in all spheres of life. Accompanied by the rapid growth of the Internet there has been a concomitant rise in online transactions. The government sector has been no exception to these facts and it has wholeheartedly embraced IT in general and Internet-based technologies in particular, of late, in order to extend the benefits of governance to all citizens—urban and rural—through a slew of e-Governance projects.

At the Sabha, Anil Sagar, Additional Director, Indian Computer Emergency Response Team (CERT-In) said, “As computer systems have become more user friendly and easy to access, their adoption has grown phenomenally. As a result, we have a scenario wherein multiple operating systems and infrastructure components co-exist. This has increased the potential for security threats.”

Too often, security is described as something necessary to keep you out of trouble. It is more than that. When your information is secure, you can use it to accelerate your business. Amuleek Bijral, country manager, RSA Securities commented, “Despite massive investments in security technologies and services, few companies can claim that all their data is adequately protected.”
Like any other IT-enabled project, an e-Governance project also runs on a network. A government department deals with a considerable amount of information that may be critical to several other government departments concerned as well as external parties and citizens.

Security without borders

In the past, guarding the perimeter against external threats was sufficient, but today’s organizations are virtual, global, and dynamic. Simply deploying perimeter-based security is no longer enough to protect data, as information does not reside within static boundaries. On the contrary, a perimeter-centric security model hinders the frictionless movement of information between users spread across the globe, especially as users access data from a variety of devices such as PCs, PDAs, mobile phones, laptops, etc. Anil Sagar emphasized, “Attackers and users, both, are not confined to a particular geographical location so it becomes difficult to trace back the attacker. Also users are not always aware of and do not give sufficient importance to security measures.” The weakest link in the system is the human one.

As Bijral put it, “Data cannot be confined to one place; the importance of data lies in sharing it. When you share your data, it is spread across several devices including PCs, laptops, data centre servers, mobile phones etc. You need to secure the end-point. Rather than securing the environment, greater emphasis should be given to secure the information that is flowing across several networks.” Information-centric security binds security directly to information and to the people who need it.

The aim of attacks is changing from ‘preserving oneself and wiping out the enemy’ to ‘preserving oneself and controlling the opponent.’ Cyber attacks involve collecting the tactical information and using the same to overpower enemy systems, which brings down servers and thereby, business activities to a standstill. Hemal Patel, MD & CEO Elitecore Technologies, predicted the possibility of cyber warfare, which he defined as ‘an attack on information in the information age’.

A full-fledged cyber attack involves gaining control over networks, and there are four steps in it. They are:

1. Gain control over the networks of government and defence establishments.
2. Bring down the financial systems: the stock markets and banks.
3. Take control of a nation’s utilities (power, telecom etc).
4. Take control over personal identities (passport data / driving licence / PAN No. / ration cards etc).

Today there are numerous threats—malware, bots, key-loggers, phishing and spoofing to name a few common ones. Lack of security awareness was cited as the biggest cause for attacks.

Control strategy

CERT-In (Indian Computer Emergency Response Team) along with NIC and other IT vendors has been working towards improving the security levels of IT systems. CERT-In had recently tied up with Quick Heal to deploy the company’s anti-virus solution on government PCs. Bijral said, “If we can identify the data that we care about and where that data resides, then we need a model to discuss risks and threats.”

Draft amendments to the IT Act 2000 lack strong protection against cyber terrorism or cyber war. Patel said, “There should be a combined effort from intelligence agencies, NIC, CERT and the industry to collectively fight a Cyber War.” A central nodal agency is required, one that can frame a national strategy for countering insurgency in cyberspace. The creation of a national nodal agency for IP security deployments is vital.

There is a need for security solutions that not only cover security threats from end-to-end but also result in low CAPEX and OPEX. Another important aspect of adopting a security solution is to comply with regulations. Regulations, however, are dynamic and keep on changing. It is to handle this eventuality that the ISO 27001 and ISO 27002 standards had been developed. These adopt a framework approach combining the solutions that are required to cover end-to-end system security. ISO 27001 and ISO 27002 deliver a common language communicating security on a global basis to protect customers, outsourcers, business partners, regulators, auditors and non-security staff.

In a framework-based approach, the key areas of risk are identified to begin with, after which the solutions to counter those risks are taken into consideration, and in the next step technology controls are applied, as are policies and procedures. A review of the implementation of controls ensures that they align with an organization’s security policy and that there is consistency across data classification categories.

Furthermore, there is also the need to inculcate security awareness amongst users about recent threats/attacks as well as the dos and don’ts of using the Internet. Security has become a key issue that needs to be addressed. Since government deals with sensitive information of national interest, securing data is of utmost importance. The key to securing information, however, does not lie in infrastructure security alone but in the security of the data and information that are shared over various systems. That is why the need for securing such information has become a priority.

Wednesday, July 2, 2008

ISO 27001 certification helps deliver measurable difference for BT

An international security standard is giving BT’s customers peace of mind - and helping the company secure major deals.

ISO27001 - an international standard designed around 133 security controls - provides a model for setting up and running an effective information security management system.
The company now has 26 certificates covering more than 60 key sites and services - and 20 new sites have been earmarked for certification.

According to global head of IT governance for bid security and certifications Lou Garcia, this demonstrates that BT meets security control requirements - and shows a high level of security governance, especially in the area of risk management. Lou said: “Many of BT’s most significant customers demand this certification for the services BT provides - and, as demand from our customers increases, so does our programme of certification.”


The key to data wiping

You've just spent the last of the financial year's budget on new computers. Fantastic. And you might even donate your old computers to charity, or sell them on eBay. But what about the data stored on them? You may need to get rid of it before you get rid of the computers.

Adrian Briscoe, General Manager Asia Pacific, Kroll Ontrack, a data recovery company, advises businesses and individuals to be cautious when discarding old hardware with proprietary information.

A test of three PC workstations and two servers purchased by Kroll Ontrack on eBay found that, while all the hardware had been subjected to some type of data erasing, three units had a combined total of approximately 70GB of data ranging from Excel and Lotus 1-2-3 spreadsheets to image files and back-up archives. "Take care to delete data properly," says Mr Briscoe, "and not just by using the format command on your computer. You need to erase the hard drive to a certain standard."

Bill Taylor-Mountford, general manager of Acronis, a company that provides storage management and disaster recovery software, agrees. "Deleting data leaves a fingerprint, or a ghosted image. With the right tools, specialists can recover the data after it has been deleted. That's why some software-wiping algorithms use 35 passes to destroy data."

Mr Briscoe says any device that has information presents some risk to organisations, and needs to be wiped permanently. "The erasing process will take anywhere from half an hour to half a day. Nobody considers buying a PC without having antivirus software. Why not run erasing software as part of the process at the end of the computer's life cycle?"

But is just deleting your data every time you get rid of computers the smartest thing to do? What if you have 1000 computers to get rid of?

Wiping everything may take up more time, energy and money than it's worth, says Milton Baar, director of IT security consultants The Swoose Partnership, and committee member of Standards Australia IT 12/4, which represents Australia for ISO27001, the international standard for information security management. "Organisations should start a thousand miles earlier than end of financial year," says Mr Baar. "They need corporate governance practices, which cover information security issues.

Organisations should understand what information they have on their computers and have control of it, rather than just wiping everything when they get rid of the equipment."