Wednesday, September 24, 2008

1st ISO 27001 certification in France for security audits of IT systems

Solucom, a leading player in IT security, has just received ISO/IEC 27001:2005 certification for its IT systems security auditing services.

This internationally recognized certification guarantees the implementation of a management system together with organizational and technical security measures. It requires regular reassessment of risks and supports continuous improvement. Solucom’s auditing service was audited and certified by LSTI[1], which is accredited by COFRAC[2].

Laurent Bellefin, Director of Security Operations at Solucom states that, “This is the first 27001 certification in France for security audits of IT systems[3]. We carry out more than a hundred audits annually, which involves handling sensitive client data. The certification and the regular, independent follow-up inspections are our clients’ guarantee that we are outstanding in the protection of the data they provide us.”

Obtaining the certification also enhances what Solucom has to offer in risk management consulting. Gérôme Billois, Security Manager, adds, “This certification demonstrates our commitment to ISO 27001 and our skill in implementing it. It is yet a further proof of our ability to support our major account clients in their own plans for certification or implementation of the standard.”

In France ISO 27001 is eliciting major interest among big companies. “Implementing the standard lets you formalize your security initiatives and ensure you are on top of the risks and constantly improving, which are essential points in today’s governance,” adds Gérôme Billois.

Tuesday, September 23, 2008

eHosting DataFort Achieves ISO 27001

Region's Leading Service Provider Enhances Customer Confidence by Implementing International Security Standard Across Business Units

Dubai: 23 September, 2008 - eHosting DataFort (EHDF), the region's leading IT outsourcing and consulting services provider and a member of TECOM Investments, today announced that its internal business units have successfully implemented the ISO 27001 Information Security Management System (ISMS), an international standard for addressing information security concerns.

The decision to implement the management system across all departments, including its Data Centres and security operations, confirms eHosting DataFort's continual commitment to its customers by improving the security of business information, making it the first ever service provider in the region and among a select few worldwide to implement such a system throughout the organization.

Implementing ISO 27001 comes as part of eHosting DataFort's certification process in establishing a Corporate Governance and Management System (CGMS) program which includes a host of international standard certifications including the ISO 20000, ISO 9000 and BS 25999. These certifications will be effective across business units at eHosting DataFort shortly.

Mohamed Fouz, CEO of eHosting DataFort, said: "Information security is a critical component of our business. Protecting business information through a robust security management system using effective security controls is a key management responsibility."

eHosting DataFort's initiative is a proactive response, in light of the recent security breaches that have affected businesses across the region, to providing customers with a more agile and secure infrastructure through the Corporate Governance and Management System program.

"Implementing ISO 27001 and complying with international standards will enhance the customers' overall confidence in eHosting DataFort," added Fouz.

Ahmed Baig, Manager, Security Consulting at eHosting DataFort, said: "Many organizations believe that securing their IT systems will guarantee the security of critical information. But as many organizations have realized, security breaches are the result of absence of governance including processes and controls. eHosting DataFort is not only committed to raising the level of security standards in the region, but also firmly believes in living up to its commitment of providing reliable and secure services to its customers."

eHosting DataFort's consulting team has also successfully implemented ISO 27001 at Dubai Aluminum Company (DUBAL), Kuwait National Petroleum Company (KNPC), and more recently, at the Emirates Identity Authority (EIDA).

Committed to promoting information security within the region, the team at eHosting DataFort manages a 24/7 Security Operation Centre for monitoring and managing the security of leading organizations across the MENA region.

In fact, its Corporate Social Responsibility (CSR) objective focuses on spreading awareness of information security and technology in the community, with a focus on schools, universities and the government/public sector, through the Marifaty (My Knowledge) and Muthabara (Persistence) programmes.

eHosting DataFort offers consulting and advisory services in Information security, IT service management, business continuity and quality management systems.

Health information security standard issued

In an effort to help protect personal health care information, the International Organization for Standardization (ISO) has published a new standard that specifies controls for managing health information security and utilizing best practices.

According to an ISO statement, the new standard - ISO 27799:2008 - applies to all health information in “whatever form the information takes, whatever means are used to store it and whatever means are used to transmit it.”

This new standard, announced in late August, addresses the use of internet and wireless technologies to share personal medical information, and the need to better protect confidentiality and keep data private.

“An important consideration was the adaptability of the guidelines, bearing in mind that many health professionals work as solo health providers or in small clinics that lack dedicated IT resources to manage information security,” the statement said.

Richard Rushing, CSO at wireless security firm AirDefense, told SCMagazineUS.com on Wednesday that the standard shows that many organizations have the same issues and that similar guidelines should be followed.

“If followed, it would make information more secure,” Rushing said, “but there is usually nothing that specifically states that it is to be followed, except for maybe an audit that may have occurred sometime in the past.”

The ISO standard will do things that Health Insurance Portability and Accountability Act (HIPAA)-related laws cannot do, said Rani Osnat, vice president for marketing with Sentrigo, a database security company.

“HIPAA protects privacy, but it is not an IT standard,” Osnat told SCMagazineUS.com. “It doesn't do anything to protect data from an IT standpoint. This ISO [standard] will provide a much-needed benchmark for health organizations to follow to encourage better IT security.”

Source: http://www.scmagazineus.com

Monday, September 22, 2008

Press Release - New Brand

New York, September 22nd – Axur and Realiso Corp. announce that, from this date, the Axur ISMS solution has a new brand and is called Real ISMS, property of Realiso Corp.

Please update your bookmarks. The Real ISMS site is at www.realiso.com/realisms

For more information please contact us at contact@realiso.com


Realiso Corp.

626, Glenn Curtiss Blvd - Uniondale

New York, USA

Monday, September 15, 2008

Innominds software Receives ISO 27001 Certification

United States of America (Press Release) September 15, 2008 -- Innominds Software, a leading provider of Software Product Engineering Services, has received ISO 27001:2005 certification for its information security management system from Certification International UK, accredited by the United Kingdom Accreditation Service (UKAS). The certificate validates that Innominds' services and security management adhere to the highest standards in the world. With this, Innominds is among the few companies globally to be awarded ISO 27001:2005 certification.

ISO 27001 specifies a management system that identifies, manages and minimizes a range of threats to business information. It provides guidelines for implementing a constructive risk management process, setting up policies and ensuring a secure infrastructure is in place. Certification shows that a business has taken preventive measures to protect clients' data, and demonstrates to customers and prospects that the business is observing a duty of care.

Commenting on the certification, Mr. Divakar Tantravahi, MD, Innominds, said, “Receiving ISO 27001:2005 certification is an important milestone for our global business. As a Product Engineering services company, it's imperative we have robust processes in place to protect the Intellectual Property (IP) of our customers, and this process helps us to ensure the confidentiality, integrity and availability of information and information processing infrastructure to protect the interests of all the stakeholders, and also the physical, environmental, data and network security for our premises.”

“This certification is important as it generates client confidence in the solution provider. As Innominds gears up to deliver more services from its offshore locations in India, it is important that it generates confidence in handling data securely,” he added.

About Innominds:
Ranked among the Global Software 500 (source: Software Magazine 2005), Innominds Software is a specialized Software Product Engineering Services provider based in San Jose, CA, with an offshore development center in Hyderabad. Innominds is ISO 9001:2000 certified, and its development methodology directly addresses the toughest challenges faced by product engineering managers aspiring to fuel innovation and mitigate business, financial and technology risks. For more information, visit the company's website at www.innominds.com.

Is information security important to your enterprise?

Arun Gupta, Customer Care Associate & CTO of Shoppers Stop Limited, asks whether the responsibility for protecting information should remain relegated to the IT organization, or to the CIO at best.

BANGALORE, INDIA: The question "Is information security important to your enterprise?", asked of any CEO, CFO or even a board member, will evince open-mouthed responses akin to those of someone whose basic foundational beliefs have been challenged, the way George Orwell's classic raises the fundamental 2+2=4! Of course it is. But their inability to demonstrate actions that support the response belies it. In real life, the responsibility for protecting information remains relegated to the IT organization, or to the CIO at best.

Through the ages, information has been equated with knowledge and the power it bestows on the holder. In the current information age, protecting it has become increasingly challenging. The combination of distributed, fragmented storage, replication on multiple computing devices such as desktops, laptops and mobile devices, and sharing by a multitude of applications creates many points of potential breach. Information leakage or destruction does not always happen for gain; many times wilful destruction is attempted by disgruntled elements. Many a time it is a demonstration of the power of knowledge: "You are insecure and at my mercy". In the last few years, this has been used for corporate blackmail too.

Enterprises value information and many are paranoid about it. This is evident in the access control mechanisms implemented by almost every IT organization. Volumes have been written about information security and many companies have created business models around providing tools, technology and best practices that can be implemented to protect the valuable information assets. Their efficacy remains a topic of heated discussion depending on the frame of reference. 

Thus the challenge of information security has become a much-debated topic in the IT fraternity and, by virtue of that, has spawned service providers who use different tactics, including the most elemental of all emotions, fear, to vend their products and services. Standards exist and are adopted to protect information (BS 7799, ISO 27001, etc.); certification is expected to portray a secure organization. Formalized information asset classification and layers of protection offer some degree of comfort and protection.

CIOs thus continue to face the challenge of creating and enforcing policies that are unpopular with the rest of the organization because they impose restrictions on information access. Complex sets of rules enumerating do's and don'ts impede users of information, internal as well as external. Many technologies are deployed at the fringes to lock down all possible avenues of access to the external world. This is despite the fact that most breaches are not necessarily in electronic form, and result from negligence, internal process failure or people working within, as demonstrated by many surveys conducted by umpteen agencies.

Industries governed by regulation around information security, such as banking and insurance, pharmaceuticals and medical, undertake systemic programs spanning the enterprise to protect their information assets. A few FMCG and other consumer goods companies too have created frameworks to protect the formulae or designs that are their IP or that give them a short- to mid-term competitive advantage.

There are many avenues through which information moves out of the company. Over the lifetime of an employee, she comes into contact with all types of information in physical and electronic form, which is used for conducting business activities and taking decisions. The information gets printed, stored, absorbed, replicated and transmitted, internally as well as externally. With no control over the instances of the information, it is virtually impossible to protect it in all its variants. With attrition, employees walk away with knowledge locked inside their minds, with no feasible way to monitor or control the flow.

At the same time, it is relatively easy to monitor and supervise access control. Many security vendors have, however, demonstrated that social engineering can overcome such policies and gain access at will. Printed information lends itself to pilferage, especially given organizations' inability to control the proliferation of printing devices. Every meeting that distributes printed sensitive information multiplies the risk.

In its physical form, information ownership rested with its creators and users: the individual functions such as Marketing, Finance, the Executive offices and Human Resources. Each distinct part of the company worked towards keeping its information secure, not the Administration function which provided the paper on which it was created or the photocopying machines with which it was replicated for distribution. So who should be the custodian of information? Technology facilitates storage in electronic form, akin to what paper did before IT became ubiquitous in every organization. Most Risk Committees discuss information security with a bias that it is an IT issue, thereby missing the point completely.

Thus, the question that haunts is: is the mantle of information protection rightly placed on the head of the CIO? Is the IT organization the only protector of the wealth created by information? Is electronic data the only way that information is created and stored in the enterprise? If information is a strategic asset, does the onus of protection make the CIO a strategic CXO or a convenient scapegoat, under the guise that no one else understands the complexity of the technology required to protect the family jewels?

If information is indeed one of the key assets of a company, why does information security remain unaddressed systemically by Management? Why are other CXOs not responsible for the information they create and consume? IT can set the process, educate the employees and deploy the tools, but it cannot enforce compliance, like the proverbial horse that can be led to water but not made to drink. Thus security budgets remain challenged and ROI remains elusive for most implementations, because there is no ROI. You take insurance, but no one wants to die!

The perceived role of the CIO and the IT function here demands scrutiny. The security organization has evolved within IT and worked towards securing information. The CISO role grew to cover hardware, networks, applications and the operational data that manifested itself across the enterprise. Policies and processes addressed these issues, but business demanded exceptions to address market dynamics. The limitations thus placed on a CISO working under the CIO straitjacket the smooth functioning and implementation of security in the spirit with which it was defined. This is similar to the pains faced by Internal Audit teams working under the aegis of Finance.

It is time now to unshackle, and for the CIO to involve the CEO, CFO and CPO (Chief People Officer) to collectively create a movement towards a secure organization by addressing people, process and technology, the three cornerstones of any successful initiative. The group needs to drive home the point that they, individually and collectively, are responsible for the implicit and explicit security of the IP contained within the information. It should be on the agenda and KPIs of the management team and reviewed frequently.

Information security is too important a function, with implications that people talk about when it happens to others while not believing that it could happen to them too. The ostrich approach will not wish away the issue. Let the CISO be accountable to the Management team and they to him. This will also let the CIO focus on what matters and not on operational issues relating to the basic security hygiene which everyone expects.

SAVVIS UK is awarded ISO 27001 security standard

LONDON, Sep 15, 2008 (BUSINESS WIRE) -- SAVVIS UK Ltd, a leader in IT infrastructure services for business and government applications, has achieved the ISO 27001 security certification standard across its EMEA operations and data centres. The accreditation reinforces its commitment to IT security, business continuity management and ISO compliance.

The certification was extended to include SAVVIS' new Slough data centre, which will open in early October 2008. Based on the outskirts of central London, the facility boasts 24x7 advanced robust physical and logical measures including weight-sensitive entrance floor panels, 'man traps' and biometric scanning.

ISO 27001 is an internationally recognised standard for information security management that uses a continual improvement approach. The requirements of the certification focus on the security policy, physical and environmental security, access monitoring, adherence to legal requirements and internal processes of companies, as well as business continuity management.

With several recent high-profile data losses reported in the UK, IT security is increasingly at the forefront of IT strategy for many enterprises, including SAVVIS' blue chip and government client base, which spans the government, legal, financial, retail and media sectors, amongst others. SAVVIS' data centres are built with multi-layer access levels and numerous perimeters, as well as business continuity measures, providing a highly secure environment in which to host vital business applications and data.

"To achieve the ISO 27001 accreditation for the second consecutive year demonstrates SAVVIS' ongoing commitment to providing the highest level of security to its clients," said Richard Warley, International Managing Director for SAVVIS. "The protection of our clients' information is of utmost importance to us. The accreditation reassures our clients that we are a leading provider of IT security as well as managed hosting and network services."

Source: http://www.marketwatch.com

Saturday, September 13, 2008

Systems, Visionet receive ISO/IEC certification for outsourcing centres

LAHORE: Systems Limited and its US subsidiary Visionet Systems Inc’s Business Process Outsourcing Centres in Lahore and Karachi recently underwent an audit of their Information Security Management Systems (ISMS). The audit was conducted by Moody’s International (Pvt) Limited and as a result, Systems Limited and Visionet Systems have received ISO/IEC 27001:2005 certification for their outsourcing centres.

According to a statement, the company appreciated the efforts of its process implementation team and the 350-member outsourcing team, for the hard work and dedication that led to the achievement of this milestone. It also acknowledged the support of the Pakistan Software Export Board in this regard.

Systems Limited management pledged that it would continue its efforts for further improving its ISMS programme, in order to ensure that its information processing centers and the information assets with which they are entrusted by its clients from Pakistan, Canada, USA and Europe, would continue to be protected and kept secure and confidential.

The company expressed belief that this achievement would further strengthen its business ties with national and international clients and help Systems Limited to make significant contributions to the growth of Pakistan’s information technology exports.

Source: http://www.thenews.com.pk

Monday, September 8, 2008

Netmagic attains ISO 27001 certification

MUMBAI, INDIA: Netmagic Solutions announced that three of its premier data centers in India have received the ISO 27001 certificate from BSI India, the subsidiary of the British Standards Institute. 

Sharad Sanghi, CEO and Founder, Netmagic Solutions, said, "Netmagic is expanding aggressively in the country and has recently announced the opening of the company's largest data center to date in Vikhroli, Mumbai. We have always provided services and solutions of the highest standards to our customers. We have received this certification for three of our data centers in total, in Mumbai and Bangalore. This has reinforced our commitment to provide quality services to enterprises globally."

In response to the growing demand for managed hosting services and datacenter services, Netmagic has been expanding rapidly in the country after the recent funding of Rs 80 crore raised from Fidelity International and Nexus India Capital. Netmagic Solutions currently specializes in Internet data centers, managed hosting, remote infrastructure monitoring and management, and mail and messaging services.

ISO/IEC 27001 is part of a growing family of ISO/IEC standards. The 'ISO/IEC 27000 series' is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

The ISO/IEC 27001 certification deals with establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an information security management system (ISMS). Since a data center hosts critical data, a sophisticated and rigorous ISMS is absolutely essential. Certification by an independent third party gives the confidence to the customers of Netmagic that their data is safe and secure within the company.

Source: http://www.ciol.com/Channel-

Tuesday, September 2, 2008

New ISO Standard Focuses on Health Information Security Management

A newly published standard from the International Organization for Standardization (ISO) helps to safeguard the confidentiality of personal health information by providing guidelines for the management of health information security. ISO 27799:2008, Health informatics - Information security management in health using ISO/IEC 27002, is applicable to many different types of records and ways of storing and transmitting information, offering a set of detailed controls for healthcare organizations of all sizes. 

This new standard builds upon the principles set forth in ISO/IEC 27002:2005, Information technology - Security techniques - Code of practice for information security management. Developed jointly by ISO and the International Electrotechnical Commission (IEC), ISO/IEC 27002:2005 provides guidelines for organizations from any industry sector to initiate, implement, maintain, and improve information security management practices.

The development of ISO 27799:2008 was guided by healthcare professionals who contributed their expertise on the specific application of ISO/IEC 27002:2005 guidelines to health information management.

ISO Technical Committee (TC) 215, Health informatics, led the development of ISO 27799:2008. Since the committee's formation in 1998, TC 215 has published 48 International Standards that help to achieve compatibility and interoperability between independent information and communication technology (ICT) systems. The U.S. has held the secretariat of this committee since its inception, and the Healthcare Information and Management Systems Society (HIMSS) has performed the secretariat duties since 2003. In addition, HIMSS serves as the Administrator of the American National Standards Institute (ANSI)-accredited U.S. Technical Advisory Group (TAG) to TC 215.

For more information on ISO 27799:2008, see the ISO news release. The Healthcare Information Technology Standards Panel (HITSP) is currently running a series of free educational webinars that aim to build awareness of the work that is currently underway to support the exchange of healthcare information in the United States.

Three more webinars remain in the series. The next session, Electronic Health Record (EHR) and Emergency Response, will take place on Thursday, September 4, from 2:00 p.m. to 3:30 p.m. For more information, visit www.hitsp.org/webinars.aspx.

About HITSP
Operating under contract to the U.S. Department of Health and Human Services (HHS), HITSP is administered by ANSI in cooperation with strategic partners including HIMSS, the Advanced Technology Institute (ATI) and Booz Allen Hamilton.

Source: http://news.thomasnet.com