Thursday, June 19, 2008

ISO 27005 will assist organizations in their information security risk management

The FINANCIAL -- Organizations of all types are very concerned about threats that could compromise their information security, and managing this aspect has become a primary concern for their information technology (IT) departments.

The new International Standard ISO/IEC 27005:2008, which describes the information security risk management process and associated actions, will help them to manage risks.

Threats may be deliberate or accidental, and may relate either to the use and application of IT systems or to IT's physical and environmental aspects. These threats may take any form, from identity theft, the risks of doing business online, denial of service attacks, remote spying, and theft of equipment or documents through to a seismic or climatic phenomenon, fire, floods or pandemics. They may result in various business impacts, for example financial loss or damage, loss of essential network services, loss of customer confidence, loss of power supply or failure of telecommunication equipment.

"A risk is a combination of the consequences that would follow from the occurrence of an unwanted event and the likelihood of the occurrence of the event. Risk assessment quantifies or qualitatively describes the risk and enables managers to prioritize risks according to their perceived seriousness or other established criteria." ISO reports.

ISO/IEC 27005:2008, Information technology – Security techniques – Information security risk management, provides guidelines for information security risk management and supports the general concepts specified in ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements.

The new standard is designed to assist the implementation of ISO/IEC 27001, the information security management system standard, which is based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002:2005, Information technology – Security techniques – Code of practice for information security management, is important for a complete understanding of this International Standard.

The information security risk management process consists of:

  • context establishment
  • risk assessment
  • risk treatment
  • risk acceptance
  • risk communication
  • risk monitoring and review
However, ISO/IEC 27005:2008 does not provide any specific methodology for information security risk management. It is up to the organization to define its approach to risk management, depending, for example, on the scope of the information security management system, based on the context of risk management, or the industry sector.
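Since the standard leaves the method to the organization, the following is an added worked example (written for this page, not taken from ISO or from the article) of the assessment, treatment and acceptance steps above: a small risk register in which each risk is the combination of a likelihood and a consequence, scored, ranked for management, checked against an acceptance criterion, and re-scored after treatment. The five-level scales, the 0..8 score, the level bands, the acceptance threshold and the sample risks are all constructed assumptions for the example; ISO/IEC 27005 prescribes none of them.

```python
"""Added example: a minimal ISO/IEC 27005-style risk register scorer.

ISO/IEC 27005 prescribes no method, so every scale, band and threshold here
is a constructed assumption for illustration, not a value from the standard.
"""
from dataclasses import dataclass, replace

# Constructed ordinal scales (assumption): five levels each, mapped to 0..4.
LIKELIHOOD = {"very low": 0, "low": 1, "medium": 2, "high": 3, "very high": 4}
CONSEQUENCE = {"very low": 0, "low": 1, "medium": 2, "high": 3, "very high": 4}


@dataclass(frozen=True)
class Risk:
    scenario: str     # the unwanted event
    asset: str        # what is affected
    likelihood: str   # key into LIKELIHOOD
    consequence: str  # key into CONSEQUENCE


def risk_score(risk: Risk) -> int:
    """Combine likelihood and consequence into a single 0..8 score.

    The sum of the two ordinals is one common combination; a product or a
    lookup matrix would serve equally, as long as it is applied consistently.
    """
    return LIKELIHOOD[risk.likelihood] + CONSEQUENCE[risk.consequence]


def risk_level(score: int) -> str:
    """Qualitative band for communicating the risk to management (constructed bands)."""
    if score <= 2:
        return "low"
    if score <= 5:
        return "medium"
    return "high"


def is_acceptable(risk: Risk, threshold: int = 3) -> bool:
    """Risk acceptance criterion (assumption): anything scoring above the
    threshold must be treated before it can be accepted."""
    return risk_score(risk) <= threshold


def prioritize(risks, threshold: int = 3):
    """Rank a register most-serious first and flag the rows needing treatment."""
    rows = []
    for r in risks:
        s = risk_score(r)
        rows.append({
            "scenario": r.scenario,
            "asset": r.asset,
            "score": s,
            "level": risk_level(s),
            "needs_treatment": not is_acceptable(r, threshold),
        })
    # Highest score first; ties broken by scenario name for a stable report.
    rows.sort(key=lambda row: (-row["score"], row["scenario"]))
    return rows


def apply_treatment(risk: Risk, *, likelihood=None, consequence=None) -> Risk:
    """Return the residual risk after a treatment that lowers likelihood
    (e.g. a preventive control) and/or consequence (e.g. backups or failover).
    Only the levels that actually change are passed in."""
    changes = {}
    if likelihood is not None:
        changes["likelihood"] = likelihood
    if consequence is not None:
        changes["consequence"] = consequence
    return replace(risk, **changes)


# Constructed sample register for the example.
SAMPLE_RISKS = [
    Risk("theft of laptop from branch office", "customer records", "high", "medium"),
    Risk("denial of service against customer portal", "online ordering", "high", "high"),
    Risk("flood at primary data centre", "core servers", "very low", "very high"),
    Risk("misfiled paper record", "archive", "low", "low"),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_RISKS):
        print(f'{row["score"]} {row["level"]:6} treat={row["needs_treatment"]} {row["scenario"]}')
    # Treat the top risk: upstream filtering lowers likelihood, a failover site
    # lowers consequence; then re-check it against the acceptance criterion.
    residual = apply_treatment(SAMPLE_RISKS[1], likelihood="low", consequence="medium")
    print("residual DoS score:", risk_score(residual), "acceptable:", is_acceptable(residual))
```

The point of the residual re-score is that treatment and acceptance are separate steps: a control that only moves the likelihood of the denial of service scenario from "high" to "low" still leaves a score above the threshold, and it is the combination with a consequence-reducing measure that makes the residual risk acceptable. Whatever scales an organization picks, they should be written into the context-establishment step so every assessment uses the same ones.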

Edward Humphreys, convener of the ISO/IEC working group that developed the standard comments: “Today, most organizations recognize the critical role that information technology plays in supporting their business objectives and with the advent of the Internet and the prospect of performing business online, IT security has been in the forefront. ISO/IEC 27005:2008 is relevant to managers and staff concerned with information security risk management within an organization and, where appropriate, external parties supporting such activities.”

Source: http://finchannel.com

Wednesday, June 11, 2008

DoF participates in ISO meeting in Japan

DoF's participation - the first-ever by a governmental organisation from the GCC region - reflects its commitment to adopting the latest total quality standards at all levels of Governmental practice, especially in information security.

This is in line with DoF's preparations to acquire the ISO 27001 Certificate by the end of this year. 

The participants in the Kyoto meeting discussed several topics related to information security systems, including applied standards and universal measurements set by ISO in this sector. 

The participants brought up issues pertaining to information security management for critical infrastructure and information security governance. 

'Our participation comes in line with the directives of DoF's top management represented by H.H. Sheikh Mohammed Bin Khalifa Al Nahyan, Chairman; H.E. Hamad Al Hurr Al Suwaidi and H.E. Mohammed Sultan Al Hameli, Executive Director, to enhance the level of IT performance and security. DoF has achieved several milestones in implementing its IT infrastructure and now works to add more value and to enhance overall quality standards,' said Salem Al Rumaithi, Head of the IT Directorate at DoF. 

The discussions at Kyoto focused on a series of standards that will help in establishing and maintaining an efficient information security management system, using a continual improvement approach. Putting these standards into practice will help attain the security control objectives through a recommended range of specific security controls.

Butti Al Rumaithi, Head of Information Security Office, said: 'We are committed to improving the performance of IT systems and information security procedures by adopting International best practices in this field. During the meeting, we exchanged ideas about ways of managing information systems and enhancing their security. We also shared views concerning the implementation of international standards related to data protection and risk management. We look forward to leveraging the department's participation in specialised International meetings, as we consider that developing the overall performance and enhancing security of our IT systems is one of our top priorities.' 

DoF recently launched its Strategic Plan for 2008-2012, which includes priorities calling for the development of state-of-the-art IT technologies to support the future role and activities of the Department.

Source: http://www.ameinfo.com/160017.html

Monday, May 26, 2008

The Bare Minimum

We have all heard about ISO 17799 and ISO 27001; ISO 17799 is being renamed to ISO 27002, and ISO 27001 was formerly known as BS 7799-2. If you haven't, and you're reading this, stop now and go look them up. Here is a good place for a general overview.

These standards are the minimum baseline for doing business where security is a concern. Instead, what you see is that most companies that care, especially here in the US, are still in a phase of "working towards" meeting these standards. Very few western organizations have implemented or even looked at them. In Japan over 2000 companies have been certified, which dwarfs the UK and the US put together by at least 300%.

Something needs to be done to bring the compliance level up, especially when it comes to the foundation for security controls and an ISMS.

So what can you do? Here is a 10 step guide to becoming certified.
  1. Prepare the ground: obtain copies of the ISO/IEC 27002 (formerly ISO 17799) and ISO/IEC 27001 (formerly BS 7799-2) standards, research the background, set the objectives, understand the costs and benefits, and liaise with senior management to gain their support.
  2. Define the scope: what’s in, what’s out, including issues like location, assets and so on. Prepare a Statement of Applicability.
  3. Define a formal ISMS (Information Security Management System) policy.
  4. Analyze the information security risks to identify the corresponding security control objectives.
  5. Prepare a security implementation plan describing the implementation of specific information security controls to satisfy the objectives identified in step 4. Gain management approval and secure the budget.
  6. Implement the plan. Prepare, review, approve and publish information security policies, procedures, standards and so forth. Bring controls protecting the IT infrastructure and facilities up to scratch. Review and where necessary improve application security controls. Prepare and exercise contingency plans.
  7. Operate and maintain the information security management system. Keep records to document proper use of your system (e.g. information arising from the review of system security logs).
  8. Perform an information security audit and management review to check that everything is in order (this typically involves an informal pre-certification assessment by the certification body).
  9. Make any last-minute adjustments to the information security management system to address issues identified in the pre-certification assessment.
  10. Undergo the formal certification assessment by an accredited certification body.

Source: http://securitymusings.com/article/307/the-bare-minimum

Friday, May 16, 2008

Axur ISMS is now approved by European Union

Axur ISMS is the only fully ISO 27001-oriented management system recommended by ENISA, the European Network and Information Security Agency. It's a great honor for us!

You can check more about ENISA at: http://www.enisa.europa.eu

And you can read more about Axur ISMS & ENISA at: http://www.enisa.europa.eu/rmra/methods_tools/t_axur.html

Tuesday, April 22, 2008

Solution for ISO 27001 promises to Heat Up the Information Security Market

New York, April 21 - Axur Information Security, a global company and leader in information security, launched AXUR ISMS, a complete solution for implementing and managing the international standard ISO 27001. New on the market and aimed entirely at best practices, this is the first such solution worldwide made available entirely in the SaaS (Software as a Service) model. Axur ISMS can be evaluated for free at http://isms.axur.net/.

According to Bibi Bosak, International Sales VP, ISO 27001 is currently the only internationally accepted certificate of information security. "Having ISO 27001 certification is a public demonstration that the company has excellent information security, and applies good practices for preserving the confidentiality, integrity and availability of information." According to a report issued by ACNielsen, there are 5,797 companies certified in 64 countries. The adoption of the standard has increased at the rate of 200 new certificates per month.

Axur ISMS is present in markets where ISO 27001 certification is important, such as Japan, the United Kingdom, Taiwan and China. "Our solution is cross-industry and adapts to any purpose, regardless of its size. Axur ISMS was developed to be completely in accordance with the criteria of the risk management standard, security policies and continuous improvement. The two great benefits of Axur ISMS are the reduction in the risk of non-certification for those in the process of implementation, and a drastic reduction of the costs for maintaining certification," states Bosak. "Using the SaaS model to distribute our solution guarantees greater security, reliability and lower costs for our clients. Additionally, the online model allows the delivery of Axur ISMS in real time."

Axur Information Security (http://www.axur.net/) is an information security Management Solutions leading company. We act as a global player in the ISO 27001 solutions market. Founded in 1999, Axur has hundreds of clients present in several market sectors, including financial, telecom, industry, government, retail, energy, mining, dot-com, service sector and oil & gas.

Axur provides high technology solutions to reduce organizational risk, measuring and demonstrating the controls efficiency regarding the organization's information assets protection using worldwide best practices.

For further information, please contact us.

Axur Information Security
626, Glenn Curtiss
Uniondale, 11556
New York - USA
Manager: Bibi Bosak
Telephone: +1 516 522 2573
Email: sales@realiso.com

Thursday, April 17, 2008

Your supplier suffers a disaster: The case for ISO 27001

You've built out your disaster recovery plan. You've tested it. You are meeting your objectives. You keep your plan updated with regular reviews and testing. You've mitigated your risks and have systems and processes in place to handle any disaster that comes your way. You feel confident in your plan. Then one of your suppliers suffers a disaster. They cannot ship the raw materials you need. Now your supplier's disaster has become your disaster!

This should only be a bad dream. A large enterprise would have established risk mitigation practices to ensure that multiple suppliers are available for critical raw materials. A number of years ago I toured the manufacturing facility of a large PC server hardware vendor. While there, I posed a question on this subject, and they readily indicated that they source from three different manufacturers. Not only that, they perform audits on each shipment to ensure the component quality meets standards they've set. Furthermore, they regularly alternate between sourcing manufacturers to ensure that the process to integrate an alternate component is always running well -- a sound and tested backup plan.

I suspect that all large enterprises source critical components from multiple suppliers to ensure a supplier's disaster never hurts the enterprise. But what about supplies for noncritical business processes? A large European enterprise approached me with an interesting question on this subject. They were in the process of updating their risk analysis for secondary back-office processes and stumbled across what appeared to be a risk from their chosen supplier of desktop PC equipment. They required localized keyboards for PCs in branch offices of the various countries in which they did business – just as the French, German and Italian languages are different, so are their keyboards. They happened to know that their PC supplier's localized keyboard production facility was located in France. What if that facility is destroyed or compromised in some way? Would their supplier be able to build an Italian keyboard in another facility? They had not negotiated that requirement as part of their supplier agreement with the PC manufacturer, and realized they needed to update their PC supplier requirements. This is what they proceeded to do, ensuring that they would not suffer this risk.

What happens if only one supplier exists for a critical component? I'm sure you can think of a situation where this is the case. I've spoken with a smaller manufacturing company that sells about $250 million of product per year. They build unique products that target the oil exploration industry. Two suppliers of one of their components exist in the market, but only one of those suppliers is able to produce the component with the quality that the company requires. This is a risk for the company, but they just plug along hoping that a large disaster never hits their supplier. They maintain large quantities on hand in reserve as a mitigation plan. I asked them if they have ever requested proof of business continuity plans from their supplier. They had not. Furthermore, they haven't created comprehensive business continuity plans for their own business operations. They only have about 20% of their business processes covered. I have found that this is the case in many small to medium-sized businesses, especially those that have been growing rapidly.

What I found surprising is that for the past 10 years, this small manufacturing company has focused on process efficiency, lean manufacturing, six-sigma quality and efficiency improvement, and has been ISO 9001-certified for about 15 years. But even with all of that, if their one supplier suffers a dramatic disaster, all of those quality improvement and lean manufacturing efforts will have been for nothing. (And yes, I keep bugging them about this, but the desire to rectify the problem has to come from the top.)

I've spoken to many other enterprises that demand proof of viable business continuity plans from their suppliers. And just as many of these enterprises have their customers demanding proof of business continuity plans from them. I have noted, however, that the supplier/consumer proof-of-business-continuity-plan requirement occurs ad hoc. I have not seen a standard used in the United States. The ISO 27001 Information Security Management System certification standard is the only corporate-level certification standard that includes business continuity. It is almost three years old now and has seen some uptake in Japan. I'm hoping that corporations around the globe will begin to obtain ISO 27001 certification and demand the same of their suppliers as a proof point that suppliers have plans to survive any disaster the world throws at them.

Are you looking at ISO 27001 and demanding this certification stamp of approval of your suppliers?

Author: Richard Jones, VP and Service Director for Data Center Strategies, Burton Group

Source: http://searchdatacenter.techtarget.com  

Thursday, April 10, 2008

Japan firms to start information security rating body

TOKYO -- Eighteen Japanese firms said Tuesday they were creating the world's first ratings agency looking at data security, which they said was a rising concern for companies.
The new firm, called IS Rating, will be launched on May 1 and start issuing ratings in July, both to Japanese and foreign companies and organizations.

It will give out ratings based on how they manage data, including files containing personal information, which circulates within the firm or is shared with third parties.
IS Rating will also offer training and edit documents to encourage security.

"For businesses, it's extremely complicated to measure whether the internal handling of their masses of data is appropriate," the firms creating the new agency said in a joint statement.
Major international firms generally adhere to an international information security management standard known as ISO 27001.

But the statement said: "In addition to existing norms on the security of information management such as ISO 27001, a new scale provides a complementary tool that has been asked for."

Companies which are shareholders in the new agency include electronics giant Matsushita Electric Industrial Co., best known for the Panasonic brand, along with computer maker Fujitsu Ltd. and photocopier producer Fuji Xerox Co. Ltd.

Other firms in the initiative include a subsidiary of electronics maker Canon Inc., the Nikkei business media group, the Mitsubishi Corp. trading house and banks Mizuho Corporate Bank Ltd. and Sumitomo Mitsui Banking Corp.

Source: http://newsinfo.inquirer.net