Saturday, 26 October 2013

Looking for inspiration

This is a pic of me.


Monday, 26 November 2007

Business Continuity Standard Launched

Email received re BS25999

BS25999 Part 2 Launched

It's here: the long-awaited specification is now available.

BS25999 Part 2 has now been launched. Officially titled BS 25999-2:2007 ‘Specification for business continuity management’ it joins and complements Part 1, or BS 25999-1:2006 Business continuity management. Code of practice.

BS 25999-2 specifies requirements for establishing, implementing, operating, monitoring, reviewing, exercising, maintaining and improving a documented Business Continuity Management System (BCMS) within the context of managing an organization’s overall business risks.

The requirements specified in BS 25999-2 are generic and intended to be applicable to all organisations, regardless of type, size and nature of business. The extent of application of these requirements depends on the organisation's operating environment and complexity.

BS 25999-2 can be used by internal and external parties, including certification bodies, to assess an organization’s ability to meet its own business continuity needs, as well as any customer, legal or regulatory needs.

Over the next few weeks we will be updating our Part 2 content to reflect the published standard rather than the draft version, and publishing a number of articles on the certification process. The site supplier directory now lists a couple of certification bodies.


Tuesday, 13 November 2007

Who's responsible for security awareness?

Why do so few organisations run comprehensive security awareness and training? Some seem to think the CIO, or possibly HR, should be responsible, but I'm not sure about either of those suggestions. Most CIOs naturally focus on IT - as in technical - security, if indeed they take any interest in security at all. Relatively few HR people I've worked with have had much interest in IT, let alone information security.

No, it seems to me we have created a false dichotomy, offering a choice of two inappropriate owners. The more appropriate home for security awareness is surely the Information Security Manager, especially if management are open-minded enough to ensure that the ISM role has influence right across the enterprise, rather than being buried out of sight in the depths of IT. The ISM should be working hand-in-hand with IT, HR, Legal, Risk, Compliance, R&D, Ops ... in fact I can't think of anyone the ISM can safely ignore (is there any department that doesn't rely on information?).

To have any real effect on the organization's security stance and culture, the ISM needs the full support of executive management. My reasoning goes like this:


- Security awareness is part of information security.
- Information security is part of IT governance.
- IT governance is part of corporate governance.
- Corporate governance applies across the whole organization, and is a matter for senior management collectively.
- Ultimately the CEO and the Board are accountable for information security. They have the power to prioritize it, allocate sufficient funding, mandate security policies, standards etc. The CIO is much too far down the food-chain to have teeth.

Monday, 29 October 2007

Nice simple FAQ for ISO27001

Good overview here thanks to Sevennine and some editing and updates by me.

What is information security?
Information is an asset which has value to an organisation and needs to be suitably protected. Information assets can be electronically stored, printed or written, transmitted by post or electronically.

Information security is the preservation of:

  • Confidentiality – ensuring that information is accessible only to those authorised to have access.
  • Integrity – safeguarding the accuracy and completeness of information and processing methods.
  • Availability – ensuring that authorised users have access to information and associated assets when required.

The confidentiality, integrity and availability of information may be essential to maintaining your organisation's commercial position, legal compliance and profitability.

Many organisations are now being asked by their business partners to provide clear statements about their information security management position. Working to an existing standard such as ISO 27001 is the best means to achieve a comprehensive and thorough system that will satisfy regulators and business partners. Seven Nine can help you meet these challenges.

What is the scope of the standard?
Eleven control areas are covered within ISO 27001 (plus clauses 4-8, which constitute the management system activities):

  • Information Security Policy – Is there management direction and a written policy to provide support and direction for information security activities?
  • Organisational Security – Is there an infrastructure to manage security within the organisation? Includes the management forum and processes, third-party access and outsourced arrangements.
  • Asset Management – Are organisational assets protected? Includes inventory and classification.
  • Human Resources Security – Are the risks of human error or fraud reduced? Includes personnel screening and terms and conditions, security training and incident reporting.
  • Physical and Environmental Security – Is unauthorised access to business premises controlled? Includes physical security, secure areas, equipment security, maintenance and disposal.
  • Communications and Operations Management – Are information processing facilities operated in a correct and secure manner? Includes operating procedures and change control, system planning, protection against malicious software, backup, media handling, information exchange and email security.
  • Access Control – Is access to business information and processes controlled on the basis of business and security requirements? Includes user and password management, mobile users, and access to applications and network services.
  • Information Systems – Is security built into information systems? Includes development and support processes, cryptography and data validation.
  • Incident Management – Are events and weaknesses reported, and are events consistently managed?
  • Business Continuity – Are critical business processes protected from the effects of major failures or disasters?
  • Compliance – Does the firm take measures to avoid breaches of legal, statutory, regulatory or contractual obligations?

What is the difference between BS 7799 and ISO 27001?
ISO 27001 is essentially the adoption of BS 7799 Part 2 as an ISO standard. Changes have only been minor. BS7799 no longer exists.

What is ISO 27002?
ISO 27002 is a development of ISO 17799, and is a set of guidelines for information security best practice. Firms can seek to comply with this standard, but cannot be certified against it. ISO 27001 was created in order to provide a framework that organisations can be audited and certified against. Note: if you already have ISO 17799, you do not need to buy ISO 27002, as the two are identical, unless you want the latest updated copy.

What is certification?
Certification is achieved through a process of external audit. A number of bodies are approved for ISO 27001 audit work. As with any external certification, regular surveillance and re-certification audits are required to maintain the certification.

What is compliance?
Any firm can produce a statement of compliance with ISO 27001. The implementation of a compliant system will require much of the same work as achieving certification. Your organisation has to consider the relative commercial merits of Compliance against Certification. You must remember that this only represents your view, and that your partners may set greater store by the recognition provided by third party audit.

Do I have to gain certification for the whole organisation?
No, you can choose to limit the scope of your implementation. Be aware that most Information Security components are closely connected throughout your whole firm, so too tight a scope might be difficult to justify. You may choose to limit the scope to specific organisational units or geographical locations.

Where can I find more information about ISO 27001?
Good starting points are the ISMS International User Group www.17799.com and BSI www.bsi-global.com. If you want to order a copy of the standards, you can get one from BSI for around £200.

Final Draft of CCTV Data Protection Code of Practice

Latest news re DPA and use of CCTV...one to be noted!

Public consultation on the revised CCTV Code of Practice

The current CCTV data protection Code of Practice was published by the ICO in 2000.

Since then we have:

  • learnt a lot about CCTV and how the existing code is used;
  • witnessed advances in CCTV technology; and
  • seen new legal developments, including the Freedom of Information Act 2000, which have impacted on the use of CCTV.

The current code has been revised to take these developments into account and make sure it still provides up-to-date practical guidance.

We are holding a public consultation on the revised code, as we want those who are involved in, or are affected by, the use of CCTV to have the opportunity to comment on the revised code.

So you can make your views known, we have included a comments sheet which you should fill in and return to the Data Protection Development Officer. We can then consider your comments before the final revised version is published later in the year.

The closing date for comments is 31 October 2007.

The final draft can be found here

Source: ICO

Sunday, 28 October 2007

VOIP Security

Very interesting subject area for me at present! Where better to find out what's hot than the VOIP Security Alliance here

Overview
History shows us that advances and trends in information technology typically outpace the corresponding realistic security requirements, which are often tackled only after these technologies are widely deployed. Voice over IP (VoIP) is no different. As VoIP's popularity increases, so will its exposure to current and emerging security threats.

The Voice over IP Security Alliance (VOIPSA) aims to fill the void of VoIP security related resources through a unique collaboration of VoIP and Information Security vendors, providers, and thought leaders.

VOIPSA's mission is to drive adoption of VoIP by promoting the current state of VoIP security research, VoIP security education and awareness, and free VoIP testing methodologies and tools.

They also have a blog here.

PCI DSS Scanning Procedure

Download an overview of the latest version of the requirements here