Monday, 29 October 2007

Nice simple FAQ for ISO27001

Good overview here, thanks to Sevennine, with some editing and updates by me.

What is information security?
Information is an asset which has value to an organisation and needs to be suitably protected. Information assets can be electronically stored, printed or written, transmitted by post or electronically.

Information security is the preservation of

Confidentiality – Ensuring that information is accessible only to those authorised to have access.
Integrity – Safeguarding the accuracy and completeness of information and processing methods
Availability – Ensuring that authorised users have access to information and associated assets when required.

Maintaining the confidentiality, integrity and availability of information may be essential to your organisation's commercial position, legal compliance and profitability.

Many organisations are now being asked by their business partners to provide clear statements about their information security management position. Working to an existing standard such as ISO 27001 is the best means to achieve a comprehensive and thorough system that will satisfy regulators and business partners. Seven Nine can help you meet these challenges.

What is the scope of the standard?
ISO 27001 covers eleven control areas (Annex A), plus clauses 4-8, which specify the management system activities.

  • Information Security Policy – Is there management direction and a written policy to provide support and direction for information security activities?
  • Organisational Security – Is there an infrastructure to manage security within the organisation? - Includes management forum and processes, third party access and outsourced arrangements.
  • Asset Management – Are organisational assets protected? - Includes inventory and classification.
  • Human Resources Security – Are the risks of human error or fraud reduced? - Includes personnel screening and terms and conditions of employment, security training and incident reporting.
  • Physical and Environmental Security – Is unauthorised access to business premises controlled? - Includes physical security, secure areas, equipment security, maintenance and disposal.
  • Communications and Operations Management – Are information processing facilities operated in a correct and secure manner? - Includes operating procedures and change control, system planning, protection against malicious software, backup, media handling, information exchange and email security.
  • Access Control – Is access to business information and processes controlled on the basis of business and security requirements? - Includes user and password management, mobile users, access to applications and network services.
  • Information Systems Acquisition, Development and Maintenance – Is security built into information systems? - Includes development and support processes, cryptography and data validation.
  • Incident Management – Are security events and weaknesses reported, and are incidents consistently managed?
  • Business Continuity – Are critical business processes protected from the effects of major failures or disasters?
  • Compliance – Does the firm take measures to avoid breaches of legal, statutory, regulatory or contractual obligations?

What is the difference between BS 7799 and ISO 27001?
ISO 27001 is essentially the adoption of BS 7799 Part 2 as an ISO standard; the changes were minor. BS 7799 Part 2 has since been withdrawn.

What is ISO 27002?
ISO 27002 is the renumbered ISO 17799: a code of practice, i.e. a set of guidelines for information security best practice. Firms can seek to comply with it, but cannot be certified against it; ISO 27001 exists to provide the framework that organisations can be audited and certified against. Note: if you already have ISO 17799:2005, you do not need to buy ISO 27002, as the content is identical and only the number changed.

What is certification?
Certification is achieved through a process of external audit. A number of bodies are approved for ISO 27001 audit work. As with any external certification, regular surveillance and re-certification audits are required to maintain the certification.

What is compliance?
Any firm can produce a statement of compliance with ISO 27001. The implementation of a compliant system will require much of the same work as achieving certification. Your organisation has to consider the relative commercial merits of Compliance against Certification. You must remember that this only represents your view, and that your partners may set greater store by the recognition provided by third party audit.

Do I have to gain certification for the whole organisation?
No, you can choose to limit the scope of your implementation. Be aware that most Information Security components are closely connected throughout your whole firm, so too tight a scope might be difficult to justify. You may choose to limit the scope to specific organisational units or geographical locations.

Where can I find more information about ISO 27001?
Good starting points are the ISMS International User Group www.17799.com and BSI www.bsi-global.com. If you want to order a copy of the standards, you can get one from BSI for around £200.

Final Draft of CCTV Data Protection Code of Practice

Latest news re DPA and use of CCTV...one to be noted!

Public consultation on the revised CCTV Code of Practice

The current CCTV data protection Code of Practice was published by the ICO in 2000.

Since then we have:

  • learnt a lot about CCTV and how the existing code is used;
  • witnessed advances in CCTV technology; and
  • seen new legal developments, including the Freedom of Information Act 2000, which have impacted on the use of CCTV.
The current code has been revised to take these developments into account and make sure it still provides up-to-date practical guidance.

We are holding a public consultation on the revised code, as we want those who are involved in, or affected by, the use of CCTV to have the opportunity to comment on it.

So you can make your views known, we have included a comments sheet which you should fill in and return to the Data Protection Development Officer. We can then consider your comments before the final revised version is published later in the year.

The closing date for comments is 31 October 2007.

The final draft can be found here

Source: ICO

Sunday, 28 October 2007

VOIP Security

Very interesting subject area for me at present! Where better to find out what's hot than the VOIP Security Alliance here

Overview
History shows us that advances and trends in information technology typically outpace the corresponding realistic security requirements, which are often tackled only after these technologies are widely deployed. Voice over IP (VoIP) is no different. As VoIP's popularity increases, so will its exposure to current and emerging security threats.

The Voice over IP Security Alliance (VOIPSA) aims to fill the void of VoIP security related resources through a unique collaboration of VoIP and Information Security vendors, providers, and thought leaders.

VOIPSA's mission is to drive adoption of VoIP by promoting the current state of VoIP security research, VoIP security education and awareness, and free VoIP testing methodologies and tools.

They also have a blog here.

PCI DSS Scanning Procedure

Download an overview of the latest version of the requirements here

Simple but true....all you people take note!!

Best practices for servers.

This is a consolidation of general best practices for servers I've learned and developed over the years. Feel free to share some of your own as well!

  1. Never use telnet or ftp - use ssh or sftp instead.
  2. Never use HTTP with anything that could compromise the integrity of your system.
  3. Never log in as root.
  4. If you install it, keep it up to date.
  5. If you don't use it, remove it.
  6. Always check the changelog before updating.
Source: Here
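As an added example (not part of the original post or its source), here is a small POSIX shell audit for rules 1 and 3 above. It reads a captured sshd_config and a listener listing (the output of `ss -tln` or `netstat -tln`) and reports violations, so it can be run offline; the file paths and sample data below are constructed for the demonstration. Two details the rules leave implicit are handled: sshd uses the first occurrence of a keyword, so a later `PermitRootLogin no` does not override an earlier `yes`, and the `without-password`/`prohibit-password` settings still allow root to log in with a key. The default assumed when `PermitRootLogin` is absent is `yes`, which was the OpenSSH default at the time of the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit a host against rules 1 and 3.
# Inputs are files, so it can be run offline against captured sshd_config and
# `ss -tln` / `netstat -tln` output; the samples at the bottom are constructed.

# Print the effective value of an sshd_config keyword. sshd uses the FIRST
# occurrence of a keyword, so later duplicates are ignored; keywords after a
# "Match" line are conditional and are not considered. Prints $3 when absent.
sshd_effective() {
  # $1 = config file, $2 = keyword (case-insensitive), $3 = default value
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
    /^[ \t]*#/ || /^[ \t]*$/           { next }      # comments and blank lines
    /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/  { exit }      # start of a Match block
    /^[ \t]*[A-Za-z]+[ \t]*=/ { sub(/[ \t]*=[ \t]*/, " ") }   # Keyword=value form
    tolower($1) == key                  { print $2; found = 1; exit }
    END { if (!found) print def }
  ' "$1"
}

# Rule 3: root must not be able to log in over SSH at all. When the keyword is
# absent the default is assumed to be "yes" (the OpenSSH default before 7.0;
# newer releases default to prohibit-password, which still permits root key logins).
check_root_login() {
  v=$(sshd_effective "$1" PermitRootLogin yes | tr 'A-Z' 'a-z')
  if [ "$v" = "no" ]; then
    echo "PASS PermitRootLogin=no"
    return 0
  fi
  echo "FAIL PermitRootLogin=$v (expected no; without-password/prohibit-password still allow root key logins)"
  return 1
}

# Rule 1: nothing should listen on the cleartext telnet (23) or ftp (21) ports.
# $1 = file holding `ss -tln` or `netstat -tln` output. Prints one FAIL line per
# offending socket and returns 1 if any were found.
check_cleartext_listeners() {
  awk '
    /^(State|Netid|Proto|Active)/ { next }           # header lines
    {
      for (i = 1; i <= NF; i++) {
        n = split($i, p, ":")
        if (n < 2) continue                          # want host:port (also [::]:port)
        port = p[n]
        if (port == "21" || port == "23") {
          printf "FAIL cleartext %s listener on %s\n", (port == "21" ? "ftp" : "telnet"), $i
          bad++
        }
      }
    }
    END { if (!bad) print "PASS no telnet/ftp listeners"; exit (bad ? 1 : 0) }
  ' "$1"
}

# Run every check; returns 0 only when all of them pass.
run_audit() {
  rc=0
  check_root_login "$1" || rc=1
  check_cleartext_listeners "$2" || rc=1
  return $rc
}

# --- constructed sample inputs (not captured from a real host) ---
tmp=$(mktemp -d)
cat > "$tmp/sshd_config" <<'EOF'
# Root can log in: the first PermitRootLogin wins, the later "no" is ignored
Port 22
PermitRootLogin yes
PermitRootLogin no
EOF
cat > "$tmp/listeners" <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      5      0.0.0.0:23          0.0.0.0:*
LISTEN 0      5      [::]:21             [::]:*
LISTEN 0      128    127.0.0.1:2323      0.0.0.0:*
EOF

if run_audit "$tmp/sshd_config" "$tmp/listeners"; then
  echo "audit: clean"
else
  echo "audit: violations found"   # the samples above trip both checks
fi
rm -rf "$tmp"
```

To run it against a live host, capture `ss -tln` (or `netstat -tln`) to a file and call `run_audit /etc/ssh/sshd_config that-file`. Rules 4 to 6 (patch what you install, remove what you don't use, read the changelog) are process rules that your package manager's own tooling covers better than a script like this.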

Saturday, 27 October 2007

UK - Almost all CCTV systems are illegal, says expert

Slightly worrying! Full story here

The UK is well known for its widespread adoption of CCTV technology, but a CCTV compliance consultancy has recently warned that the vast majority of systems are operating illegally, calling into question the validity and legality of the information they collect.

Bernie Brooks of CCTV compliance consultancy DatPro, speaking on Outlaw.com radio, said: "From my own experience after personally surveying many, many hundreds of buildings, I would say probably less than five per cent are compliant. I would say that 95 per cent are non-compliant in one way, shape, form or another with the [Data Protection] Act. Obviously, that's quite a worrying thing. If the system is non-compliant it could invalidate the usefulness of the evidence in a court of law."

Brooks's assessment matches that of non-profit CCTV awareness raising body Camerawatch. It said in June that its research showed that over 90 per cent of the UK's 4.2 million CCTV systems were not compliant with the Data Protection Act.

"That has profound implications for the reputation of the CCTV and camera surveillance industry and all concerned with it," said Camerawatch chairman Gordon Ferrie in June.
The news follows the revelation last week that London's dense network of CCTV cameras may not have an effect on the solving of crimes. An analysis of London's 10,000 cameras showed that boroughs with many cameras had no better crime-solving statistics than those with few cameras.

Good info on BCM at BS25999.com

I like this site, easy to navigate and good BCM info explained in simple terms...


BS25999.COM has been created by a team of industry specialists with the intention of providing both experienced practitioners and industry newcomers with relevant information, useful content and a number of interactive capabilities concerning BS25999.

In addition to BS25999 we will provide information on Business Continuity and Emergency Management in general.

It is our intention for this site to be driven by the needs of its registered members and encourage everyone to let us have their thoughts on how the site and content can be developed for the benefit of all.

If you have any questions or feedback please do not hesitate to contact us

Friday, 26 October 2007

Why use ISO27001

Over the past few months more clients are asking what is ISO 27001 and what are the benefits of implementing an Information Security Management System based on the standard?

ISO 27001 is a vendor and technology neutral internationally recognised standard which provides companies with a risk based approach to securing their information. It provides organisations with independent third party verification that their Information Security Management System meets an internationally recognised standard. This provides a company, and its customers and partners, with the confidence that they are managing their security in accordance with recognised and audited best practices.

However, in my opinion companies that have implemented an ISO 27001 based ISMS can demonstrate many efficiencies and other benefits, such as:

  • Increased reliability and security of systems:

Security is often defined as protecting the Confidentiality, Integrity and Availability of an asset. Using a standards-based approach, which ensures that adequate controls, processes and procedures are in place, will ensure that the above goals are met. Meeting the CIA goals of security will also by default improve the reliability, availability and stability of systems.

  • Increased profits:

Having stable, secure and reliable systems ensures that interruptions to those systems are minimised thereby increasing their availability and productivity. In addition to the above, a standards based approach to information security demonstrates to customers that the company can be trusted with their business. This can increase profitability by retaining existing, and attracting new, customers.

  • Reduced Costs:

A standards based approach to information security ensures that all controls are measured and managed in a structured manner. This ensures that processes and procedures are more streamlined and effective thus reducing costs.

Some companies have found they can better manage the tools they have in place by consolidating redundant systems or re-assigning other systems from assets with low risk to those with higher risk.

  • Compliance with legislation:

Having a structured Information Security Management System in place makes the task of compliance much easier.

  • Improved Management:

Knowing what is in place and how it should be managed and secured makes it easier to manage information resources within a company.

  • Improved Customer and Partner Relationships:

By demonstrating the company takes information security seriously, customers and trading partners can deal with the company confidently knowing that the company has taken an independently verifiable approach to information security risk management.

ISO 27001 can be implemented within an organisation as a framework to work against or indeed the organisation can seek to gain certification against the standard.

If you are serious about information security and need to know "how secure is secure enough?", then I strongly recommend you get a copy of the standard with a view to implementing it.

Thanks and source: Security Watch

Telecity gain PCI Compliance for unmanaged Hosting

It appears that Telecity now comply with PCI DSS, see below. Thanks to Eddie for this source!

Telecity Group currently holds PCI DSS accreditations for its unmanaged hosting services. Accreditation for its managed services is currently in progress. This is scheduled for completion in 2007.

PCI Accreditation

Securing online payments

Online sales are growing rapidly and in certain sectors revenue levels are nearing those of traditional high street retailers. As a result, banks and card issuers are taking online fraud very seriously – and they expect everyone in the value chain to do so equally. Payment Card Industry Data Security Standard (PCI DSS) accreditation has been developed as the security standard and increasingly companies that do not comply are being refused a merchant license.


Full article here

Thursday, 25 October 2007

The Conscious Competence Security Model


A while back I learned of the Conscious Competence Learning Model (we'll get to exactly what it is) and I knew I had to blog about it and then I forgot but I was reminded of it again when I read this article by Richard Bejtlich.


He in turn is discussing CIO Magazine's Fifth Annual Global State of Information Security which is worth a read especially if you are in the Information Security field.

It was these two quotes that reminded me of the Learning Model -

You're undergoing a shift from a somewhat blissful ignorance of the serious flaws in computer security to a largely depressing knowledge of them.
and

As [Ron] Woerner puts it, "When you gain visibility, you see that you can't see all the potential problems. You see that maybe you were spending money securing the wrong things. You see that a good employee with good intentions who wants to take work home can become a security incident when he loses his laptop or puts data on his home computer. There's so much out there, it's overwhelming."
This sounds very depressing and sounds like we should just throw in the towel, but I think it is more positive than that.

The Conscious Competence Learning Model has many different names and versions but the concept is as follows:

  1. At first you are blissfully unaware of how much you don't know.
  2. Then you start learning and get overwhelmed once you learn just how much you don't know.
  3. Then you learn some more and you struggle along learning all the time.
  4. Then you become a professional and know everything without having to think very much.


My Information Security spin on this is:
  1. At first you have firewalls and antivirus and you feel safe. You don't know what is really happening on your network but you are sure that everything is fine.
  2. Then, for some reason you take Information Security seriously and spend some more money on what is really important. You realise just how unsafe your network and information really is.
  3. You work at it, struggling all the time to get a proper plan in place and back it up with all the good stuff you can such as technological solutions, training, awareness, processes etc all the time refining and updating the process to get more secure. At the same time new projects have security built in from day 1. All the time you are finding new issues to fix but these are getting less and less and you know that you are getting more secure.
  4. All your systems are secured as much as they need to be. All new threats have action plans in place. New projects, users, systems all have procedures that make them as secure as possible. All risks are dealt with in the way Business expects them to be. There may be incidents but there are no surprises.
From the CSO article and Richard's blog post I think that most companies in the survey are at step number 2 moving (hopefully) to step 3.

My feeling is that most companies are at stage 1 with a resistance to move to stage 2. Companies that are at stage 1 would (probably) not be a part of the CSO magazine community. I think that very few companies would be at step 4 but many companies would be battling along at step 3.

Obviously the size of the company and what sector the company is in would help determine what step they are on. As well as the amount of leadership the Top Brass have and the enthusiasm of the Security Department.

Source: Alan Baranov, CISSP

What is ISO27001?

In a nutshell it is an ISO standard specifying the requirements for an information security management system. It was published in October 2005, and was based heavily upon the British Standard, BS 7799-2.

ISO/IEC 27001 is often considered to be the prime ISO 27000 standard because it is this against which certification can be sought. It is aligned with other ISO quality management standards, such as ISO 9001 and ISO 14001.

The standard is also intended to drive the selection of adequate and proportionate security controls, hence its relationship with ISO 27002 (formerly ISO 17799), which defines individual controls within a code of practice framework.

The ISO 27000 Series: what the numbers mean

The ISO 27000 series of information security standards is a moving feast. This is a 'live page' which will be kept current with the latest situation as we understand it.

ISO 27000
Not yet published. It will define vocabulary and definitions for the rest of the series.

ISO 27001
Published. This is the specification for an ISMS

ISO 27002
Published (July 2007). This is the renumbered ISO 17799:2005; the content is unchanged.

ISO 27003
Not yet published. This will be an implementation guide.

ISO 27004
Not yet published. This will cover measurement and metrics for information security management.

ISO 27005
Not yet published. This will cover information security risk management, and is likely to be based upon BS7799-3.

ISO 27006
Published. This is a formal guide to the certification and registration process.

ISO 27007
Not yet published. This will cover the audit process for an ISMS

ISO 27031
Not yet published. This standard will cover ICT business continuity planning.

ISO 27032
Not yet published. This is currently a proposed standard for internet security.

ISO 27799
Awaiting publication. This will be the first industry specific version of ISO 27002. It is focused upon the health sector.


Information Security Awareness


Here is a site I have admired for a long time, run by Gary Hinson.

Noticebored

Best practice security awareness

IsecT Ltd. is proud to have been acknowledged as a "best practice expert" in security awareness by ENISA, the European Network and Information Security Agency, alongside Gartner no less. Our Business Case for an Information Security Awareness Program contributed to ENISA's Users' Guide: How to Raise Information Security Awareness. The Users' Guide expands considerably on our white paper with helpful advice to small companies on how to plan and establish security awareness programs.

Dilbert and Security Best Practice

Not to be recommended as meeting compliance under ISO27001 Annex 9 HERE

Wednesday, 24 October 2007

A good place for good tips and info on ISO27001

ISO27001security.com is a vendor-neutral website dedicated to promoting the ISO/IEC 27000-family international standards for Information Security Management Systems ("ISO27k").

The ISO27k standards provide internationally accepted best practice guidance on protecting the confidentiality, integrity and availability of the information and information systems on which we all depend.

Three ISO27k standards are already released and publicly available:

  • ISO/IEC 27001, the Information Security Management System certification standard;
  • ISO/IEC 27002, the code of practice for information security management with advice on a broad range of controls;
  • ISO/IEC 27006, a guide to the ISMS certification process for certification bodies.
Here

The place for Payment Card Industry info

The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. Click here for more information and to download the specification.