NIST Cybersecurity Framework: Keeping Your Business Safe in an Unsafe IT Ecosystem

The Rising Strategic Risk of Cyberattacks

As the world continues to embrace technology and its many advantages, businesses have come to rely more and more on it, storing large amounts of sensitive data electronically. The ease with which computers store and retrieve information is the main driver of this shift toward massive electronic storage, but the same efficiencies that computers bring to the market have inadvertently created a new area of risk.

Cyber criminals today increasingly leverage malware, bots and other sophisticated threats to attack organizations for a range of motives: financial gain, business disruption or political agendas. In many cases they target multiple sites and organizations at once to increase the likelihood that an attack succeeds initially and then spreads. With new malware variants generated daily, many companies struggle to fight these threats on their own, and the majority of attacks go undetected or unreported.

Cybercriminals are also no longer isolated amateurs. They belong to well-structured organizations with money, motivation and goals, often employing highly skilled hackers who execute targeted attacks. Such organizations can deploy considerable threat intelligence, time and resources to execute attacks that cost their victims significant amounts of money. Unfortunately, the problem is only growing as businesses expand their use of the internet, mobile computing and the cloud, creating more channels of communication and more vulnerable entry points into the network.

Cybersecurity – A Global Business Concern 

More and more business value and personal information worldwide are migrating into digital form on open, globally interconnected technology platforms. As that happens, the risks from cyberattacks become more severe.

Based on 2014 research by McKinsey and the World Economic Forum, companies continue to struggle with their cyber risk management capabilities and believe they are losing ground to attackers as visible breaches occur at growing scale and severity.

The findings show that 70% of executives from financial institutions consider cybersecurity a strategic risk to their companies and regard internal threats (their own employees) as being as big a risk as external attacks. Product companies such as high-tech firms see the leaking of proprietary knowledge about production processes as more damaging than leaks of product specifications, given the pervasiveness of “teardown” techniques and the legal protections afforded to product designs. Service companies, on the other hand, are more concerned about the loss or release of identifiable customer information and about service disruptions.

Equally worrisome, executives across industries expect cyber attackers to extend their lead over corporate defenses, moving more quickly than institutions can defend themselves. That makes cybersecurity a top priority for businesses of all kinds.

Why Does Cybersecurity Matter?

If you still haven’t developed a plan to safeguard your company’s information assets, here are the top 5 reasons why cyber security matters:

1 – Your reputation will be at risk.

If your business suffers a breach, you can be sure people will find out about it, and the fallout can be devastating. Customers may doubt that their data is safe with you and shop elsewhere as a result. After all, if you have had one breach, what are the chances you will have another?

A data breach could even make your vendors wary of working with you. The network connections you share with them, for processing payroll, for example, or for transferring email campaign lists, could suddenly become suspect. They have their own data to protect, and a breach may mark your business as the weakest link in the security chain.

2 – Breaches are a financial burden.

When a breach is discovered, systems are often taken offline to plug the security hole. During that time, you may not be able to process customers’ orders or continue operations. New equipment or software may need to be purchased to prevent a recurrence of the breach.

3 – It’s not a matter of “if,” but “when.”

With the pace of breaches in our hyper-connected, data-intensive world, no business, industry or region is immune. Rather than simply hoping to avoid a data exposure, businesses are learning to protect themselves more intelligently and to be prepared to meet attackers head on.

4 – Insider threats are real.

Dangers just as disturbing as any external cyber criminal may lurk within an organization. Resentful employees can inflict tremendous harm if they choose to take revenge on the business or a coworker by divulging sensitive information. The same holds true for employees facing financial difficulties who may see the sale of confidential data as a way to solve their money problems. One of the most challenging aspects of the insider threat is how difficult it is to identify who presents a risk and who does not. Employers often are not aware of the danger until a breach has occurred.

5 – A cyber attack puts your customers and partners at risk.

Breach victims could suffer financial losses through the theft of payment card and bank account numbers. They could also fall prey to identity fraud later if criminals use their personal information to open new accounts in their name. But the damage does not stop there. With a name or a Social Security number, someone could commit a crime using the victim’s identity, putting that person’s livelihood and reputation in serious jeopardy. Given the danger that identity theft and fraud pose, protecting customers’ data is part of being a good business.

Some of the largest breaches of the past few years have been due to small businesses serving as vendors to larger companies. As part of the larger business ecosystem, small businesses will be scrutinized for their data-handling practices for as long as they act as third-party vendors to other companies.

Cybersecurity Landscape

Attacks on sensitive IT systems and data increased in 2015, many of which caused substantial financial and reputational damage to the companies involved. Still, a successful attack on the underpinnings of the nation’s critical infrastructure would have far more catastrophic impacts than this.

Based on the ISACA 2015 Global Cybersecurity Status Report, 83% of ISACA members across 129 countries say cyberattacks are among the top three threats facing their organization today, yet only 38% say they are prepared to experience one.

IT departments often find themselves unprepared to patch and mitigate these threats, whose aims include monetizing credit card data or financial records, rapidly replicating a product or process, and gaining access to strategic or customer information. That leaves the window for exploitation wide open and has produced a perfect storm of zero-day attacks, system infiltration and subsequent data loss for many organizations.

Must Know Cyber Security Statistics in 2015 (figure)

According to the IBM 2015 Cyber Security Intelligence Index, 55% of attacks came from people who had physical or remote access to a company’s assets: hard copy documents, disks, electronic files and laptops, as well as non-physical assets such as information in transit. Although the insider is often an employee of the company, he or she could also be a third party: business partners, clients or maintenance contractors, for example. These are individuals you trust enough to allow them access to your systems.


Still, it’s important to note that more often than not, breaches caused by insiders are unintentional. In fact, over 95% of these breaches are caused by human error. That can mean accidentally posting information on the company’s public-facing website, sending information to the wrong party via email, fax, or mail, or improperly disposing of clients’ records.

But insiders who set out to take advantage of the company they work for can be much more dangerous. It’s more difficult to thwart these insiders’ malicious actions because they’re willing to take extraordinary measures to circumvent access controls and are typically unconcerned with corporate policies or the potential consequences of their actions.

Taking Action: NIST Cybersecurity Framework

The NIST Framework for Improving Critical Infrastructure Cybersecurity (version 1.0) was released in February 2014 and is intended to establish guidelines and best practices for ensuring that critical systems are adequately protected. Although it is a voluntary framework, it is expected to be adopted by many companies as a way to strengthen their security posture.

The Framework provides an assessment mechanism that enables organizations to determine their current cybersecurity capabilities, set individual goals for a target state, and establish a plan for improving and maintaining cybersecurity programs. It comprises three primary components: Core, Implementation Tiers, and Profile.


Framework Core – A set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core represents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level.

The Core is organized around five functions:

  • Identify – develop the organizational understanding needed to manage cybersecurity risk to systems, assets, data and capabilities.
  • Protect – develop and implement the safeguards needed to ensure delivery of critical infrastructure services.
  • Detect – develop and implement the activities needed to identify the occurrence of a cybersecurity event.
  • Respond – develop and implement the activities needed to take action regarding a detected cybersecurity event.
  • Recover – maintain plans for resilience and restore any capabilities or services impaired by a cybersecurity event.

Framework Implementation Tiers – Describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework. There are four tiers that can be used to identify the “current state” of your cybersecurity effort.

These tiers and their brief characteristics include:

  • Tier 1 (Partial): Informal cybersecurity risk management practices; an ad hoc and reactive approach to risk management.
  • Tier 2 (Risk Informed): Management-approved risk management processes and awareness of risk at the organizational level, but no organization-wide approach.
  • Tier 3 (Repeatable): Risk management processes expressed as policy, with an organization-wide approach to managing cybersecurity risk and risk-informed policies, processes and procedures.
  • Tier 4 (Adaptive): Cybersecurity practices adapted from lessons learned and predictive indicators, continuous improvement incorporating advanced technologies and practices, and active sharing of information with partners both before and after cybersecurity events.

Framework Profile – Describes the outcomes that the organization has selected from the Core based on its business needs and risk assessment. Comparing a Current Profile with a Target Profile identifies opportunities for improving cybersecurity by moving from the “current state” to the “target state”. To develop a Profile, assess the organization against the Core outcomes and determine which outcomes are most important to it. The Current Profile can then be used to support prioritization and measurement of progress towards the Target Profile, and to support communication within the organization.
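As an added worked example (not code from the original article or from NIST), the following Python script performs the Profile comparison described above: it lists the outcomes where the Current Profile falls short of the Target Profile, orders them by business priority, and measures how much of the gap a later assessment has closed, per function. It assumes, as a simplification, that each Core outcome is scored on the four Implementation Tier levels, that subcategory identifiers carry the Framework’s function prefix (ID, PR, DE, RS, RC), and that each outcome has a priority of 1 to 3 assigned during the risk assessment; the two sample profiles are constructed for illustration and do not describe any real organization.

```python
"""Gap analysis between a NIST CSF Current Profile and Target Profile.

Added example. Assumptions (not taken from the article): every Core outcome
is scored on the four Implementation Tiers, subcategory ids use the function
prefix convention (ID/PR/DE/RS/RC), and each outcome carries a business
priority of 1 (low) to 3 (high) chosen during the risk assessment.
"""
from dataclasses import dataclass

TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
PREFIX = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
          "RS": "Respond", "RC": "Recover"}
FUNCTIONS = tuple(PREFIX.values())


@dataclass(frozen=True)
class Outcome:
    subcategory: str  # Core subcategory id, e.g. "PR.AC-1"
    current: int      # tier describing today's practice (1..4)
    target: int       # tier chosen for the Target Profile (1..4)
    priority: int     # business priority from the risk assessment, 1..3

    @property
    def function(self) -> str:
        return PREFIX[self.subcategory.split(".")[0]]

    @property
    def gap(self) -> int:
        # Exceeding the target is not counted as a negative gap.
        return max(self.target - self.current, 0)


def validate(outcomes):
    """Reject malformed profiles before they distort the analysis."""
    for o in outcomes:
        if o.subcategory.split(".")[0] not in PREFIX:
            raise ValueError(f"{o.subcategory}: unknown function prefix")
        if o.current not in TIERS or o.target not in TIERS:
            raise ValueError(f"{o.subcategory}: tiers must be one of {sorted(TIERS)}")
        if o.priority not in (1, 2, 3):
            raise ValueError(f"{o.subcategory}: priority must be 1, 2 or 3")


def prioritized_gaps(outcomes):
    """Outcomes still short of their target, largest priority-weighted gap first.

    Ties are broken by subcategory id so the report order is stable."""
    validate(outcomes)
    open_items = [o for o in outcomes if o.gap > 0]
    return sorted(open_items, key=lambda o: (-o.priority * o.gap, o.subcategory))


def progress_by_function(baseline, current):
    """Per function: (tier steps closed since the baseline, tier steps that were open).

    Both profiles must cover the same subcategories with unchanged targets;
    a changed target would silently invalidate the comparison."""
    validate(baseline)
    validate(current)
    now = {o.subcategory: o for o in current}
    totals = {f: [0, 0] for f in FUNCTIONS}
    for b in baseline:
        c = now[b.subcategory]
        if c.target != b.target:
            raise ValueError(f"{b.subcategory}: target changed between assessments")
        open_steps = b.gap
        closed = min(max(c.current - b.current, 0), open_steps)
        totals[b.function][0] += closed
        totals[b.function][1] += open_steps
    return {f: tuple(v) for f, v in totals.items()}


# Constructed sample profiles (illustrative only).
BASELINE = [
    Outcome("ID.AM-1", current=1, target=3, priority=3),  # device inventory
    Outcome("PR.AC-1", current=2, target=4, priority=3),  # identity/credential mgmt
    Outcome("DE.CM-1", current=1, target=3, priority=2),  # network monitoring
    Outcome("RS.RP-1", current=3, target=3, priority=2),  # response plan executed
    Outcome("RC.RP-1", current=1, target=2, priority=1),  # recovery plan executed
]
# A later assessment after work on access control and monitoring.
LATER = [
    Outcome("ID.AM-1", current=1, target=3, priority=3),
    Outcome("PR.AC-1", current=3, target=4, priority=3),
    Outcome("DE.CM-1", current=3, target=3, priority=2),
    Outcome("RS.RP-1", current=3, target=3, priority=2),
    Outcome("RC.RP-1", current=1, target=2, priority=1),
]

if __name__ == "__main__":
    for o in prioritized_gaps(BASELINE):
        print(f"{o.subcategory}: {TIERS[o.current]} -> {TIERS[o.target]} "
              f"(weight {o.priority * o.gap})")
    for fn, (closed, total) in progress_by_function(BASELINE, LATER).items():
        print(f"{fn}: {closed}/{total} tier steps closed")
```

The weighting (priority times tier gap) is deliberately simple so that the ranking can be explained to executives in one sentence; the point of the script is that the Current Profile, Target Profile and priorities are recorded as data that can be re-run after each assessment rather than re-argued.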

Benefits beyond Improved Cybersecurity

The NIST Framework was designed with a very high degree of flexibility for organizations that want to follow its guidelines. It is also technology-neutral and incorporates existing industry standards and best practices, with no “re-inventing the wheel”. Most importantly, it enables each organization to profile its own cybersecurity efforts, define a target profile, and then put a plan in place to reach that goal.

In this regard, its guidelines should be considered not as requirements but as scorecards that are based on the unique business needs, risk appetite, and security demands for each environment and provide a guide for continuous improvement based on changing risk and threat dynamics.

For most organizations, whether they are owners, operators, or suppliers of critical infrastructure, the NIST Cybersecurity Framework may be well worth adopting solely for its stated goal of improving risk-based security. But it can also deliver ancillary benefits, including effective collaboration and communication of security posture with executives and industry organizations, as well as a potential reduction in legal exposure and even assistance with regulatory compliance.

Effective collaboration hinges upon open and meaningful dialogues. To that end, the Framework has created a common language to facilitate conversation about cybersecurity processes, policies, and technologies, both internally and with external entities such as third-party service providers and partners.

Looking Ahead

New technologies, well-funded and determined cyber attackers, and interrelated business systems have combined to increase your exposure to cyberattacks. Your critical and most confidential digital assets are being targeted at an unprecedented rate, and the potential impact on your business has never been greater.

The NIST Cybersecurity Framework represents a tipping point in the evolution of cybersecurity, one in which the balance is shifting from reactive compliance to proactive, risk-management-based standards. The framework is voluntary, but when you adopt it successfully you do more than protect your business: you have the potential to reap bottom-line benefits.

References

https://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/adopt-the-nist.pdf

http://www.isaca.org/pages/cybersecurity-global-status-report.aspx

http://www.mckinsey.com/business-functions/business-technology/our-insights/the-rising-strategic-risks-of-cyberattacks

http://idt911.com/education/blog/5-reasons-why-cyber-security-matters-for-smbs

http://public.dhe.ibm.com/common/ssi/ecm/se/en/sew03073usen/SEW03073USEN.PDF

Confidence on the Cloud – A New Cloud Privacy Standard (ISO 27018)

The Cloud Today

The growing marketplace of cloud computing.

Cloud computing’s growth in use and popularity has been soaring. According to Gartner (2013), the cloud computing market was forecast to grow by roughly 18% to USD 131 billion, from USD 111 billion in 2012.

What’s more, 2016 is set to be a defining year for the cloud, as the technology grows more sophisticated over the next few years.

The Cloud Landscape

Cloud computing started as an in-house infrastructure established by companies such as Microsoft, Google and Amazon to serve their individual business needs. This consists of a set of technologies and service models that focus on Internet-based use and delivery of IT applications, processing capability, storage and memory space.

Now it has evolved into a platform on which much of our daily life depends. While the public and private cloud models distinguish how infrastructure is shared, SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service) define the extent of control held by the cloud service provider (CSP) versus the cloud user.

According to the National Institute of Standards and Technology (NIST), the “cloud” is defined by five essential characteristics.

  1. On-demand self-service: a customer can provision a service via the web or another method at any time and have it available for use immediately, without requiring human interaction with the provider.
  2. Broad network access: services are available over the network and are accessed through standard mechanisms from a range of client platforms (mobile phone, tablet, laptop, etc.).
  3. Resource pooling: the provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.
  4. Rapid elasticity: capabilities can be provisioned and released quickly, so additional capacity remains available on an “as needed” basis.
  5. Measured service: resource usage is monitored, controlled and reported, and customers are billed automatically for their consumption.

The Confidence for Tomorrow – ISO 27018

The massive flows of data across cloud computing services are becoming ever more complex. Identifying and protecting personal data in those flows is becoming a daunting problem for many cloud service providers and cloud users. Given the substantial data protection risks, measures need to be taken to mitigate them, to the benefit of the cloud computing industry and its clients.

While there are several laws and regulations around it, a common benchmark or standard was lacking for some time. ISO/IEC 27018:2014, Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, is the first international standard to set out privacy controls for cloud services.

Following the privacy controls set out in ISO 27018 gives service providers greater assurance that they are doing the right thing, and doing everything recommended, to protect customers’ personal information. It also benefits both sides of the relationship. For a consumer buying cloud services, the standard helps identify the requirements for selecting a cloud provider and for defining contractual clauses. For a cloud service provider, it offers a unique selling proposition to potential clients: as more clients become familiar with the standard, the more often it will appear in their requests for proposal.

ISO 27018 takes into account public policy from around the world, as it integrates input from many regional regulators. A cloud service provider’s conformance to the standard makes the whole job of compliance with particular legislation in one country or region that much easier. The standard provides a common set of guidelines for the whole industry and adds needed protections to improve PII security and privacy in an increasingly cloud-based information environment.

ISO 27018 – Quick Overview

Key Elements of the Standard

ISO 27018 is a standard put forward by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) that seeks to create a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a data processor. To fulfil the standard, cloud service providers must understand the following key elements:

  1. Personally Identifiable Information (PII) instead of Personal Data

The scope of “personal data” is not limited to information that “can be used” to identify, or that is “linked” to, a PII principal (data subject); it covers “any information” relating to an identifiable natural person.

  2. Cloud Providers as Data Processors

In ISO/IEC 27018 the client is regarded as PII controller and the cloud service provider is the PII processor.

  3. Personal Data Protection Principles

ISO/IEC 27018 contains a comprehensive set of controls, following the structure of ISO/IEC 27002, regarding:

  • Information security policies
  • Organization of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations and communications security
  • System acquisition, development and maintenance
  • Supplier relationships
  • Information security incident management
  • Information security aspects of business continuity management
  • Compliance

Through these controls the PII processor enables the cloud service client to comply with its regulatory (data protection) obligations, and at the same time conforms to its own obligations, whether legal or contractual.

  4. Accountability and Certification

Elements of the principle of accountability are incorporated into the standard, in particular data breach notification, privacy by design, audits and certification. In general, the standard may be seen as an instrument that assists the PII processor in meeting accountability requirements. Key to demonstrating compliance in the context of accountability is third-party certification: a cloud service provider that implements the standard may request a conformity assessment in order to be certified as complying with it.

To comply with the standard, participating cloud service providers must commit to, and be transparent about, the following practices:

  • only process personal data in accordance with the customer’s instructions;
  • only process personal data for marketing or advertising purposes with the customer’s express consent;
  • be transparent around the use of sub-processors (which will include providing the names of, and any possible locations where the data may be processed by, any sub-processors);
  • ensure that staff who have access to personal data enter into confidentiality agreements and receive appropriate staff training;
  • make required disclosures to law enforcement authorities and/or regulators only when legally bound to do so;
  • assist cloud customers to comply when individuals assert their access rights; and
  • help cloud customers comply with their notification obligations in the event of a data breach.


Way Forward

The current landscape of cloud security standards is best characterized as immature but emerging. ISO 27018 provides clear guidance for cloud service providers on establishing privacy protection and allows businesses to make careful decisions about the cloud. The present guidelines also serve as a reference point for future improvement of the standard. As the first international standard dedicated to cloud privacy, it has started an exchange of ideas among CSPs on best practice for data privacy and security. ISO 27018 is an important step toward protecting PII in the cloud; it emerges from previous ISO guidelines and will continue to evolve alongside cloud service providers’ technology to deliver more secure services for the growth and success of businesses.


ECC International is a leading process improvement solutions provider in Southeast Asia, focused on process consulting, automation solutions and learning outsourcing services. We help companies achieve performance excellence by assisting them in implementing management systems and international standards/best practices across multiple domains and industries.

Our partnerships with best-in-class technology companies help drive sustained excellence for our customers. As a solutions provider with instructional design capability and subject matter expertise in niche areas, we help organizations implement learning strategies and design learning content for improved performance.

APEX Global (The Academy for Professional Excellence) is the learning solutions arm of ECCI – the leading process improvement solutions provider in Southeast Asia.

Our sole aim is to promote performance excellence among professionals. We help our customers achieve greater success through effective, experiential and result-oriented training delivery.

Empowered with a strong pool of expert trainers and facilitators with expertise in a niche array of domains, and a strong regional presence, we provide an extensive portfolio of industry-specific and functional programs, coupled with high quality training materials, to deliver best-in-class services for professionals.

We are a market leader when it comes to Information Security and Risk Management solutions (in the form of training, consulting and GRC solutions, www.metricstream.com) in SE Asia.

To learn more about cloud security, ISO 27018 guidelines and requirements, and their correlation with existing standards such as ISO 27001 and EU Data Protection Laws, join us at the Confidence on the Cloud – Data Security Best Practices based on ISO 27018 training program.

Sources

  1. http://www.bishopfox.com/blog/2015/05/iso-27018-the-long-awaited-cloud-privacy-standard/
  2. http://www.kemplittle.com/site/articles/kl_bytes/iso-27018-a-new-cloud-privacy-standard
  3. http://www.iso.org/iso/isofocus_108.pdf
  4. http://www.brusselsprivacyhub.org/Resources/BPH-Working-Paper-VOL1-N2.pdf

 

Taking the next step with the new ITIL® Practitioner Qualification


Axelos, the owner of ITIL, has announced the most significant evolution of ITIL so far: the new ITIL Practitioner qualification.

ITIL Practitioner is being developed in collaboration with Practitioners worldwide to help organizations and individuals increase the value they obtain from using ITIL by offering additional practical guidance to adopt and adapt the framework to support the business. It will be the next step after ITIL Foundation for professionals who have already learned the basics of IT Service Management (ITSM) and the business value of well-designed and delivered services. It will help guide them through the practical side of successfully applying the theory in the workplace.

A specific amount of credit points will be assigned to ITIL Practitioner that will count towards ITIL Expert the same way as Foundation, Intermediate and Managing Across the Lifecycle (MALC) do today.


Why was this introduced?

The demands organizations are putting on their IT teams and IT service providers have changed significantly in recent years. In many cases, we have moved from “let’s keep everything as stable as possible” to “let’s be as agile as possible (and make sure we can recover instantly)”. Technological capabilities, such as those enabled by rapidly evolving cloud computing, and the associated practices have made it possible to better answer those demands. The detailed ‘how’ of all of this depends, though: what works for a Bay Area start-up might not work for a large multinational enterprise, and the expectations of customers of 10+ years differ from those acquired yesterday. For ITSM professionals, there is an ever-growing demand for more practical guidance on how to design fit-for-purpose and fit-for-use services and supporting processes.

That is where ITIL and other philosophies, frameworks and methodologies, such as Lean, DevOps and Agile, need to intersect for the best results. There are no silver bullets: organizations need to choose wisely the best ways to address specific challenges. ITIL helps with this by providing the framework into which good practice on the ‘how’ can be plugged. Additional, practical guidance was needed to bring this to life.

Enter… ITIL Practitioner

Continual Service Improvement (CSI) is often (mistakenly!) considered the last ITIL lifecycle stage, almost a nice-to-have feature. By making CSI the backbone of the new qualification, ITIL Practitioner brings one of the most under-used and under-valued parts of ITIL to the real world. It is CSI that helps organizations focus on the improvements that deliver the most value and make sure that services, and the practices supporting them, keep up with the needs of an ever-changing organization and continually improve.

ITIL Practitioner equips ITSM professionals with the tools to identify the improvement needs and priorities in their organization, to successfully start and run the improvement initiatives and to deliver the value expected. The qualification – and the guidance supporting it – brings together various parts of ITIL, adding more detail as required, and combines this with the practical ‘how to’. The good practice from ITSM professionals from around the world is distilled into concepts, models and capabilities, and complemented with tools and methods to place it in the context of a specific organization. This is ITIL Practitioner.

For more information, please check this ITIL Practitioner page.

Reference:

https://www.axelos.com/news/blogs/march-2015/taking-the-next-step-with-itil

Servicing ICT – Merging Security and Service Management

A broad range of ISO/IEC standards (developed jointly by the International Organization for Standardization and the International Electrotechnical Commission) address key issues faced by the world’s fast-growing information and communications technology (ICT) industry. These include preventing cyber attacks, ensuring information security and maintaining business continuity.

A common business tool in most organizations, ICT serves many business purposes and is used in a wide range of business applications and processes. Its use requires associated services, provided within an organization, for example through an internal ICT services department, or by a third party.

Up and running

Over recent years, cloud computing has become a fashionable term for the delivery of services such as applications as a service, software as a service and infrastructure as a service.

An example is data storage in a third- party cloud server. This can reduce an organization’s costs as it does not need to manage and maintain its own server. There is a possible downside too: can the cloud provider manage the ICT and data storage service efficiently, securely and effectively?

This raises issues of how to provide effective ICT service management and information security. For example, if the cloud service provider is in one country and the provider of personal data is in another, how does the cloud provider protect its customers? In addition, how does the cloud provider conform to national laws when its clients are geographically dispersed around the world?

ICT service management also has a key role in the delivery of ICT services. Implemented properly, it can increase efficiency and cost-effectiveness, increase flexibility in the use of ICT resources and applications, reduce response times and improve quality of service. To achieve these benefits, information security plays a key role in ensuring effective service delivery.

In the case of critical national infrastructure, service provision needs to be carefully considered. Appropriate solutions and controls are necessary for ICT service management, ICT readiness and preparedness for dealing with disasters and continuity issues, incident handling and information security.

To guarantee delivery, critical infrastructure requires many services to be able to work together. Examples include medical, food, energy, utility and emergency services. Most of these rely on ICT-based systems to keep services up and running.

In cyber attacks or other disasters, it is essential to be able to recover ICT systems to restore services quickly. Before an incident occurs, it is also necessary to have effective early warning, detection and monitoring systems in place.

Best practice guidelines

The delivery of effective ICT service management is being addressed by the ISO/IEC 20000 (Information technology – Service management) family of standards; and information security issues are being addressed by the ISO/IEC 27000 (Information technology – Security techniques) family of standards.

There are also sector and application specific information security standards such as ISO/IEC 27011 for telecom services; ISO/IEC 27017 and ISO/IEC 27018 for cloud computing; and a standard for integrating information security with ICT service management, ISO/IEC 27013.

One area covered by ISO/IEC 20000 is service availability and continuity management. This addresses key questions such as:

  • What level of customer service does the service level agreement guarantee?
  • What does the service provider need to do to deliver this level of service?
  • What does the service provider need to do to withstand an online denial-of-service attack?
  • What if the service provider experiences a malware attack on its systems?
  • Does the service provider have the information security controls in place to deal with these cyber attacks and maintain its services?

ISO/IEC 20000 features several processes to maintain service availability while tackling problems such as cyber attacks and system failures. These processes include service continuity and availability monitoring and testing, incident handling and problem management, capacity management and information security management.

In the case of information security, ISO/IEC 20000 is linked with the information security management system standard ISO/IEC 27001, which provides a full range of solutions to assist service providers with protecting their systems.

One of the important aspects of system protection is to understand the risks the service provider faces. As a risk-based process, ISO/IEC 27001 requires the service provider to undertake a risk assessment to help it decide what information security controls should be implemented to ensure service availability and continuity.

ISO/IEC 27005 provides guidance on risk management for service providers that implement ISO/IEC 27001.

Given the importance of information security to the provision of ICT services, ISO/IEC 27013 is being developed to consider the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000.

The “other” business options

Additional standards in the ISO/IEC 27000 series provide guidance and service- and application-specific controls to support service providers. For example, ISO/IEC 27031 applies to any organization developing its ICT readiness to deal with incidents or threats, thereby ensuring business continuity.

ISO/IEC 27035 provides organizations with guidance on information security incident management. This standard describes a basic set of documents, processes and routines. It also gives guidance to external organizations supplying information security incident management services.

ISO/IEC 24762 gives guidelines on the provision of ICT disaster recovery (ICT DR) services as part of business continuity management. This applies to both in-house and outsourced ICT DR service providers of physical facilities and services.

In cloud computing, ISO/IEC JTC 1/SC 27, IT Security techniques, is developing two new standards: ISO/IEC 27017 covers cloud-specific information security controls; and ISO/IEC 27018 considers controls for personal data. Both of these standards are being designed and developed to work alongside ISO/IEC 27001.

This article was originally published in ISO Focus by Edward Humphreys.

Make Your Organization’s Security Program Relevant in 2012

By: Chris Hinkley, from SecurityWeek.com

Today more than ever, organizations are examining existing security programs. Those that don’t have a formal security plan in place are thinking about, if not scrambling, to make one. Great security means first identifying your needs and then making a resolution to revamp or create your company’s plan for the New Year. Here are some tips to help lay the groundwork.

  • Assess your technology. While technology should be a major (but not the only) focus of your security program, chances are your software might not be totally up to date, or in some cases even relevant to your company anymore depending on how the business has grown. Revamping or creating a security program is a great time to look at all of the technology you have in place, from servers to software, and see what needs an upgrade, a patch, or a replacement. A small missed patch can mean a large breach. And a solution you passed on a year ago may have a better feature set and fit better with your organization now than what you currently have in place. If you’re working with regulatory compliance mandates, there are likely new protocols that you need to follow and become current on, because compliance standards and regulations change quite frequently, sometimes too quickly for us to keep up with. Remember though that compliance follows security and not the other way around. Don’t mistake following a compliance mandate for sufficient security.
  • Define Your Company’s Security DNA. There is no one-size-fits-all approach to security. Every organization has different structures, both physically and logically. This translates to unique risks and vulnerabilities. Don’t overlook the physical facilities such as the office building and backup facilities. No matter what size of business you have, if you’re dealing with sensitive and critical customer data, then the easiest way for a thief to access that data is to walk into your building and take it. Do you have a security system? Do you need security cameras or new lighting around the building? Is your business big enough that it makes sense to move into a building with a security guard, or hire a few of your own?

    Next is your hardware.

    Few employees sit at their office desk 9-5, Monday through Friday. How is information protected on laptops that go to work in coffee shops, home offices, airports, and trade shows? This measure mostly involves training for the people who carry the devices. There are policies you should develop and enforce on those devices and with your personnel as an added layer of protection. You can also invest in specific software (back to my earlier point) that will lock up mobile devices and programs automatically on a scheduled basis when they’re not in use.

    Also, be logical about who in the organization has access to certain physical areas and information. Not everyone should be allowed in the server room. Not everyone, even certain management, should have access to back-end systems, financial software, and any other data where a leak would be devastating. Make sure you have checks and balances in place so the risk of fraud is minimized and the possibility of any kind of internal threat is reduced. Be sure to establish a policy that, when employees quit or are let go, their administrative rights are revoked immediately – before they can take data with them.

  • Make Security Part of the Culture. Just like anything else in leadership, it has to come from the top down to work. Start by getting the whole C-suite engaged with the program. Impress upon them that widespread adoption throughout the company is critical to keeping the company safe from both internal and external threats. If you sense that the leadership is just nodding their heads but doesn’t understand the level of importance, share with them use cases of other companies that have experienced attacks in the last year and the consequences that were suffered because of these actions. Without management and executive approval, you are essentially dead in the water. Share the plan with the entire company. Adding a budget for company-wide training into your plan is the best-case scenario. Corporate training and engagement can greatly boost the likelihood that employees will learn and retain what they need to know to do their part. It also sends a message about the importance of the security plan.

    If formal training isn’t an option, then create content that will explain the program in a simple way, using relatable scenarios that make sense to everyone from IT to marketing. Training doesn’t have to happen in a formal setting; sometimes training is even more effective through informal avenues. Think of a company screensaver that is constantly cycling through updates, announcements, and security news. Intranet landing pages and Yammer posts (if you use a social system like this internally) are also a good place to disseminate information.

    Finally, don’t make security education a one-time thing. Your organization’s employees can either be the biggest vulnerability or the biggest security asset. They won’t know what a suspicious email that contains a virus looks like unless you teach them. Continual participation and education on how to create a safe, secure business is ultimately what will make it a success. Send out quarterly reminders, put posters up in the break room, whatever you have to do to make it visible. Above all else, make sure the IT team and entire leadership of the company lead by example.

Philippine firms view compliance as complicated maze

MANILA–While the global market, thanks to the Internet, has undoubtedly been a boon to the Philippine outsourcing industry, ensuring compliance with various regulations is proving to be a headache for local companies in the borderless business era.

With reports of security breaches and data leaks making headlines around the world, the Philippines is in the midst of implementing a host of measures that can benefit, or constrict, local businesses.

Recently, in the Senate deliberations for the proposed Data Privacy Act, a top-ranking senator cautioned the chamber against enacting an excessively strict law that could hamper the ease of access that companies need to operate efficiently.

IT companies, such as software maker ECCI Group, also have to consider the data privacy policies in the markets they target. “Each country has a different Data Protection Act that we need to be in compliance to,” said Chenthil Kumar, sales director of the ECCI. “The other thing that needs to be considered is how we are protecting critical customer transactions.”

Local companies have acknowledged that compliance is a necessary task, but also agree that applying numerous regulations remains an enormous challenge to most.

Source: ZDNet Asia.

Security Techniques

ISO/IEC 27001 is the formal set of specifications against which organizations may seek independent certification of their Information Security Management System (ISMS).

ISO/IEC 27001 specifies requirements for the establishment, implementation, monitoring and review, maintenance, and improvement of a management system – an overall management and control framework – for managing an organization’s information security risks. It does not mandate specific information security controls but stops at the level of the management system.

The standard covers all types of organizations (e.g. commercial enterprises, government agencies, and nonprofit organizations) and all sizes from micro-businesses to huge multinationals. This is clearly a very wide brief.

Bringing information security under management control is a prerequisite for sustainable, directed, and continuous improvement. An ISO/IEC 27001 ISMS therefore incorporates several Plan-Do-Check-Act (PDCA) cycles: for example, information security controls are not merely specified and implemented as a one-off activity but are continually reviewed and adjusted to take account of changes in the security threats, vulnerabilities, and impacts of information security failures, using review and improvement activities specified within the management system.

According to ISO/IEC JTC 1/SC 27, the ISO/IEC committee responsible for ISO/IEC 27000 and related standards, ISO/IEC 27001 “is intended for different types of use.”

The information security controls from ISO/IEC 27002 are listed in an annex to ISO/IEC 27001, rather like a menu. Organizations adopting ISO/IEC 27001 are free to choose whichever specific information security controls are applicable to their particular information security situations, drawing on those listed in the menu and potentially supplementing them with other à la carte options (sometimes known as extended control sets). As with ISO/IEC 27002, the key to selecting applicable controls is to undertake a comprehensive assessment of the organization’s information security risks, which is one vital part of the ISMS.

HISTORY OF ISO/IEC 27001

ISO/IEC 27001 was born as BS 7799 Part 2 in 1999. It was revised by the British Standards Institute (BSI) in 2002, explicitly incorporating Deming’s Plan-Do-Check-Act cycle, and was adopted by ISO/IEC in 2005.

Since ISO/IEC 27001 is an active certification standard, major/structural changes are likely to be difficult and even minor changes will have to be justified in order to retain “backwards compatibility” with the existing standard wherever possible. Nevertheless, there is pressure to realign 27001 with 27000, 27002, 27003, and 27005, reducing duplication and potential conflict, and to realign with other ISO management systems standards such as ISO 9000 and ISO 14000. Hopefully, confusion around the meaning and purpose of “Statement of Applicability,” “ISMS Policy,” and “Information Security Policy” will be resolved.