Thursday, January 21, 2010

ISO27k application security standard

An ISO/IEC 27000-series multi-part standard on application security is 'in the works'.

I'm currently reviewing the second Committee Draft of ISO/IEC 27034-1 "Information technology — Security techniques — Application Security — Part 1: Overview and concepts" which lays out the basic concepts and principles for other parts of 27034 to elaborate upon.

Despite this overview part being around 78 pages in length, Part 1 states explicitly that 27034 is not a software application development standard, an application project management standard, nor a software development lifecycle standard. Its purpose is to provide general guidance that will be supported, in turn, by more detailed methods and standards in those areas.

The standard explicitly takes a process approach to specifying, designing, developing, testing, implementing and maintaining security functions and controls in application systems. For instance it defines application security not as the state of security of an application system but as "a process an organization can perform for applying controls and measurements to its applications in order to manage the risk of using them".

The draft standard draws on concepts such as auditing and certification of application systems, similar in style to the Common Criteria and similar schemes primarily used for government and military systems. It tends to emphasize deliberate threats arising from external adversaries over those from insiders and, perhaps more importantly in many situations, accidental threats, and hence the need for integrity and availability controls.

The standard is not projected to be released until 2012 - such is the glacially slow pace of ISO/IEC. The upside, though, is that the final product will - we hope - be well worth the wait.


Wednesday, August 20, 2008

Help for ISO27k implementers


Over at ISO27001security dotcom I've just posted:
- a 2.2Mb ZIP file containing the full contents of the free ISO27k Toolkit; and
- a printable PDF version of the ISO27k FAQ.

Although they are already useful and generating good feedback, these are both works-in-progress. Further contributions to the toolkit and FAQ are always welcome. If you have implemented the ISO27k standards, are there policies, procedures etc. that you would be willing to donate to the cause? If you wish, I can help you format them to suit the purpose, for example removing any proprietary content to make them generic and adding a Creative Commons license. In return, you will be openly acknowledged as the contributing author in the material and on the website. Clearly, it is vital that you either personally own the materials you submit or have the copyright owner's express permission since they will end up in a public forum.

Visit the website or contact me (Gary@isect.com) for more info.


Thursday, January 24, 2008

New IT security standards for US electricity industry

FERC, the Federal Energy Regulatory Commission, has approved eight new mandatory critical infrastructure protection (CIP) reliability standards developed by NERC, the North American Electric Reliability Corporation, covering:
- Critical cyber asset identification (NERC standard CIP-002) - essentially inventory and risk assessment of critical information assets;
- Security management controls (CIP-003) - security policy and management structure, exceptions process etc.;
- Personnel and training (CIP-004) - personnel risk assessment, training and, of course, security awareness;
- Electronic security perimeters (CIP-005) - a 'crunchy outer shell' for networks;
- Physical security of critical cyber assets (CIP-006) - physical perimeter controls, card locks, processes, visitor logs etc.;
- Systems security management (CIP-007) - security testing and patching, controlled network services, antivirus, security monitoring and various other IT security controls including, I note, minimum 6 alphanumeric+punctuation character passwords with a lifetime of up to one year (!);
- Incident reporting and response planning (CIP-008) - an annually-reviewed incident response plan; and
- Recovery plans for critical cyber assets (CIP-009) - DR plans with at least annual exercises.

For completeness, CIP-001 covers sabotage reporting, the critical infrastructure equivalent of SB-1386 and similar requirements to report unauthorized credit card or personal data disclosures.

FERC's IT security standards are stronger than mere recommendations and will probably become fully mandatory when get-out clauses relating to business judgement are removed. In-scope companies should all have started work on this by now and have to be fully compliant by mid-2008 or mid-2009 depending on the type of company and the specific standards.

FERC did not go as far as to mandate NIST's SP800-series security standards, however, excellent though they are, nor indeed international standards such as ISO/IEC 27002. The stated reason was not to delay implementation. While I applaud their haste to beef up infrastructure security, it's a shame to ignore the large existing body of work on information security from the likes of NIST, ANSI, BSI, ISO, IEC and others. Arguably there is a need for specific security standards covering SCADA (Supervisory Control And Data Acquisition) systems, but the electricity industry is not pure SCADA by a long shot: there are conventional systems, many running Microsoft Windows and various UNIX/Linux variants, and TCP/IP networks all over the place, and security architecture, operations and management issues are basically the same as for any other industry. [I guess adopting existing standards would put a posse of electricity industry security consultants out of jobs but IMHO they are better deployed implementing security standards than creating new ones.]

Looking over the list of bullets above, it is not hard to align FERC's advice with ISO/IEC 27002 ... whereupon gaps such as compliance stand out. FERC evidently intends to assess or audit the utilities' security against the standards but there's more to compliance than formal assessments/audits. Electricity companies should have suitable governance structures and processes in place to ensure compliance with their internal security requirements (policies, standards, guidelines and procedures) and with legal obligations unrelated to FERC (e.g. software license compliance plus other intellectual property issues, SOX and protection of Personally Identifiable Information) along with compliance by their suppliers and business partners. There are solid commercial drivers for information security in the electricity industry, quite separate from the critical infrastructure protection angle. Surely FERC could leverage this to their advantage?

The standard on DR is also notable for the absence of any advice on contingency planning and business continuity. I would have thought that 'keeping the lights on' is absolutely the number 1 top priority for the electricity industry, and therefore that resilience is more important than recovery. Perhaps this is so ingrained that it is taken as read, but I'm surprised by the omission.

By the way, I also couldn't help but notice that "Facilities regulated by the U.S. Nuclear Regulatory Commission or the Canadian Nuclear Safety Commission" are explicitly excluded from the scope of the standards. I trust the nukes have their own, strong, rigorous, comprehensive cyber security standards ... they do, don't they?


Sunday, December 30, 2007

Top information security risks for 2008

We have completed and published our collaborative white paper listing the top information security threats, vulnerabilities and impacts, along with some risk scenarios and controls, as we head towards the new year.

My sincere thanks are due to all who participated in the project, contributing directly to the shared document on Google Docs or commenting on it through the fora. I suspect there are still several points of disagreement but I hope we are all reasonably happy with the end result. I have certainly enjoyed the process and value the discussion.


Wednesday, October 31, 2007

A virtuous circle for information security management

A blog describing Intel's 'defense in depth' approach to information security has a neat description of the 4 main phases:
(1) Prediction (essentially risk assessment);
(2) Prevention i.e. classic preventive security controls;
(3) Detection and monitoring for threats that evade, disable or bypass preventive controls; and
(4) Response and recovery - corrective controls, a last resort.

Add a pinch of continuous improvement to learn from every event, and there you have it. Sure beats ISO/IEC 27001's somewhat simplistic plan-do-check-act model!

[By the way, Intel, the 'defense in depth' concept also applies within any of those phases e.g. using multiple information sources to broaden and deepen the analysis of security vulnerabilities in phase 1, or combining real-time alerting with near-time log analysis in phase 3.]


Wednesday, October 17, 2007

New ISF standard released!

The Information Security Forum's Standard of Good Practice for Information Security has been updated and re-released just a few days ago. I have long admired the ISF standard for two key reasons:

1. It is well written, clearly laid out and eminently usable. As a user, I really like pragmatic standards!

2. It is free. If the ISO/IEC 27000 standards were free, I'm sure they would be even more popular and widely used than they are and the world would be a safer place. For organizations or individuals who are unwilling or unable to afford ISO27k, the ISF standard makes a good second choice ... along with the NIST SP 800 standards and a raft of others.

The 2007 version is a weighty 372 pages but is fluff-free. Each of the controls is simply and directly stated with very little in the way of explanation, context, justification or implementation guidance. That's great for those of us with sufficient experience to fill in the gaps for ourselves but could be a bit ambitious for those new to information security management.

I'm sure I'll be referring to the standard in our security awareness materials, though not as much as ISO27k.


Thursday, October 04, 2007

Information Asset Protection guideline

ASIS International has released a guideline on protecting information assets.

"This guideline is organized into three primary sections. The first section offers a general framework and some guiding principles for developing an effective Information Assets Protection (IAP) policy within any organizational setting. The second section proposes recommended practices that may be applied in the implementation of a high-quality IAP program. The third section consists of two appendices that provide useful tools for any size organization. Appendix A consists of a Sample Policy on IAP. Appendix B is a Quick Reference Guide, a sample flow chart for assessing information protection needs that can be modified and customized to meet an organization’s needs."


The guideline recommends categorizing, classifying and valuing (or rather "valuating"!) the organization's information such as
● Proprietary information - customer lists, marketing plans, pricing strategies, test results etc.
● Trade secrets
● Patent information
● Copyright information
● Physical products - prototypes, models, molds, dyes and manufacturing equipment etc.
● Trademarks and service marks
● Privacy information - personal data, evaluations, credit info etc.
● Regulated information - health information, financial data, government classified etc.

It recommends technical/logical, procedural/manual and physical security controls, although technical controls such as firewalls are merely noted and not explained. Information security awareness and training however merits a specific mention in section 12.7:

"Almost invariably, security awareness and training is one of the most cost effective measures that can be employed to protect corporate and organizational information assets. This is largely due to the fact that protecting information, generally more so than any other asset, is best achieved through routine business practices that permeate every element of an organization. Therefore, where each individual entrusted with sensitive information takes prudent measures and personal responsibility for protecting those assets, a robust security environment should occur naturally."


The sample organizational policy on information asset protection in Appendix A is a decent model for a high level/overarching information security policy such as that recommended by ISO/IEC 27002 section 5.


Tuesday, September 18, 2007

ISMS documentation checklist

If you are planning or just starting out on your ISO/IEC 27002 implementation project, this may be just what you need. The ISMS Documentation Checklist is simply a list of the documents typically required by and/or created by an Information Security Management System. Your project plans should include researching, drafting, reviewing, approving, publishing and promoting your own suite of ISMS documents, so it helps to know what is typically expected.

The list was created by a team of ISMS users on the ISO27k implementers' forum, a mailing list run at ISO27001security.com

Phase 2 of this collaborative project involves collecting and publishing examples of each of the documents in the checklist. If you would like to get involved in the project, please contact me (Gary@isect.com) to join the fun. We anticipate publishing example documents gradually between now and the end of the year.


Thursday, August 16, 2007

Prehistoric ISO27k

I have been researching the origins of ISO27k, particularly the bit before it was launched as BS7799 in 1995, to complete the 'definitive history' on ISO27001security.com.

I dimly recall using an A5/booklet version of the Code of Practice for Information Security released by BSI DISC as PD003 in 1993, and an accompanying informational booklet PD005. I have also heard about but can't quite remember a "Users code of practice for security" released by the UK's National Computing Center (NCC) in the late 80s/early 90s, which I believe was largely derived from a Royal Dutch/Shell information security policy manual.

Does anyone reading this have copies of PD003, PD005, the NCC document or Shell's original policy manual, please, or other relevant information from that pre-1995 period? If so, please contact me (gary@isect.com). I'd really appreciate your help to set the record straight.


Thursday, July 12, 2007

Metrics to improve infosec and risk management

A thoughtful and well-written paper by David Lacey is strong on linking infosec/risk management metrics to organizational objectives, and on using them to improve security practices. David references a paper from the 1930s stating that for every significant safety incident there are around 20 minor incidents and 300 near-misses - an interesting analogy that reminds me of the "days since a lost time accident" boards outside many British factories in the latter half of the 20th Century. I can just imagine a "Days since a major security incident" counter on the corporate intranet, with a click-through to supporting details on the nature of the last incident and a count of minor incidents, or perhaps even a "security events seismograph" showing the incidence and gravity of incidents. Implicit in this kind of approach, of course, is that someone needs to know about all the incidents and ideally the near misses, meaning that internal reporting must be mandatory. The same principle applies in the public context, hence the reason that many US states already mandate disclosure of privacy incidents, and the UK's Information Commissioner is considering a similar approach.

A few of the infosec metrics suggested in David's paper could be accused of falling into the trap of being easy to count or measure but providing limited value to management, whereas most are more worthwhile. I'm constantly on the lookout for 'elegant' metrics - things that are not too difficult to count, measure or calculate and that have been shown to indicate genuinely useful facets of the efficiency or effectiveness of the organization's information security management system. One of my favourites is the proportion of all system changes processed by IT as emergency changes: this has been shown to correlate closely with the department's process maturity and, I believe, closely reflects the stability and security of the systems.

I like David's suggestions to track compliance exceptions for various categories of control. That ties in neatly with the concept of accountability, namely that anyone who requests a policy exception has to accept personal accountability for the associated risks, quite a burden for any manager. Measuring and reporting exceptions thus provides a mechanism to remind those people carrying the burdens until the exceptions are cleared (either by upgrading the controls or, potentially at least, downgrading the policy requirements) or until incidents occur and they are 'called to account' (aka walked off site).

[For those who don't recognize the name, David Lacey is a visionary, one of the founding fathers of BS 7799 (now the ISO/IEC 27000 family). The first version of 7799 was largely based on the internal security policy manual generously contributed by David's employer at that time - the Royal Dutch/Shell Group.]


Wednesday, May 23, 2007

ISO/IEC 27002 - lukewarm news

I have it on good authority from a representative at the ISO JTC1/SC27 meeting in Moscow earlier this month that the renaming of ISO 17799 to 27002 has been delayed until later this year, probably Q3 or Q4 2007. Although there are no changes to the content of the standard, ISO has to complete its formal process of explaining the name change to all the national standards bodies and gaining their acceptance. Oh, the joys of international standardization!

On a more positive note, progress is being made on the other ISO 2700* standards currently in the works. I will update the ISO27001security website accordingly when I have had a chance to get my head around the notes - early June probably. Head's too full right now.


Using ISO27002 to integrate security into systems

An excellent article by Ismael Valenzuela in the latest issue 11 of [IN]SECURE eZine explains how information security can and indeed should be integrated with the systems development lifecycle (SDLC), using ISO/IEC 27002:2007 (currently known as ISO/IEC 17799:2005). There is a useful table linking specific clauses in the ISO standard to SDLC phases starting from the risk assessment stage, prior to drawing up security requirements, and continuing right through development, testing and operations to eventual retirement of the system at the end of its life.

The NoticeBored security awareness module on this topic a year ago took the same basic idea one step further. The concept was simple: we provided a 'sales brochure' to help the Information Security Department sell their services to software development project managers and hence to the development teams. The brochure is a folder containing two sheaves of glossy leaflets, one set explaining the kinds of security-SDLC process integration issues covered by Ismael, the other outlining the range of information security controls that are typically required for most IT systems. Contact me (Gary@isect.com) if you'd like more information on the module, but that's not a bad brief to write your own!


Wednesday, May 09, 2007

ISM3: Making ISMS (ISO 27001) Measurable, Manageable and Improvable

A 3-day training course " ISM3: Making ISMS (ISO 27001) Measurable, Manageable and Improvable" in Dubai next month has been announced by the ISM3 Consortium. The course emphasizes how ISM3's approach helps ISMS implementations through a strong focus on security processes and metrics, supplementing the best practice guidance in standards such as ISO 27001 and ISO 20000 (ITIL). Course leader Anup Narayanan has just over 7 years experience in the field but has contributed to the development of ISM3 and so has reasonable credentials.

Although I don't personally agree with everything in ISM3, the Consortium is to be congratulated for making a determined and consistent effort to improve information security practices and advance the profession. I believe this initiative would benefit from wider involvement by the international infosec community and encourage you to visit their website or sign-up to their discussion forum (email ism3-subscribe@yahoogroups.com).

By the way, the ISO27001security forum which we initiated last July has just welcomed its 500th member and is turning into an excellent source of well-informed pragmatic advice and support for ISO 27000-series ISMS implementers.


Wednesday, April 25, 2007

Labour pains for ISO 27002

Like expectant parents, we are anxiously awaiting news of the renaming of ISO/IEC 17799:2005 to ISO/IEC 27002:2007. We are keeping our beady eye (just the one, you understand) on the ISO and BSI websites and all the usual press release outlets. Idly searching Google to distract us from the noise of the labour, we chanced across a Forrester Research report from 2005 that spells out the pros and cons of ISO 17799. Author Michael Rasmussen neatly summarized the benefits of applying accepted good practices in information security management, and the drawbacks of expecting too much from a framework. The ISO standards are necessarily generic guidance, meaning that the nitty-gritty details of the risks of concern to, and the controls required by, any specific organization are left to management and expert advisors. The argument that ISO 17799 is "not specific enough" is widely made but misunderstands the value and purpose of such international best practice management systems standards.

Anyway, we will soon be taking up knitting or smoking or something. The tension is killing us.


Tuesday, April 17, 2007

ISO 27001/2 implementation process

Today I've published a generic flowchart showing a typical process for implementing ISO 27002 (formerly ISO 17799 and before that BS7799 Part 1) and gaining certification against ISO 27001 (formerly BS 7799 Part 2), within the FAQ at ISO27001security.com. The website is purely an information source - no advertising, nothing to sell - but judging by the number of hits we are getting, this is definitely a hot area. Anyone reading this who is actively using the ISO 27000-series standards is invited to join their peers in the free ISO 27000 implementers' discussion forum - a self-help community for information security practitioners. I've uploaded the Visio version of the flowchart to the forum's files area as a benefit for members: further contributions are very welcome.

More links on information security standards and laws


Wednesday, January 10, 2007

Infosec laws, standards & regs cross-referenced

The IT Compliance Institute (ITCi) has produced a useful cross-reference matrix showing the points of contact/overlap between a whole bunch of US/international laws, standards and regulations relating to information security (free access requires registration on the ITCi site - there are other useful resources too so it's probably worth doing). Some of the main ones are: ISO 17799 and 27001, COBIT4, COSO ERM, NIST SP 800-14/26/53, FISMA, Mastercard SDP, HIPAA, various FFIEC, SAS 94, PCAOB and SOX. They are listed along one axis with control objectives on the other axis and the page or section references in the body note the coverage.

So, here are three ways you might use the matrix:

- ISMS coverage by control objective: check down the list to confirm that your ISMS covers most of the control objectives, and if there are any you do not recognize or you know are weak, look across the rows to find references from the standards that will explain the requirements;

- ISMS coverage by laws/standards/regs: highlight the vertical columns for all those laws/stds/regs with which your organization has to comply, then highlight the horizontal rows where there are any entries in a marked column. Rows with multiple entries are common controls so you probably already have them, but implementation should integrate the multiple requirements. Be careful about the rows with single entries: do you have them all covered in your ISMS? If not, there's a noncompliance risk to consider.

- Linking standards to laws & regs: management are strangely concerned about compliance to laws and regs if not standards, presumably because they fear the personal accountability and business impact of non-compliance. The cross-reference matrix can help the information security manager who is promoting best practice ISMS standards by identifying the legal and regulatory requirements that coincide with best practice controls.
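The three uses of the matrix above are easy to mechanize once the matrix is in a machine-readable form. The following is an added example, not something from the ITCi or this blog: it builds a small constructed matrix (control objective rows against law/standard columns, with illustrative clause references that you should check against the real matrix rather than trust) and implements each of the three lookups. Every name in it is hypothetical.

```python
"""Three ways to query a control-objective x law/standard cross-reference matrix.

Constructed example data; the clause references are illustrative only and
are NOT taken from the ITCi matrix or any other published source.
"""
from typing import Dict, List, Set, Tuple

# Row = control objective, column = law/standard/reg, cell = clause reference.
# Hypothetical matrix built for this example.
MATRIX: Dict[str, Dict[str, str]] = {
    "Access control policy": {"ISO 17799": "11.1", "NIST SP 800-53": "AC-1",
                              "HIPAA": "164.312(a)", "SOX": "ITGC"},
    "Audit logging": {"ISO 17799": "10.10", "NIST SP 800-53": "AU-2",
                      "HIPAA": "164.312(b)"},
    "Cardholder data encryption": {"Mastercard SDP": "3.4"},
    "Incident response plan": {"ISO 17799": "13.2", "NIST SP 800-53": "IR-8",
                               "FISMA": "3544"},
    "Records retention": {"SOX": "802"},
    "Financial reporting controls": {"SOX": "404", "PCAOB": "AS2"},
}


def coverage_by_objective(matrix: Dict[str, Dict[str, str]],
                          isms_objectives: Set[str]) -> Dict[str, Dict[str, str]]:
    """Way 1: objectives the ISMS does not yet cover, each with the references
    (looking across its row) that explain what is expected."""
    return {obj: refs for obj, refs in matrix.items() if obj not in isms_objectives}


def required_rows(matrix: Dict[str, Dict[str, str]],
                  applicable: Set[str]) -> Tuple[Dict[str, Dict[str, str]],
                                                 Dict[str, Dict[str, str]]]:
    """Way 2: mark the columns that apply to you, then split the rows that have
    any entry in a marked column into 'common' (several applicable sources,
    integrate the requirements) and 'single' (one source, easy to overlook)."""
    common: Dict[str, Dict[str, str]] = {}
    single: Dict[str, Dict[str, str]] = {}
    for obj, refs in matrix.items():
        hits = {fw: ref for fw, ref in refs.items() if fw in applicable}
        if not hits:
            continue
        (common if len(hits) > 1 else single)[obj] = hits
    return common, single


def single_source_gaps(matrix: Dict[str, Dict[str, str]], applicable: Set[str],
                       isms_objectives: Set[str]) -> List[str]:
    """The noncompliance risk from way 2: single-entry rows that the ISMS does
    not cover, sorted for stable reporting."""
    _, single = required_rows(matrix, applicable)
    return sorted(obj for obj in single if obj not in isms_objectives)


def legal_backing(matrix: Dict[str, Dict[str, str]], standard: str,
                  laws: Set[str]) -> Dict[str, List[str]]:
    """Way 3: for each control the best-practice `standard` requires, the
    laws/regs that coincide with it, to show management why it matters."""
    out: Dict[str, List[str]] = {}
    for obj, refs in matrix.items():
        if standard in refs:
            backing = sorted(fw for fw in refs if fw in laws)
            if backing:
                out[obj] = backing
    return out


if __name__ == "__main__":
    isms = {"Access control policy", "Audit logging", "Incident response plan"}
    ours = {"SOX", "HIPAA"}
    print("Uncovered objectives:", sorted(coverage_by_objective(MATRIX, isms)))
    common, single = required_rows(MATRIX, ours)
    print("Common controls:", sorted(common), "Single-source:", sorted(single))
    print("Single-source gaps:", single_source_gaps(MATRIX, ours, isms))
    print("Legal backing for ISO 17799:",
          legal_backing(MATRIX, "ISO 17799", {"HIPAA", "SOX", "FISMA"}))
```

Swap `MATRIX` for a dictionary loaded from your own spreadsheet export and the same three functions give you the gap list, the integration candidates and the "why management should care" argument without any highlighter pens.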

A lot of work must have gone into compiling the matrix. Make the most of it.

There's further information on ISMS best practices at our ISO 27001 Security website.

A webinar explains the ITCi's Unified Compliance Project which is making excellent plans to simplify, harmonize and perhaps even unify the IT compliance problem across laws, standards and regs.

More information security links here


Thursday, January 04, 2007

Outsourcing in India

We all know about the off-shore call-centers in places like India and Indonesia, but there's more to outsourcing than call-centre operations. A fascinating article in Bank Technology News paints a beautifully clear picture of IT outsourcing in India, particularly the islands of investment awash in a sea of poverty.

It's easy for us Westerners to overlook the cultural differences and make false assumptions about India, especially if we have never visited that part of the world. Outsourcing may be a massive earner for India and is still growing strongly but the local infrastructure is creaking under enormous strain. The caste system survives, meaning inherent inequalities. India has over a billion citizens, half of them under 25, and an average wage of just US$3,300 per year. Whereas two thirds of the population survives on less than a dollar a day, highly-trained IT specialists earn well and are in short supply. High IT staff turnover creates its own security issues.

The article specifically calls out the information security and privacy concerns in India. "... background checks of personnel remains a nagging concern. No central criminal databases exist and credit agencies remain relatively new, so any background checks must be done in person, which is often invasive. "Sometimes they'll just ride around the [potential employee's] neighborhood and talk to the constable," says Crosby. "None of this stuff is documented."

"... the Indian Information Technology Act of 2002 makes cyber crimes a federal offense, enforceable by India's Central Bureau of Investigation. The CBI established the Cyber Crime Investigation Cell in March 2002 to patrol such crimes, including a crime lab to train investigators. Parliament is now debating an amendment to the act, already approved by the Cabinet, that would make fines and jail time more stringent for those convicted of IT privacy crimes."

Indian data centers are reasonably secure according to those who have inspected the facilities. "... most outsourcers are compliant and certified for BS779 and ISO17799 controls, the two U.S. best-practice controls for information security, which have now become internationally recognized." [Some artistic license there by the journalist: British Standard BS 7799 became ISO standard ISO/IEC 17799, and neither of them is American!]

More privacy and information security management links


Tuesday, November 28, 2006

Data protection in Japan

In Japan, "More than 71 percent of people worry their personal information will be leaked as a result of inadequate security measures, according to a recent government survey." The article summarizes an opinion survey regarding awareness of and support for Japan's data protection laws introduced last year. Judging by the large number of Japanese companies already certified against ISO 27001, Japan is taking information security very seriously but the Japanese populace is not yet comfortable.
More links on ISO 27001 and data protection


Tuesday, October 24, 2006

Party party! We've passed the 3,000 mark!

I almost missed it! Earlier this month, I noted that over 2,800 organizations had been certified compliant with ISO 27001 or the equivalent national standards. Well, the number has just crept over the 3,000 mark and seems to be increasing exponentially (I really ought to graph it at some point). It's no secret that I've been an ardent fan of BS 7799 and the standards it has spawned for well over a decade, since before it even became a British Standard. I've been predicting for years that it would take off, rather like the ISO 9000 series quality assurance standards did. Well, we're still on the up-curve but all the signs are positive. I reckon, before too long, we'll start to see organizations compelling their first tier suppliers to confirm their ISO 27001 certifications as a condition of bidding for information security-relevant products and services ... and they in turn will confront the second tier ... and soon it will be a basic condition of entry into certain markets. "The military" and government departments will probably lead the way, closely followed by financial and information services companies.
More on the ISO 27000-series standards here


Wednesday, October 18, 2006

Open Information Security Risk Management Handbook

Clement Dupuis over at cccure.org put me on to a new infosec risk management handbook from an organization I haven't come across before - a Swiss organization called the Security Officers Management and Analysis Project. The handbook is described as "high level informations" containing 14 core pages on risk management, both in general and specifically in relation to information security - in fact, it probably has more to say on information security management than risk management. It aims to describe "how to plan, implement and manage an information security risk strategy and ISMS (Information Security Management System) activities." The language is rather naive in places but this could easily be due to its being translated into English, and the meaning comes through. For example: "A security officer never should be the owner of an asset. Even if this could look like a good idea, it is not. At the end the security officer would be responsible for all the assets which he obviously can not be." It is loosely structured around ISO 17799 / ISO 27001.
The accompanying Information Security Risk Assessment Guide is still in development with a 31-page draft already available. The guide looks as if it will focus on risk management in greater depth than the handbook. At the moment, it is little more than a collection of placeholders, ideas and notes to be explained/expanded later.
Both documents are released under the GNU Free Documentation License giving recipients the freedom to create and sell derivative works provided they reference the originator, retain section headings etc. SOMAP are actively inviting readers to get involved with and contribute to the project. If their appeal succeeds, the project has the potential to clear up an area of information security management that remains poorly served by other works. Although maybe a dozen information security risk management methods are in use worldwide, they seem to be the realm of specialists rather than general practice in the field.
More risk management resources

Wednesday, October 11, 2006

Litany of privacy breach incidents

In similar fashion to the chronology of privacy breaches maintained by the Privacy Rights Clearinghouse, a table of privacy breaches in 2006 tells several stories. For a start, it's already 19 pages long after three quarters of a year. Secondly, the breaches reflect a variety of security threats (e.g. accidental disclosure, hacks, Trojans, theft of equipment/media from offices/homes/cars or in transit), vulnerabilities (e.g. no encryption, inadequate logical or physical access controls, careless disposal of information) and impacts (e.g. public disclosure of the breaches, thefts, around 50 million victims' personal details compromised/exposed to fraud) at all sorts of organizations. Thirdly, virtually all of the incidents have had to be publicly disclosed under California State Bill 1386 (presumably a similar level of privacy incidents occurs elsewhere outside the remit of SB1386). Finally, the authors of the table have identified the ISO 27001 controls that appear to have been missing or inadequate in each case (sections 7 through 11 feature prominently).
More incident management and privacy links

Tuesday, September 05, 2006

Security awareness for outsource partners

A security manager outlines the security issues he is tackling during a tour of various offshore partners in parts of the world where intellectual property rights don't necessarily mean quite what they do at home. He describes doing an hour's security awareness presentation, starting with an explanation of intellectual property by analogy to the [secret] recipe for chocolate chip cookies. Fair enough, but I'm left with the impression that his well-meaning pep-talk will be forgotten as soon as he leaves the premises. Do they even eat chocolate chip cookies there, I wonder?
The article hints at the issues involved in generating security awareness amongst culturally diverse populations, something that we are constantly reminded of in our own security awareness products. On the trivial end of the scale, we sometimes let the odd English spelling or phrase slip into our US-biased writing and very occasionally someone feels compelled to tick us off about it (now that's a culturally charged phrase!). At the other extreme, we are struggling to make any headway whatsoever into the Middle and Far Eastern markets and I suspect the problem goes much deeper than the language of our materials. It is entirely possible that "security" means different things in different cultures, despite being generally accepted as a fundamental human/animal concept.
The Japanese lead the world in BS 7799-2/ISO 27001 certificates so information security is clearly important to them but I can't recall offhand a single sales inquiry from Japan. If anyone can tell me how the Japanese tackle security awareness, I'd love to know and to learn more.
Read our security awareness white paper and find more links on intellectual property protection

Wednesday, August 02, 2006

FFIEC infosec manual

Although it is evidently intended to be an exam manual or study guide, the Federal Financial Institutions Examination Council's IT Examination Handbook on Information Security could easily be mistaken for an information security manual. It bears more than a passing resemblance to ISO 17799, NIST, COBIT and SAS70 (amongst others), which are acknowledged as reference sources. There are "action summaries" containing key points from each section, such as this one for authentication: "Financial institutions should use effective authentication methods appropriate to the level of risk. Steps include: Selecting authentication mechanisms based on the risk associated with the particular application or services; Considering whether multi-factor authentication is appropriate for each application, taking into account that multifactor authentication is increasingly necessary for many forms of electronic banking and electronic payment activities; and Encrypting the transmission and storage of authenticators (e.g., passwords, personal identification numbers (PINs), digital certificates, and biometric templates)." A free 138-page infosec manual is not to be sneezed at.
More authentication and identity theft resources

Sunday, July 23, 2006

Books on ISO 27001 and 17799

Our ISO27001security website is going from strength to strength. Today we added a new page of information about books on ISO 27001 and ISO 17799 including two new booklets by Alan Calder giving overviews of the standards and the implementation process.
Alan kindly gave me the opportunity to review the drafts and I duly fired a stream of feedback comments at him, most of which I'm pleased to say were accepted - the end results are well worth 22 Euros each.
Join the new ISO27001 Security Implementors' discussion forum

Wednesday, July 05, 2006

ISO 17799:2005 information security policy manual

At last! We have finally completed and released our generic information security policy manual based on ISO 17799, the latest 2005 version (BS 7799, ISO 27001, ISO 27002). If you need security policies, either because you don't have any or your existing materials are showing their age, save yourself hundreds of hours of work by starting with our manual. Its 115 pages cover the full scope of '7799, with a complete set of 39 high level policy statements derived from the control objectives identified in the standard, supported by a comprehensive suite of more detailed policies incorporating best practice and common controls. Download an extract from the manual in PDF format from the IsecT website or contact us for the editable Word version. Find out more about the ISO standard at www.ISO27001security.com. The manual is realistically priced at NZ$800 (approximately US$500).

Tuesday, April 11, 2006

ISM-cubed, a new infosec management model

Information Security Management Maturity Model (ISM-cubed) is a new method that seeks to apply ISO 9000-style quality management processes to information security management. The method’s description paper naturally mentions ISO 17799, ISO 27001, COBIT, ITIL, CRAMM and other buzzwords. Unfortunately it does not explain how the method was developed (e.g. does it have an academic or pragmatic basis?).

The capability maturity model and metrics are particularly interesting aspects of the method. Standards such as ISO 17799 and COBIT are quite 'flat', with no obvious sequence in which organizations might implement the basics and then progressively improve their security. ISO 27001 does include the classic Deming PDCA continuous quality improvement model but falls short on metrics. ISO 21827 is a security maturity model, again with limited metrics. NIST SP 800-55 includes an enormous list of security metrics but little in the way of practical guidance on selecting or using them to mature an organization's information security management.

More information security management links

Sunday, March 05, 2006

BS 7799 / ISO 17799 / ISO 27002

Through ISO27001security.com we are helping to spread good information security practices and promote the use of the new ISO 27000-series information security management standards. We have finally published an update to the page describing the latest version of the information security management standard ISO 17799:2005 (which is due to become ISO 27002 next year). We have documented the history and outlined the content of the standard with a brief summary of the main sections and subsections.
Explore links to further web resources on the standards, regulations and laws applying to information security on the NoticeBored.com website.

Friday, May 27, 2005

ISO 27000-series security standards

ISO has earmarked the ISO 27000-series for the information security management standards including ISO 17799, BS 7799-2 and a new standard currently in preparation on security management metrics. This new website gives an overview and will gradually become a useful public resource for those implementing the ISO security standards.
More security standards links here

Thursday, May 05, 2005

ISO 17799 newsletter

The fifth newsletter from the ISMS (Information Security Management System) IUG (International User Group) contains two pages by Angelica Plate on the changes in ISO 17799:2005, due for publication in a month or two.
More security standards links

Sunday, April 24, 2005

ISO17799 FAQ

A public Wiki has been set up for people to contribute to an FAQ on ISO17799, BS7799-2 and so on. This is a collaborative community project, a good opportunity for information security professionals with '7799 experience to share best practice with our peers. It's early days yet, but that means there's plenty of scope for you to add questions and, most of all, add useful answers.
More links to information security standards, laws and regulations

Friday, April 22, 2005

ISO17799 case study

This is a fascinating case study expounding the business value of implementing ISO17799 (BS7799). The case reveals some surprising linkages between information security management and general business management, plus several indirect benefits that are seldom mentioned elsewhere.
More IT governance and information security management resources
