ISO 17799 Information Aggregator

About ISO27001 Benefits And Features

Posted: June 20th, 2010 | Author: | Filed under: Uncategorized | Tags: , , , , , , , , , , , , , | No Comments »

What is commonly known as ISO 27001 is an information security management system. This is an expansion of ISMS standard. Its full name is ISO 27001. It was introduced in 2005 by the International Organization for Standardization (ISO) in collaboration with the International Electro Technical Commission (IEC). There are various features and benefit available to organization by getting the ISO 27001. Organizations can apply for independent certifications of their ISMS. The standard covers all types of organizations (like commercial enterprises, government agencies and non-profit organizations) and all sizes from micro-businesses to huge multinationals.

ISO 27001 generally plays a very important role in monitoring, review, maintenance and improvement of an information security management system. It works like an overall management and control framework for managing an organization’s information security risks. There is no specific code or condition is available to stop the management function using this certificate. Bringing information security under management control is a necessity for sustainable, directed and continuous improvement of an information security management system. In doing so, it generates greater interest in and awareness of information security that seeks an independent certification of its ISMS. Every organization should try to get such kind of quality certificate, this help the organization to gain more profit in business as well as to get brand name in society.

It is released public on Oct 2005 but is based heavily upon the British Standard, bs7799-2. Bs7799 itself was also released in same year. This contains some set of rules and regulation followed by the organization. Around more than ten thousand institution applied and obtained this certificate.

ISO 27001 is not only an advanced version of BS7799-2 and also inherit other international standard also there are various certification released by government and well so international local bodies to make sure organization is running properly. Organization can apply for this kind of certificate and show their code of conduct to public. ISO 27001 is often considered to be the most important and more reliable in the society hence many organizations like to get the ISO 27001 certificate. The ISO 27000 is also partnered with the many ISO certificates like ISO 9001, ISO 14001, etc. ISO 27001 is applied by organization to show that they are very good in ethics and following all the rules and regulation properly put forward by their government.

The prime objective of this standard normally supports to establish, design, implement and manage an effective information management system which protects information of an organization from any risks. Decision adoption of this standard should be followed in every organization. The certificate also keen in valuing the people which were working in company as well as how company treating employee.

There are various sub standards also present in the ISO 27001. Each sub section denotes some specific quality and specification should be followed by the organization. There also a standard called plan to check, this help the organization to plan their quality and they can check whether they attained or not. ISO 27001 also help the organization to maintain ethic rules in as well as help the organization in business by getting new order. Organization also gain more profit by using this ISO 27001 certificate. The benefits of ISO 27001 are not only numerous but also diverse.

Design and manage an independent information management system. ISO 27001 can be used within any organization to design and formulate its specific set of security requirements and desired objectives. It can also help in seeing that the plans are implemented and the desired security objectives are met. This standard makes the implementation process of security management system more formal and rigorous apart from diminishing the risks considerably.

Minimize and manage security risk. ISO 27001 helps to make sure that unacceptable information security risks are avoided. It further helps in managing any risk in the most cost effective manner.

Win the confidence of business partner. Certification improves the organizations marketing potential by causing its business partners to be convinced of the stable state of the organization’s information security. It also relieves the business associates of the necessity of carrying out its own research on the organization’s information security management.

Organizations can use this standard to provide relevant information about information security policies, directives, standards and procedures to its trading partners as well as any other organization that they interact with for operational or commercial purposes.

Analyze existing information security management process. ISO 27001 helps in identifying, understanding and analyzing the status of the current information security management processes. It is utilized by internal as well as external auditors of organizations to explain the information security policies of the organization and also the directives and standards that it adopts and to what extent the organization complies with those policies, directives and standards.

Interpretability. If the partner organizations both follow ISO 27001 standardization, then they can achieve a comfortable level of interoperability even though they may belong to very different backgrounds because of the common set of standardization guidelines that they follow.

Quality assurance. Whether it is the organization or the business partners, there should be some quality in the information security system and hence of the organization in general since a clearly defined standardization process is applied.

Bench marking. An organization can use the ISO 27001to measure its status against that of its competitors. They can emphasize on their current rank and the developments that they make as opposed to their rivals.

General security awareness. The ISO 27001 is a formal set of specifications that establishes, manages and controls and implements a security management system and hence avoids any possible information security risks. In doing so, it generates greater interest in and awareness of information security that seeks an independent certification of its ISMS.

Alignment of staff. Implementation of this standard generally demands the involvement of both the business management staff and the technical staff. Hence, as a consequence, communication and information technology coordination is achieved easily in greater measure.

This is a good certification standard for a company to reach a new quality goal for raising the bar to the next level.

Retrieved from “http://www.articlesbase.com/information-technology-articles/about-iso27001-benefits-and-features-1172547.html”

Follow this link: About ISO27001 Benefits And Features

Top 10 Information Systems Security Controls in the Enterprise

Posted: June 20th, 2010 | Author: | Filed under: Uncategorized | Tags: , , , , , , , , , , , , | No Comments »

The modern Enterprise IT Infrastructure as we know it today has evolved over the years, from the huge computers in the mid 1940s, which could not even do what our small calculators can do today, to the years of mainframes. We now have high processor computers with lots of storage space and high speeds that are easily affordable. We have seen a shift of focus from centralized to decentralized, distributed, network computing within enterprises. All these developments have been great, as they have eased the way we do business, but also brought myriad of enterprise security issues.

In this article we look at the top 10 enterprise security controls that we could deploy to reduce on the effect of known enterprise infrastructure security issues.

1. Take a holistic approach to security

Successful enterprise security requires good planning and a holistic security strategy that considers everything in the organizations, from business processes to the people, on an ongoing basis. Many at times enterprises consider costly technical solutions, as a reaction to security breaches.

2. Develop an Enterprise security program / policy

Organizations need to develop security programs that outline the Roles, policy, procedures, standards and guidelines for the Enterprise security.

Roles: Outline who is responsible for what e.g. Chief Information security officer (ISO) could be s responsible for ensuring a good security posture for the organization.

Policies: These are general organization wide statements that set out the mandatory requirements to ensure a minimum security level. Examples include: Acceptable E-mail Use Policy, Internet use policy, Mobile devices use policy etc…

Standards: these are derived from policies, laying out specific steps or processes required to meet a certain requirement. For example a requirement that all email communication be encrypted.

3. Manage Risk – On a continuous basis

Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. This involves identifying the assets in the organization that you need to secure; these could include human resources, technology, trade secrets, patents, copyrights etc… Then identify all possible risks that could affect the availability, confidentiality and integrity of these assets. Management can then decide what to do with the identified risks; risks can either be mitigated or transferred to a third party like an insurance company.

4. Refine Business Processes: Adopt Industry best Practices

Beyond the need to manage Enterprise IT technology, is the need to establish and employ best practices and processes to optimize IT services. A number of internationally recognized frameworks have been developed already to describe effective ICT infrastructure management processes. Hence there is no need to re-invent the wheel.

Examples include:
COBIT - Control Objectives for Information and related Technology {1},
ITIL - The Information Technology Infrastructure Library {2}
and ISO 27001 {3}

5. Streamline physical / environmental security

Physical and environmental security is vital in protection of information assets and ICT Infrastructure in the Enterprise. Physical security should look at issue like, monitoring and detection e.g. security guards, alarms, CCTV. Access control and deterrent solutions e.g locks, fencing, lighting, mantraps, Biometrics etc. Environmental control and design, server room temperature, humidity, air conditioning, static electricity, fire suppression and detection, Power generation and backup, all these should be well streamlined.

6. Deploy content filtering / inspection solutions.

As content, (email, internet traffic etc…) moves in and out of the enterprise, there is need for it to be managed well to avoid any security breaches and attacks. Controls could include:

- Web filters to enforce organizational Internet usage policies through content filtering, application blocking, and best-of-breed spyware protection.

- Spam filters / Firewalls to protect your email server from spam, virus, spoofing, phishing and spyware attacks.

- Unified Threat management solutions(UTM): Several organization choose to deploy UTM solutions that offer industry leading functionalities within one package including Intrusion Prevention System; Antivirus with Antispam; Web Filtering; Antispam; Firewall; SSL – VPN; Traffic Shaping and many more.

7. Manage the inside of the Corporate Network

We have already seen that there are increased security breaches that come from within the enterprise; therefore it’s vital to manage the inside of the enterprise network very well. Some of the steps we could take include the following:

- Taking an inventory of all authorized and unauthorized software and devices on the network.
- Maintenance, Monitoring, and Analysis of Audit Logs
- Continuous Vulnerability Assessment, patch management and Remediation
- Limitation and Control of Network Ports, Protocols, and Services

8. Have an Identity and Rights Management System

Identity management is very vital and important to avoid user rights violation and excessive rights issue. Put in place procedures, guideline and a system for Identity management, which involves creation of users, change of user rights, removal of rights, resetting lost user password. This also calls for Controlled Use of Administrative Privileges. Is access in the Enterprise based on a need to know basis? For example should everyone in the organization have access to the payroll database?!

9. Put emphasis on Data Loss Prevention (DLP).

Data loss prevention puts into consideration the security of data, both in motion and static. With the advent of portable devices and memory sticks that have lots of storage space, it very easy for someone to copy lots of corporate data on a removable media in just a matter of seconds. I have heard of stories of disgruntled employees selling clients databases to the competition. Data loss prevention (DLP) encompasses the tools that prevent accidental data leakage, including device and port control, encryption (both hard-drive and removable media encryption).

Also how does your organization handle hard disks that have sensitive information and need disposing off? How about paper documents? I bet one could get lots of information by just dumpster diving into corporate trash bins (am told some investigative journalists use this method to “snoop”). There is no excuse for organization not to shred sensitive paper documents, given all the shredders available on the market; some can even shred plastic and CD media.

10. Don’t go it alone

Securing information assets is becoming more vital every day; unfortunately many organizations do not consider it important until a breach has actually happened.

You can imagine the direct cost of not being proactive as far as information security is concerned, which could include, the cost to recover data lost or altered during an incident, cost to notify customers of breaches, fines for non-compliance and indirect costs e.g., lost customers, lost productivity, time spent investigating/resolving breaches and hoaxes, and so many. Therefore it’s crucial to seek for external assistance from an external firm or consultant if need be, to assist in areas like:

- Carrying out an IT audit and Penetration Tests a.k.a “Ethical hacking” on your own infrastructure.
- Assisting with Information security awareness training for your staff etc…

It’s important to note that securing information assets in an enterprise is not just an event, but is a continued process that requires an ongoing effort and support of the top management, this is because the threats to information systems continues to evolve and change daily.

References:

1 itgovernance
2 itlibrary.org
3 http://www.27000.org

About the Author

Mr. Thomas Bbosa – CISSP, is an Information Systems security Consultant and Managing Partner with BitWork Technologies Ltd – http://www.bitworktech.com, an IT firm based in Kampala, Uganda. He is a certified Information Systems Security Professional (CISSP), with over 10 years Experience in the IT industry. He has been involved in various roles of IT infrastructure management and support, Information systems Security management & solutions deployment.

Article Source:

http://EzineArticles.com/?expert=Thomas_Bbosa

Read the original post: Top 10 Information Systems Security Controls in the Enterprise