Articles / Blogs

How to Create Cybersecurity Risk Management Strategy

Companies, big or small, must realize that the first step is to acknowledge the existing cybersecurity risks that expose the organization to malicious hackers. A single successful attack could seriously damage your business and cause a financial burden for you and your customers.

RM Studio v5.6 Release – STPA Update

Over the past 2.5 years a large portion of our resources has been occupied with designing and developing ground-breaking software for the engineering world. When the project started, our vision was to create a solution for performing STPA for the purposes of Engineering a Safer World.

GDPR Non-Compliance Challenges and Solutions

Penalties for non-compliance are business-threatening enough for organizations to consider the regulation more than an administrative exercise. But the long-term brand and reputation impact may be even greater.

The GDPR is a Threat to Your Organization

The EU GDPR, enforceable for 3.5 months, hasn’t made too many headlines regarding the fines levied for non-compliance. Hopefully by now your organization is ready with the basics and has been moving forward with raising the awareness and understanding of behaviors and processes for everyone in the organization.

How to Use NIST Frameworks for GDPR Requirements

The NIST SP (Special Publication) 800 series, NIST SP 800-53 in particular, can be successfully used for an organization’s GDPR requirements because it contains multiple recommendations that meet several requirements under Article 32 of the GDPR.

RM Studio v5.5 Release-GDPR Data Flow Mapping

Most organizations have been slow to identify and map the data flows within the organization, because it is a labor-intensive task. Those organizations that have already mapped data flows, but are using spreadsheets to manage the task, will definitely appreciate the visual editor. C-level and D-level management,

EU GDPR – Are You Ready?

General Data Protection Regulation (GDPR) rolled out in Europe on 25 May 2018. The enforcement of the regulation is aimed at ensuring that companies within 28 EU economies rigorously follow international best practices of data security management while handling personal data of EU citizens through changes in consumer privacy protection.

Information Security–vs–Cybersecurity

Information security vs. cybersecurity risk management is confusing many business leaders today. More and more the terms information security and cybersecurity are used interchangeably. The media and recently elected government officials are 'dumbing down' the world of digital security, specifically the protection of

Implementing ISMS Controls Is Only First Step

The risk management strategy requires the implementation of the recommended security controls in Annex A, but that is only the first step. Next, the implemented controls should be assessed based on the maturity and effectiveness of the implementation to determine whether the work is actually meeting expectations.

Access Control: Moving Beyond Compliance

Threats to access control are inevitable because human control of the technological business environment creates constant threats, deliberate or accidental, to confidential information. Creating a strategy to prevent access control threats is a foundational element of an ISMS.

RM Studio v5.4 Release

RM Studio v5.4 is released with Hierarchical Business Entities that can have assets assigned individually and shared among the business entities. The risks can be associated with the assets uniquely under each business entity, allowing for different risk mitigation strategies based on the business entity.

GDPR for Personal Data Protection

The GDPR aims to better protect data subjects against personal information abuse through reduction of the collection, storage, and distribution of such data. Company and institution managers, potentially new Data Protection Officers (DPO), who work with or have access to personal data need to refocus data protection strategies.

Best Practice ISO 27001 Required Documentation

ISO/IEC 27001 implementation best practices are provided through strict implementation guidelines that have been accumulated and evolved over a decade plus. The benefits of regularly maintaining the ISMS implementation through audits and corrective actions are highly attractive.

Most common IT Risks threatening SMEs

Small and medium size enterprises, often referred to as SMEs, make up the majority of the workforce in Iceland. The Icelandic SME owners and employees are well aware of the need to be resourceful when dealing with a challenging environment. Today SMEs around the world are affected more and more by the rapid changes in the IT environment and IT security awareness, as the volume and significance of digital data continues to increase. Although the headlines often focus on data theft, hacking of sensitive

RM Studio v5.3 – GDPR + ISO27001

RM Studio is now ready to support your GDPR compliance obligations through the Integrated Risk Management Framework and the implementation of the ISO 27001 providing you with a head start before the GDPR goes into force on 25 May 2018.

Vendor Risk Assessment for ISO 27001

The IT/IS vendor risk assessment has become a vital element of business today, because of the increasing reliance on 3rd parties for critical system infrastructures. The importance of choosing the most reliable vendors has never been more important and finding vendors that meet or match your level of security deserves the time investment, so your resources aren't taxed fixing mistakes or resolving system failures.

RM Studio v5.2 Release

RM Studio v5.2 new features include a Control to Control Mapping or Control to Regulation mapping tool for reducing work duplication through an implementation report, improved risk treatment calculations, and an update of the ISO 27001:2013 to the 2015 corrections.

Strategy for ISO 27001 Certification-Phase 4-BCM

After completing the previous phases towards ISO 27001 Certification, the final step in the process is the implementation of a Business Continuity Management plan. Business Continuity Management (BCM) is a holistic management process of identifying potential threats to a business entity (based on the Risk Assessment), the impact to operations those threats pose and the necessary steps needed to recover business operations after a disruption. The BCM provides a framework for building organizational resilience

Strategy for ISO 27001 Certification-Phase 3

The ISO/IEC 27001:2013 Standard introduces a process approach for integrating structures that strengthen an organization’s ISMS, reducing the risks to the information assets. This approach covers the adoption and implementation of systems of processes within your organization, with identification and interaction of the processes, and their management.

The third phase of our Strategy for ISO 27001 Certification is the implementation,

Strategy for ISO 27001 Certification-Phase 2

Risk Assessment and Treatment:

Organizational information, whether customer data, credit card information, intellectual property, or other forms, is considered a vital asset for organizations. The confidentiality, integrity, and availability of information allow organizations to sustain a competitive advantage, cost-effectiveness, a steady cash flow, profitability, legal compliance and a positive reputation.

Strategy for ISO 27001 Certification

Your organization has decided, or more than likely has become obligated, to certify your ISMS to the ISO/IEC 27001:2013 Standard in order to comply with or satisfy a regulation in your industry. Without the certification your organization will start to lose business opportunities.

First you need to understand what is the ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems and then, what you need to accomplish

2016 Information Security Spending $81.6 Billion

The preparation to combat the sinister characters threatening our information security increases more than expected each year. On the other hand, the expectation and wish seems to be that what a lack of a robust resolution and a visible absence of diligent efforts to implement preventive measures haven't been able to achieve would be duly covered up by incremental budget boosting. While information security for states has ‘gone fishin,’ software companies providing accounting,

Lessons on Managing Reputation Risk post Dieselgate

“Reputation is an idle and most false imposition, oft got without merit and lost without deserving. You have lost no reputation at all unless you repute yourself such a loser,” Iago endeavors to make Cassio forget his sense of shame in Othello. Shakespeare’s antagonist, driven by his infamous “motiveless malignity,” knew it is not true as the manipulator himself used his reputation as “honest Iago” to bring about the downfall of Othello himself. Business organizations must accept

Hacker with a conscience or whistleblower?

Mossack Fonseca (MossFon) and the Panama Papers information security leak is the largest amount of data stolen from a single company in history. The story has made the German newspaper Süddeutsche Zeitung (SZ) a celebrity of investigative journalism, but don’t mistake the extraordinary amount of work SZ and the International Consortium of Investigative Journalists put in to properly disclose the revealing information.

Was it a sophisticated hacker or was it an inside job?

The Pirates are invading the Vikings

By now you have heard of the Panama Papers and the Mossack Fonseca. A massive data breach that was distributed through the media exposing the financial dealings through offshore accounts of many world leaders, politicians, celebrities and alleged nefarious individuals flooded the headlines last week. The first public figure casualty from the largest data breach in history was the Icelandic Prime Minister, Sigmundur Davíð Gunnlaugsson. After the revelations of the more than 11 million documents were distributed

Instituting efficient insider threat prevention in aviation

Risk management disasters continue to capture the limelight with the latest one involving massive civilian causality. Growing evidence from the US and British intelligence indicate that terrorists successfully planted a bomb in cargo downing the Russia-bound flight in Egypt’s Sinai peninsula on October 31, killing all 224 people on board. While it is true that it is no easy task to “hermetically seal” any country border against these kinds of attacks, but it is equally true

Avoid Being a Target this Holiday Season

The concerns surrounding information security in credit cards are not limited to a particular season, but they acquire added prominence during the holiday shopping season. While retailers look to gain optimum increase in sales through their online and in-store channels, gift giving spree combined with year-end buoyancy drive consumers to buy more. Hackers too wait for this season and look to gather credit card information by breaching any defense. In addition, poor information and data security


Information Security Access Control – Sweat the small things

As businesses endeavor to explore new horizons of possibilities riding the unprecedented growth in information and communication technologies, data security concerns are at the forefront of conversations, and thankfully, involving even the board of directors. However, the recent history of information security is replete with organizations’ unsuccessful efforts to protect valuable data. Institutions across every industry are exhibiting fragile/futile risk management approaches.

Security spending increasing to $75.4bn for 2015

A reported boost in the global information security spending during the ongoing year should have been something to cheer about, if you are related to the risk management discipline. However, with the incremental association of inevitability with cyber attacks, any such good update is failing to provide a prolonged duration of happiness, forget about a sense of security that consumer data is going to be protected well from here on.

Lean Thinking for ISMS and ISO 27001:13

We have now crossed the threshold of one year since the release of the 2013 revision of ISO/IEC 27001, the internationally recognized standard for information security management systems (ISMS) in enterprises of all industries and sizes. Since this was a revision of the previously released ISO/IEC 27001:2005 Standard, enterprises had a grace period for re-certification or certification to the newly released standard. As of October 2015 the 2005 version is no longer valid.

Preventing information security breaches in healthcare

The research estimates data breach losses at a whopping $6 billion and calculates healthcare firms’ average data breach cost at more than $2.1 million, while the average cost of a data breach to BAs is estimated at more than $1 million.

Risk events are constantly increasing. Are you prepared?

Unfortunately, a data security incident is no longer an eyesore or ear-sore. The number of attacks is increasing and scaling to higher points of sophistication. “It’s a 24-7 onslaught. It’s a barrage of attacks and attempts to penetrate the defenses,” as was stated by Websense director of security research, Jeff Debrosse. The onslaught indeed continues. But sadly, businesses are caught under-prepared or defenseless, and are settling with credit card issuers by paying millions of dollars. While the growing sophistication is a moving menace, companies are also found devoid of understanding of their own vulnerabilities and what to do about them.

RM Studio v4.8 released today

Today we officially released the newest version of Risk Management Studio, v4.8. The new release includes several new upgrades to the standards available for deployment and […]

Product demo of a network forensic tool discovers OPM cyber breach

Security intrusion stories unfolding in the cyber space authenticate that companies are not the only targets. Government department systems, viewed to be the most trusted custodian of personal information, are the obvious next frontiers for hackers. In the latest and the largest breach of personal information in US history, hackers breached the computer system of the Office of Personnel Management (OPM), potentially exposing the entire Federal workforce.

Information and Data Security Risk Management in Retail Industry

As the pace of change from ‘Brick and Mortar’ to ‘Online Shopping’ is gathering momentum in the retail industry, unprecedented scale and speed of disruptions are also accelerating, making the retail landscape more vulnerable than ever before. While increased consumer spending is pushing the industry towards an estimated $20,002 billion in 2017, retailers are facing renewed challenges to re-engage savvy consumers who seek confirmed protection and enhanced buying experience at the same time. The onus is on the industry itself to implement information and data security infrastructures to protect their businesses and regain customer trust.

Proactive IT Risk Management in Banking Sector

Banks function in a dynamic operating environment marked by rising customer expectations, constantly changing economic landscape, widening scope and intensity of industry regulation, and leveraging technological innovation, while staying vigilant against evolving IT risks. Further, the success of the banking sector is contingent upon maximizing the shareholders’ wealth while controlling the financial health of the world economy with fairer practices amidst increasing transparency.

Therefore, supervisors and regulators have continued to propose measures for improving global banking practices, including governance and guidance for IT risk management as business functions performed by banks are underpinned by IT risks.

GDPR and the Role of Risk Management: Some Perspectives

Risk Management has long been the most important tool to achieve regulatory compliance with the law of the land in matters related to information security. […]

EU General Data Protection Regulation is Imminent

First things first, the answer should not be anything less than a resounding “YES”. You don’t need more reasoning: there is a more than 50% chance that the IT department of your organization is miserably unprepared for the proposed EU General Data Protection Regulation (GDPR). Frankly, with no noteworthy changes in data loss prevention regulation, enterprises in the European Union have been on a honeymoon since 1995. Like all good things, this phase will come to an end, and soon! There is no wishing away the imminent reality.

Cyber Warfare Risk Management: Finding Ways for Future Data Defense

With the transformation of the digital landscape into a highly complex phenomenon, cyber attacks from state and non-state actors have continued to increase. While the use of new types of devices, networks and infrastructure has enabled countries and businesses to move forward with success, it has also exposed vulnerabilities in security systems, policies and practices. Foreign nations and organized crime groups use this form of asymmetrical warfare to target strategic or tactical resources involving government and corporate networks.

Cyber Warfare and the Importance of Risk Management

The advancement of technological innovation has armed attackers to expose cyber vulnerabilities inherent in networks and systems that handle sensitive information. Once believed to be exclusively designed and executed for military purposes, the realm of cyber warfare is fast expanding to include civilian industries. Menacingly, advanced information technology expertise and superior executional skills of cyber reconnaissance rogues are far outpacing policy developments and forging of combined international strategies, if any.

Mature IT Risk Management Drives Business Performance

As organizations embrace technology, competitive pressures, and globalization to drive business growth, they are redefining success to include the responsibility of restoring economic stability. While some enterprises are moving forward by creating strategic value, a large proportion has failed to effectively measure and manage business performance. Organizations aspire to create a culture of performance based on accountability, intelligence and informed decision-making. By combining structured and unstructured data, gleaned from efficient use of information technology, businesses are trying to ensure the delivery of strategic priorities and goals.

Integrating Technology Risk Management into Business Planning

Thanks to the rising competition and constantly changing economic scenario, business planning is no longer a one-time exercise. Regular reviews and revisions of the goals, as well as the means to achieve the objectives, are becoming increasingly important in business planning. For startup businesses, planning involves a bouquet of careful approaches to walk through the uncertainties. Business planning for existing enterprises entails disciplined strategies that support sustainability efforts to steer ahead with goals. While business planning for both types involves a multitude of unique activities, integrating technology risk management into the overall framework is of paramount importance for both.

RM Studio v4.7.2 Released

Risk Management Studio v4.7.2 release includes several new upgrades and minor modifications. Here is the release summary:

Anthem Breach – Sophisticated Heist vs. Sloppy Security

A massive data security breach takes place. Investigators point fingers at state-sponsored perpetrators from either China or North Korea. Flurry of accusations and the resultant denials ensue. Before the aura surrounding a breach fades, another is reported, often eclipsing the one before. Enterprises pay fines after completion of investigation. Things move on.

Overcoming Barriers to Efficient Risk Assessment

Efficient risk assessment has always represented a type of challenge that businesses are seldom comfortable admitting. Surprisingly, the denials permeate corporate boardrooms and management meetings in mid-tier organizations, while young businesses are too often happy to deem themselves out of any such purview. These could just be considered individual examples of a much larger issue. And the consequences have manifested in more ways than enterprises would have ever anticipated.

Overcoming Information Security Challenges in Small & Medium Enterprises

Information security challenges combined with rapidly rising related regulatory concerns have made large corporations constantly realign their business strategies, backed by substantive resources, with management guidelines often tweaked to suit their needs. The result? Well, not too convincing. Small and medium enterprises (SMEs), on the other hand, despite being at a distinct disadvantage of scant resources and a lack of well-defined guidelines, are expected to overcome information security challenges with the same efficiency and at no lesser scale of penalties, financial or reputational.

Data protection in the cloud: solutions

The emergence of the cloud has revolutionized the IT industry and has allowed businesses to reap sizeable benefits. Enterprises are switching faster than ever from owning hardware to applications and services delivered through the Internet, to the extent of reducing earnings projections for traditional technology heavyweights like SAP and IBM. These have been called “the latest ripple effects of a major disruptive shift from onsite hardware-based implementations to cloud-based solutions, amid improving technology and bigger bandwidth to support it.” Frankly, it is a fascinating evolution in cloud technology that is flipping the paradigm around.

Data Security in the Cloud: Challenges

With the advancement of information and communications technology, cloud computing has evolved as one of the most significant trends. Offering ‘borderless’ access to customer data or computer capacity for data processing, the cloud has created opportunities for enterprises to achieve improved IT flexibility, cost efficiency, and value from their data. While businesses have achieved economies of scale and reduced capital costs by leveraging the cloud, the end user has unrestrained access to limitless information, documents, spreadsheets, presentations and photographs.

Information Security Challenges in SMEs

As opposed to popular belief, the intricacies of information security involved in running small and medium-sized enterprises (SMEs) are often tricky. For one, formulation of information security management practices, which are primarily developed for bigger enterprises, has not traditionally included SMEs. Further, the unique nature of the ways in which these businesses operate warrant customized approaches.

Information Security in Credit Cards

As cybercriminals search for another ‘bebe’ this holiday shopping season, it is likely that your credit card information system will become an easy ‘target’. The persistence and sophistication of hackers seem to be winning against the intentions and strategies of businesses to secure credit card information. The fraudsters’ success list is becoming embarrassingly long, with the latest being BeBe Stores Inc., a chain of 200 women’s fashion apparel stores in the US, after million-dollar credit card data thefts involving Target, Neiman Marcus, Home Depot, Staples, UPS, Michaels, P.F. Chang’s, LaCie and many more.

Ebola Risk Management: Countermeasures

The risk of Ebola was brewing silently and found perfect communities in remote villages of Guinea, before spreading to Liberia and Sierra Leone, countries that truly portray dysfunctional health care infrastructure. The gradually increasing human death toll since December 2013 and the threat of the Ebola virus disease (EVD) spreading to other West African countries made the World Health Organization (WHO) declare the deadly outbreak a “public health emergency of international concern”. The official death count has crossed the 5000 mark while reported suspected cases stand at the menacingly massive 14,000 level, numbers that are widely and truly believed to be under-reported.

Challenges in Ebola Risk Management: Some Perspectives

The Ebola threat has survived on the inequalities of the global healthcare, to the extent of an inevitability that the hotbed could not be other than Liberia, Sierra Leone and Guinea. These countries truly represent what could go wrong in healthcare – 1 doctor attends to about 76,000

Volcanic Risk Mitigation Strategies

The earth’s lifespan has likely seen thousands of volcanoes while recorded eruptions stand roughly at 550, of which 50 to 70 erupt each year. Recently, new activity has been noticed in 6 volcanoes while ongoing activity has been recorded at 12 volcanoes. Notable among these include Etna in Italy, Kilauea in Hawaii, Bardarbunga in Iceland, Sinabung in Indonesia, Poas in Costa Rica and Mount Ontake volcano in southern Japan. Just as types of volcanoes vary due to their inherent scientific reasons, so do their consequences, based on locations, proximity to business establishments and population, and their longevity.

Volcanic Eruptions and Challenges in Risk Management

Of all the natural disasters, volcanic eruptions are perhaps the most distinctive: they are dramatic yet potentially the most devastating, intimidating yet awe-inspiring phenomena to behold, and they entail events that turn everything they touch into ashes. Also, while the relentless flow of lava and other hazardous materials, coupled with the uncertainty associated with the next big eruption, only creates anguish in the scientific community, the extremely complex dynamics involved in the process render mankind helpless.

Important Steps to an Effective PCI DSS Assessment

The PCI (Payment Card Industry) DSS (Data Security Standard) mandates are growing larger, encompassing more and more organizations, small and large alike. While adhering to the requirements helps prevent card security breaches, non-compliance invites hefty fines from authorities in addition to damaging the business reputation. Despite PCI DSS providing guidance to become secure by raising awareness about payment card security breaches, organizations fail to meet PCI's mandates, exposing themselves to cybercriminal attacks.

RM Studio v4.7 with PCI DSS 3.0 released

Risk Management Studio version 4.7, which includes the PCI DSS 3.0 integration and control mapping, has been released on our new website. The updates include several minor bug fixes and general cosmetic adjustments, along with the embedding of the PCI DSS 3.0 for immediate deployment. RM Studio is designed to optimize the work efficiency for compliance of the PCI DSS 3.0 and the ISO/IEC 27001:2013 Standards.

Common Challenges to Effective Risk Assessment

Creating a comfortable risk culture where stakeholders and employees participate in open heart discussion to find and reveal true risks goes a long way in securing an organization against ever-evolving threats.

Using Risk Management to Answer Online Privacy Concerns

We are living at a distinguished time of internet history when businesses are bringing products and services to consumers’ fingertips at a staggering pace. While with technological advancements capabilities for such offerings are only going to increase, it is a sore reality that businesses are losing the all important consumer trust due to the way online personal data is handled and processed. It is no exaggeration to state that consumers’ trust was never as low as it is now.

Building an Invisible Framework for Operational Risk Management

Despite the sure knowledge that operational risk is integrally linked to business performance, organizations prefer not to face operational risk at all. But as in so many aspects of business activity, non-preferences can seldom be chased away. It is truer in the case of operational risk, as this type of risk arises because organizations function and from the way they function. Therefore, operational risk can’t be entirely prevented or avoided, but it can be actively managed by allocating it the same prominence as afforded to credit and market risk.

Benefits of Using Big Data Strategy in Risk Management

Emerging technologies enabling diverse forms of data creation, and their integration with traditional data, are generating voluminous information for organizations. Businesses, large and small alike, endeavor to derive valuable insights by processing and analyzing the big data. Efficient application of big data and analytics benefits organizations through enhanced assessment of emerging risks. Using a big data strategy improves institutions’ risk profiles and paves the way to approach risk in a profitable manner.

However, despite enterprises’ efforts to gain competitive advantage not too many have succeeded, while the majority has failed to convert data into valuable insights. According to IDC, only 22% of digital data was a candidate for analysis, while less than 5% was actually analyzed.

Putting Risk Management into Practice: Challenges and Opportunities

Adverse risk events since the turning of this century have forced organizations to make a fundamental shift in how they perceive risk management. Companies that earlier focused simply on avoiding monetary losses and achieving regulatory compliance are now focusing on risk management practices to achieve business goals. The emphasis on the processes is being supported by an efficient workforce and able technology. But while an increasing number of businesses are putting risk management into practice as a key factor for value creation, there are organizations that rely on reactive actions devoid of proactive planning.

Bridging the Gap Between Commitment and Execution in Risk Management

In far too many instances of risk management, good intentions have been viewed as the destination in the journey of managing and mitigating risks. Good intentions have seldom translated into commitment, fulfilled by execution to reap the benefits of risk management. Analysis of organizations’ risk management commitment, or rather the lack of it, signals a two-pronged approach: First, commitment to risk management is not considered a core enterprise function; second, in cases where organizations devise a risk management framework, they do it without board level commitment and direct involvement.

Infrastructure Security vs. Evolving Threats

Security of critical infrastructure plays a vital role in determining how an organization performs over a long period of time. In the business world a resilient infrastructure is closely knit to the national security of the country of operation, as large scale damage could have far-reaching consequences on the economy and public safety. Worldwide, governments and international bodies have defined standards and strategies to identify and prioritize key assets protection, identify threats, and devise effective prevention and mitigation strategies.

Sustaining Business Performance in a Risk-Intensive World

Ensuring the achievement of business performance goals drives corporations to succeed. However, the road to success is fraught with challenges that could stall growth while at the same time draining the fulfillment already achieved. The challenges and threats organizations regularly face are becoming more varied in nature, as risks are evolving. The enhancement of technologies is compounding today’s risks by multiple factors acting together. Therefore, it’s not surprising the sustainability of business performance is affected, when one or more factors that influence operational and financial risks are exposed. Broadly, risks can come from volatile economic and political realities, trade conflicts, natural calamities, product recalls, data breach, insider threat, business interruption, and changing regulatory environments. All of these dynamic factors have magnified the demand for transparency in the risk management process and amplified the effects of the results.

Why Risk Assessment is the Mainstay of an Effective ERM Program

All too often organizations have considered risk assessment a necessary evil for complying with authorities, rather than a strategy that will contribute to financial success. Unprecedented levels of business complexity, due to the constantly changing global socioeconomic landscape and regulatory requirements, are forcing firms to manage enterprise risk in a consistent and efficient manner. An effective Enterprise Risk Management (ERM) program significantly improves efficiency, resiliency, opportunities, business performance and stakeholder value.

A View from the Trenches, the General State of IT Security

Consultants who work with IT security audits are often a valuable resource regarding the general state of IT security. They work for a number of clients in various industries over a number of years and therefore get a perception of the general state of things such as IT security awareness. I’m one of those consultants and I believe I have some observations on this issue. Speaking of none of my clients in particular, the need for IT security is mostly driven by external factors and specific incidents rather than management’s desire to leverage IT security for business objectives. For instance, new legislation and directives from the EU and the US have pushed the adoption of information security standards such as ISO/IEC 27001 and PCI DSS. These increased expectations, driven by the new laws and directives, are forcing organizations to spend money and resources to implement the applicable standards. Given the choice, more often than not, organizations would choose to spend the investment elsewhere expecting a better return.

Risk Management and Human Resources: During Employment

How much of an impact does human resources have on the risk management strategy in your organization?

Risk management in regards to human resources does not stop once background checks, references and education confirmation are completed. The human resource department and the risk management department must continue to collaborate to ensure employee related risks are continuously identified and strategies established for mitigation of identified risks.

PCI DSS Mitigating Controls for Risk Management

The nearly 300 controls, comprising the Testing Procedures and Implementation Guidelines necessary to complete the requirements, are a daunting task for even the most efficient and effective risk managers to maintain and organize.

Easy Transition to ISO 27001:2013

The latest revision of the information security standard, ISO/IEC 27001:2013, has been available for over 6 months now. This revision of the 2005 version requires a certification to the new standard, rather than a re-certification. Although the transition period is two years, many organizations have begun the transition to the new standard and the implementation of the revised security controls of Annex A (ISO/IEC 27002:2013). The transition appears easy on the surface, but overlooking the importance of doing it right the first time could set your organization back and prevent certification by the auditor.

IT Audits and Risk Management

This article is a look into IT audits as they pertain to information security risk management. One of our consultants has been doing a lot of IT audits as a beginning phase of the risk management process for our clients. He is a certified (CIA, CFSA, CISA) and highly experienced auditor and his perspectives provide insight into the requirements for successful preparation and execution of IT audits and risk management.


Press Release: RM Studio v4.6.1 updated to include ISO 27001:2013

The newest revision of the information security standard ISO/IEC 27001:2013 and the accompanying ISO/IEC 27002:2013 (Code of practice for information security management controls) was released on the 3rd of October, 2013. Organizations operating under the previous version, 27001:2005, must renew their certification by October 1st, 2015. If the renewal is due in October of 2014 or after, then you are obligated to use the revised standard for recertification.


Integrating the PCI DSS and ISO 27001 Standards for Higher Level Information Security

Recently we have noticed a large number of our customers have been using our risk management software for both the ISO 27001 and PCI DSS standards. This trend started to pick up last summer and has dramatically increased at the beginning of this year, which makes sense, as both of the standards received a recent refresh. The ISO 27001:2013 revision of the 2005 version was released in October last year, and PCI DSS 3.0 was released in November but went into effect on January 1st, 2014.

Why do organizations want to comply with both standards?

Updating 27001:2005 to the 27001:2013 revision

By now nearly everyone in the industry knows about the ISO/IEC 27001:2013 Standard and the supporting Code of Practice document ISO/IEC 27002:2013. Both were developed through consensus of the international community with a membership of over 47 national standards bodies. ISO/IEC 27001 is one of the fastest growing management system standards used around the globe.

According to the International Organization for Standardization's ISO Survey 2012, at the end of 2012 the ISO/IEC 27001:2005 accredited certificates issued worldwide nearly reached 20,000 in total in 100 countries. Since 2006 the number of certificates issued has increased by double digits each year, with the 2009 jump of 40% over 2008 being the largest year over year increase.


A Reputation Management Discussion

This past holiday season proved to be very costly for several major retailers in the United States. The massive US retailer Target, it turns out, was not the only victim of cybercrime during the busy holiday shopping season. A recent article from Reuters stated that up to 6 attacks on US merchants have been ongoing for months.


Is your organization using a cloud computing service for risk management?

The term "the Cloud" is now used on a daily basis (many say the term is overused today) and everyone knows this is the next big thing in IT. What is cloud computing? The technical term cloud computing can take many forms and refer to many similar, yet different, aspects of computing with data outside the confines of the office.

Here are a few examples of cloud computing:

SaaS – Software as a Service: a single application accessed through a web browser by thousands of customers using a multitenant architecture.


Finite Funds: How to Get the Budget You Need to Maintain Your ISMS

The competition for internal financing in all organizations is as fierce as ever. Departments go head-to-head to get the biggest chunk of the annual budget and there always seems to be a dominant winner for those finite funds, the marketing department. Why shouldn’t they win year after year? It is their job to persuade people to spend their money on your company’s products and services. However, the other departments, namely the information security department, may see this as unfair and even a waste of internal resources. This article examines ways CISOs, CSOs, or any other information security officers can compete with the marketing department and provides insight on how to present your case to upper management to secure the funds you need to manage an effective and efficient ISMS.


Risk Management Software vs. Spreadsheets

We admit, here at RM Studio, when we started our risk management process towards ISO 27001 certification in 2002, we used a very popular spreadsheet application. Through trial and many errors, we quickly realized that establishing formulas, double checking cell links and proper formatting, and confidently believing human error was not a factor in our audit preparation was a risk in and of itself. The frustrating results became our inspiration to develop an efficient and simpler means of managing information security risk. Risk Management Studio (originally OutGuard) was created to offer a holistic solution to the risk management process and streamline our efforts, ensuring sustainable success in risk mitigation and asset protection.


Security Awareness Video Training

Common sense - everyone knows what this phrase means. Correct? It is used every day in the English speaking world, and everyone from a 5 year old child to an adult has heard the phrase used in a conversation and is expected to understand its meaning. The definition according to the Oxford Dictionaries online is "good sense and sound judgment in practical matters". In our journey to and from the office each work day, we encounter risks which require us to use sound judgment and good sense to determine the best course of action to mitigate them.

Cultivating a Risk Aware Culture

A security manager’s toughest task is to help build a culture of awareness in regards to the risks threatening the organization. The term risk-aware culture is commonly discussed in organizations working to establish an information security management system. The ISO 31000 framework is very clear on the expectations of an organization’s risk-aware culture, and in order to pass the certification process for ISO 27001, the organization must establish a visible environment and culture that cultivates risk awareness.

What is a risk-aware culture?


BYOD – Advantage of Smart Organizations

Everybody’s doing it these days, that is Bring Your Own Device to work (BYOD). The vast majority of business professionals working today have some type of smartphone, tablet, or laptop; many of us have and use all three on a daily basis.

Is this a question of whether employers want to allow employees to use personal devices for work tasks, or of employees demanding the option based on convenience and personal preference?

RM Studio Version 4.5 Released

We have released RM Studio version 4.5 today that includes several great additions and a few necessary subtractions. Our latest updates include: A brand new Control […]

Cyber Security Risk Management

Every day we hear more and more about cybercrime in the news. In March, the Chinese government was discovered hacking Google to steal years of surveillance data and spying information from American law enforcement. Several American universities have been reporting daily cyberattacks on the intellectual property and patent information the schools possess. The nine-day DDoS cyber-attack on Spamhaus, a European anti-spam organization, resulted in significant slowing of internet traffic from London to Hong Kong, affecting millions of users.

Cloud Computing: Thunderstorms and Rainbows

Cloud computing and data storage technologies have increased in popularity over the past few years. This is due mainly to small- and medium-sized businesses 'flying into the cloud' with solutions that improve business capabilities and back up critical data. The explosion of web-based applications for mobile devices has also driven the dramatic expansion of cloud computing vendors in the market. The belief that 'the cloud' is a safer and more secure business solution, when compared to traditional storage devices such as in-house servers or simple external HDDs, benefits the data solution centers as well. The cloud computing industry is expecting an even larger demand for its services from the data being created by the increasing quality of our video and image capture technologies, as well as the need to share our lives around the world.

Preventing Intellectual Property Theft Through Risk Management

We have seen it in the movies, read about it in best selling novels, and heard about it in the news. The employee steals company data and uses it for unintended purposes, sometimes for good, sometimes for evil. It ranges from the movie Office Space, where a change in management brings a reduction of labor, which inspires three co-workers to upload a virus into the company’s database to steal the tiny fractions of cents left over from complex interest percentage calculations and send them to an anonymous bank account, to the premise of the movie Paycheck, where the main character is a reverse engineering specialist hired by companies to steal a competitor’s latest tech designs to copy and make a competing product.

VoIP: A New Era in Threats, Part 3

Countermeasures and Penetration Testing

In our previous two posts on this topic we discussed the threats of using VoIP. The following post discusses ways you can mitigate these threats.

If VoIP is to successfully replace PSTN, some measures need to be taken in order to approach the reliability that PSTN offers. It’s somewhat unrealistic to demand PSTN’s 99.999% availability for VoIP, since IP based systems are exposed to a larger threat pool than public switched ones, but there are actions available that can significantly reduce the phishing and spoofing threats involved with VoIP.

VoIP: A New Era in Threats, Part 1

Over the last decade VoIP has become increasingly popular, with service providers gaining millions of subscribers each year. However, VoIP is an inexperienced platform, which translates into millions of subscribers being exposed to new phishing and spoofing threats annually.

Are you exposed to these threats?


The broad spectrum of information security

In this rapidly changing world, well-organized, precisely documented and secure information systems are vital for any successful operation. It is equally important to work within strictly defined frameworks while retaining the flexibility to deliver the level of security required by your organization.

Organizations can improve efficiency and strengthen their reputation by focusing on information security and quality management.

Information security – management standards in a professional business environment

Demand for information security has increased in both the private and the public sector. The Financial Supervisory Authorities in various countries have recommended that organizations in their sectors ensure information security. The law regarding the protection of privacy (the Data Protection Authority) requires those who hold personal information to secure it appropriately.

Standards for information security management 

ISO has in recent years issued several security standards in the ISO/IEC 2700x series. These are all information security management standards, covering specific aspects such as risk assessment. The standards deal with best practice in information security management, and the certification standard ISO/IEC 27001 is the specification for information security management systems.


Doomsday Preppers, Risk Management and Business Continuity?

Recently, I stumbled upon the show Doomsday Preppers. The show highlights three or four groups of people, each preparing for a separate catastrophic event that will change the world as we know it. Though the event they are preparing for differs, the approach to planning their survival is often the same. As I watched, I started thinking "These folks have the concept of risk management and continuity figured out." This article focuses on the concepts of risk management and continuity planning and what doomsday preppers can teach us about these concepts.

Risk Lessons from an Entrepreneur

Having written about risk for 12 years and having run my own business for a few decades, I've seen the same risk sins committed time and again by business owners. Some I've committed. Others I've watched play out from the sidelines.

If I've learned anything from owning my own business, it's how rampant risks are and how devastating they can be if ignored indefinitely. Many of my colleagues avoid buying even the most basic business insurance policy, but the greater risks lie well beyond what's spelled out in the coverage details.

Here are some of the more common oversights that threaten small businesses:


Audit Trail: A Common Mistake

Often, the clients we assist with establishing an ISMS are surprised to hear that the Audit Trail requirement is something that should be considered prior to the actual audit. The goal of an Audit Trail is to have all of the information regarding your ISMS audit organized and ready to be presented to the auditor. In this post we cover a common mistake in the preparation of an audit and a solution for ensuring all your hard work is organized for an audit.

What is an Audit Trail?

Riphah International University receives grant from RM Studio

Riphah International University has been awarded a grant valued at $42,000 annually to utilize RM Studio with an objective of expanding the global awareness of Information Security and Risk Management and build the capacity of Riphah to impart quality education of international standards. Through the partnership RM Studio will be integrated in the undergraduate and postgraduate curricula of the university to supplement theoretical learning with hands-on practical skills. (The International News: Riphah signs MoU with Stiki)

Cloud Computing and Security Concerns

Modern computing is increasingly becoming a shared resource. In the past, if an individual required access to an application, he or she would have to have it installed on his or her own computer. Today, with the help of cloud computing, applications can be shared and accessed by various users from all around the world without requiring individual set-up.

Cloud computing is commonly defined as, "the provision of dynamically scalable and often virtualized resources as a service over the Internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure in the "cloud" that supports them. Cloud computing services often provide common business applications online that are accessed from a web browser, while the software and data are stored on the servers."

This post examines cloud computing and the security concerns that arise through its use. We address potential security concerns and provide you with the questions you should be asking cloud service providers.

Information Security Risk Management

The Information Security Risk Management Process with RM Studio

The RM Studio: Assessment and Treatment Module guides you through the Risk Assessment, Gap Analysis, and Risk Treatment process for your organization as described in ISO 27001.

Establishing the Risk Management Context
Prior to starting the risk management steps, RM Studio guides you through the Business Entity, Asset, and Threat Identification process. RM Studio comes equipped with a Threat Library of nearly 150 unique Threats specific to information security risk management. Further, RM Studio automatically links Assets, Threats, and ISO 27001 Mitigating Controls through RM Studio's Category feature. This feature removes the guesswork and saves you time in the risk management process.

Physical Security: Closing the gap at minimal cost

Physical security has been on our minds recently here at RM Studio. We have found that there is often a disconnect between information security and the role physical security plays. In assisting our clients we have found that there are times when clients want to close physical security gaps at large cost to the organization. This post focuses on finding the gaps in physical security and addressing them at minimal cost while still protecting and securing information.

The Risk of the Unhappy Employee

For whatever reason, there is generally someone who is not happy with their current job, their place of employment, or their job title. When an employee is unhappy with their current employment situation, risks are introduced to the organization from this unsatisfied employee. It is important that risk managers and organizational leaders recognize these threats and, as with all threats, implement mitigating controls and objectives to prevent the risk from becoming an actual incident. This post examines example risks that are raised and suggests ways to prevent the unhappy employee from damaging an organization.

Risk Management and Groupthink

When managing risk, we must consider all risk from all sources. A majority of the time identifying risk is entrusted to a few individuals, although determining which risks are the highest priority is done in a collaborative environment, with managers, teams and groups of colleagues discussing the issues at hand. In this setting, it is important that the risk manager (the one whose job depends on the risk management results) recognizes and prevents any instances of groupthink.

Groupthink occurs when groups make decisions and are willing (knowingly or unknowingly) to take more risk than an individual would on their own. This post provides a general overview of the causes and symptoms of groupthink, as well as measures that can be taken to avoid it.

*Updated January 2014*

Mobile Devices and Information Security Risk Management

Mobile devices such as smartphones and tablets have found their way into the everyday tasks of professionals. More and more software is available in mobile application form, and organizations are utilizing the convenience offered by having their staff always connected. Though there are many benefits associated with such connectivity, new threats are introduced into the enterprise environment. The following post highlights threats that exist and steps you can take to secure your mobile devices.

The ISO 27001 information security standard recommends the development of a formal policy that introduces appropriate security measures to protect against threats related to mobile devices. The Standard suggests implementing a policy that addresses physical protection, access controls, cryptographic techniques, back-ups, and virus protection.

The Seven Habits of Highly Effective Risk Managers

It is a given that a risk manager must be analytical, precise, cautious and results driven. Risk managers are often seen as the gatekeepers to decisions and often associated with the word "No." We challenge this perception and suggest

Enterprise Risk Management: It is present in your organization, why not formalize it?

Organizations manage risk by nature, whether through a formal enterprise risk management (ERM) process or in an informal manner. Every time your organization's board of directors or top management determines a strategy or makes a decision regarding business objectives, it is implementing the principles of ERM. This article examines informal decision making processes and how they naturally follow the principles of ERM. The article suggests that, in order to protect stakeholders, a formalized ERM process should be put in place.
