By now you have heard of the Panama Papers and Mossack Fonseca. A massive data breach, distributed through the media and exposing the financial dealings through offshore accounts of many world leaders, politicians, celebrities and alleged nefarious individuals, flooded the headlines last week. The first public figure casualty of the largest data breach in history was the Icelandic Prime Minister, Sigmundur Davíð Gunnlaugsson. After the revelations of the more than 11 million documents were distributed
Risk management disasters continue to capture the limelight, with the latest one involving massive civilian casualties. Growing evidence from US and British intelligence indicates that terrorists successfully planted a bomb in cargo, downing the Russia-bound flight in Egypt’s Sinai peninsula on October 31 and killing all 224 people on board. While it is true that it is no easy task to “hermetically seal” any country’s border against these kinds of attacks, it is equally true
The concerns surrounding information security in credit cards are not limited to a particular season, but they acquire added prominence during the holiday shopping season. While retailers look to gain the greatest possible increase in sales through their online and in-store channels, the gift-giving spree combined with year-end buoyancy drives consumers to buy more. Hackers too wait for this season and look to gather credit card information by breaching any defense. In addition, poor information and data security
As businesses endeavor to explore new horizons of possibilities riding the unprecedented growth in information and communication technologies, data security concerns are at the forefront of conversations, and thankfully, involving even the board of directors. However, the recent history of information security is replete with organizations’ unsuccessful efforts to protect valuable data. Institutions across every industry are exhibiting fragile/futile risk management approaches.
A reported boost in global information security spending during the ongoing year should have been something to cheer about, if you work in the risk management discipline. However, as cyber attacks come to be seen as increasingly inevitable, any such good news fails to provide a prolonged duration of happiness, let alone a sense of security that consumer data is going to be protected well from here on.
We have now crossed the threshold of one year since the release of the 2013 revision of ISO/IEC 27001, the internationally recognized standard for information security management systems (ISMS) in enterprises of all industries and sizes. Since this was a revision of the previously released ISO/IEC 27001:2005 standard, enterprises had a grace period for re-certification or certification to the newly released standard. As of October 2015 the 2005 version is no longer valid.
The advancement of technological innovation has armed attackers to expose cyber vulnerabilities inherent in networks and systems that handle sensitive information. Once believed to be exclusively designed and executed for military purposes, the realm of cyber warfare is fast expanding to include civilian industries. Menacingly, advanced information technology expertise and superior executional skills of cyber reconnaissance rogues are far outpacing policy developments and forging of combined international strategies, if any.
In far too many instances of risk management, good intentions have been viewed as the destination in the journey of managing and mitigating risks. Good intentions have seldom translated into commitment, fulfilled by execution, to reap the benefits of risk management. Analysis of organizations’ risk management commitment, or rather the lack of it, reveals a two-pronged problem: first, commitment to risk management is not considered a core enterprise function; second, in cases where organizations devise a risk management framework, they do it without board-level commitment and direct involvement.
Ensuring the achievement of business performance goals drives corporations to succeed. However, the road to success is fraught with challenges that could stall growth while at the same time eroding what has already been achieved. The challenges and threats organizations regularly face are becoming more varied in nature, as risks are evolving. Advancing technology is compounding today’s risks by multiple factors acting together. Therefore, it’s not surprising that the sustainability of business performance is affected when one or more factors that influence operational and financial risks are exposed. Broadly, risks can come from volatile economic and political realities, trade conflicts, natural calamities, product recalls, data breaches, insider threats, business interruption, and changing regulatory environments. All of these dynamic factors have magnified the demand for transparency in the risk management process and amplified the effects of the results.
All too often organizations have considered risk assessment as a necessary evil for complying with authorities, rather than as a strategy that will contribute to financial success. Unprecedented levels of business complexity, due to the constantly changing global socioeconomic landscape and regulatory requirements, are forcing firms to manage enterprise risk in a consistent and efficient manner. An effective Enterprise Risk Management (ERM) program significantly improves efficiency, resiliency, opportunities, business performance and stakeholder value.
Consultants who work with IT security audits are often a valuable resource regarding the general state of IT security. They work for a number of clients in various industries over a number of years and therefore get a perception of the general state of things such as IT security awareness. I’m one of those consultants and I believe I have some observations on this issue. While speaking of none of my clients in particular, the need for IT security is mostly driven by external factors and specific incidents rather than management’s desire to leverage IT security for business objectives. For instance, new legislation and directives from the EU and the US have pushed the adoption of information security standards such as ISO/IEC 27001 and PCI DSS. These increased expectations are forcing organizations to spend money and resources to implement the applicable standards, because of the new laws and directives. Given the choice, more often than not, organizations would choose to spend the investment elsewhere expecting a better return.
How much of an impact does human resources have on the risk management strategy in your organization?
Risk management in regards to human resources does not stop once background checks, references and education confirmation are completed. The human resource department and the risk management department must continue to collaborate to ensure employee-related risks are continuously identified and strategies established for mitigation of identified risks.
The latest revision of the information security standard, ISO/IEC 27001:2013, has been available for over 6 months now. This revision of the 2005 version requires a certification to the new standard, rather than a re-certification. Although the transition period is two years, many organizations have begun the process of transitioning to the new standard and implementing the revised security controls of Annex A (ISO/IEC 27002:2013). The transition appears easy on the surface, but overlooking the importance of doing it right the first time could potentially set your organization back and prevent certification by the auditor.
This article is a look into IT audits as they pertain to information security risk management. One of our consultants has been doing a lot of IT audits as a beginning phase of the risk management process for our clients. He is a certified (CIA, CFSA, CISA) and highly experienced auditor and his perspectives provide insight into the requirements for successful preparation and execution of IT audits and risk management.
The newest revision of the information security standard ISO/IEC 27001:2013 and the accompanying ISO/IEC 27002:2013 (Code of practice for information security management controls) were released on the 3rd of October, 2013. Organizations operating under the previous version, 27001:2005, must renew their certification by October 1st, 2015. If the renewal is due in October of 2014 or after, then you are obligated to use the revised standard for recertification.
Recently we have noticed a large number of our customers have been using our risk management software for both the ISO 27001 and PCI DSS standards. This trend started to pick up last summer and has dramatically increased at the beginning of this year, which makes sense, as both of the standards received a recent refresh. The ISO 27001:2013 revision of the 2005 version was released in October last year and PCI DSS 3.0 was released in November, but went into effect on January 1st, 2014.
Why do organizations want to comply with both standards?
By now nearly everyone in the industry knows about the ISO/IEC 27001:2013 Standard and the supporting Code of Practice document ISO/IEC 27002:2013. Both were developed through consensus of the international community with a membership of over 47 national standards bodies. ISO/IEC 27001 is one of the fastest growing management system standards used around the globe.
According to the International Organization for Standardization's ISO Survey 2012, at the end of 2012 the ISO/IEC 27001:2005 accredited certificates issued worldwide nearly reached 20,000 in total across 100 countries. Since 2006 the number of certificates issued has increased by double digits each year, with the 2009 jump of 40% over 2008 being the largest year-over-year increase.
This past holiday season proved to be very costly for several major retailers in the United States. The massive US retailer Target, it turns out, was not the only victim of cybercrime during the busy holiday shopping season. A recent article from Reuters stated that up to 6 attacks on US merchants have been ongoing for months.
The term "the Cloud" is now used on a daily basis (many say the term is overused today) and everyone knows this is the next big thing in IT. What is cloud computing? The technical term cloud computing can take many forms and refer to many similar, yet different aspects of computing data outside the confines of the office.
Here are a few examples of cloud computing:
SaaS – Software as a Service: a single application accessed through a web browser by thousands of customers using a multitenant architecture.
The competition for internal financing in all organizations is as fierce as ever. Departments go head-to-head to get the biggest chunk of the annual budget and there always seems to be a dominant winner for those finite funds, the marketing department. Why shouldn’t they win year after year? It is their job to persuade people to spend their money on your company’s products and services. However, the other departments, namely the information security department, may see this as unfair and even a waste of internal resources. This article examines ways CISOs, CSOs, or any other information security officers can compete with the marketing department and provides insight on how to present your case to upper management to secure the funds you need to manage an effective and efficient ISMS.
We admit, here at RM Studio, when we started our risk management process towards ISO 27001 certification in 2002, we used a very popular spreadsheet application. Through trial and many errors, we quickly realized that establishing formulas, double-checking cell links and proper formatting, and confidently believing human error is not applicable in our audit preparation was a risk in and of itself. The frustrating results became our inspiration to develop an efficient and simpler means of managing information security risk. Risk Management Studio (originally OutGuard) was created to offer a holistic solution to the risk management process and streamline our efforts, ensuring sustainable success in risk mitigation and asset protection.
Common sense - everyone knows what this phrase means. Correct? It is used every day in the English-speaking world and everyone from a 5-year-old child to an adult has heard the phrase used in a conversation and is expected to understand its meaning. The definition according to the Oxford Dictionaries online is "good sense and sound judgment in practical matters". In our journey to and from the office each work day, we encounter risks which require us to use sound judgment and good sense to determine the best course of action to mitigate these risks.
A security manager’s toughest task is to help build a culture of awareness in regards to the risks threatening the organization. The term risk-aware culture is commonly discussed in organizations working to establish an information security management system. The International Standards for the ISO 31000 framework are very clear on the expectations of an organization’s risk-aware culture, and in order to pass the certification process for ISO 27001, the organization must establish a visible environment and culture that cultivates risk awareness.
What is a risk-aware culture?
Everybody’s doing it these days, that is, Bring Your Own Device to work (BYOD). The vast majority of business professionals working today have some type of smartphone, tablet, or laptop; many of us have and use all three on a daily basis.
Is this a question of if employers want to allow employees to use personal devices for work tasks or if employees are demanding the option based on convenience and personal preference?
Cloud computing and data storage technologies have increased in popularity over the past few years. This is due mainly to small- and medium-sized businesses 'flying into the cloud' to improve business capabilities and back up critical data. The explosion of web-based applications for mobile devices has also driven the dramatic expansion of cloud computing vendors in the market. The belief that 'the cloud' is a safer and more secure business solution, when compared to traditional storage devices such as in-house servers or simple external HDDs, benefits the data solution centers as well. The cloud computing industry is expecting an even larger demand for its services from the data being created by the increasing quality of our video and image capture technologies, as well as the need to share our lives around the world.
We have seen it in the movies, read about it in best-selling novels, and heard about it in the news. The employee steals company data and uses it for unintended purposes, sometimes for good, sometimes for evil. In the movie Office Space, a change in management brings a reduction of labor, which inspires three co-workers to upload a virus into the company’s database. The purpose of the virus is to steal tiny fractions of cents left over from complex interest percentage calculations and send them to an anonymous bank account. In the movie Paycheck, the main character is a reverse engineering specialist who is hired by companies to steal a competitor’s latest tech designs in order to copy them and make a competing product.
Countermeasures and Penetration Testing
In our previous two posts on this topic we discussed the threats of using VoIP. The following post discusses ways you can mitigate these threats.
If VoIP is to successfully replace PSTN, some measures need to be taken in order to approach the reliability that PSTN offers. It’s somewhat unrealistic to demand PSTN’s 99.999% availability for VoIP, since IP-based systems are exposed to a larger threat pool than public switched ones, but there are actions available that can significantly reduce the phishing and spoofing threats involved with VoIP.
Over the last decade VoIP has become increasingly popular, with service providers gaining millions of subscribers each year. However, VoIP is an immature platform, which translates into millions of subscribers being exposed to new phishing and spoofing threats annually.
Are you exposed to these threats?
In this rapidly changing world, well-organized, precisely documented and secure information systems are vital for any successful operation. It is equally important to work within strictly defined frameworks while retaining the flexibility to deliver the level of security required by your organization.
Organizations can improve efficiency and strengthen their reputation by focusing on information security and quality management.
Demand for information security has increased in both the private and the public sector. The Financial Supervisory Authorities in various countries have recommended that the organizations in their sectors ensure information security. The law regarding the protection of privacy (the Data Protection Authority) requires those who hold personal information to secure it appropriately.
Standards for information security management
ISO has in recent years issued several security standards in the ISO/IEC 2700x series. These are all standards for information security management and for specific aspects of it, such as risk assessment. The standards deal with best practice in information security management, and the certification standard ISO/IEC 27001 is the specification for information security management systems.
Recently, I stumbled upon the show Doomsday Preppers. The show highlights three or four groups of people who are preparing for a separate catastrophic event that will change the world as we know it. Though the event they are preparing for differs, the approach to planning their survival is often the same. As I watched, I started thinking "These folks have the concept of risk management and continuity figured out." This article focuses on the concepts of risk management and continuity planning and what doomsday preppers can teach us about these concepts.
Having written about risk for 12 years and having run my own business for a few decades, I've seen the same risk sins committed time and again by business owners. Some I've committed. Others I've watched play out from the sidelines.
If I've learned anything from owning my own business, it's how rampant risks are and how devastating they can be if ignored indefinitely. Many of my colleagues avoid buying even the most basic business insurance policy, but the greater risks lie well beyond what's spelled out in the coverage details.
Here are some of the more common oversights that threaten small businesses:
Often, the clients we assist with establishing an ISMS are surprised to hear that the Audit Trail requirement is something that should be considered prior to the actual audit. The goal of an Audit Trail is to have all of the information regarding your ISMS audit organized and ready to be presented to the auditor. In this post we cover a common mistake in the preparation for an audit and a solution for ensuring all your hard work is organized for an audit.
What is an Audit Trail?
Riphah International University has been awarded a grant valued at $42,000 annually to utilize RM Studio with an objective of expanding the global awareness of Information Security and Risk Management and build the capacity of Riphah to impart quality education of international standards. Through the partnership RM Studio will be integrated in the undergraduate and postgraduate curricula of the university to supplement theoretical learning with hands-on practical skills. (The International News: Riphah signs MoU with Stiki)
Modern computing is increasingly becoming a shared resource. In the past, if an individual required access to an application, he or she would have to have it installed on his or her own computer. Today, with the help of cloud computing, applications can be shared and accessed by various users from all around the world without requiring individual set-up.
Cloud computing is commonly defined as, "the provision of dynamically scalable and often virtualized resources as a service over the Internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure in the "cloud" that supports them. Cloud computing services often provide common business applications online that are accessed from a web browser, while the software and data are stored on the servers."
This post examines cloud computing and the security concerns that arise through its use. We address potential security concerns and provide you with the questions you should be asking cloud service providers.
The Information Security Risk Management Process with RM Studio
The RM Studio: Assessment and Treatment Module guides you through the Risk Assessment, Gap Analysis, and Risk Treatment process for your organization as described in ISO 27001.
Establishing the Risk Management Context
Prior to starting the risk management steps, RM Studio guides you through the Business Entity, Asset, and Threat Identification process. RM Studio comes equipped with a Threat Library of nearly 150 unique Threats specific to information security risk management. Further, RM Studio automatically links Assets, Threats, and ISO 27001 Mitigating Controls through RM Studio's Category feature. This feature removes the guesswork and saves you time in the risk management process.
Physical security has been on our minds recently here at RM Studio. We have found that there is often a disconnect between information security and the role physical security plays. In assisting our clients we have found that there are times when clients want to close physical security gaps at large cost to the organization. This post focuses on finding the gaps in physical security and addressing them at minimal cost while still protecting and securing information.
For whatever reason, there is generally someone who is not happy with their current job, their place of employment, or their job title. When someone is unhappy with their current employment situation, risks are introduced to the organization from this unsatisfied employee. It is important that risk managers and organizational leaders recognize these threats and, as with all threats, implement mitigating controls and objectives to prevent the risk from materializing. This post examines example risks that are raised and suggests ways to prevent the unhappy employee from damaging an organization.
When managing risk, we must consider all risk from all sources. A majority of the time identifying risk is trusted to a few individuals, although determining which risks are the highest priority is done in a collaborative environment, with managers, teams and groups of colleagues discussing the issues at hand. In this setting, it is important that the risk manager (the one whose job depends on the risk management results) recognizes and prevents any instances of groupthink.
Groupthink occurs when groups make decisions and are willing (sometimes without the group realizing it) to take more risk than an individual would on their own. This post provides a general overview of the causes and symptoms of groupthink, as well as measures that can be taken to avoid it.
*Updated January 2014*
Mobile devices such as smartphones and tablets have found their way into everyday tasks for professionals. More and more software is available in mobile application form, and organizations are utilizing the convenience offered by having their staff always connected. Though there are many benefits associated with this connectivity, new threats are introduced into the enterprise environment. The following post highlights threats that exist and steps you can take to secure your mobile devices.
The ISO 27001 information security standard recommends the development of a formal policy that introduces appropriate security measures to protect against threats related to mobile devices. The standard suggests implementing a policy that addresses physical protection, access controls, cryptographic techniques, back-ups, and virus protection.
Organizations manage risk by nature, whether through a formal enterprise risk management (ERM) process or in an informal manner. Every time your organization's board of directors or top management determines a strategy or makes a decision regarding business objectives, it is implementing the principles of ERM. This article examines informal decision-making processes and how they naturally follow the principles of ERM. The article suggests that, in order to protect stakeholders, a formalized ERM process should be put in place.