Our Blog

Common sense - everyone knows what this phrase means. Correct? It is used every day in the English speaking world and everyone from a 5 year old child to an adult has heard the phrase used in a conversation and is expected to understand its meaning. The definition according to the Oxford Dictionaries online is "good sense and sound judgment in practical matters". In our journey to and from the office each work day, we encounter risks which require us to use sound judgment and good sense to determine the best course of action to mitigate these risks.

Everybody‘s doing it these days, that is Bring Your Own Device to work (BYOD). The vast majority of business professionals working today have some type of smart phone, tablet, or laptop; many of us have and use all three on a daily basis.

Is this a question of if employers want to allow employees to use personal devices for work tasks or if employees are demanding the option based on convenience and personal preference?

We have seen it the movies, read about it in best selling novels, and heard about it in the news. The employee steals company data and uses it for unintended purposes, sometimes for good, sometimes for evil. From the movie Office Space, where a change in management brings a reduction of labor, which inspires three co-workers to upload a virus into the companies database. The purpose of the virus is to steal tiny fractions of cents left over from complex interest percentage calculations and send them to an anonymous bank account. To the idea of the movie Paycheck, where the main character is a reverse engineer specialist, who is hired by companies to steal a competitor‘s latest tech designs to copy and make a competing product.

Countermeasures and Penetration Testing

In our previous two posts on this topic we discussed the threats to using VoIP. The following post discusses ways you can mitigating these threats.

If VoIP is to successfully replace PSTN some measures need to be taken in order to approach the reliability that PSTN offers. It’s somewhat unrealistic to demand PSTN’s 99,999% availability for VoIP, since IP based systems are exposed to larger threat pool than public switched ones, but there are actions available that can significantly reduce phishing and spoofing threats involved with VoIP. 

Over the last decade VoIP has become increasingly popular, with service providers gaining millions of subscribers each year. However, VoIP is an inexperienced platform, which translates into millions of subscribers being exposed to new phishing and spoofing threats annually.

Are you exposed to these threats?

Recently, I stumbled upon the show Doomsday Preppers. The show highlights three or four groups of people who are preparing for a separate catastrophic event that will change the world as we know it. Though the event they are preparing for differs, the approach to planning their survival is often the same. As I watched, I started thinking "These folks have the concept of risk management and continuity figured out." This article focuses on the concepts of risk management and continuity planning and what doomsday preppers can teach us about these concepts.

Having written about risk for 12 years and having run my own business for a few decades, I've seen the same risk sins committed time and again by business owners. Some I've committed. Others I've watched play out from the sidelines.

If I've learned anything from owning my own business, it's how rampant risks are and how devastating they can be if ignored indefinitely. Many of my colleagues avoid buying even the most basic business insurance policy, but the greater risks lie well beyond what's spelled out in the coverage details.

Here are some of the more common oversights that threaten small businesses:

Often times, our clients we assist with establishing an ISMS are surprised to hear that the Audit Trail requirement is something that should be considered prior to the actual audit. The goal of an Audit Trail is to have all of the information regarding your ISMS audit organized and ready to be presented to the auditor. In this post we cover a common mistake in the preparation of an audit and a solution on how to ensure all your hard work is organized for an audit.

What is an Audit Trail?

Riphah International University has been awarded a grant valued at $42,000 annually to utilize RM Studio with an objective of expanding the global awareness of Information Security and Risk Management and build the capacity of Riphah to impart quality education of international standards. Through the partnership RM Studio will be integrated in the undergraduate and postgraduate curricula of the university to supplement theoretical learning with hands-on practical skills. (The International News: Riphah signs MoU with Stiki)

Modern computing is increasingly becoming a shared resource. In the past, if an individual required access to an application, he or she would have to personally have it installed on the user's computer. Today, with the help of cloud computing, applications can be shared and accessed by various users from all around the world without requiring individual set-up.

Cloud computing is commonly defined as, "the provision of dynamically scalable and often virtualized resources as a service over the Internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure in the "cloud" that supports them. Cloud computing services often provide common business applications online that are accessed from a web browser, while the software and data are stored on the servers."

This post examines cloud computing and the security concerns that arise through its use. We address potential security concerns and provide you with the questions you should be asking cloud service providers.

Physical security has been on our minds recently here at RM Studio. We have found that there is often disconnect between information security and the role physical security plays. In assisting our clients we have found that there are times when clients want to close physical security gaps by adding large cost to the organization. This post focuses on finding the gaps in physical security and addressing them at minimal cost while still protecting and securing information.

Gap Analysis and Risk Treatment

Introduction

Now that you have completed the risk analysis, the next steps are performing a gap analysis and the risk treatment process. This article provides a simplified framework for completing these steps.

Gap Analysis

A gap analysis is the evaluation process of the status of mitigating controls. The purpose of a gap analysis is to gain an understanding of the management system in question in regards to the risk management process. Further, it provides you with an overview of where the management system will be in the future. That is to say, the gap analysis shows you where you are in relationship to where you would like to be. A gap analysis is often used in the audit process, both internally and externally, as the gap analysis provides a bird's eye view of the control implementation and risk management process status.

Part 2: Risk  Criteria and Risk Assessment

Introduction:

After determining the business entity, identifying assets and threats, the next step in the risk management process is to complete a risk assessment. The following article provides simplified guidelines for the risk assessment process.

Definitions

Risk Criteria: Risk criteria can be defined as the point of reference which the implication of a risk is evaluated.

Risk Assessment: Risk Assessment is the overall process of risk identification, analysis and evaluation.

Risk Criteria

The first step in the risk assessment process is to determine the evaluation criteria for assets and threats. The evaluation criteria can be based on legal and regulatory requirements, the risk management policy set forth by your organization, as well as international standards. Risk criteria should be reviewed continuously to ensure its alignment with the aforementioned factors. As organizational objectives, regulatory requirements, or international standards change, so should risk criteria.

Part 1: Why Risk Management and Where to Start

Introduction: Why Risk Management?

Organizations, whether a SME or multi-national corporation face internal and external factors that make reaching their business objectives uncertain at best. This effect of uncertainty on objectives is widely defined as risk. Organizations face risk in all activities and therefore should establish a systematic approach to properly managing risk effectively. Risk management should be approached in a similar manner as any other business process. Your organization has defined it sales process for success, why not define a risk management process with the same goal in mind? Organizations can only succeed and grow through effective and successful risk taking. This article covers the basics of risk management and how to approach the process in a systematic manner.

As risk manager you have setup a system that protects your data from outside attackers and you have secured your premises with all the latest advancements. However, there is a threat that can break through all the fences, social engineering.

We covered this topic in a previous post regarding physical security. In our example, a gentleman dressed as a technician was able to penetrate a bank and install a device to steal data. How was he able to do this? He utilized social engineering.

Social engineering in the context of security, is “art” of manipulating people into executing actions or disclosing confidential information. Social engineers will use tactics that tap into the human psyche and emotions of the victim. Using tactics as simple as posing as a co-worker who forgot their access badge or sending malicious links via Facebook to gain access to buildings or data.

An organization’s reputation can be viewed as a driving force for success, a driving force which is complex and difficult to define. Without a positive reputation, potential customers and clients are wary to invest in or do business with a company in which they are uncertain in the quality of products and/or services provided by the company. A reputation for sound business and quality services is a necessity for doing business; it is the key that unlocks the door to opportunities for growth. Without this key, businesses become stagnant and never reach the high performing level. While it may be difficult to state precisely what it is, reputation is recognized as one of the cornerstones of a successful business.

“It takes 20 years to build a reputation and 5 minutes to ruin it. If you think about that you will do things differently.” – Warren Buffett

Risk Management and Reputation

Risk management, as it relates to human resources, can be broken down into three phases: prior to employment, during employment, and after employment. In this article we take a look at the relationship of the human resources department's hiring process and the potential risks involved for risk managers. 

On March 20, 2012 Jarno Smeets, a.k.a. The Bird-Man, posted a video of himself flying with a winged contraption. This accomplishment (soon after Smeets admitted this is a hoax and 'online storytelling' ) in and of itself was an amazing feet and a brilliant piece of cinematography, but we are here to talk about risk management.

We often see discussions about and hear of clients segregating risk management and business continuity into two separate silos. When we have worked with organizations who have a risk manager (or similar job title) and a business continuity manager, we are surprised how often the two do not work together.·This is usually a good starting point when assisting clients and users of our solutions as a means of simplifying the risk management and business continuity management process.

Nourishing the interconnectedness of the two managers’ roles allows for the development of effective and efficient risk management and business continuity management programs. We see this as a vital relationship as we come from the school of thought that effective business continuity proficiency is found through adequately managing risks. On the flip side of this statement, we feel that risk cannot be effectively managed without a proper business continuity plan and strategy for recovery in place.

A vital part of business continuity management is the recovery plan. One question we often get when discussing the development of business continuity and recovery plans, is whether to have multiple plans or to try and produce one plan that caters to all situations. To this question, as with almost all questions regarding risk management, it depends on the organization and the internal risk management culture.

The great minds at the Massachusetts Institute of Technology have developed a single plan. The Business Continuity and Recovery Plan presented by MIT focuses on the recovery in the event of a disaster. The plan covers the details and processes for the path to recovery. In the opinion of the security experts at MIT, this single plan is enough.

Testing vulnerabilities in your ISMS is a vital practice to ensure your system is adequate to protect your information. Every week we hear about security breaches worldwide and the increased exposure of the IT vulnerabilities we all face. We now pose the following questions.

• How much of your annual security budget is allocated for vulnerability testing?
• Do you have enough of the budget for properly testing vulnerabilities?

For Google, that amount was $1 million over just a few days in 2012 (for more details on this story click here).

Our team is always on the lookout for new topics and concerns within the realm of information security. One of our team members recently came across an interesting article The Little White Box That Can Hack Your Network on www.wired.com. The article discusses a recent penetration test at multiple branches of a bank using a small computer called a Pwn Plug that simply plugs into a power outlet and the network. Once deployed the Pwn Plug releases its hacking tools. Dressed as a technician, Jayson Street was able to successfully penetrate four banks without a single issue.

This article brings attention to the point of what information security is holistically, and its ever changing nature. To many people, information security brings up images of hackers in a dark room surrounded by monitors and energy drinks, sending spam emails or attempting to hack into government networks. However, information security has a far reaching perimeter in that information security deals with everything from strong passwords, to the physical security of a building.

With the recent increase in attacks against game developers, information security is making its way into the headlines more than ever. A quick Google search on the topic brings up a plethora blogs about these incidents. The blogs which caught our attention were those questioning the compliance of the game developers to international standards that specifically protect consumer information.

Two key standards that find their way into the “blogversation” are the ISO 27001 and PCI-DSS. ISO 27001 is a management standard that focuses on information security. ISO 27001 defines conditions for the formation, implementation, monitoring and appraisal, maintenance and enhancement of a management system for managing an organization’s information security risk (read more about ISO 27001 Certification and RM Studio).  While the Payment Card Industry Data Security Standard (PCI DSS) is an information standard defined by the Payment Card Industry Security Standards Council for organizations that possess and process cardholder information for major credit, prepaid, debit, ATM, POS and e-purse cards. PCI DSS was developed in order to implement controls around cardholder information to reduce fraud as a result of disclosure of the information.

RM Studio is risk management software used by all types of organizations on a global scale. While RM Studio is an ideal solution for users looking to obtain ISO 27001, ISO 14001 and/or ISO 9001 certification, specifically for completing the required risk assessment, gap analysis, developing a risk treatment plan, and completing reports such as the Statement of Applicability, RM Studio’s functionalities go far beyond these standards.

RM Studio is an industry leading solution for risk assessments of all types; thanks to the customizations user can implement and deploy. These customization functions are simple to use and allow for users to address unique needs and ever-changing market demands. Areas you can customize include:

TNT N.V., more commonly known as TNT, is an international delivery services company with headquarters in Hoofddorp, Netherlands. In the Netherlands, TNT operates the national postal service under the name TNT Post. The group also offers postal services in eight other European countries, including the UK, Germany, Italy and Belgium. TNT's mail division recorded sales of about €4.2 billion in 2009.

BÜROTEX Synargos is an IT service provider that offers professional and efficient service in the area of data center hosting, housing, document management solutions and high information security areas. BÜROTEX focuses its activities on reducing costs and increasing the competitiveness of clients through the consistent use of both innovation and modern information technologies.