
How to Create Cybersecurity Risk Management Strategy

Companies, big or small, must realize that the first step is to acknowledge the existing cybersecurity risks that expose the organization to malicious hackers. A single successful attack could seriously damage your business and cause financial burden for you and your customers.

RM Studio v5.6 Release – STPA Update

Over the past 2.5 years a large portion of our resources have been occupied with designing and developing a ground-breaking software for the engineering world. When the project started our vision was to create a solution for performing STPA for the purposes of Engineering a Safer World.

GDPR Non-Compliance Challenges and Solutions

Penalties for non-compliance are business threatening enough for organizations to consider the regulation more than an administrative exercise. But the long term brand and reputation impact may be even more impactful.

The GDPR is a Threat to Your Organization

The EU GDPR, enforceable for 3.5 months, hasn’t made too many headlines regarding the fines levied for non-compliance. Hopefully by now your organization is ready with the basics and has been moving forward with raising the awareness and understanding of behaviors and processes for everyone in the organization.

How to Use NIST Frameworks for GDPR Requirements

The NIST 800-53 can be successfully utilized for an American organization to meet GDPR requirements, because it contains recommendations that meet the requirements of the GDPR Articles.

RM Studio v5.5 Release-GDPR Data Flow Mapping

Most organizations have been slow to identify and map the data flows within the organization, because it is a labor intensive task. Those organizations that have already mapped data flows, but are using spread sheets to manage the task, will definitely appreciate the visual editor. C-level and D-level management,

EU GDPR – Are You Ready?

General Data Protection Regulation (GDPR) rolled out in Europe on 25 May 2018. The enforcement of the regulation is aimed at ensuring that companies within 28 EU economies rigorously follow international best practices of data security management while handling personal data of EU citizens through changes in consumer privacy protection.

Information Security–vs–Cybersecurity

That is the biggest problem with information security and cybersecurity: the best defenses can be overcome by persistence and patience. The people trying to protect and secure enterprises are constantly attempting to stay ahead

Implementing ISMS Controls Is Only First Step

Risk management requires implementing the recommended controls (ISO 27001 Annex A), but that is only the first step.

Access Control: Moving Beyond Compliance

Threats to access control are inevitable, because human control of the technological business environment creates constant threats, deliberate or accidental, to confidential information.

RM Studio v5.4 Release

Hierarchical Business Entities that can have assets assigned individually and shared among the business entities are a key upgrade in RM Studio v5.4. Risks can be treated based on the business entity allowing for different strategies for risk mitigation.

GDPR for Personal Data Protection

The GDPR aims to better protect data subjects against personal information abuse by reducing the collection, storage, and distribution of data.

Best Practice ISO 27001 Required Documentation

ISO/IEC 27001 implementation best practices are provided through strict implementation guidelines that have been accumulated and evolved over more than a decade. The benefits of regularly maintaining them are highly attractive.

Most common IT Risks threatening SMEs

SMEs may appear less susceptible to cyberattacks, but there are many risks, such as virus infections that cripple the network and malware designed to look for vulnerabilities in websites and LANs.

RM Studio v5.3 – GDPR + ISO27001

RM Studio is now ready to support your GDPR compliance obligations through the Integrated Risk Management Framework and the implementation of the ISO 27001

Vendor Risk Assessment for ISO 27001

The IT/IS vendor risk assessment has become a vital element of business today, because of the increasing reliance on 3rd parties for critical system infrastructures.

RM Studio v5.2 Release

In the Risk Assessment, assigning the status of implemented for a control from one standard will also assign the status of implemented for any linked controls of the other standards.

Strategy for ISO 27001 Certification-Phase 4-BCM

Develop and implement a plan to address disruptions in business operations to shorten the period of disruption and limit the impact of disruption.

Strategy for ISO 27001 Certification-Phase 3

The implementation, operation, and monitoring of the policies and procedures used to reduce business risk as defined by the security standard ISO 27001.

Strategy for ISO 27001 Certification-Phase 2

Risk Assessment can be the most complex work required for a full implementation of ISO/IEC 27001, as there are many details to identify, evaluate, mitigate, and protect.

Strategy for ISO 27001 Certification

ISO 27001 addresses the security of all information, whether it is printed, written, stored electronically, spoken, presented in video or audio, or mailed.

2016 Information Security Spending $81.6 Billion

38% of organizations have experienced one or more information security breaches in 2015, while 36% stated either their organization didn’t have a formally documented policy about how company information is stored, managed and shared – or they had no idea if such a policy existed at all.

Lessons on Managing Reputation Risk post Dieselgate

Business organizations must accept that the loss of reputation is independent of acceptance and must realize that good reputation has all the attributes of being “the immediate jewel” and loss of reputation can make it “poor indeed.”

Hacker with a conscience or whistle blower?

Both types of security breaches could have been deterred by the use of a higher quality ISMS, which was presumably expected by the clients of the law firm.

The Pirates are invading the Vikings

By now you have heard of the Panama Papers and Mossack Fonseca. A massive data breach, distributed through the media and exposing the financial dealings through offshore accounts of many world leaders, politicians, celebrities and alleged nefarious individuals, flooded the headlines last week. The first public figure casualty from the largest data breach in history was the Icelandic Prime Minister, Sigmundur Davíð Gunnlaugsson. After the revelations from the more than 11 million documents were distributed

Instituting efficient insider threat prevention in aviation

Risk management disasters continue to capture the limelight, with the latest one involving massive civilian casualties. Growing evidence from US and British intelligence indicates that terrorists successfully planted a bomb in cargo, downing the Russia-bound flight in Egypt’s Sinai peninsula on October 31 and killing all 224 people on board. While it is true that it is no easy task to “hermetically seal” any country’s border against these kinds of attacks, it is equally true

Avoid Being a Target this Holiday Season

The concerns surrounding information security in credit cards are not limited to a particular season, but they acquire added prominence during the holiday shopping season. While retailers look to gain the optimum increase in sales through their online and in-store channels, a gift-giving spree combined with year-end buoyancy drives consumers to buy more. Hackers too wait for this season and look to gather credit card information by breaching any defense. In addition, poor information and data security


Information Security Access Control – Sweat the small things

As businesses endeavor to explore new horizons of possibilities riding the unprecedented growth in information and communication technologies, data security concerns are at the forefront of conversations, and thankfully, involving even the board of directors. However, the recent history of information security is replete with organizations’ unsuccessful efforts to protect valuable data. Institutions across every industry are exhibiting fragile/futile risk management approaches.

Security spending increasing to $75.4bn for 2015

A reported boost in the global information security spending during the ongoing year should have been something to cheer about, if you are related to the risk management discipline. However, with the incremental association of inevitability with cyber attacks, any such good update is failing to provide a prolonged duration of happiness, forget about a sense of security that consumer data is going to be protected well from here on.

Lean Thinking for ISMS and ISO 27001:13

We have now crossed the threshold of one year since the release of the 2013 revision of ISO/IEC 27001, the internationally recognized standard for information security management systems (ISMS) in enterprises of all industries and sizes. Since this was a revision of the previously released ISO/IEC 27001:2005 Standard, enterprises had a grace period for re-certification or certification to the newly released standard. As of October 2015 the 2005 version is no longer valid.

Preventing information security breaches in healthcare

The research estimates data breach losses at a whopping $6 billion and calculates healthcare firms’ average data breach cost at more than $2.1 million, while the average cost of a data breach to BAs is estimated at more than $1 million

Risk events are constantly increasing

While malicious software and rogue cloud services continue to impede growth by obstructing business as usual, enterprises continue to overlook insider threat at their own peril.

RM Studio v4.8 release

Today we officially released the newest version of Risk Management Studio, v4.8. The new release includes several new upgrades to the standards available for deployment and small […]

Product demo of a network forensic tool discovers OPM cyber breach

The absence of a very basic security practice exposed security flaws that “could potentially have national security implications,” and will raise questions about the diligent implementation of a multi-billion dollar security program.

Information Security Risk Management in Retail Industry

Information and data security in the retail industry must be tackled with a diverse and strategic risk management approach. Analyzing data security from this perspective will enable better decisions.

Proactive IT Risk Management in Banking Sector

Supervisors and regulators have continued to propose measures for improving global banking practices, including governance and guidance for IT risk management as business functions performed by banks are underpinned by IT risks.

GDPR and the Role of Risk Management: Some Perspectives

Risk Management has long been the most important tool to achieve regulatory compliance with the law of the land in matters related to information security. With […]

EU General Data Protection Regulation is Imminent

The planned regulation, aimed at uniting and simplifying data security encompassing 28 EU economies, will compel companies to strengthen storage and management of sensitive personal information.

Cyber Warfare Risk Management: Finding Ways for Future Data Defense

The decision marks an expansion of the organization’s remit, reflecting new threats that can disable critical infrastructure, financial systems, and government without firing a shot.

Cyber Warfare and the Importance of Risk Management


The advancement of technological innovation has armed attackers to expose cyber vulnerabilities inherent in networks and systems that handle sensitive information. Once believed to be exclusively designed and executed for military purposes, the realm of cyber warfare is fast expanding to include civilian industries. Menacingly, advanced information technology expertise and superior executional skills of cyber reconnaissance rogues are far outpacing policy developments and forging of combined international strategies, if any.

Mature IT Risk Management Drives Business Performance

Organizations aspire to create a culture of performance based on accountability, intelligence and informed decision-making. By combining structured and unstructured data, gleaned from efficient use of information technology, businesses are trying to ensure the delivery of strategic priorities and goals.

Integrating Technology Risk Management into Business Planning

Thanks to the rising competition and constantly changing economic scenario, business planning is no longer a one-time exercise. Regular reviews and revisions of the goals as well as the means to achieve the objectives are becoming increasingly important in business planning.

RM Studio v4.7.2 Release

Risk Management Studio v4.7.2 release includes several new upgrades and minor modifications.

Anthem Breach – Sophisticated Heist vs. Sloppy Security

A massive data security breach takes place. Investigators point fingers at state-sponsored perpetrators from either China or North Korea. Flurry of accusations and the resultant denials ensue. Before the aura surrounding a breach fades, another is reported, often eclipsing the one before. Enterprises pay fines after completion of investigation.

Overcoming Barriers to Efficient Risk Assessment

While the opportunities hidden underneath risk assessment methodologies do not directly add digits to the balance sheet, they ultimately contribute by making the company resilient to avert impending threats.

Overcoming Information Security Challenges in Small & Medium Enterprises

SMEs on aggregate account for about 99 percent of the total number of enterprises in the EU with an estimated share of 58 percent and 66 percent in the EU nonfinancial business sector’s value added and employment, respectively.

Data protection in the cloud: Solutions

While businesses are keen on using the cloud due to the agility and cost efficiency the infrastructure offers, it is important they understand the security threats and the regulatory landscape involving the cloud.

Data Security in the Cloud: Challenges

It is equally clear that most of the world's data passes through the US due more to the lack of alternatives than the reflection of a booming belief in the US information technology infrastructure.

Information Security Challenges in SMEs

A belief permeates that individual information security system failures of SMEs are too insignificant to be cared about

Information Security in Credit Cards

Secure storage and transmission of credit card details is complex in nature, and businesses are deploying evolved solutions

Ebola Risk Management: Countermeasures

Central to the countermeasures of Ebola risk management must be the belief that the outbreak is preventable with rigorous controls

Challenges in Ebola Risk Management: Some Perspectives

The Ebola threat has survived on the inequalities of the global healthcare, to the extent of an inevitability that the hotbed could not be other than Liberia, Sierra Leone and Guinea. These countries truly represent what could go wrong in healthcare – 1 doctor attends to about 76,000

Volcanic Risk Mitigation Strategies

Threats and risks posed by volcanic eruptions are unique, primarily due to the dynamics of the problem and the types and levels of consequences. Therefore, the solutions need to be unique.

Volcanic Eruption Risk Management Challenges

Ensuring the availability of all these require substantive financial investment, which isn't always possible for smaller businesses and those capable of investing in the cause often find reasons not to.

Important Steps to an Effective PCI DSS Assessment

Despite PCI DSS providing guidance to become secure by raising awareness about payment card security breaches, organizations fail to meet PCI's mandates, exposing themselves to cybercriminal attacks.

RM Studio v4.7 with PCI DSS 3.0 released

Risk Management Studio version 4.7, which includes the PCI DSS 3.0 integration and control mapping, has been released on our new website. The updates include several […]

Common Challenges to Effective Risk Assessment

Creating a comfortable risk culture, where stakeholders and employees participate in open-hearted discussion to find and reveal true risks, goes a long way in securing an organization against ever-evolving threats.

Using Risk Management to Answer Online Privacy Concerns

While 38% do not trust the way Google and Bing use their data, 53% show distrust for Facebook and Twitter, and market research companies are not believed by 41% of respondents.

Building an Invisible Framework for Operational Risk Management

A successful operational risk framework is not a formula to be applied, but a thoroughly prepared and diligently executed process to support the enterprise level risk management strategy.

Benefits of Using Big Data Strategy in Risk Management

Although it is easy to attribute this to the big data challenges, in reality this is a reflection of organizations’ inability to effectively leverage big data to their advantage.

Putting Risk Management into Practice: Challenges and Opportunities

They endeavor not to remove risk, but manage exposure to threats in such a way that the business faces just the appropriate amount of threats that allow them to seize the opportunities presented through proper risk management.

Bridging the Gap Between Commitment and Execution in Risk Management

In far too many instances of risk management, good intentions have been viewed as the destination in the journey of managing and mitigating risks. Good intentions have seldom translated into commitment, fulfilled by execution to reap the benefits of risk management. Analysis of organizations’ risk management commitment, or rather the lack of it, signals a two-pronged approach: First, commitment to risk management is not considered a core enterprise function; second, in cases where organizations devise a risk management framework, they do it without board level commitment and direct involvement.

Infrastructure Security vs. Evolving Threats

Infrastructure security risks vary based on industry and the mitigation strategies need to be distinctive and adaptable to unique evolving threats.

Sustaining Business Performance in a Risk-Intensive World

Ensuring the achievement of business performance goals drives corporations to succeed. However, the road to success is fraught with challenges that could stall growth while at the same time draining the fulfillment already achieved. The challenges and threats organizations regularly face are becoming more varied in nature, as risks are evolving. The enhancement of technologies is compounding today’s risks by multiple factors acting together. Therefore, it’s not surprising the sustainability of business performance is affected, when one or more factors that influence operational and financial risks are exposed. Broadly, risks can come from volatile economic and political realities, trade conflicts, natural calamities, product recalls, data breach, insider threat, business interruption, and changing regulatory environments. All of these dynamic factors have magnified the demand for transparency in the risk management process and amplified the effects of the results.

Why Risk Assessment is the Mainstay of an Effective ERM Program

All too often organizations have considered risk assessment as a necessary evil for complying with authorities, rather than as a strategy that will contribute to the financial success. Unprecedented levels of business complexity, due to the constantly changing global socioeconomic landscape and regulatory requirements, are forcing firms to manage enterprise risk in a consistent and efficient manner. An effective Enterprise Risk Management (ERM) program significantly improves efficiency, resiliency, opportunities, business performance and stakeholder value.

A View from the Trenches, the General State of IT Security

Consultants who work with IT security audits are often a valuable resource regarding the general state of IT security. They work for a number of clients in various industries over a number of years and therefore get a perception of the general state of things such as IT security awareness. I’m one of those consultants and I believe I have some observations on this issue. While speaking of none of my clients in particular, the need for IT security is mostly driven by external factors and specific incidents rather than management’s desire to leverage IT security for business objectives. For instance, new legislation and directives from the EU and the US have pushed the adoption of Information Security Standards such as ISO/IEC 27001 and PCI DSS. These increased expectations are forcing organizations to spend money and resources to implement the applicable standards, because of the new laws and directives. Given the choice, more often than not, organizations would choose to spend the investment elsewhere expecting a better return.

Risk Management and Human Resources: During Employment

How much of an impact does human resources have on the risk management strategy in your organization?

Risk management in regards to human resources does not stop once background checks, references and education confirmation are completed. The human resource department and the risk management department must continue to collaborate to ensure employee-related risks are continuously identified and strategies established for mitigation of identified risks.

PCI DSS Mitigating Controls for Risk Management

The nearly 300 controls, comprising the Testing Procedures and Implementation Guidelines necessary to complete the requirements, are a daunting task for even the most efficient and effective risk managers to maintain and organize.

Easy Transition to ISO 27001:2013

The latest revision of the Information Security Standard, ISO/IEC 27001:2013, has been available for over 6 months now. This revision of the 2005 version requires a certification to the new standard, rather than a re-certification. Although the transition period is two years, many organizations have begun the process of transitioning to the new standard and implementing the revised Security Controls of Annex A (ISO/IEC 27002:2013). The transition appears easy on the surface, but overlooking the importance of doing it right the first time could potentially set your organization back and prevent the certification from the auditor.

IT Audits and Risk Management

This article is a look into IT audits as they pertain to information security risk management. One of our consultants has been doing a lot of IT audits as a beginning phase of the risk management process for our clients. He is a certified (CIA, CFSA, CISA) and highly experienced auditor and his perspectives provide insight into the requirements for successful preparation and execution of IT audits and risk management.


Press Release: RM Studio v4.6.1 updated to include ISO 27001:2013

The newest revision of the information security standard ISO/IEC 27001:2013 and the accompanying ISO/IEC 27002:2013 (Code of practice for information security management controls) was released on the 3rd of October, 2013. Organizations operating under the previous version, 27001:2005, must renew the certification by October 1st, 2015. If the renewal is due in October of 2014 or after, then you are obligated to use the revised standard for recertification.


Integrating the PCI DSS and ISO 27001 Standards for Higher Level Information Security

Recently we have noticed that a large number of our customers have been using our risk management software for both the ISO 27001 and PCI DSS standards. This trend started to pick up last summer and has dramatically increased at the beginning of this year, which makes sense, as both standards received a recent refresh. The ISO 27001:2013 revision of the 2005 version was released in October last year, and PCI DSS 3.0 was released in November but went into effect on January 1st, 2014.

Why do organizations want to comply with both standards?

Updating 27001:2005 to the 27001:2013 revision

By now nearly everyone in the industry knows about the ISO/IEC 27001:2013 Standard and the supporting Code of Practice document ISO/IEC 27002:2013. Both were developed through consensus of the international community with a membership of over 47 national standards bodies. ISO/IEC 27001 is one of the fastest growing management system standards used around the globe.

According to the International Organization for Standardization's ISO Survey 2012, at the end of 2012 the ISO/IEC 27001:2005 accredited certificates issued worldwide nearly reached 20,000 in total in 100 countries. Since 2006 the number of certificates issued has increased by double digits each year, with the 2009 jump of 40% over 2008 being the largest year-over-year increase.


A Reputation Management Discussion

This past holiday season proved to be very costly for several major retailers in the United States. The massive US retailer Target, it turns out, was not the only victim of the cybercrime warfare during the busy holiday shopping season. A recent article from Reuters stated that up to 6 attacks on US merchants have been ongoing for months.


Is your organization using a cloud computing service for risk management?

The term “the Cloud” is now used on a daily basis (many say the term is overused today) and everyone knows this is the next big thing in IT. What is cloud computing? The technical term cloud computing can take many forms and refer to many similar, yet different, aspects of computing data outside the confines of the office.

Here are a few examples of cloud computing:

SaaS – Software as a Service: a single application accessed through a web browser by thousands of customers using a multitenant architecture.


Finite Funds: How to Get the Budget You Need to Maintain Your ISMS

The competition for internal financing in all organizations is as fierce as ever. Departments go head-to-head to get the biggest chunk of the annual budget and there always seems to be a dominant winner for those finite funds, the marketing department. Why shouldn’t they win year after year? It is their job to persuade people to spend their money on your company’s products and services. However, the other departments, namely the information security department, may see this as unfair and even a waste of internal resources. This article examines ways CISOs, CSOs, or any other information security officers can compete with the marketing department and provides insight on how to present your case to upper management to secure the funds you need to manage an effective and efficient ISMS.


Risk Management Software vs. Spreadsheets

We admit, here at RM Studio, when we started our risk management process towards ISO 27001 certification in 2002, we used a very popular spreadsheet application. Through trial and many errors, we quickly realized that establishing formulas, double-checking cell links and proper formatting, and confidently believing human error was not applicable in our audit preparation was a risk in and of itself. The frustrating results became our inspiration to develop an efficient and simpler means of managing information security risk. Risk Management Studio (originally OutGuard) was created to offer a holistic solution to the risk management process and streamline our efforts, ensuring sustainable success in risk mitigation and asset protection.


Security Awareness Video Training

Common sense - everyone knows what this phrase means. Correct? It is used every day in the English speaking world and everyone from a 5 year old child to an adult has heard the phrase used in a conversation and is expected to understand its meaning. The definition according to the Oxford Dictionaries online is "good sense and sound judgment in practical matters". In our journey to and from the office each work day, we encounter risks which require us to use sound judgment and good sense to determine the best course of action to mitigate these risks.

Cultivating a Risk Aware Culture

A security manager’s toughest task is to help build a culture of awareness in regards to the risks threatening the organization. The term risk-aware culture is commonly discussed in organizations working to establish an information security management system. The International Standards for the ISO 31000 framework are very clear on the expectations of an organization’s risk-aware culture, and in order to pass the certification process for ISO 27001, the organization must establish a visible environment and culture that cultivates risk awareness.

What is a risk-aware culture?


BYOD – Advantage of Smart Organizations

Everybody’s doing it these days, that is, Bring Your Own Device to work (BYOD). The vast majority of business professionals working today have some type of smart phone, tablet, or laptop; many of us have and use all three on a daily basis.

Is this a question of if employers want to allow employees to use personal devices for work tasks or if employees are demanding the option based on convenience and personal preference?

RM Studio Version 4.5 Released

We have released RM Studio version 4.5 today that includes several great additions and a few necessary subtractions. Our latest updates include: A brand new Control Maturity […]

Cyber Security Risk Management

Everyone in the organization is responsible for intelligent decision-making regarding information security, which requires a high-quality security culture to be established and everyone contributing regularly.

Cloud Computing: Thunderstorms and Rainbows

Cloud computing and data storage technologies have increased in popularity over the past few years. This is due mainly to small- and medium-sized businesses 'flying into the cloud' solutions to improve business capabilities and backup critical data. The explosion of the web-based applications for mobile devices has also impacted the dramatic expansion of cloud computing vendors in the market. The belief that 'the cloud' is a safer and a more secure business solution, when compared to traditional storage devices, such as in-house servers or simple external HDDs, benefits the data solution centers as well. The cloud computing industry is expecting an even larger demand for its services from the data being created by the increasing quality of our video and image capture technologies, as well as the need to share our lives around the world.

Preventing Intellectual Property Theft Through Risk Management

We have seen it in the movies, read about it in best-selling novels, and heard about it in the news. The employee steals company data and uses it for unintended purposes, sometimes for good, sometimes for evil. From the movie Office Space, where a change in management brings a reduction of labor, which inspires three co-workers to upload a virus into the company’s database. The purpose of the virus is to steal tiny fractions of cents left over from complex interest percentage calculations and send them to an anonymous bank account. To the idea of the movie Paycheck, where the main character is a reverse engineering specialist, who is hired by companies to steal a competitor’s latest tech designs to copy and make a competing product.

VoIP: A New Era in Threats, Part 3

Countermeasures and Penetration Testing

In our previous two posts on this topic we discussed the threats that come with using VoIP. The following post discusses ways you can mitigate these threats.

If VoIP is to successfully replace PSTN, some measures need to be taken in order to approach the reliability that PSTN offers. It's somewhat unrealistic to demand PSTN's 99,999% availability for VoIP, since IP-based systems are exposed to a larger threat pool than public switched ones, but there are actions available that can significantly reduce the phishing and spoofing threats involved with VoIP.

VoIP: A New Era in Threats, Part 1

Over the last decade VoIP has become increasingly popular, with service providers gaining millions of subscribers each year. However, VoIP is still an immature platform, which translates into millions of subscribers being exposed to new phishing and spoofing threats annually.

Are you exposed to these threats?


The broad spectrum of information security

In this rapidly changing world, well-organized, precisely documented and secure information systems are vital for any successful operation. It is equally important to work within strictly defined frameworks while retaining the flexibility to deliver the level of security required by your organization.

Organizations can improve efficiency and strengthen their reputation by focusing on information security and quality management.

Information security – management standards in a professional business environment

Demand for information security has increased in both the private and the public sector. The Financial Supervisory Authorities in various countries have recommended that the organizations they oversee ensure information security in their sectors. The law regarding the protection of privacy (enforced by the Data Protection Authority) requires those who hold personal information to ensure its security appropriately.

Standards for information security management

ISO has in recent years issued several security standards in the ISO/IEC 2700x series. These are all information security management standards, and some address specific aspects such as risk assessment. The standards describe best practice for information security management, and the certification standard ISO/IEC 27001 is the specification for information security management systems.


Doomsday Preppers, Risk Management and Business Continuity?

Recently, I stumbled upon the show Doomsday Preppers. The show highlights three or four groups of people who are preparing for a separate catastrophic event that will change the world as we know it. Though the event they are preparing for differs, the approach to planning their survival is often the same. As I watched, I started thinking "These folks have the concept of risk management and continuity figured out." This article focuses on the concepts of risk management and continuity planning and what doomsday preppers can teach us about these concepts.

Risk Lessons from an Entrepreneur

Having written about risk for 12 years and having run my own business for a few decades, I've seen the same risk sins committed time and again by business owners. Some I've committed. Others I've watched play out from the sidelines.

If I've learned anything from owning my own business, it's how rampant risks are and how devastating they can be if ignored indefinitely. Many of my colleagues avoid buying even the most basic business insurance policy, but the greater risks lie well beyond what's spelled out in the coverage details.

Here are some of the more common oversights that threaten small businesses:


Audit Trail: A Common Mistake

Oftentimes, the clients we assist with establishing an ISMS are surprised to hear that the Audit Trail requirement is something that should be considered well before the actual audit. The goal of an Audit Trail is to have all of the information regarding your ISMS audit organized and ready to be presented to the auditor. In this post we cover a common mistake in the preparation for an audit and a solution for ensuring all your hard work is organized for the audit.

What is an Audit Trail?

Riphah International University receives grant from RM Studio

Riphah International University has been awarded a grant valued at $42,000 annually to utilize RM Studio with an objective of expanding the global awareness of Information Security and Risk Management and build the capacity of Riphah to impart quality education of international standards. Through the partnership RM Studio will be integrated in the undergraduate and postgraduate curricula of the university to supplement theoretical learning with hands-on practical skills. (The International News: Riphah signs MoU with Stiki)

Cloud Computing and Security Concerns

Modern computing is increasingly becoming a shared resource. In the past, if individuals required access to an application, they had to have it installed on their own computer. Today, with the help of cloud computing, applications can be shared and accessed by various users from all around the world without requiring individual set-up.

Cloud computing is commonly defined as, "the provision of dynamically scalable and often virtualized resources as a service over the Internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure in the "cloud" that supports them. Cloud computing services often provide common business applications online that are accessed from a web browser, while the software and data are stored on the servers."

This post examines cloud computing and the security concerns that arise through its use. We address potential security concerns and provide you with the questions you should be asking cloud service providers.

Information Security Risk Management

The Information Security Risk Management Process with RM Studio

The RM Studio: Assessment and Treatment Module guides you through the Risk Assessment, Gap Analysis, and Risk Treatment process for your organization as described in ISO 27001.

Establishing the Risk Management Context

Prior to starting the risk management steps, RM Studio guides you through the Business Entity, Asset, and Threat Identification process. RM Studio comes equipped with a Threat Library of nearly 150 unique Threats specific to information security risk management. Further, RM Studio automatically links Assets, Threats, and ISO 27001 Mitigating Controls through RM Studio's Category feature. This feature removes the guesswork and saves you time in the risk management process.

Physical Security: Closing the gap at minimal cost

Physical security has been on our minds recently here at RM Studio. We have found that there is often a disconnect between information security and the role physical security plays. In assisting our clients we have found that there are times when clients want to close physical security gaps by adding large costs to the organization. This post focuses on finding the gaps in physical security and addressing them at minimal cost while still protecting and securing information.

The Risk of the Unhappy Employee

For whatever reason, there is generally someone who is not happy with their current job, their place of employment, or their job title. When an employee is unhappy with their current employment situation, risks are introduced to the organization from this unsatisfied employee. It is important that risk managers and organizational leaders recognize these threats and, as with all threats, implement mitigating controls and objectives to prevent the risk from materializing. This post examines example risks that are raised and suggests ways to prevent the unhappy employee from damaging an organization.

Risk Management and Groupthink

When managing risk, we must consider all risk from all sources. A majority of the time identifying risk is trusted to a few individuals, although determining which risks are the highest priority is done in a collaborative environment, with managers, teams and groups of colleagues discussing the issues at hand. In this setting, it is important that the risk manager (the one whose job depends on the risk management results) recognizes and prevents any instances of groupthink.

Groupthink occurs when groups make decisions and are willing, whether knowingly or not, to take more risk than an individual would take alone. This post provides a general overview of the causes and symptoms of groupthink, as well as measures that can be taken to avoid it.

*Updated January 2014*

Mobile Devices and Information Security Risk Management

Mobile devices such as smartphones and tablets have found their way into everyday tasks for professionals. More and more software is available in mobile application form, and organizations are utilizing the convenience offered by having their staff always connected. Though there are many benefits associated with such connectivity, new threats are introduced into the enterprise environment. The following post highlights threats that exist and steps you can take to secure your mobile devices.

The ISO 27001 information security standard recommends the development of a formal policy that introduces appropriate security measures to protect against threats related to mobile devices. The Standard suggests implementing a policy that addresses physical protection, access controls, cryptographic techniques, back-ups, and virus protection.

The Seven Habits of Highly Effective Risk Managers

It is a given that a risk manager must be analytical, precise, cautious and results driven. Risk managers are often seen as the gatekeepers to decisions and often associated with the word "No." We challenge this perception and suggest

Enterprise Risk Management: It is present in your organization, why not formalize it?

Organizations manage risk by nature, whether through a formal enterprise risk management (ERM) process or in an informal manner. Every time your organization's board of directors or top management determines a strategy or makes a decision regarding business objectives, it is implementing the principles of ERM. This article examines informal decision making processes and how they naturally follow the principles of ERM. The article suggests that, in order to protect stakeholders, a formalized ERM process should be put in place.
