After completing the previous phases towards ISO 27001 Certification, the final step in the process is the implementation of a Business Continuity Management plan. Business Continuity Management (BCM) is a holistic management process of identifying potential threats to a business entity (based on the Risk Assessment), the impact to operations those threats pose and the necessary steps needed to recover business operations after a disruption. The BCM provides a framework for building organizational resilience
The ISO/IEC 27001:2013 Standard introduces a process approach for integrating structures that strengthen an organization’s ISMS reducing the risks to the information assets. This approach covers the adoption and implementation of systems of processes within your organization, with identification and interactions of the processes, and their management.
The third phase of our Strategy for ISO 27001 Certification is the implementation,
Organizational information, whether customer data, credit card information, intellectual property, or other forms is considered a vital asset for organizations. The confidentiality, integrity, and availability of information allows for organizations to sustain a competitive advantage, cost-effectiveness, a steady cash flow, profitability, legal compliance and a positive reputation.
Your organization has decided or more than likely has become obligated to certify your ISMS to the ISO/IEC 27001:2013 Standard in order to comply or satisfy a regulation in your industry. Without the certification your organization will start to lose business opportunities.
First you need to understand what is the ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems and then, what you need to accomplish
The preparation to combat the sinister characters threatening our information security increases more than expected each year. On the other hand, the expectation and wish seems to be – what lack of a robust resolution and visible absence of diligent efforts to implement preventive measures haven't been able to achieve – would be duly covered up by incremental budget boosting. While information security for states has ‘gone fishin,’ software companies providing accounting,
“Reputation is an idle and most false imposition, oft got without merit and lost without deserving. You have lost no reputation at all unless you repute yourself such a loser,” Iago endeavors to make Cassio forget his sense of shame in Othello. Shakespeare’s antagonist, driven by his infamous “motiveless malignity,” knew it is not true as the manipulator himself used his reputation as “honest Iago” to bring about the downfall of Othello himself. Business organizations must accept
Mossack Fonseca (MossFon) and the Panama Papers information security leak is the largest amount of data stolen from a single company in history. The story has made the German newspaper Süddeutsche Zeitung (SZ) a celebrity of investigative journalism, but don‘t mistake the extraordinary amount of work SZ and the International Consortium of Investigative Journalists put in to properly disclose the revealing information.
By now you have heard of the Panama Papers and the Mossack Fonseca. A massive data breach that was distributed through the media exposing the financial dealings through offshore accounts of many world leaders, politicians, celebrities and alleged nefarious individuals flooded the headlines last week. The first public figure casualty from the largest data breach in history was the Icelandic Prime Minister, Sigmundur Davíð Gunnlaugsson. After the revelations of the more than 11 million documents were distributed
Risk management disasters continue to capture the limelight with the latest one involving massive civilian causality. Growing evidence from the US and British intelligence indicate that terrorists successfully planted a bomb in cargo downing the Russia-bound flight in Egypt’s Sinai peninsula on October 31, killing all 224 people on board. While it is true that it is no easy task to “hermetically seal” any country border against these kinds of attacks, but it is equally true
The concerns surrounding information security in credit cards are not limited to a particular season, but they acquire added prominence during the holiday shopping season. While retailers look to gain optimum increase in sales through their online and in-store channels, gift giving spree combined with year-end buoyancy drive consumers to buy more. Hackers too wait for this season and look to gather credit card information by breaching any defense. In addition, poor information and data security
As businesses endeavor to explore new horizons of possibilities riding the unprecedented growth in information and communication technologies, data security concerns are at the forefront of conversations, and thankfully, involving even the board of directors. However, the recent history of information security is replete with organizations’ unsuccessful efforts to protect valuable data. Institutions across every industry are exhibiting fragile/futile risk management approaches.
A reported boost in the global information security spending during the ongoing year should have been something to cheer about, if you are related to the risk management discipline. However, with the incremental association of inevitability with cyber attacks, any such good update is failing to provide a prolonged duration of happiness, forget about a sense of security that consumer data is going to be protected well from here on.
We have now crossed the threshold of one year since the release of the 2013 revision for ISO/IEC 27001, the internationally recognized standard for information security management systems (ISMS) in enterprises of all industries and sizes. Since this was a revision to the previously released ISO/IEC 27001:2005 Standard, enterprises had a grace period for the re-certification or certification to the newly released standard. As of October, 2015 the 2005 version is no longer valid.
Unfortunately, a data security incident is no longer an eyesore or ear-sore. The number of attacks are increasing and scaling to higher points of sophistication. “It’s a 24-7 onslaught. It’s a barrage of attacks and attempts to penetrate the defenses,” as was stated by Websense director of security research, Jeff Debrosse. The onslaught indeed continues. But sadly, businesses are caught under-prepared or defenseless; but are settling with credit card issuers by paying millions of dollars. While the growing sophistication is a moving menace, companies are also found devoid of understanding of their own vulnerabilities and what to do about them.
Security intrusion stories unfolding in the cyber space authenticate that companies are not the only targets. Government department systems, viewed to be the most trusted custodian of personal information, are the obvious next frontiers for hackers. In the latest and the largest breach of personal information in US history, hackers breached the computer system of the Office of Personnel Management (OPM), potentially exposing the entire Federal workforce.
As the pace of change from ‘Brick and Mortar’ to ‘Online Shopping’ is gathering momentum in the retail industry, unprecedented scale and speed of disruptions are also accelerating, making the retail landscape more vulnerable than ever before. While increased consumer spending is pushing the industry towards an estimated $20,002 billion in 2017, retailers are facing renewed challenges to re-engage savvy consumers who seek confirmed protection and enhanced buying experience at the same time. The onus is on the industry itself to implement information and data security infrastructures to protect their businesses and regain customer trust.
Banks function in a dynamic operating environment marked by rising customer expectations, constantly changing economic landscape, widening scope and intensity of industry regulation, and leveraging technological innovation, while staying vigilant against evolving IT risks. Further, the success of the banking sector is contingent upon maximizing the shareholders’ wealth while controlling the financial health of the world economy with fairer practices amidst increasing transparency.
Therefore, supervisors and regulators have continued to propose measures for improving global banking practices, including governance and guidance for IT risk management as business functions performed by banks are underpinned by IT risks.
First thing first, the answer should not be anything less than a resounding “YES”. You don’t need more reasoning: There is more than 50% chance that the IT department of your organization is miserably unprepared for the proposed EU General Data Protection Regulation (GDPR). Frankly, with no noteworthy changes in data loss prevention regulation, enterprises in the European Union have been on a honeymoon since 1995. Like all good things, this phase will come to an end, and soon! There is no wishing away the imminent reality.
With transformation of the digital landscape into a highly complex phenomenon, cyber attacks from state and non-state actors have continued to increase. While the use of new types of devices, networks and infrastructure has enabled countries and businesses to move forward with success, the involvement of the same has also exposed vulnerabilities in security systems, policies and practices. Foreign nations and organized crime groups use this form of asymmetrical warfare to target strategic or tactical resources involving government and corporate networks.
The advancement of technological innovation has armed attackers to expose cyber vulnerabilities inherent in networks and systems that handle sensitive information. Once believed to be exclusively designed and executed for military purposes, the realm of cyber warfare is fast expanding to include civilian industries. Menacingly, advanced information technology expertise and superior executional skills of cyber reconnaissance rogues are far outpacing policy developments and forging of combined international strategies, if any.
As organizations embrace technology, competitive pressures, and globalization to drive business growth, they are redefining success to include the responsibility of restoring economic stability. While some enterprises are moving forward by creating strategic value, a large proportion has failed to effectively measure and manage business performance. Organizations aspire to create a culture of performance based on accountability, intelligence and informed decision-making. By combining structured and unstructured data, gleaned from efficient use of information technology, businesses are trying to ensure the delivery of strategic priorities and goals.
Thanks to the rising competition and constantly changing economic scenario, business planning is no longer a one-time exercise. Regular reviews and revisions of the goals as well as the means to achieve the objectives are becoming increasingly important in business planning. For startup businesses, planning involves a bouquet of careful approach to walk through the uncertainties. Business planning for existing enterprises entails disciplined strategies that support sustainability efforts to steer ahead with goals. While business planning for both the types involves multitude of unique activities, integrating technology risk management into the overall framework is of paramount importance for both business types.
Risk Management Studio v4.7.2 release includes several new upgrades and minor modifications. Here is the release summary:
A massive data security breach takes place. Investigators point fingers at state-sponsored perpetrators from either China or North Korea. Flurry of accusations and the resultant denials ensue. Before the aura surrounding a breach fades, another is reported, often eclipsing the one before. Enterprises pay fines after completion of investigation. Things move on.
Efficient risk assessment has always represented a type of challenge that businesses are seldom comfortable admitting it. Surprisingly, the denials permeate corporate boardrooms and management meetings in mid-tier organizations, while young businesses are too often happy to deem themselves out of any such purview. These could just be considered as individual examples of a much larger issue. And consequences have manifested in more ways than enterprises would have ever anticipated.
Information security challenges combined with rapidly rising related regulatory concerns have made large corporations constantly realign their business strategies, backed by substantive resources with management guidelines often tweaked to suit their needs. The result? Well, not too convincing. Small and medium enterprises (SMEs) on the other hand, despite being at distinct disadvantage of scant resources and lack of well-defined guidelines, are expected to overcome information security challenges with the same efficiency and at no lesser scale as penalties – financial or reputational.
The emergence of the cloud has revolutionized the IT industry and has allowed businesses to reap sizeable benefits. Enterprises are switching faster than ever from owning hardware to applications and services delivered through the Internet, to the extent of reducing earnings projections for traditional technology heavyweights like SAP and IBM. These have been called “the latest ripple effects of a major disruptive shift from onsite hardware-based implementations to cloud-based solutions, amid improving technology and bigger bandwidth to support it.” Frankly, it is a fascinating evolution in cloud technology that is flipping the paradigm around.
With the advancement of information and communications technology, cloud computing has evolved as one of the most significant trends. Offering ‘borderless’ access to customer data or computer capacity for data processing, the cloud has created opportunities for enterprises to achieve improved IT flexibility, cost efficiency, and value from their data. While businesses have achieved economies of scale and reduced capital costs by leveraging the cloud, the end user has unrestrained access to limitless information, documents, spreadsheets, presentations and photographs.
As opposed to popular belief, the intricacies of information security involved in running small and medium-sized enterprises (SMEs) are often tricky. For one, formulation of information security management practices, which are primarily developed for bigger enterprises, has not traditionally included SMEs. Further, the unique nature of the ways in which these businesses operate warrant customized approaches.
As cybercriminals search for another ‘bebe’ this holiday shopping season, it is likely that your credit card information system will become an easy ‘target’. Persistence and sophistication of hackers seem to be winning against the intentions and strategies of businesses to prevent credit card information security. The fraudsters’ success list is becoming embarrassingly long with the latest being BeBe Stores Inc., a chain of 200 women’s fashion apparel stores in the US, after million dollar credit card data thefts involving Target, Neiman Marcus, Home Depot, Staples, UPS, Michaels, P.F. Chang’s, LaCie and many more.
The risk of Ebola was brewing silently and found perfect communities in remote villages of Guinea, before spreading to Liberia and Sierra Leone – countries that truly portray dysfunctional health care infrastructure. Gradually increasing human death toll since December 2013 and the threat of the Ebola virus disease (EVD) spreading to other West African countries made the World Health Organization (WHO) declare the deadly outbreak as a “public health emergency of international concern”. The official death count has crossed the 5000 mark while reported suspected cases stand at the menacingly massive 14,000 levels – numbers that are widely and truly believed to be under-reported.
The earth’s lifespan has likely seen thousands of volcanoes while recorded eruptions stand roughly at 550, of which 50 to 70 erupt each year. Recently, new activity has been noticed in 6 volcanoes while ongoing activity has been recorded at 12 volcanoes. Notable among these include Etna in Italy, Kilauea in Hawaii, Bardarbunga in Iceland, Sinabung in Indonesia, Poas in Costa Rica and Mount Ontake volcano in southern Japan. Just as types of volcanoes vary due to their inherent scientific reasons, so do their consequences, based on locations, proximity to business establishments and population, and their longevity.
The PCI (Payment Card Industry) DSS (Data Security Standard) mandates are growing larger, encompassing more and more organizations – small and large alike. While adhering to the requirements ensures the prevention of card security breach, non-compliance invites hefty fines from authorities in addition to damaging the business reputation. Despite PCI DSS providing guidance to become secure by raising awareness about payment card security breaches, organizations fail to meet PCI's mandates, exposing themselves to cybercriminal attacks.
Risk Management Studio version 4.7, which includes the PCI DSS 3.0 integration and control mapping, has been released on our new website. The updates include several minor bug fixes and general cosmetic adjustments, along with the embedding of the PCI DSS 3.0 for immediate deployment. RM Studio is designed to optimize the work efficiency for compliance of the PCI DSS 3.0 and the ISO/IEC 27001:2013 Standards.
We are living at a distinguished time of internet history when businesses are bringing products and services to consumers’ fingertips at a staggering pace. While with technological advancements capabilities for such offerings are only going to increase, it is a sore reality that businesses are losing the all important consumer trust due to the way online personal data is handled and processed. It is no exaggeration to state that consumers’ trust was never as low as it is now.
Despite the sure knowledge of operational risk being integrally linked to business performance, organizations prefer not to face operational risk at all. But as in so many aspects of business activity, non-preferences can seldom be chased away. It is truer in the case of operational risk as this type of risk arises because organizations function and the way they function. Therefore, operational risk can‘t be entirely prevented or avoided, but can be actively managed by allocating the same prominence as afforded to credit and market risk.
Emerging technologies enabling diverse forms of data creation and their integration with traditional data is generating voluminous information for organizations. Businesses – large and small alike – endeavor to derive valuable insights by processing and analyzing the big data. Efficient application of big data and analytics benefits organizations by enhanced assessment of emerging risks. Using big data strategy improves institutions’ risk profiles and paves the way to approach risk in a profitable manner.
However, despite enterprises’ efforts to gain competitive advantage not too many have succeeded, while the majority has failed to convert data into valuable insights. According to IDC, only 22% of digital data was a candidate for analysis, while less than 5% was actually analyzed.
Adverse risk events since the turning of this century have forced organizations to make a fundamental shift in how they perceive risk management. Companies that earlier focused simply on avoiding monetary losses and achieving regulatory compliance are now focusing on risk management practices to achieve business goals. The emphasis on the processes is being supported by an efficient workforce and able technology. But while an increasing number of businesses are putting risk management into practice as a key factor for value creation, there are organizations that rely on reactive actions devoid of proactive planning.
In far too many instances of risk management, good intentions have been viewed as the destination in the journey of managing and mitigating risks. Good intentions have seldom translated into commitment, fulfilled by execution to reap the benefits of risk management. Analysis of organizations’ risk management commitment, or rather the lack of it, signals a two-pronged approach: First, commitment to risk management is not considered a core enterprise function; second, in cases where organizations devise a risk management framework, they do it without board level commitment and direct involvement.
Security of critical infrastructure plays a vital role in determining how an organization performs over a long period of time. In the business world a resilient infrastructure is closely knit to the national security of the country of operation, as large scale damage could have far-reaching consequences on the economy and public safety. Worldwide, governments and international bodies have defined standards and strategies to identify and prioritize key assets protection, identify threats, and devise effective prevention and mitigation strategies.
Ensuring the achievement of business performance goals drives corporations to succeed. However, the road to success is fraught with challenges that could stall growth while at the same time draining the fulfillment already achieved. The challenges and threats organizations regularly face are becoming more varied in nature, as risks are evolving. The enhancement of technologies is compounding today’s risks by multiple factors acting together. Therefore, it’s not surprising the sustainability of business performance is affected, when one or more factors that influence operational and financial risks are exposed. Broadly, risks can come from volatile economic and political realities, trade conflicts, natural calamities, product recalls, data breach, insider threat, business interruption, and changing regulatory environments. All of these dynamic factors have magnified the demand for transparency in the risk management process and amplified the effects of the results.
All too often organizations have considered risk assessment as a necessary evil for complying with authorities, rather than as a strategy that will contribute to the financial success. Unprecedented levels of business complexity, due to the constantly changing global socioeconomic landscape and regulatory requirements, are forcing firms to manage enterprise risk in a consistent and efficient manner. An effective Enterprise Risk Management (ERM) program significantly improves efficiency, resiliency, opportunities, business performance and stakeholder value.
Consultants who work with IT security audits often are a valuable resource regarding the general state of IT security. They work for a number of clients in various industries over a number of years and therefore get a perception of the general state of things such as IT security awareness. I’m one of those consultants and I believe I have some observations on this issue. While speaking of none of my clients in particular the need for IT security is mostly driven by external factors and specific incidents rather than management’s desire to leverage IT security for business objectives. For instance, new legislation and directives from the EU and the US have pushed the adoption of Information Security Standards such as ISO/IEC 27001 and PCI DSS. These increased expectations are forcing organizations to spend money and resources to implement the applicable standards, because of the new laws and directives. Given the choice, more often than not, organizations would choose to spend the investment elsewhere expecting a better return.
How much of an impact does human resources have on the risk management strategy in your organization?
Risk management in regards to human resources does not stop once background checks, references and education confirmation is completed. The human resource department and the risk management department must continue to collaborate together to ensure employee related risks are continuously identified and strategies established for mitigation of identified risks.
The latest revision of the Information Security Standard, ISO/IEC 27001:2013 has been available for over 6 months now. This revision of the 2005 version requires a certification to the new standard, rather than a re-certification. Although the transition period is two years, many organizations have begun the process of the transition to the new standard and the implementation of the revised Security Controls of Annex A (ISO/IEC 27002:2013). The transition appears easy on the surface, but overlooking the importance of doing it right the first time could potentially set your organization back and prevent the certification from the auditor.
This article is a look into IT audits as they pertain to information security risk management. One of our consultants has been doing a lot of IT audits as a beginning phase of the risk management process for our clients. He is a certified (CIA, CFSA, CISA) and highly experienced auditor and his perspectives provide insight into the requirements for successful preparation and execution of IT audits and risk management.
The newest revision of information security standard ISO/IEC 27001:2013 and accompanying ISO/IEC 27002:2013 (Code of practice for information security management controls) was released on the 3rd of October, 2013. Organizations operating under the previous version 27001:2005, must renew the certification by October 1st, 2015. If the renewal is due in October of 2014 or after, then you are obligated to use the revised standard for recertification.
Recently we have noticed a large number of our customers have been using our risk management software for both the ISO 27001 and PCI DSS standards. This trend started to pick up last summer and has dramatically increase at the beginning of this year, which makes sense, as both of the standards received a recent refresh. The ISO 27001:2013 revisions to the 2005 version was released in October last year and the PCI DSS 3.0 was released in November, but went into effect on January 1st, 2014.
Why do organizations want to comply with both standards?
By now nearly everyone in the industry knows about the ISO/IEC 27001:2013 Standard and the supporting Code of Practice document ISO/IEC 27002:2013. Both were developed through consensus of the international community with a membership of over 47 national standards bodies. ISO/IEC 27001 is one of the fastest growing management system standards used around the globe.
According to the International Organization for Standardization's ISO Survey 2012, at the end of 2012 the ISO/IEC 27001:2005 accredited certificates issued worldwide nearly reached 20,000 in total in 100 countries. Since 2006 the number of certificates issued has increase by double digits each year, with the 2009 jump of 40% over 2008 being the largest year over year increase.
This past holiday season proved to be very costly for several major retailers in the United States. The massive US retailer Target, it turns out, was not the only victim of the cybercrime warfare during the busy holiday shopping season. A recent article from Reuters stated that up to 6 attacks on US merchants have been ongoing for months.
The term „the Cloud“ is now used on a daily basis (many say the term is overused today) and everyone knows this is the next big thing in IT. What is cloud computing? The technical term cloud computing can take many forms and refer to many similar, yet different aspects of computing data outside the confines of the office.
Here are a few examples of cloud computing:
SaaS – Software as a Service: a single application accessed through a web browser by thousands of customers using a multitenant architecture.
The competition for internal financing in all organizations is as fierce as ever. Departments go head-to-head to get the biggest chunk of the annual budget and there always seems to be a dominant winner for those finite funds, the marketing department. Why shouldn’t they win year after year? It is their job to persuade people to spend their money on your company’s products and services. However, the other departments, namely the information security department, may see this as unfair and even a waste of internal resources. This article examines ways CISOs, CSOs, or any other information security officers can compete with the marketing department and provides insight on how to present your case to upper management to secure the funds you need to manage an effective and efficient ISMS.
We admit, here at RM Studio, when we started our risk management process towards ISO 27001 certification in 2002, we used in a very popular spreadsheet application. Through trial and many errors, we quickly realized that establishing formulas, double checking cell links and proper formatting and confidently believing human error is not applicable in our audit preparation was a risk in and of itself. The frustrating results became our inspiration to develop an efficient and simpler means of managing information security risk. Risk Management Studio (originally OutGuard) was created to offer a holistic solution to the risk management process and streamline our efforts ensuring sustainable success in risk mitigation and asset protection.
Common sense - everyone knows what this phrase means. Correct? It is used every day in the English speaking world and everyone from a 5 year old child to an adult has heard the phrase used in a conversation and is expected to understand its meaning. The definition according to the Oxford Dictionaries online is "good sense and sound judgment in practical matters". In our journey to and from the office each work day, we encounter risks which require us to use sound judgment and good sense to determine the best course of action to mitigate these risks.
A security manager’s toughest task is to help build a culture of awareness in regards to the risks threatening the organization. The term risk-aware culture is commonly discussed in organizations working to establish an information security management system. The International Standards for the ISO 31000 framework are very clear on the expectations of an organization‘s risk-aware culture and in order to pass the certification process for ISO 27001, the organization must establish a visible environment and culture that cultivates risk awareness.
What is a risk-aware culture?
Everybody‘s doing it these days, that is Bring Your Own Device to work (BYOD). The vast majority of business professionals working today have some type of smart phone, tablet, or laptop; many of us have and use all three on a daily basis.
Is this a question of if employers want to allow employees to use personal devices for work tasks or if employees are demanding the option based on convenience and personal preference?
Cloud computing and data storage technologies have increased in popularity over the past few years. This is due mainly to small- and medium-sized businesses 'flying into the cloud' solutions to improve business capabilities and backup critical data. The explosion of the web-based applications for mobile devices has also impacted the dramatic expansion of cloud computing vendors in the market. The belief that 'the cloud' is a safer and a more secure business solution, when compared to traditional storage devices, such as in-house servers or simple external HDDs, benefits the data solution centers as well. The cloud computing industry is expecting an even larger demand for its services from the data being created by the increasing quality of our video and image capture technologies, as well as the need to share our lives around the world.
We have seen it the movies, read about it in best selling novels, and heard about it in the news. The employee steals company data and uses it for unintended purposes, sometimes for good, sometimes for evil. From the movie Office Space, where a change in management brings a reduction of labor, which inspires three co-workers to upload a virus into the companies database. The purpose of the virus is to steal tiny fractions of cents left over from complex interest percentage calculations and send them to an anonymous bank account. To the idea of the movie Paycheck, where the main character is a reverse engineer specialist, who is hired by companies to steal a competitor‘s latest tech designs to copy and make a competing product.
In our previous two posts on this topic we discussed the threats to using VoIP. The following post discusses ways you can mitigating these threats.
If VoIP is to successfully replace PSTN some measures need to be taken in order to approach the reliability that PSTN offers. It’s somewhat unrealistic to demand PSTN’s 99,999% availability for VoIP, since IP based systems are exposed to larger threat pool than public switched ones, but there are actions available that can significantly reduce phishing and spoofing threats involved with VoIP.
Over the last decade VoIP has become increasingly popular, with service providers gaining millions of subscribers each year. However, VoIP is an inexperienced platform, which translates into millions of subscribers being exposed to new phishing and spoofing threats annually.
Are you exposed to these threats?
In this rapidly changing world, well-organized, precisely documented and secure information systems are vital for any successful operation. It is equally important to work within strictly defined frameworks while retaining the flexibility to deliver the level of security required by your organization.
Organizations can improve efficiency and strengthen their reputation by focusing on information security and quality management.
Demand for information security has increased in both the private and the public sector. The Financial Supervisory Authorities in various countries have recommended their fellow organizations to ensure information security in their sectors. The law regarding the protection of privacy (The Date Protection Authority) requires the persons who hold personal information to ensure their security appropriately.
ISO has in recent years issued several safety standards in the series ISO / IEC 2700x. These are all standards of management information and specific aspects such as risk assessment. The standards deal with the best practice of information security management and the certification standard ISO / IEC 27001 is the specification for information security management systems.
Recently, I stumbled upon the show Doomsday Preppers. The show highlights three or four groups of people who are preparing for a separate catastrophic event that will change the world as we know it. Though the event they are preparing for differs, the approach to planning their survival is often the same. As I watched, I started thinking "These folks have the concept of risk management and continuity figured out." This article focuses on the concepts of risk management and continuity planning and what doomsday preppers can teach us about these concepts.
Having written about risk for 12 years and having run my own business for a few decades, I've seen the same risk sins committed time and again by business owners. Some I've committed. Others I've watched play out from the sidelines.
If I've learned anything from owning my own business, it's how rampant risks are and how devastating they can be if ignored indefinitely. Many of my colleagues avoid buying even the most basic business insurance policy, but the greater risks lie well beyond what's spelled out in the coverage details.
Here are some of the more common oversights that threaten small businesses:
Often times, our clients we assist with establishing an ISMS are surprised to hear that the Audit Trail requirement is something that should be considered prior to the actual audit. The goal of an Audit Trail is to have all of the information regarding your ISMS audit organized and ready to be presented to the auditor. In this post we cover a common mistake in the preparation of an audit and a solution on how to ensure all your hard work is organized for an audit.
Riphah International University has been awarded a grant valued at $42,000 annually to utilize RM Studio with an objective of expanding the global awareness of Information Security and Risk Management and build the capacity of Riphah to impart quality education of international standards. Through the partnership RM Studio will be integrated in the undergraduate and postgraduate curricula of the university to supplement theoretical learning with hands-on practical skills. (The International News: Riphah signs MoU with Stiki)
Modern computing is increasingly becoming a shared resource. In the past, if an individual required access to an application, he or she would have to personally have it installed on the user's computer. Today, with the help of cloud computing, applications can be shared and accessed by various users from all around the world without requiring individual set-up.
Cloud computing is commonly defined as, "the provision of dynamically scalable and often virtualized resources as a service over the Internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure in the "cloud" that supports them. Cloud computing services often provide common business applications online that are accessed from a web browser, while the software and data are stored on the servers."
This post examines cloud computing and the security concerns that arise through its use. We address potential security concerns and provide you with the questions you should be asking cloud service providers.
The RM Studio: Assessment and Treatment Module guides you through the Risk Assessment, Gap Analysis, and Risk Treatment process for your organization as described in ISO 27001.
Establishing the Risk Management Context
Prior to starting the risk management steps, RM Studio guides you through the Business Entity, Asset, and Threat Identification process. RM Studio comes equipped with a Threat Library of nearly 150 unique Threats specific to information security risk management. Further, RM Studio automatically links Assets, Threats, and ISO 27001 Mitigating Controls through RM Studio's Category feature. This feature removes the guesswork and saves you time in the risk management process.
Physical security has been on our minds recently here at RM Studio. We have found that there is often disconnect between information security and the role physical security plays. In assisting our clients we have found that there are times when clients want to close physical security gaps by adding large cost to the organization. This post focuses on finding the gaps in physical security and addressing them at minimal cost while still protecting and securing information.
For whatever reason, there is generally someone who is not happy with their current job, their place of employment, or job title. When unhappy with their current employment situation, risks are introduced to the organization form this unsatisfied employee. It is important that risk managers and organizational leaders recognize these threats, and similar to all threats implement, mitigating controls and objectives to prevent the risk from becoming actual threats. This post examines example risks that are raised and suggest ways to prevent the unhappy employee from damaging an organization.
When managing risk, we must consider all risk from all sources. A majority of the time identifying risk is trusted to a few individuals, although determining which risks are the highest priority is done in a collaborative environment, with managers, teams and groups of colleagues discussing the issues at hand. In this setting, it is important that the risk manager (the one whose job depends on the risk management results) recognizes and prevents any instances of groupthink.
Groupthink occurs when groups make decisions, and are willing (or unknown to the group) to take more risk than an individual would themselves. This post provides a general overview of causes and symptoms of groupthink, as well as measures that can be taken to avoid groupthink.
*Updated January 2014*
Mobile devices such as smartphones and tablets have found their way into everyday task for professionals. More and more software is available in mobile application form, and organizations are utilizing the convenience offered by having their staff always connected. Though there are many benefits associated with having said connectability, new threats are introduced into the enterprise environment. The following post highlights threats that exist and steps you can take to secure your mobile devices.
The ISO 27001 information security standard recommends the development of a formal policy that introduce appropriate security measure to protect against threats related to mobile devices. The Standard suggests implementing a policy that addresses physical protection, access controls, cryptographic techniques, back-ups, and virus protection.
Organizations manage risk by nature, whether it is through a formal enterprise risk management (ERM) process or in an informal manner. Every time your organization's board of directors or top management determines a strategy or makes a decision regarding business objectives, it is implementing the principles of ERM. This article examines informal decision making processes and how they naturally follow the principles of ERM. The article suggests that in order to protect stakeholders, formalized ERM process should be put in place.