quality management

The newest revision of information security standard ISO/IEC 27001:2013 and accompanying ISO/IEC 27002:2013 (Code of practice for information security management controls) was released on the 3rd of October, 2013. Organizations operating under the previous version 27001:2005, must renew the certification by October 1st, 2015. If the renewal is due in October of 2014 or after, then you are obligated to use the revised standard for recertification.

This past holiday season proved to be very costly for several major retailers in the United States. The massive US retailer Target, it turns out, was not the only victim of the cybercrime warfare during the busy holiday shopping season. A recent article from Reuters stated that up to 6 attacks on US merchants have been ongoing for months.

The term „the Cloud“ is now used on a daily basis (many say the term is overused today) and everyone knows this is the next big thing in IT. What is cloud computing? The technical term cloud computing can take many forms and refer to many similar, yet different aspects of computing data outside the confines of the office.

Here are a few examples of cloud computing:

SaaS – Software as a Service: a single application accessed through a web browser by thousands of customers using a multitenant architecture.

The competition for internal financing in all organizations is as fierce as ever. Departments go head-to-head to get the biggest chunk of the annual budget and there always seems to be a dominant winner for those finite funds, the marketing department. Why shouldn’t they win year after year? It is their job to persuade people to spend their money on your company’s products and services. However, the other departments, namely the information security department, may see this as unfair and even a waste of internal resources. This article examines ways CISOs, CSOs, or any other information security officers can compete with the marketing department and provides insight on how to present your case to upper management to secure the funds you need to manage an effective and efficient ISMS.

We admit, here at RM Studio, when we started our risk management process towards ISO 27001 certification in 2002, we used in a very popular spreadsheet application. Through trial and many errors, we quickly realized that establishing formulas, double checking cell links and proper formatting and confidently believing human error is not applicable in our audit preparation was a risk in and of itself. The frustrating results became our inspiration to develop an efficient and simpler means of managing information security risk. Risk Management Studio (originally OutGuard) was created to offer a holistic solution to the risk management process and streamline our efforts ensuring sustainable success in risk mitigation and asset protection.

Common sense - everyone knows what this phrase means. Correct? It is used every day in the English speaking world and everyone from a 5 year old child to an adult has heard the phrase used in a conversation and is expected to understand its meaning. The definition according to the Oxford Dictionaries online is "good sense and sound judgment in practical matters". In our journey to and from the office each work day, we encounter risks which require us to use sound judgment and good sense to determine the best course of action to mitigate these risks.

Everybody‘s doing it these days, that is Bring Your Own Device to work (BYOD). The vast majority of business professionals working today have some type of smart phone, tablet, or laptop; many of us have and use all three on a daily basis.

Is this a question of if employers want to allow employees to use personal devices for work tasks or if employees are demanding the option based on convenience and personal preference?

We have seen it the movies, read about it in best selling novels, and heard about it in the news. The employee steals company data and uses it for unintended purposes, sometimes for good, sometimes for evil. From the movie Office Space, where a change in management brings a reduction of labor, which inspires three co-workers to upload a virus into the companies database. The purpose of the virus is to steal tiny fractions of cents left over from complex interest percentage calculations and send them to an anonymous bank account. To the idea of the movie Paycheck, where the main character is a reverse engineer specialist, who is hired by companies to steal a competitor‘s latest tech designs to copy and make a competing product.

Countermeasures and Penetration Testing

In our previous two posts on this topic we discussed the threats to using VoIP. The following post discusses ways you can mitigating these threats.

If VoIP is to successfully replace PSTN some measures need to be taken in order to approach the reliability that PSTN offers. It’s somewhat unrealistic to demand PSTN’s 99,999% availability for VoIP, since IP based systems are exposed to larger threat pool than public switched ones, but there are actions available that can significantly reduce phishing and spoofing threats involved with VoIP. 

Over the last decade VoIP has become increasingly popular, with service providers gaining millions of subscribers each year. However, VoIP is an inexperienced platform, which translates into millions of subscribers being exposed to new phishing and spoofing threats annually.

Are you exposed to these threats?

Recently, I stumbled upon the show Doomsday Preppers. The show highlights three or four groups of people who are preparing for a separate catastrophic event that will change the world as we know it. Though the event they are preparing for differs, the approach to planning their survival is often the same. As I watched, I started thinking "These folks have the concept of risk management and continuity figured out." This article focuses on the concepts of risk management and continuity planning and what doomsday preppers can teach us about these concepts.

Having written about risk for 12 years and having run my own business for a few decades, I've seen the same risk sins committed time and again by business owners. Some I've committed. Others I've watched play out from the sidelines.

If I've learned anything from owning my own business, it's how rampant risks are and how devastating they can be if ignored indefinitely. Many of my colleagues avoid buying even the most basic business insurance policy, but the greater risks lie well beyond what's spelled out in the coverage details.

Here are some of the more common oversights that threaten small businesses:

Often times, our clients we assist with establishing an ISMS are surprised to hear that the Audit Trail requirement is something that should be considered prior to the actual audit. The goal of an Audit Trail is to have all of the information regarding your ISMS audit organized and ready to be presented to the auditor. In this post we cover a common mistake in the preparation of an audit and a solution on how to ensure all your hard work is organized for an audit.

What is an Audit Trail?

Riphah International University has been awarded a grant valued at $42,000 annually to utilize RM Studio with an objective of expanding the global awareness of Information Security and Risk Management and build the capacity of Riphah to impart quality education of international standards. Through the partnership RM Studio will be integrated in the undergraduate and postgraduate curricula of the university to supplement theoretical learning with hands-on practical skills. (The International News: Riphah signs MoU with Stiki)

Modern computing is increasingly becoming a shared resource. In the past, if an individual required access to an application, he or she would have to personally have it installed on the user's computer. Today, with the help of cloud computing, applications can be shared and accessed by various users from all around the world without requiring individual set-up.

Cloud computing is commonly defined as, "the provision of dynamically scalable and often virtualized resources as a service over the Internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure in the "cloud" that supports them. Cloud computing services often provide common business applications online that are accessed from a web browser, while the software and data are stored on the servers."

This post examines cloud computing and the security concerns that arise through its use. We address potential security concerns and provide you with the questions you should be asking cloud service providers.

Physical security has been on our minds recently here at RM Studio. We have found that there is often disconnect between information security and the role physical security plays. In assisting our clients we have found that there are times when clients want to close physical security gaps by adding large cost to the organization. This post focuses on finding the gaps in physical security and addressing them at minimal cost while still protecting and securing information.