Friday, August 31, 2007

Implementing an Information Security Management System in an Internal Web Development Environment (Ebook)

Implementing an Information Security Management System in an Internal Web Development Environment

GIAC ISO-17799 Certification (G7799)
Practical Assignment – Version 1.1
SANS 2004 (Orlando, FL)

Joseph McComb
October 28th, 2004

File Type : PDF
Page : 88 Page
Source : http://www.giac.org/certified_professionals/practicals/g7799/0019.php

Table of Contents

Abstract ..................................................................................................................................................3
I. The System Defined .............................................................................................................................3
The Company .....................................................................................................................................3
The Origin of the Environment ..............................................................................................................6
The Current Environment .....................................................................................................................7
Current Web Applications and Sites in the Environment .....................................................................10
Current State of Security ....................................................................................................................12
Scope of Information Security Management System (ISMS) ...............................................................15
II. Planning the Implementation of the Information Security Management System (ISMS).......................15
Management Structure .......................................................................................................................15
The Asset Inventory ...........................................................................................................................18
Policies .............................................................................................................................................21
Risk Identification and Analysis Process.............................................................................................23
Plans for Risk Management................................................................................................................24
III. Implementation (the “Do” phase).......................................................................................................33
Correcting the Problems Identified in the Risk Management Plan .......................................................33
Statements Of Applicability.................................................................................................................43
IV. Check – System Auditing..................................................................................................44
V. Continuous Improvement (“Act” Phase).............................................................................................51
Improving the System Through Lessons Learned from Incident Handling ...........................................51
Improving the System through Auditing ..............................................................................................51
Bibliography..........................................................................................................................................52
Appendix A – Extended Asset Classification ..........................................................................53
Appendix B – Policies...........................................................................................................62
Policy – System and Application Access Control (section 9.1 of the ISO 17799 standard)...................62
Policy – Business Continuity Planning (section 11.1 of the ISO 17799 standard) ................................63
Policy – Security Engineering in the Systems Development Life Cycle (section 10.1 of the ISO 17799 standard)...........................................................................................................................64
Appendix C – Fault Tree Analysis ..........................................................................................65
Appendix D –Flagged System Events .................................................................................................657
Appendix E – High Level Plan for Risk Management ..............................................................................81
Appendix F – Extended Audit Checklist..................................................................................................82
Table of Figures
Figure 1. Overview of the Drug Development Stages ...............................................................................5
Figure 2. Diagram of the Web Server Environment...................................................................................8
Figure 3. Overview of the Systems Development Life Cycle...................................................................10
Figure 4. Information Flow in the Data Center Environment ....................................................................11
Figure 5. Information Flow in the Development Environment ..................................................................12
Table of Tables
Table 1. Plan for Risk Management .......................................................................................................26
Table 2. Documentation of System Problems. ........................................................................................33
Table 3. Audit Checklist for User Access Management...........................................................................45

Understanding HIPAA Security Implications Of a Wireless LAN Subsystem Using the ISO/IEC 17799 ISMS Standard (Ebook)

Understanding HIPAA Security Implications Of a Wireless LAN Subsystem Using the ISO/IEC 17799 ISMS Standard
By: Frederick Hawkes

File Type : Pdf

Page : 49 Page
Read This Ebook :
http://www.giac.org/certified_professionals/practicals/g7799/0012.php


Table of Contents
Define the System ....................................................................................................................4
Project Summary ....................................................................................................................4
Organization ...........................................................................................................................4
System Description.................................................................................................................6
Current Security Structure.......................................................................................................8
Plan-Do-Check-Act (PDCA) Process ......................................................................................9
ISMS Project Plan (PDCA – Plan)...............................................................................10
Project Scope .......................................................................................................................10
Project Timeline....................................................................................................................11
Organizational Structure and Responsibilities .......................................................................12
Policies, Guidelines, Standards or Procedures Requirements ..............................................14
Risk Identification Process ....................................................................................................16
Risks to the System..............................................................................................................19
Plans for Addressing the Risks .............................................................................................20
Selected ISO17799 Controls.................................................................................................21
ISMS Implementation Plan (PDCA – Do).....................................................................23
Overview..............................................................................................................................23
Creation and Staffing of the Security Management Team.....................................................23
Identification and Processing of Applicable Legislation .........................................................24
Data Protection and Privacy of Personal Information ............................................................25
Information Security Policy Document ..................................................................................25
Information Security Education and Training.........................................................................26
WLAN Access Control ..........................................................................................................27
Statements of Applicability....................................................................................................27
ISO 17799 Section 12.1.4 – Data Protection and Privacy of Personal Information..............28
ISO 17799 Section 12.1.2 – Intellectual Property Rights.....................................................28
ISMS Audit Plan (PDCA – Check)...............................................................................29
ISO 17799 Section 4.1.1 – Management Information Security Forum.................................29
ISO 17799 Section 12.1.1 – Identification of Applicable Legislation.....................................30
ISO 17799 Section 12.1.4 – Data Protection and Privacy of Personal Information..............31
ISO 17799 Section 9.4.3 – User Authentication for External Connections............................32
ISO 17799 Section 3.1.1 – Information Security Policy Document.......................................34

Thursday, August 30, 2007

ISO 27001 CERTIFICATION CONSULTANCY

BS7799 / ISO 27001 CERTIFICATION CONSULTANCY

The British Standards Institute has suggested the Plan-Do-Check-Act (PDCA) methodology for implementation of the ISO 27001 standard. INFOAMN has developed its own methodology for implementing ISO 27001 controls by breaking the PDCA cycle down into five distinct phases. It starts with Security Profiling, which identifies the gaps in security against the BS 7799/ISO 27001 standard; this is followed by Security Prescription, which suggests the security measures; Security Treatment, where the security measures are implemented; and Security Vigil, where the implementation is monitored to ensure that the security measures are effective in mitigating the risks and protecting the information assets. Successful completion of these phases leads to the final phase, Security Certification.

INFORMATION SECURITY GAP ANALYSIS

ISO 27001, the Code of Practice for Information Security Management, describes a management framework within which an organization can examine and improve its security health. ‘End-to-end’ security is required and the controls must reflect this. Under each domain there are defined objectives and related controls. Infoamn’s role is to identify the applicable controls based on the risk assessment and to formulate policies and procedures. ISO 27001 contains a comprehensive set of security controls to improve the level of security within any organization. Even if formal certification is not a strategic objective, efforts to comply with the principles of ISO 27001 bring many tangible benefits, such as reduced exposure to a wide range of threats, a more secure operational environment, assurance that security practice is in line with industry best practice, improved user security awareness and a prioritized view of security needs. An Information Security Gap Analysis against the ISO 27001 standard helps organizations understand their current state of security and thereby decide their future roadmap.

MANAGED SECURITY SERVICES

Outsourcing selected managed security services (MSS) by forming a partnership with an MSS provider is often a good solution for transferring information security responsibilities and operations. Contracting an MSS provider allows the organization to share risk management and mitigation approaches. INFOAMN manages the information security issues so that the organization can concentrate on its core business areas.

APPLICATION SECURITY TESTING

Application Security Testing involves analyzing a custom application for vulnerabilities. This can be done either by way of 'black box' i.e. without access to the source code, or 'white box' i.e. with access to the source code. An application security test ensures that any customized application being used is secure and doing exactly what it is supposed to do.

TECHNICAL SECURITY AUDIT

The technical security audit modules broadly consist of auditing the perimeter devices, network devices, desktop PCs, Servers and the applications and databases. The overall network security architecture is also reviewed keeping in view the business requirements and goals, its connectivity with the trading partners, its connectivity to the Internet etc. Also adequate security solutions & technical controls are recommended to mitigate the risks.

VULNERABILITY ASSESSMENT & PENETRATION TESTING

Penetration testing and vulnerability assessment are two different and complementary proactive approaches to assessing the security posture of information systems and networks. Penetration testing evaluates the security posture from the external attacker's perspective, whereas a vulnerability assessment evaluates the security posture of the information systems from the perspective of an internal attacker. A comprehensive methodology is recommended to fix the identified vulnerabilities. INFOAMN has a proven track record of finding known and new threats.

CONTENT SECURITY SOLUTIONS

Leakage of critical data through email and loss of productive time and bandwidth are major concerns for organizations. Spam email is increasing by the day. INFOAMN offers a MIMEsweeper content filtering and anti-spam solution that helps organizations protect critical data by enforcing security policies that also increase overall productivity.

WIRELESS SECURITY AUDIT

With the increased popularity of remote working in recent years, wireless networks have become more common. However, when many of these wireless networks were deployed, little was known about the security risks. A wireless LAN needs to be audited like the internal network. Systems reachable through wireless devices are more vulnerable to attack if they are not monitored and properly secured.

ASSESSMENT OF NETWORK SECURITY ARCHITECTURE

Inherent weaknesses and design flaws in the network architecture are detected from a security perspective, since they can lead to a compromise of the confidentiality, integrity or availability of the system. A mitigation strategy is suggested, and the proposed network architecture is designed and delivered. Network architecture is the backbone of any secure information systems network. INFOAMN follows a structured approach to network security design, often within the client's existing infrastructure or by recommending additional best-of-breed security components.

DESKTOP SECURITY AUDIT

Securing desktop workstations and laptops is a significant part of your network and information security strategy because of the sensitive information often stored on workstations and their connection to the networked world. Many security problems can be avoided if the workstations and network are appropriately configured. Default hardware and software configurations, however, are set by vendors who tend to emphasize features and functions more than security. Since vendors are not aware of your security needs, workstations should be configured according to the security policy of the organization.

Source : www.infoamn.com

Infoamn Consulting is Iran's leading provider of services and solutions for information security, business continuity and risk management. We offer a complete, end-to-end portfolio encompassing consultancy, testing, implementation, training and managed services. Infoamn Consulting is the first Iranian company to have applied for BS 7799/ISO 27001 certification.

Wednesday, August 29, 2007

Steps for implementing the ISO 17799 standard

Initiation of the Project
Ensure the commitment of upper management;
Select and train members of the initial project team.

Definition of the ISMS
(Information Security Management System)
Identifying the scope and limits of the information security management framework is crucial to the success of the project.

Risk Assessment
Identify and evaluate threats and vulnerabilities;
Calculate the value of associated risks;
Diagnose the level of compliance with ISO 17799;
Inventory and evaluate the assets to protect.

Risk Treatment
Find out how selecting and implementing the right controls can enable an organization to reduce risk to an acceptable level.

Training and Awareness
Employees may be the weakest link in your organization’s information security.

Audit Preparation
Learn how to validate your management framework and what must be done before you bring in an external auditor for BS 7799-2 certification.

Audit
Learn more about the steps performed by external auditors and about certification agencies accredited for BS 7799-2.

Greg Tilley
Infotech Enterprises America

ISO 17799 Benefits

- Compliance with governance rules for risk management.

- Better protection of the company’s confidential information.

- Reduced risk of hacker attacks.

- Faster and easier recovery from attack.

- Structured security methodology that has gained international recognition.

- Increased mutual confidence between partners.

- Potentially lower premiums for computer risk insurance.

- Improved privacy practices and compliance with privacy laws.

Certified Information Systems Security Professional (CISSP)

Certified Information Systems Security Professional (CISSP) is a vendor-neutral certification governed by the non-profit International Information Systems Security Certification Consortium (commonly known as (ISC)²). The (ISC)² has certified over 49,000 information security professionals in more than 120 countries.[1] CISSP was the first certification to earn ANSI accreditation to ISO/IEC Standard 17024:2003, a global benchmark for assessing and certifying personnel. It is formally approved by the U.S. Department of Defense (DoD) in both its Information Assurance Technical (IAT) and Managerial (IAM) categories.[2] The certification is also endorsed by the U.S. National Security Agency (NSA) as the benchmark for information security.[3]

Common Body of Knowledge domains

The CISSP curriculum covers a wide range of subject matter in a variety of Information Security topics. The CISSP examination is based on ten domains which comprise the (ISC)² Common Body of Knowledge® (CBK), which are generally accepted as a compendium of industry best practices for information security, including:

* Access Control
* Application security
* Business Continuity and Disaster Recovery Planning
* Cryptography
* Information Security and Risk Management
* Legal, Regulations, Compliance and Investigations
* Operations Security
* Physical (Environmental) Security
* Security Architecture and Design
* Telecommunications and Network Security

Requirements

Candidates for the CISSP must meet several requirements.

* They must have a minimum of four years of professional experience in information security. One year may be waived for having either a four-year college degree or a Master's degree in Information Security. Another year may be waived for possessing one of a number of other certifications from other organizations.[4]

* They must attest to the truth of their assertions regarding professional experience and accept the CISSP Code of Ethics.[5]
* They must attest to a lack of criminal history and related background.[5]

* They must pass the CISSP exam with a scaled score of 700 points or greater. The exam consists of 250 questions to be answered over a period of six hours.[6]

* They must have their qualifications endorsed by another CISSP or other qualified professional. The endorser attests that the candidate's assertions regarding professional experience are true to the best of their knowledge, and that the candidate is in good standing within the information security industry.[6]

Specialized concentrations

Highly experienced information security professionals with an (ISC)² credential in good standing can progress to meet the requirements for (ISC)² Concentrations, which demonstrate rigorous knowledge of select CBK® domains. Passing a concentration examination demonstrates proven capabilities and subject-matter expertise beyond that required for the CISSP or SSCP credentials.

Current concentrations for CISSPs include the:

* ISSAP, Concentration in Architecture
* ISSEP, Concentration in Engineering
* ISSMP, Concentration in Management

Ongoing certification

The CISSP credential is valid for only three years, after which it must be renewed. The credential can be renewed by re-taking the exam; however, the more common method is to report at least 120 Continuing Professional Education (CPE) credits earned since the previous renewal. CPEs can be earned through several paths, including taking classes, attending conferences and seminars, teaching others, undertaking volunteer work and professional writing, all in areas covered by the CBK. Most activities earn 1 CPE for each hour of time spent; however, preparing (but not delivering) training for others is weighted at 4 CPEs/hour, published articles are worth 10 CPEs, and published books 40 CPEs.[7]

Effective 1 October 2007, professional work experience requirements for the CISSP® will increase from four to five years, and direct full-time security professional work experience will be required in two or more of the ten CISSP® CBK® domains. A new endorsement policy will also be in effect, requiring anyone who passes a CISSP, CAP®, or SSCP® exam to have their qualifications endorsed by another (ISC)² credential holder. These changes will not affect those who sit for an examination on or before 30 September 2007. For more information, please refer to the Experience Requirement Change FAQs.

Desirability

IT professionals with the CISSP credential are in high demand. In 2005, CertMag surveyed 35,167 IT professionals in 170 countries on compensation and found the following.

“For the first time, the Salary Survey’s top five certification programs all reported average salaries of more than $100,000. Two programs from the International Information Systems Security Certification Consortium (ISC)2 led the list, with the Certified Information Systems Security Management Professional (CISSP-ISSMP) program drawing $116,970 annually and the Certified Information Systems Security Architecture Professional (CISSP-ISSAP) earning $111,870.”[8]

Criticisms of the CISSP examination

Some critics have raised the issues below concerning the CISSP examination, its contents, and its processes.

* The CISSP exam questions are difficult and unfair. The amount of knowledge crammed into a 250-question test makes the exam extremely difficult to pass in the time allotted, especially since the questions and cases are not always straightforward enough to understand.
* Critics say questions assume too much technical knowledge, requiring extensive knowledge of formulas, focus on obscure facts, or involve complex calculations.
* Critics say the CISSP exam covers information security topics "a mile wide, and an inch deep"[9] meaning the test has insufficient depth.
* The exam sometimes includes outdated information. Critics say that although organizations still use legacy technology, the exam should focus only on current technologies.
* Some questions on CISSP tests and information in the CBK® may be technically inaccurate or incomplete.
* The exam questions are US / Canada centric and even unique American sources like the Orange Book are included. ISC have a policy of not employing non-USA staff which doesn't help.[citation needed]
* The CISSP test is formulated so that candidates are asked to choose the best answer from among a group of correct answers. Some feel these are "trick" questions that unnecessarily distract capable candidates.

References

  1. Member Counts (2007-04-11). Retrieved on 2007-06-04.
  2. U.S. Government, DoD 8570.01-M. Retrieved on 2007-03-23.
  3. NSA Partners with (ISC)² to Create New INFOSEC Certification (2003-02-27). Retrieved on 2007-06-04.
  4. CISSP® Professional Experience Requirement. (ISC)². Retrieved on 2007-04-27.
  5. CISSP® Applicant Requirements. (ISC)². Retrieved on 2007-04-27.
  6. How To Certify. (ISC)². Retrieved on 2007-04-27.
  7. CPE Credit Requirements. (ISC)². Retrieved on 2007-04-27.
  8. Sosbe, Tim; Emily Hollis, Brian Summerfield, Cari McLean (December 2005). "CertMag’s 2005 Salary Survey: Monitoring Your Net Worth". Retrieved on 2007-04-27.
  9. Harris, Shon (2002). Mike Meyers' CISSP(R) Certification Passport, Mike Meyers' Certification Passports. McGraw-Hill, xxi. ISBN 0072225785.
Article Source : http://en.wikipedia.org/wiki/CISSP

Information Security Policies Address Top Federal Information Risks

A July 2007 report from The Identity Theft Task Force, commissioned by the Office of Management and Budget (OMB) and Department of Homeland Security (DHS), outlined ten "Common Risks Impeding the Adequate Protection of Government Information."

While most organizations are not subject to the same data protection laws as the Federal government (FISMA), many must provide the same level of protection for sensitive information to comply with regulations such as HIPAA, GLBA and Sarbanes-Oxley. This report can therefore serve as a reminder for all organizations that must maintain an information security program.

Written information security policies are critical for compliance with any regulations. Even within FISMA, "Level 1" compliance for a given area of risk includes written security policies. In the next section we outline how our library of information security policies addresses each of the high-level risk areas identified in the report.

Addressing Common Risks

  1. Security and privacy training is inadequate and poorly aligned with the different roles and responsibilities of various personnel.

    ISPME contains pre-written information security policies that require formalized information security awareness and training, including policies to incorporate security requirements into job roles and department mission statements.

  2. Contracts and data sharing agreements between agencies and entities operating on behalf of the agency do not describe the procedures for appropriately processing and adequately safeguarding information.

    ISPME provides over 40 written policies that address security requirements in outsourcing contracts, including policies that require the ongoing monitoring of third-party security posture.

  3. Information inventories inaccurately describe the types and uses of government information, and the locations where it is stored, processed or transmitted, including personally identifiable information.

    ISPME contains over 20 written policies describing data classification and labeling, including three and four-category classification schemes.

  4. Information is not appropriately scheduled, archived, or destroyed.

    ISPME contains over 50 written policies covering data classification, archival, de-classification and destruction.

  5. Suspicious activities and incidents are not identified and reported in a timely manner.

    ISPME contains 20 pre-written policies describing the proper reporting and handling of security incidents, including software malfunctions.

  6. Audit trails documenting how information is processed are not appropriately created or reviewed.

    ISPME contains over 100 written policies covering the proper auditing of systems security events, including policies to protect the audit logs.

  7. Inadequate physical security controls where information is collected, created, processed or maintained.

    ISPME contains over 40 written policies covering the physical security of IT processing facilities, including equipment location, access controls, environmental controls, and personnel access.

  8. Information security controls are not adequate.

    ISPME contains over 1500 individual controls covering all aspects of ISO 17799/27001.

  9. Inadequate protection of information accessed or processed remotely.

    ISPME contains over 100 policies on remote working, including remote access to networks, systems and data.

  10. Agencies acquire information technology and information security products without incorporating appropriate security and privacy standards and guidelines.

    ISPME contains over 20 written policies covering the acquisition and approval of systems based on security and privacy requirements.

To find out more about developing an information security policy, please request a free sample from our library of information security policies and written information security job-descriptions.

References

Common Risks Impeding the Adequate Protection of Government Information, a July 2007 report from The Identity Theft Task Force.

OMB Memorandum M-06-15, "Safeguarding Personally Identifiable Information," instructed senior agency officials for privacy to conduct a review of policy and processes.

Information Security Policy Controls to Reduce the Risk of Home-based Employee Access

Attackers follow the weakest link

The never-ending battle to secure the corporate desktop against viruses, unauthorized software, and spyware now consumes significant resources for many companies. However, as organizations continue to adopt security best practices to protect their networks, attackers are increasingly targeting the weakest link: the home internet user. Recent studies confirm that attacks against users' home computers present increasing risks to business.

Two "mega" trends are making it nearly impossible to ignore the home PC in the corporate security battle. First, the number of remote workers is growing rapidly. Second, rapidly evolving threats against the user's home PC and the prospect of large financial gain are creating new opportunities for hackers.

Attacks on home PCs on the rise

According to Symantec's September 2006 Internet Security Threat Report, home users are the most targeted attack sector, accounting for 86 percent of all targeted attacks. Newer, more sophisticated attacks use blends of adware, spyware and phishing to lure users into downloading new malicious code that is becoming harder to detect. As attack vectors move from corporate networks to personal computers, newer attacks exploit vulnerabilities in end-user applications such as web browsers and desktop applications rather than in servers and firewalls.

Most compromised home PCs become part of a growing army of "botnets". According to the Symantec report, in the first half of 2006 the company identified more than 4.6 million distinct, active bot network computers and observed an average of 57,717 active bot network computers per day during this period.

As internet crime has moved from simple bragging rights to big business, the second largest target is financial services businesses. For example, in October 2006 both the U.S. Securities and Exchange Commission (SEC) and Canada's Investment Dealers Association noted a drastic increase in online stock trading fraud over the preceding few months. Online brokerage accounts are being compromised at an alarming rate by keyloggers and other spyware. According to one report, E*Trade Financial suffered more than $18 million in losses from fraudulent online trades within a 90-day period.

A compromised home user's PC provides several avenues of attack against businesses, including compromised logon credentials, exposure of confidential information (via file sharing or uploading), and coordinated spam and DDoS attacks using botnets. With these attacks escalating, businesses must now consider how the security of a remote PC or laptop may pose a threat to their business.

Security Policy Considerations

So what types of information security policy controls can an organization put in place to help reduce the risk of corporate data being exposed in a home based attack? Let's look at the most common areas of risk and examine some possible security policies.

Password Controls - Networks and systems are still vulnerable to weak passwords and compromised login accounts. Having strong password controls, especially for any accounts with remote access to the network, is critical for protecting the network. An increasing number of breaches occur where attackers obtain legitimate login information from third-party business partners and then use these credentials to steal information. Password complexity requirements, password histories, and password expirations are all critical controls to include in password policies.

A related password security policy is to prohibit users from using their corporate userids and passwords on public web sites that they may access from home. While sharing passwords between web sites is common for users who must remember a number of different passwords, a compromised on-line brokerage account can lead to a compromised network account if login credentials are shared.
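The three password controls named above (complexity, history and expiration) are easy to state in policy and easy to get wrong in practice, so here is an added example of how they fit together in code. It is not part of the Information Shield article; the policy values (12 characters, 3 of 4 character classes, the last 10 passwords, 90 days) are assumptions chosen for the demonstration, and only salted PBKDF2 digests of previous passwords are retained, never the passwords themselves, so that the history check cannot itself become the leak the article warns about.

```python
"""Password-policy checks: complexity, history and expiration.

Added example (not from the article). Policy values are assumptions.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed policy parameters; the article names the controls, not the values.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3      # of: lower, upper, digit, symbol
HISTORY_DEPTH = 10             # reject reuse of the last N passwords
MAX_AGE = timedelta(days=90)   # force a change after this long
PBKDF2_ITERATIONS = 20_000     # kept low for the demo; raise it in production

ERR_LENGTH = f"must be at least {MIN_LENGTH} characters"
ERR_CLASSES = f"must contain {MIN_CHARACTER_CLASSES} of: lower, upper, digit, symbol"
ERR_REUSE = f"must not match any of the last {HISTORY_DEPTH} passwords"


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_at: datetime


@dataclass
class Account:
    # Oldest first. Only salted digests are stored, never the passwords.
    history: list = field(default_factory=list)


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def complexity_errors(password: str) -> list:
    """Return the complexity rules the candidate password violates."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(ERR_LENGTH)
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(p, password)) for p in classes) < MIN_CHARACTER_CLASSES:
        errors.append(ERR_CLASSES)
    return errors


def is_reused(account: Account, password: str) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH passwords."""
    for record in account.history[-HISTORY_DEPTH:]:
        # Re-derive with the stored salt and compare in constant time.
        if hmac.compare_digest(_digest(password, record.salt), record.digest):
            return True
    return False


def set_password(account: Account, password: str, now: datetime) -> list:
    """Apply the policy; record the password and return [] only if it passes."""
    errors = complexity_errors(password)
    if is_reused(account, password):
        errors.append(ERR_REUSE)
    if errors:
        return errors
    salt = os.urandom(16)
    account.history.append(PasswordRecord(salt, _digest(password, salt), now))
    return []


def is_expired(account: Account, now: datetime) -> bool:
    """True if the current password is older than MAX_AGE (or none is set)."""
    if not account.history:
        return True
    return now - account.history[-1].set_at > MAX_AGE


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def run_demo() -> dict:
    """Walk one account through the policy and return each outcome."""
    acct = Account()
    return {
        "weak": set_password(acct, "password1", utc(2024, 1, 1)),
        "strong": set_password(acct, "Correct-Horse-42", utc(2024, 1, 1)),
        "reuse": set_password(acct, "Correct-Horse-42", utc(2024, 2, 1)),
        "fresh": is_expired(acct, utc(2024, 3, 1)),   # 60 days old
        "stale": is_expired(acct, utc(2024, 6, 1)),   # 152 days old
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The history check is the part most often implemented unsafely: storing old passwords in clear, or reusing one salt across the whole history, both turn the history table into a credential cache. Re-deriving the candidate against each record's own salt keeps the history as expensive to attack as the live credential.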

Restricting Data Transfer - Organizations should restrict users from taking sensitive information out of the corporate network and making copies of the data to use at home or on the road. Using flash drives and other portable devices, it is easy for users to make copies of sensitive data and move them to laptops or home PCs. In 2006 alone, there have been over 50 different reported cases of stolen laptops that contained sensitive corporate data.

Organizations can help restrict the flow of sensitive information by auditing or restricting access to USB drives or CD-ROM backup drives. Only certain privileged users should be allowed to remove sensitive information from the company network or physical locations. When sensitive data is removed, it should always be password protected and stored in encrypted format.

Requiring basic PC protection - Organizations should consider updating their Acceptable Use policies to require that users accessing corporate networks from home employ basic security measures on their PC including, at the minimum, Anti-virus and spyware detection. While this type of policy is very difficult to enforce using today's technology, organizations can start by requiring users to sign an agreement that they have these controls in place as part of a provisioning process for remote access. Organizations can aid users by providing access to pre-approved software that has been shown to be effective in the home environment.

User Education and Awareness - Of course, educating users is still one of the most effective controls for reducing the risk of home-based security incidents. Many organizations with a large base of users are including education on protecting the home PC as part of their standard corporate security awareness. Not only does this type of education help reduce corporate risk, it gives the end-user a reason to be motivated to learn about information security principles.

Some organizations now require their users to pass a basic security awareness quiz before being allowed access to corporate resources. It would be appropriate to add the knowledge of how to protect home-based PCs and laptops as part of a standard body of knowledge required for remote access to company information.

Resources

Information Security Policies Made Easy, Version 10 - A complete library of information security policies, including policies for personnel security.

Information Security Roles & Responsibilities Made Easy, Version 2 - An extensive library of documented information security requirements for various organizational roles.

Privacy Management Toolkit, Version 1 - A complete resource for managing customer and employee privacy based on OECD Fair Information Principles.

Other Security Policy and Data Privacy Whitepapers

Security Policy and Responsibility

By David Lineman

Last month we discussed the security policy problems revealed within the Department of Veterans Affairs (VA) in the wake of the highly public data breach, including the firing of two employees responsible for information security. Over the last month, employees at both AOL and Ohio University were terminated or resigned in the aftermath of data privacy breaches. All of these cases point to some interesting security policy questions for all organizations to consider.

Security Scapegoats?

While termination seems to be an obvious step to attempt to restore customer confidence, in both cases serious questions were raised about the overall security and privacy practices of the entire organization. In the wake of very damaging or embarrassing data breaches, some organizations seem to focus the blame on individuals, rather than on weaknesses of internal policies and procedures.

In the past, similar incidents have resulted in lawsuits for improper termination, since many organizations failed to clearly communicate their data security and privacy policies to all employees. In the case of Ohio University, lawyers have already made statements for the fired employees indicating that they were improperly targeted. Similar statements were made by ex-employees of the VA.

Security Policy Lessons

These incidents and their public fall-out raise some important questions for organizations concerned with policy creation, education and enforcement:

Question: Do your information security policies cover sanctions against employees? Is the language in the policies specific to violation of existing corporate policies?

In neither of these cases did the public statements mention that employees were violating any specific policy, but instead seemed to indicate that the employees should have "known better." AOL CEO Jon Miller in an internal memo stated that "This incident took place because some employees did not exercise good judgment or review their proposal with our privacy team. We are taking appropriate action with the employees who were responsible."

The fundamental question here is whether or not an employee should be fired for making mistakes, especially in areas where there is very little official guidance on how employees can operate safely with sensitive data. While we are not attempting to judge the legality of such actions, evidence suggests that terminating employees without proper cause or documentation will create problems.

During a risk-assessment or policy update phase, organizations would do well to consider what would happen in their own organization if an individual makes a mistake that causes an information security and privacy breach. What should be done if the organizational policies only address violation of stated policy?

Question: Does your organization clearly communicate information security and privacy policies to users based on their role in the organization?

Organizations that wish to terminate employees for violation of company policy should take great care to have their information security and privacy policies clearly documented and communicated.

In the case of AOL, it is not clear if there was a corporate privacy policy that prohibited researchers from using data without consulting the privacy group. But other data casts some doubt. Public statements by AOL suggest that they are now taking a serious look at their internal policies. Public response to the AOL incident included allegations that sensitive search data should be destroyed as part of a regular data destruction policy.

In a separate statement, Ohio University announced a 20-point plan to improve information security at the school, which has about 16,640 undergraduate students and 862 full-time faculty members on its Athens campus.

Question: Are information security and privacy responsibilities clearly documented in job responsibilities?

In the case of the VA and Ohio University, the terminated employees had direct responsibility for information security. Even so, statements from the attorneys of fired employees seem to raise some questions as to which systems the individuals were responsible for.

In the case of AOL, the employees were doing research on web searches. Company statements indicate that there were no official procedures in place for protecting customer privacy, but that the employees "were to consult the privacy team" before posting their research.

While we can only extrapolate from these public statements, the common thread in all of these cases is poor documentation of information security responsibilities. While having information security policies is critical, they are much more effective when they are tied to the specific responsibilities of various job roles. Organizations that take this more structured approach will not only have better security, but will be better prepared for any sanctions.

Resources

Information Security Policies Made Easy, Version 10 - A complete library of information security policies, including policies for personnel security.

Information Security Roles & Responsibilities Made Easy, Version 2 - An extensive library of documented information security requirements for various organizational roles.

Privacy Management Toolkit, Version 1 - A complete resource for managing customer and employee privacy based on OECD Fair Information Principles.

Question:

We are a financial institution that would like to start the process of being compliant with ISO17799 Information Security Management System ISMS. What would be the proper initial steps recommended for such process in terms of training, preparation, building security policies, etc.?

Response from Rebecca Herold:

It is first of all important to understand that there is currently no certification or registration under ISO 17799. There is formal registration under BS 7799, the forerunner of ISO 17799. ISO 17799 is the Information Technology Code of Practice for Information Security Management. It establishes 127 controls under what was just recently (this June) updated to 11 headings. BS 7799-2:2002 is the Information Security Management Systems Specification With Guidance For Use. It provides for the implementation of ISO 17799. BS 7799-2:2002 is currently the only internationally recognized security standard under which your ISMS can be formally registered. An organization can have an ISMS that conforms to BS 7799 as demonstrated by an internal or external analysis that is less formal than that required for registration. However, ISMS registration under BS 7799 is governed by international standards and requires a formal audit process.

Creating a BS 7799-conformant ISMS is a good thing for not only information security, but for business as well. A few of the information security benefits include:

  • Establishes a holistic, quality management-based security and privacy program that also provides verifiable evidence
  • BS 7799 registration is quickly recognized worldwide as a security and privacy differentiator
  • When implemented properly and successfully, an ISMS will significantly limit security and privacy breaches that can cost millions (e.g., lost information, fines/penalties, downtime, internal/external threats, consumer driven litigation, and so on)
  • Provides a documented and repeatable process for information security and privacy corporate governance
  • Ensures that security and privacy is built into all levels of an organization and that all employees are educated on security and privacy as they relate to the business
  • Reduces operational risk by mitigating vulnerabilities

The business impacts are also significant:

  • Brings organizations more confidently and demonstrably into conformance with legal, regulatory, and statutory requirements, such as HIPAA, Gramm-Leach-Bliley (GLBA), Sarbanes-Oxley, California SB1386, 21 CFR Part 11, the EU Data Protection Directive, Canada's PIPEDA, as well as many other laws, regulations and industry best practices
  • Provides an organization with market differentiation resulting from a more positive company image and external goodwill parameters, and could very well positively affect the asset or share value of the organization
  • Demonstrates credibility for, and trust in how, the organization protects information, leading to increased satisfaction and confidence of stakeholders, partners, and customers
  • Reduces liability risk and demonstrates due diligence. Can also lower business insurance premiums.
  • Improves business continuity by minimizing internal and external risks
  • Demonstrates management support for internationally accepted security and privacy principles and practices

Here at a very high level are the initial recommended steps to build an ISMS that conforms to BS7799/ISO17799:

    1. Become familiar with ISO 17799 and BS7799. A new version of ISO 17799 was just released at the beginning of June.
    2. Determine the scope for which you want to base your ISMS. Many organizations try to cover the entire organization, but quickly find the scope is far too large to realistically handle. Identify the key areas you want to cover, address them, and then you can always expand your ISMS out to include other areas.
    3. Determine your information security and privacy regulatory, legal, industry, and self-imposed policy requirements.
    4. Select and validate the controls you need for your program. Evaluate your security and privacy policies, procedures, standards, guidelines, and plans. Evaluate your existing security and privacy activities, systems and tools.
    5. Perform a high-level gap analysis to see where your greatest weaknesses exist.
    6. Create a high-level ISMS compliance road map to close the gaps.
    7. Create a detailed ISMS design and implementation plan to support the road map.
    8. Determine resources for performing the implementation steps and identify where you will need outside help, if applicable.
    9. Launch training and awareness throughout the organization for the ISMS. This will be an ongoing process as training and awareness requirements change as the ISMS matures.

There are different approaches to BS 7799 conformance. The one that you choose will depend upon your goals. In order to claim that your ISMS conforms to BS 7799, you must rely on an audit process. This audit process may be formal or informal. The goal of a formal audit is to register your ISMS under BS 7799. This is called a Registration Audit.

  • You may choose to use internal resources to demonstrate that your ISMS conforms to BS7799. In the international standards world of quality management, this is known as a 1st Party Audit since you are auditing with your own personnel.
  • You may choose to have a qualified, independent third party show that your ISMS conforms to BS 7799. In the international standards world of quality management, this is called a 3rd Party Audit since the auditor is not part of your organization. A goal of a 3rd Party Audit can be formal registration under BS 7799. Of course, you might choose to use an independent, outside consultant to check to see if your ISMS conforms to BS 7799. However, it is a Certificate of Registration that results from a formal Registration Audit that has the weight of the international standard.
  • You may also choose to have qualified personnel audit part or all of your supply chain. In the international standards world of quality management, this is called a 2nd Party Audit since you are auditing second parties (your suppliers). This is a vehicle by which business partners can show that they have appropriate and required controls on the information with which you've trusted them. They objectively demonstrate that their ISMS's conform to BS7799. Of course, you may retain the services of independent, third party auditors for this purpose.

Keep in mind many security incidents have actually been the result of mistakes and poor practices by third party vendors who were performing information activities for other companies; it was the primary company (e.g., Bank of America, Time-Warner and so on) that actually made the headlines, and whose business was most impacted. Accordingly, requiring business partners to conform to BS7799 helps to protect your organization from the business partner security and privacy inadequacies.

Each country has a limited number of organizations that register conformance with international standards such as BS7799. For example, Bureau Veritas Quality International (BVQi) and the British Standards Institute (BSI) are two organizations that operate in the US and internationally to register ISMS's. These registrars can provide you with lists of consultants who are qualified to assist organizations with their ISMS activities. It is important to use qualified auditors.

It is important to note that bringing an ISMS into registered and certified conformance with BS7799 is no small activity; it is a rigorous process. You cannot simply use BS7799 as a checklist. After familiarization with the standard, the most important step is to identify the scope of the ISMS that you want to register. There are some good guidance documents for estimating times for performing such a conformance certification based upon scope at the BVQi and BSI websites.

From : www.informationshield.com

Tuesday, August 28, 2007

BS7799 How it Works

Overview

The standard effectively comes in two parts:

  • ISO/IEC 17799:2000 (Part 1) is the standard code of practice and can be regarded as a comprehensive catalogue of good security things to do.
  • BS7799-2:1999 (Part 2) is a standard specification for an Information Security Management System (ISMS). An ISMS is the means by which Senior Management monitor and control their security, minimising the residual business risk and ensuring that security continues to fulfil corporate, customer and legal requirements.

Please note that certification is against BS7799-2:1999.

Part 1: The Code of Practice

ISO/IEC 17799:2000 defines 127 security controls structured under 10 major headings to enable readers to identify the particular safeguards that are appropriate to their particular business or specific area of responsibility. These security controls contain further detailed controls bringing the overall number somewhere in the region of 500+ controls and elements of best practice.

The standard stresses the importance of risk management and makes it clear that you do not have to implement every single guideline; only those that are relevant. The scope of the standard covers all forms of information, including voice and graphics, and media such as mobile phones and fax machines. The new standard recognises new ways of doing business, such as e-commerce, the Internet, outsourcing, tele-working and mobile computing.

Part 2: The Management Standard

BS7799-2:1999 instructs you how to apply ISO/IEC 17799 and how to build an ISMS. It defines a six step process, see Figure 1.

Information Policy

It invites you to stand back and think about all of your information assets and their value to your organisation. You ought then to devise a policy that identifies what information is important and why. From a practical point of view, it is only that information with some significant value that should be of concern.

Scope

Excluding low value information allows you to define the scope of your management concerns. You may discover that your concerns pervade your organisation as a whole. In this case you will need to regard all of your information systems and their external interfaces - IT and electronic forms of communication, filing cabinets, telephone conversations, public relations and so on - as being in scope. Alternatively, your concerns may focus onto a particular customer-facing system. For example, an interesting extreme is the application of BS7799-2:1999 to the development, manufacture and delivery of a security product.

Figure 1 - The major steps towards BS7799-2 compliance (the six steps described in this section; figure not reproduced)

Risk assessment

Now you know what information is in scope and what its value is, your next move should be to determine the risk of losing that value.

Remember to consider everything. At one extreme you need to consider the complexities of technology; at the other you need to consider business forces in terms of advancing technology and enterprise, as well as the ugly side of industrial espionage and information warfare.

Risk management

You then need to decide how to manage that risk. Your forces certainly include technology, but don't forget people, administrative procedures and physical things like doors and locks and even CCTV. Don't forget insurance. If you can't prevent something from happening, maybe you can discover if it does happen and do something to contain it or otherwise reduce the danger. In the end, you will of course, need an effective continuity plan.

Choose your safeguards

You will then need to choose your "safeguards", i.e. the ways you have selected to manage the risk. BS7799-2:1999 lists a wide variety of such measures, but the list is not exhaustive and you are free to identify additional measures as you please. The list is drawn 1:1 from ISO/IEC 17799:2000.

Statement of applicability

You are required to identify all of your chosen security controls and justify why you feel they are appropriate, and show why those BS7799 controls that have not been chosen are not relevant. Clearly you could decline every BS7799 offering and invent your own. This is not a problem - it is allowed. However, you need to justify it - as much for your own benefit as anyone else's.

The Information Security Management System (ISMS)

The standard requires you to set up an Information Security Management System (ISMS) to make this happen. You should really, of course, set this up in the first place, but standards don't tell you how to do things, merely what you should achieve.

Certification schemes

Certification schemes are being established in many parts of the world. It is therefore useful to reveal who the players are and what is going on. Have a look at Figure 2.

The European co-operation for Accreditation document EA7/03 provides guidance to National Accreditation Bodies for the accreditation of Certification Bodies wishing to assess ISMSs, e.g. against BS7799-2:1999. The various National Accreditation Bodies around the world operate a "mutual recognition" process that allows certificates awarded in one country to be accepted by the Accreditation Body of another.

Diagram showing the relationship between the BS7799 certification scheme players

Figure 2: Relationship between scheme players

In order to be awarded a certificate, your ISMS will be audited by a BS7799 assessor. The assessor cannot also be a consultant. There are very strict rules about this. The assessor will work for a Certification Body (such as BSI Assessment Services Limited and Det Norske Veritas).

The Certification Body will award you the certificate. The certificate will document the scope of your ISMS and other relevant details, such as the statement of applicability. Only Certification Bodies that have been duly accredited by a National Accreditation Body can issue certificates.

The assessor will return periodically to check that your ISMS is working as intended.

Other Useful Documentation

BSI has published a useful set of supporting documentation to help apply ISO/IEC 17799:2000 and BS7799-2:1999. They are:

  • Information Security Management: An Introduction (PD3000)
  • Preparing for BS7799 Certification (PD3001)
  • Guide to BS7799 Risk Assessment and Risk Management (PD3002)
  • Are you ready for a BS7799 Audit? (PD3003)
  • Guide to BS7799 Auditing (PD3004).
  • Selecting BS7799 Controls (PD3005).

PD3000 provides an overview of the scheme for accredited certification and forms a useful preface to the other guidance documents in the scheme.

PD3001 provides guidance to users of BS7799 and gives detailed information in readiness for assessment against the Accredited Certification Scheme. It offers industry-accepted best practice methods for providing and demonstrating the evidence required by an assessment auditor.

The guide to BS7799 Risk Assessment and Risk Management (PD3002) describes the underlying concepts behind BS7799 risk assessment and risk management, including the terminology and the overall process of assessing and managing risks. It is based on the ISO/IEC Guidelines for the Management of IT Security (GMITS).

Are you ready for a BS7799 Audit? (PD3003) is a pre-certification assessment workbook for organisations to assess and record the extent of their compliance with the control requirements in BS7799: Part 2 and to aid in their preparations for a certification audit. This is a useful starting point for anyone considering BS7799 for the first time. Merely complete the workbook, answering “Yes”, “No” or “Partly”, and explain why. The completed workbook can also serve as your Statement of Applicability.

The guide to BS7799 Auditing (PD3004) provides general information and guidance on auditing ISMSs. It was effectively the BS7799 “audit methodology” for BS7799:1995. Although recently updated for BS7799:1999 Part 1, it probably has the wrong focus now, as it should perhaps concentrate on the management of the ISMS which it does not.

In order to buy a copy of the standard, please contact the British Standards Institute. That will give you the address, phone numbers, e-mail for ordering etc.

Source : http://www.gammassl.co.uk/

ISO 27001: ISMS Highlights

ISO 27001 clarifies and improves the existing PDCA process requirements:

  • ISMS scope (including details of and justification for any exclusions)
  • Approach to risk assessment (to produce comparable and reproducible results)
  • Selection of controls (criteria for accepting risks)
  • Statement of Applicability (currently implemented)
  • Reviewing risks
  • Management commitment
  • ISMS internal audits
  • Results of effectiveness and measurements (summarised statement on 'measures of effectiveness')
  • Update risk treatment plans, procedures and controls

Succession Planning - A Bigger Solution Than You Might Think

by Martin Haworth


Many companies make it a policy to "hire from within," which is a way of saying that a person can start out on the ground floor of a company and eventually work his or her way up and possibly someday become the company's CEO.

One way of keeping this process possible is by a method called "Succession Planning." Succession Planning is the way a company both promotes its employees and makes sure that it is never caught in the lurch, with a gaping hole in the system.

Succession Planning Benefits

Holes in the hierarchy can create disastrous effects in a company's productivity. This is why it's a good idea to hire from within, so that the only sudden openings are in the lower positions that are easily filled.

One of the aspects of succession planning involves looking over each position periodically and evaluating the person who holds it and the person who is "next in line" - making sure both that the person currently holding the position is working well and that the person poised to take over could transition smoothly and minimize disruption.

This is a process that typically takes place in the higher levels of management and is important because the time and effort that goes in to training and grooming a successor can take years.

Senior Management Succession Planning

Examples of Succession Planning include the replacement of Jack Welch, the former Chief Executive Officer of General Electric. Prior to his retirement the Board of Directors at General Electric went through a lengthy process of evaluating possible successors.

Succession planning often involves recruiting people and then working with them to develop their skills and making sure that they are ready to advance.

It also involves making sure that the recruit knows what the company's goals are, and involves active planning to keep that recruit happy. A happy recruit is not likely to leave the company suddenly.

Succession Planning Maintains Strategic Direction

Another aspect of succession planning is making sure that the higher powered executives within the company know what the goals and ambitions of the company are, and making sure that everyone is up to date on hiring practices and market trends in their industry.

By keeping the company competitive, the executives won't have to worry about whether or not they are still relevant.

Succession Planning is important to the overall health of an organization and care should be taken in the hiring process to make sure that all employees hired or recruited can be groomed and trained to move up within the company's ranks.

By hiring from within, the company gives people an incentive to want to work there. It also ensures that the company's public reputation stays uniform and competitive.

A competitive company is much more likely to be successful than one that doesn't make an effort to compete at all.

About the Author

(c) 2007 Succession Planning Toolkit. Want a free e-course? Then sign up with a blank e-mail to sptcourse@aweber.com. For more on developing and building an easy-to-run business, you need to develop your people well. You can find out how, right here, on Martin Haworth's fascinating website at http://www.SuccessionPlanningToolkit.com

Article Source : www.goarticles.com

Management Performance

by Paul Abbey


It's important to monitor your management performance; keeping on top of this can really increase your productivity and create an excellent working atmosphere. Management performance needs to be strong, and consistently knowing how your team is doing will ensure that everything is going to be right on schedule.

You want to make sure that your team leader fits specific guidelines. You want them to have excellent networking skills, good control of emotion, and excellent people management skills. It's crucial that they are able to create a good working environment. If you select someone with these important attributes then there is an excellent chance that everything will run smoothly. But this doesn't mean that you shouldn't constantly monitor their performance. It's hard to find good employees, and there are alternatives to paying a high salary to someone when you can purchase a single piece of software that can complete this job for free. So implementing good management performance software in your company is an excellent way to know who is working to the best of their ability and who is not.

Here are some things that good management performance software can do for you. And the best part of it is that you can monitor everything right from the comfort of your own desk.

It will help you to delegate certain employees to designated tasks. It will give them certain requirements, and as they complete each stage they will log it within the software, and you will easily be able to check on them by checking the program. This is a great way to track their progress and quickly see who is not working up to their requirements.

This simple-to-use piece of software is one of those things that you thought you could live without, that is until you use it. Project management software is a very valuable asset to any company. It can save you money in many different ways. And if you understand the value of great management performance then you will understand the value of using this type of software in your business no matter what type of business you may have.

I highly suggest that you begin learning more about how to improve your management performance; you will discover that it is the answer to your prayers.

About the Author

P Abbey owns and operates http://www.managementperformanceadvice.com/managingperformances.html Management Performance

Article Source : www.goarticles.com

Wednesday, August 22, 2007

The MIC has compiled the Information Security Management Guidelines for Telecommunications as a contribution to the establishment of information security management in the telecommunications business.

Background

Nowadays, with the increase in information security threats such as viruses, cyber-attacks and information leaks, organizations are required to put information security management in place. In this regard, the Study Group on Next Generation IP-based Infrastructure (chaired by SAITO Tadao, Professor Emeritus, the University of Tokyo) stated in its second report (announced on July 7, 2005) that there was a need to establish and promote guidelines for information security management in the telecommunications business.

The MIC set up the Task Force on ISMS-T* (chaired by NAKAO Koji, General Manager, Information Security Department, KDDI Corporation) in February 2005. The group considered topics that should be taken into account in line with the implementation of information security management for telecommunications organizations. These have now been compiled as the Information Security Management Guidelines for Telecommunications (referred to below as "the guidelines").

* Information Security Management System for Telecommunications

Outline of the guidelines

The guidelines comprise controls, implementation guidance, etc., in 11 areas of information security management, to establish information security management within telecommunications organizations.

Future plans

The MIC will work in cooperation with telecommunications carriers and relevant industry organizations to implement the guidelines, and will propose these guidelines to the ITU (International Telecommunication Union) as a contribution to considering the information security management guidelines for telecommunications.


Figure: Background of Investigation

Figure: Comparison of Control in International Standards

Figure: Information Security Management Guideline for Telecommunications

Figure: Organization of the Guidelines


"FY2005 Competition Review in the Telecommunications Field"
-- Release of "Market Definition of Fixed Telephone Segment"

Upon implementation of the "FY2005 Competition Review in the Telecommunications Field," MIC invited public comments and held an open conference on the "Market Definition of Fixed Telephone Segment" in order to define the markets to be reviewed.

Background

During the period from February 22 through March 15, 2006, MIC invited public comments on the "FY2005 Competition Review in the Telecommunications Field 'Market Definition of Fixed Telephone Segment (draft).'" During said period, MIC received nine comments.

In addition, on March 22, 2006, MIC held the open conference on the "Market Definition of Fixed Telephone Segment" for exchanging opinions with stakeholders, including telecommunications carriers and specialists. Based upon those results, MIC defined the objective markets for review.

Future plans

Based upon the "Basic Approach of Competition Review in the Telecommunications Field" and the "FY2005 Details for Implementation of Competition Review in the Telecommunications Field," MIC will analyze the markets as defined for review. In summer of 2006, MIC will publicize the "FY2005 Competition Review in the Telecommunications Field."

In FY2005, MIC will analyze mainly the fixed telephone segment, in parallel with such segments as the mobile communications and the Internet access.

Main points of "Market Definition of Fixed Telephone Segment"

The FY2005 Competition Review targets the fixed telephone segment and carries out a new analysis of it; the main points of the market definition are as follows. For segments such as "Internet access" and "mobile communications," the market definitions from FY2003 and FY2004 are adopted.

Settling the market structure of fixed telephones
- "Access" and "Call" are not differentiated; both together make up the market.
- "Access" can be selected from (1) NTT East/West telephony service, (2) Direct access telephony service, (3) Cable telephony service or (4) 0ABJ (geographical number) type IP telephony service.
- "Call" can be selected from (5) PSTN call service, (6) 050 (location-free number) type IP telephony service or (7) Internet telephony service. In case (1), "Call" is unbundled from "Access" and call service carriers can be selected freely; in cases (2) to (4), "Call" is bundled with "Access" and the choice of call service carrier is limited.

Market definition of fixed telephone segment (service market)
- The range of the market has been defined as (1) NTT East/West telephony service, (2) Direct access telephony service, (3) Cable telephony service and (4) 0ABJ type IP telephony service.
[Reason] Options (1) to (4) offer a high level of demand-side substitution (little difference in functions, comparable with each other when contracting, etc.).

Handling of NTT East/West telephony service
- (1) NTT East/West telephony service will be handled as a sub-market; in addition to analyzing the demand structure of the service, we will also analyze the state of competition in (5) PSTN call service and (6) 050 type IP telephony service.
[Reason] NTT East/West telephony service has a high level of independence ("Access" and "Call" are structurally separated, there is a large switching cost when changing service, etc.).
We did not define a market for (7) Internet telephony service, since demand for the service has not yet taken off; analysis will be conducted where data is available.

Definition of geographical market
- The administrative division into prefectures is the smallest unit for analysis.
- Taking the state of competition into account, geographical markets have been set as two areas, eastern and western Japan, according to the service areas of NTT East/West, or as 10 regional blocks nationwide according to the service areas of the electric power companies.
[Reason] In terms of the availability of data, the prefecture is the minimum unit. Since we define the geographical market based on the state of competition, it is necessary to analyze the market divided into two areas according to the service areas of NTT East/West or into 10 areas according to the service areas of the electric power companies.

Handling of 050 type IP telephony service (relationship with Internet access market)
- 050 type IP telephony service is analyzed from several aspects: as a sub-market of the Internet access market, as part of the IP telephony (050 type and 0ABJ type IP telephony) market, and as part of the fixed telephone market.
[Reason] 050 type IP telephony service substitutes for the functions of PSTN call service, but many users consider it an additional service to Internet access. In addition, they can hardly distinguish it from 0ABJ type IP telephony service and see both as IP telephony service.

Relationship with mobile communications market
- The fixed telephone market and the mobile communications market are separate markets (observing the leverage from the other market and the trend in FMC services).
[Reason] Although there is some substitution between fixed and mobile, there is also complementarity as they are used together, so it is unsuitable to consider them the same market.

Preparatory Meeting Held for the Establishment of Hotline Center

The Internet Association Japan held a preparatory meeting to put together standards from experts and related people from industry organizations and the like, in order to make the preparations necessary for the establishment of "Hotline Center" (provisional name).

Aims

Illegal material on the Internet, such as child pornography and information on the covert sale of drugs, as well as sites that are not immediately seen as illegal, such as suicide sites and those showing the manufacturing process for explosive devices, and harmful information regarding contract murders and other illegal acts, has been circulating on the Internet and has become a major societal problem.

Taking these circumstances into consideration, and in order to promote effective measures against illegal activity and harmful information on the Internet, information provided by Internet users concerning illegal and harmful information will be collected and classified according to predetermined standards. The police will be informed of illegal information, and requests will be made to the administrators of providers or electronic notice boards asking that measures be taken to block the transmissions.

A preparatory meeting was held so that providers can fulfill their responsibility to act in the face of harmful information, and to make the preparations necessary to set up "Hotline Center" (provisional name).

Outline

Date and Time: April 4, 2006 (Tuesday) 2-3pm
Place: Shinbashi Internet Association Japan, Shinbashi Frontier Bldg. 6th floor, 3-4-5, Minato-ku, Tokyo
Organizer: Internet Center Japan
Proceedings:
- Preparatory meeting for the establishment of hotline centers
- Invitation to comment on the range of illegal and harmful information handled by the hot lines and procedure for determining this

Outline of "Hotline Center" (provisional name)

Background of establishment

At present, the circulation of child pornography on the Internet, information on restricted drugs and the like, as well as sites that are not immediately seen as illegal, such as suicide sites and those showing the manufacturing process for explosive devices, and harmful information regarding contracts for illegal activities such as murders, have become a major societal problem.

Countermeasures to deal with this illegal and harmful information on the Internet, such as arrests by the police and requests to administrators of providers and electronic notice board operators to voluntarily take measures to stop these transmissions, have been taken. But since vast amounts of new information circulate on the Internet every day, it is clear that there are limits to such countermeasures.

Against such a background, and in order to promote effective and efficient measures against illegal and harmful information on the Internet, the Study Group to Address Illegal and Harmful Information on the Internet also stated in its interim report (announced on January 26, 2006) that an investigation should be carried out on policies to support and promote effective measures by providers and electronic notice board operators to stop such transmissions.

In addition, the National Police Agency, at its fiscal year 2005 General Security Countermeasures Conference, stated that it receives a large number of notices from users concerning illegal and harmful information on the Internet, and proposed that decisions about the information received should be made according to predetermined standards, and that "hotlines", together with a framework for their operation, were needed to make requests of administrators at providers and electronic notice board operators in response to that information.

At present, operation guidelines are being investigated for "Hotline Center" (provisional name), which will be the implementation body for these hotlines.

Responsibilities

"Hotline Center" (provisional name) will receive reports from Internet users concerning illegal and harmful information on the Internet and will categorize them according to predetermined standards that balance fundamental human rights such as freedom of expression against public welfare. A decision will be made based on those standards, followed by notice to the police and a request to administrators at providers and electronic notice board operators to delete the information.

[Reference]
Meeting of the Study Group to Address Illegal and Harmful Information on the Internet
http://www.soumu.go.jp/s-news/2005/050728_5.html
Midterm report of the Study Group to Address Illegal and Harmful Information on the Internet
http://www.soumu.go.jp/s-news/2006/060126_1.html

Operation form

The Center will be operated by a private entity; it is planned that a certain number of experts will provide the hotline services once service bases have been installed and the necessary reference material and equipment prepared.


From : Mic Communications News Vol.17 No.2

ISO/IEC 27000 Information Security Standards Family Adopts a New Member

(July 17, 2007)-- ISO/IEC has formally announced the incorporation of the popular Code of Practice for Information Security Management, formerly known as ISO/IEC 17799:2005 and originally BS 7799, into the ISO/IEC 27000-series. The standard is now known as ISO/IEC 27002:2005.

The announcement is more significant than merely a change of name. The growing family of ISO/IEC 27000 series information security standards is increasingly recognised by information security professionals worldwide as an embodiment of good information security practices. Well over 3,500 large and small organizations have been formally certified compliant with ISO/IEC 27001, with many thousands more using the standards internally to structure their approach to information security management and drive continuous security improvements.

British Standard BS 7799, first released in 1995, eventually comprised three parts. Part 1 became ISO/IEC 27002, Part 2 became ISO/IEC 27001, and Part 3 is anticipated to become ISO/IEC 27005 in due course.

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) released ISO/IEC 17799 in 2000 and revised it in 2005. Apart from the name, ISO/IEC 27002:2005 is identical to ISO/IEC 17799:2005. Its full English title is: "International Standard ISO/IEC 27002:2005. Information technology - Security techniques - Code of practice for information security management".

The ISO/IEC 27000 family is evolving rapidly but at present comprises the following issued or proposed standards:

* ISO/IEC 27000 - will contain the vocabulary and definitions i.e. the specialist terminology used by all of the ISO27k standards.

* ISO/IEC 27001:2005 - is the Information Security Management System requirements standard (specification) against which organizations are formally certified compliant. Published.

* ISO/IEC 27002:2005 is the code of practice for information security management describing a comprehensive set of information security control objectives and a menu of generally accepted good practice controls. Published.

* ISO/IEC 27003 - will be an implementation guide for these standards.

* ISO/IEC 27004 - will be an information security management measurement (metrics) standard to improve the effectiveness of your ISMS.

* ISO/IEC 27005 - will be an information security risk management standard (replacing BS 7799 Part 3).

* ISO/IEC 27006:2007 - is a guide to the certification or registration process for accredited ISMS certification or registration bodies. Published.

* ISO/IEC 27007 - will be a guideline for auditing Information Security Management Systems.

* ISO/IEC 27031 - will be a business continuity standard.

* ISO/IEC 27032 - will be guidelines for cybersecurity.

* ISO/IEC 27034 - will be guidelines for application security.

* ISO 27799 (published by ISO's health informatics committee rather than jointly with IEC) - will be health-sector-specific implementation guidance for ISO/IEC 27002. Other sector-specific implementation guides are planned for industries such as lotteries and (in conjunction with the ITU) telecoms.

From : www.compliancehome.com

ISO/IEC 27031 Information technology

ISO/IEC 27031 Information technology -- Security techniques -- ICT readiness for business continuity (draft, title uncertain)

This new business continuity standard may be based on the Singaporean BC/DR standard SS507 (see below) and may incorporate parts of British Standard BS 25999. (Published July 18, updated Aug 16.) If you are interested, Part 2 of BS 25999 is currently freely available in draft for comment prior to its formal publication, but hurry: comments were due at the end of July 2007 and final release must be imminent.

SS507 - Singapore Standards for Business Continuity/Disaster Recovery (BC/DR) Service Providers

SS507:2004 “Provides a basis to certify and differentiate the BC/DR service providers, helps the end-user organisations in selecting the best-fit service providers and provides quality assurance. Also establishes industry best practices to mitigate outsourcing risks.”

“Singapore [was] the first country in the world to introduce a Standard and Certification programme for BC/DR service providers. Developed by the Infocomm Development Authority of Singapore and the IT Standards Committee (ITSC), the Standard specifies the stringent requirements for BC/DR service providers. These requirements benchmark against the top practices in the region and stipulate the operating, monitoring and up-keeping of BC/DR services offered. ... By engaging a certified BC/DR service provider, assurance is provided to the end-user and frees the company to focus on its core competencies. This enhances the company’s competitive advantage as it is able to achieve stringent Recovery Time Objective, minimise business and data loss; and enjoy uninterrupted services. The certification also serves as a quality mark to inspire service providers to upgrade themselves to provide better services.”


0. Introduction

The ICT DR Services Model (or Framework), showing the foundation layer that defines the supporting infrastructure from which services are derived: policies, processes, programme, performance measurement, people and products.

1. Scope

Describes the purpose of this standard, the assumptions made when using it and what is excluded. Introduces the subsequent clauses and explains their interpretation.

2. Definitions

Defines terms used within the standard to establish a common understanding by the readers.

3. General Guidelines

Basic guidelines for the provision of ICT DR services:

3.1 Environmental stability

3.2 Asset management

3.3 Proximity of services

3.4 Subscription (contention) ratio for shared services

3.5 Third party vendor management

3.6 Outsourcing arrangements

3.7 Privacy and confidentiality

3.8 Activation of subscribed services

4. Disaster Recovery Facilities

Specific guidelines for ICT DR service provision on providing a secure physical operating environment that facilitates recovery:

4.1 Physical access control

4.2 Physical facilities and security

4.3 Environmental controls

4.4 Telecommunications

4.5 Power supply

4.6 Cable management

4.7 Fire protection

4.8 Location of recovery site

4.9 Emergency operations centre

4.10 Restricted facilities

4.11 Physical facilities and equipment lifecycle

4.12 Non recovery amenities

4.13 Testing

4.14 Training and education

5. Recovery Services Capability

Specific guidelines for ICT DR service provision on developing a service delivery capability that supports recovery. Besides qualified staffing, other minimum capabilities include the capacity to support simultaneous invocations when several clients declare a disaster at the same time:

5.1 Expertise

5.2 Logical access controls

5.3 Equipment and operation readiness

5.4 Simultaneous recovery support

5.5 Levels of service

5.6 Types of service

5.7 Client testing

5.8 Changes in capability

5.9 Emergency response plan

5.10 Self-assessment

5.11 Disaster recovery training and education

6. Guidelines for Selection of Recovery Sites

Provides guidelines on the factors to consider when selecting recovery sites, such as:

6.1 Infrastructure

6.2 Skilled manpower and support

6.3 Critical mass of vendors and suppliers

6.4 Local service providers’ track records

6.5 Proactive local support

7. Additional Guidelines for the Professional ICT DR Service Provider

Additional guidelines for professional service providers in the provision of ICT DR services.

From : iso27001security.com