Thursday, August 16, 2007

A CISO's lessons in building a security plan

By Paul Gillin, Contributor
16 Jan 2006 | SearchSecurity.com

You know you've got a security problem but you don't have the budget to engage a consulting firm for a comprehensive security audit. What's an IT security pro to do?

In the case of Hanover Insurance Group, a $3 billion property and casualty insurer, the answer was to get creative. Jeff Bardin, newly hired as CISO at Hanover in late 2004, went to the library of publicly available assessment tools and used the RFP process creatively to assemble a comprehensive list of vulnerabilities. His team then used that data to alert top management to the risks and to attack holes methodically, beginning with the low-cost/high-benefit options and working down.

Bardin, a former CIO, faced numerous security shortcomings when he arrived on the scene. Encryption use was spotty, peer-to-peer software use was potentially exposing proprietary data to outsiders and one employee was even buying and selling guns over the company's Internet connection.

Bardin and his team kicked off a top-to-bottom assessment of the security landscape using proven and freely available tools. The IT staff filled out a National Institute of Standards 800-26 Assessment questionnaire that had been downloaded and modified with terms borrowed from the Capability Maturity Model (CMM), a widely used software best practices benchmark. "I knew the IT staff would understand the questions because Hanover was already a CMM Level 3 shop," Bardin said. The results helped identify deficiencies in IT practices and processes.

The IT organization evaluated itself against the IT Infrastructure Library (ITIL) and Information Technology Service Management standards for service level performance. And Bardin started teaching mini-sessions on the ISO 17799 security standard. The objective was to attack the problem of data leakage. "I knew that if you have strong IT operating standards your security is going to be much better," Bardin said.

While the best practices education was going on, Hanover's seven-person security staff conducted a comprehensive audit. "We turned over everything, scanned everything, did physical walkthroughs, even sat in CEO's chair at night," Bardin told an audience of IT managers at the Babson College Center for Information Management Studies recently.

The results of the surveys were rolled up into a series of easily understandable tables and charts showing how Hanover measured up against the standards in key security areas. At the same time, the team was creatively leveraging the RFP process to gather more data.

Bardin invited vendors to come in and demonstrate their intrusion detection and prevention products but to do it in Hanover's production environment. The result showed that while Hanover's inner network hadn't been penetrated, the exterior was under assault.

The tests hit home with corporate management. "It showed that we may be in Worcester, Mass., but we're under constant attack from all over the world," Bardin said. "It raised awareness." He cautioned that IT pros should be up front with vendors if they plan to use evaluation data in this way.

The security team compared the vulnerability assessment against a list of the biggest risks to Hanover's business. The results were mapped into four quadrants on a cost/risk chart. That set the priorities and the team immediately set about tackling the best opportunities.

The presentation to company management had a few more bells and whistles. Bardin sought out data on which security projects other insurance companies were attacking. He also found a Gartner chart showing that security investments were likely to decline over time after the initial holes were filled. That made for a compelling argument for a stepped-up investment in security. And while Bardin said he'd always like to have more money for security, the company's awareness of the issue has improved from the top down.


Hanover still hasn't reached its goals of a "zero-incident culture," but as a result of the comprehensive assessment, it has its plans in place and 97% of the employees have taken compliance training. "We know where we stand relative to most of our vulnerabilities," Bardin said. "We have a real good idea of where the gaps are and what we still have to fill."

Paul Gillin is a technology writer and consultant and former editor-in-chief of TechTarget. His Web site is www.gillin.com.


Helpful hints

The key to raising awareness of information security in an organization is to communicate up, said Jeff Bardin, CISO at Hanover Insurance Group. Here are a few of his tips.


  • Seek out a trusted sponsor who knows how key managers will react to your message
  • Align your security priorities with business objectives so you tackle the big payoff problems first
  • Make sure you know how much the project will cost
  • Know top management's priorities and make them your priorities
  • Share data beforehand so there are no surprises
  • Know what the competition is doing and don't attack projects that are too far out of line with the market's thinking
    Competing regulations clog road to compliance

    By Michael S. Mimoso, Senior Editor
    20 Oct 2005 | SearchSecurity.com

    NEW YORK -- Dennis Murray may be in the world's busiest city, but traffic in the Big Apple is nothing like the dangerous intersection of compliance demands he deals with each day as a security analyst for Blue Cross and Blue Shield Association.

    And his plight isn't unlike other security managers attending this week's Information Security Decisions conference, namely managing the multitude of regulations enterprises are commanded to comply with.

    "The harmonization of it all is difficult," Murray said Wednesday, noting that guidelines provided by the Health Insurance Portability and Accountability Act, the Sabarnes-Oxley Act (SOX) and the National Institute of Standards and Technology often seem to pull companies in different directions. "All this plethora of compliance makes it hard to set a level to it and match the standards and regulations and meet their requirements."

    Competing regulations make it difficult for companies to set priorities, make purchasing decisions and execute policy. One strategy to combat this is to build upon one of the popular security frameworks, creating a living document that evolves along with regulations.

    Diana Kelley, an analyst for Midvale, Utah-based Burton Group, said these internal frameworks often use established baselines like CoBIT, COSO or ISO 17799, which are then customized according to a particular business unit's needs. Kelley said that set of policies, processes and tools normalizes an enterprise's tactics toward compliance.

    "This helps prepare your organization for the next regulation coming down the line," Kelley said. Enterprises that create these internal frameworks can benefit from the consistency of a policy-based approach to compliance, centralized control and better reporting capabilities.

    Standards like ISO 17799, however, are not prescriptive. Instead, they're open-ended documents that explain what your organization should be doing, Murray said, but not how.

    "What we're trying to do is make sense of this rash of standards," Murray said. "We're constantly being audited from all sides. We do our best to set priorities. The message, though, is that ROI has nothing to do with perceived value of assets. It's about protecting assets and maintaining consumer confidence."

    Once an organization establishes an internal framework, the next challenge is the tools that help solidify internal controls and meet regulatory requirements. Despite what many vendors would have you believe, compliance does not come in a box. There are no silver bullets for compliance. In fact, the inherent complexity of enterprise systems is in a constant tug-of-war with compliance efforts.

    "The compliance products you bring in may touch a lot of moving parts in the enterprise, including devices you may not own," Kelley cautioned. "You may have to negotiate politically about why you need to implement this in a particular business unit." Normalization and correlation tools are likely the first step down the compliance road, and oftentimes, these tools may already be present in your organization.

    Some financial applications, such as those from Oracle Corp. or SAP AG, are being enhanced with features that help organizations comply with certain aspects of SOX 404. Document management systems, present in most financial departments, could help with demonstrating to an auditor a company has established a flow chart of internal controls and has written policies around these controls.

    Additionally, network management systems, like Hewlett-Packard Co.'s OpenView or IBM's Tivoli, manage network components, Kelley said, and could be used to demonstrate continuity of service and service levels established in regulatory control objectives.

    Information Security Decisions is produced by TechTarget, publisher of SearchSecurity.com.

    ISO 17799: A methodical approach to partner and service provider security management

    Richard Mackey
    06.20.2007

    This tip is part of Ensuring compliance across the extended enterprise, a lesson in SearchSecurity.com's Compliance School. Visit the Ensuring compliance across the extended enterprise lesson page for additional learning resources.

    These days, it is fairly common for a company to outsource customer-facing services or allow another organization to handle data processing and even security monitoring and management. Outsourcing allows companies to provide a wider range of services, reduce cost and focus on other tasks that will strengthen the business.

    Every time an organization trusts another business entity to handle sensitive information or manage critical infrastructure, however, there are risks. Worse yet, many companies do not realize that failing to closely examine their prospective partners' security practices can lead to compromise. Organizations that are bound by regulations like HIPAA, Gramm-Leach-Bliley (GLBA) and Sarbanes-Oxley (SOX) may pay an even steeper price, as these regulations explicitly require organizations to manage the risk associated with service providers.

    Fortunately, enterprises can curtail partner or service provider security issues by taking a methodical approach to assessing and managing the risks. That means coming to terms with the risks and the costs of creating and maintaining these partnerships. One such approach is a partner management program based on the ISO 17799 standard.

    A standards-based methodology
    By definition, ISO 17799 is a "code of practice for information security management." In other words, it is a laundry list of best security practices that apply to a broad range of business environments. The standard covers areas including risk assessment, security policy, governance, access control, information classification, operations management and business continuity.

    A partner management program based on the ISO standard consists of three phases:

    • Inherent risk assessment – A review of how much damage could be done to a partner if information or services were compromised and there were no security controls. In other words, how bad would it be if the partner was compromised? A partner, for example, may hold critical and sensitive customer information, like credit card numbers or social security numbers. If such data is compromised, a company's reputation could be ruined. That would constitute a critical inherent risk and call for a deeper evaluation.
    • Partner practice assessment – An examination of the partner to a depth commensurate with the inherent risk. For critical partnerships that demand an in-depth review, many organizations use ISO 17799. The assessment consists of a walk-through of the standard, where the partner's practices are compared to those described in ISO 17799's 133 subsections. Each of ISO 17799's major areas (including risk assessment, security policy, access control, communications and operations, physical security, and business continuity) has subsections which review best management practices.

      When addressing communications and operations management, for example, the assessment walks through the administrative practices for the service provider's production environment, covering the distribution of responsibilities, the documentation of procedures, and critical control components like change control and patch management. While such an evaluation may sound straightforward, each one of the sections requires managers to carefully consider how the standard should be applied to their given business, organizational, and technical contexts. A reasonable practice for a small company where every employee knows each other, for example, may be less acceptable in large multinational organizations, and decisions must be made accordingly.

      The ISO standard can also be useful in reviewing partners that provide less critical services. The standard can be used to construct a questionnaire that gathers data and assesses how well an organization and its many departments can manage the security of another company's information. Some questions that would likely appear in a questionnaire are:
      • Does your organization utilize network controls to segregate the corporate and production networks?
      • What mechanisms are used to ensure that only authorized application users are allowed access to data managed by the service?
      • How often are backups of the service data executed?
      • Has a documented incident response plan been put in place? How often does the production staff practice the plan?
      • Has your organization had a security incident?

    • Remediation, monitoring and periodic assessments – After a partnership is established, the work is just beginning. Any important weaknesses that are discovered should be remediated according to an agreed-upon timeline. Furthermore, the initial assessment should be used as a baseline against which future analyses can be compared. Service providers should be revisited at least once a year to determine whether anything about their environments, designs or practices has changed for the worse. Using an ISO 17799-based report card makes it possible to compare a partner's progress with the results and assessments of other partners. The accumulation of information can help establish minimum requirements for all service providers.
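    The three phases above can be carried in a small data model. The following Python sketch is an added example, not code from the article, from SystemExperts or from ISO: it derives an inherent-risk tier from the kind of data a partner holds, maps that tier to an assessment depth, compares a partner's current ISO 17799-style report card against its baseline to flag anything that has changed for the worse, and uses the accumulated cards of all partners to propose per-area minimum requirements. The data-sensitivity weights, the tier-to-depth mapping, the 0-3 maturity scale and the three partner report cards are constructed assumptions; only the six area names come from the text.

```python
import statistics
from typing import Dict, List

# The ISO 17799 major areas named in the text, used as report-card rows.
AREAS = ["risk assessment", "security policy", "access control",
         "communications and operations", "physical security", "business continuity"]

# Constructed inherent-risk weights for the kinds of data a partner may hold.
DATA_WEIGHT = {"public": 0, "internal": 1, "personal": 2,
               "payment card": 3, "social security number": 3}
TIERS = ["low", "medium", "high", "critical"]

# Constructed mapping from inherent-risk tier to the depth of the practice assessment.
ASSESSMENT_DEPTH = {
    "low": "contractual security clauses only",
    "medium": "ISO 17799-based questionnaire",
    "high": "full walk-through of the ISO 17799 subsections",
    "critical": "full ISO 17799 walk-through plus on-site review",
}

ReportCard = Dict[str, int]   # area -> maturity score 0 (absent) .. 3 (managed and measured)


def inherent_risk(data_types: List[str], critical_service: bool) -> str:
    """How bad a compromise would be with no controls in place: driven by the most
    sensitive data held, bumped one tier when the partner runs a critical service."""
    worst = max((DATA_WEIGHT[d] for d in data_types), default=0)
    if critical_service:
        worst = min(worst + 1, len(TIERS) - 1)
    return TIERS[worst]


def validate_card(card: ReportCard) -> None:
    missing = [a for a in AREAS if a not in card]
    if missing:
        raise ValueError(f"report card missing areas: {missing}")
    if any(not 0 <= card[a] <= 3 for a in AREAS):
        raise ValueError("scores must be 0..3")


def regressions(baseline: ReportCard, current: ReportCard) -> List[str]:
    """Areas where a partner has changed for the worse since the baseline assessment."""
    validate_card(baseline)
    validate_card(current)
    return [a for a in AREAS if current[a] < baseline[a]]


def proposed_minimums(cards: Dict[str, ReportCard]) -> ReportCard:
    """Median score per area across all assessed partners, as a starting point for
    minimum requirements that every service provider is expected to meet."""
    for c in cards.values():
        validate_card(c)
    return {a: int(statistics.median(c[a] for c in cards.values())) for a in AREAS}


def below_minimum(cards: Dict[str, ReportCard], minimums: ReportCard) -> Dict[str, List[str]]:
    """For each partner, the areas that fall short of the proposed minimums."""
    return {name: [a for a in AREAS if card[a] < minimums[a]] for name, card in cards.items()}


def sample_cards() -> Dict[str, ReportCard]:
    """Constructed report cards for three partners (illustrative scores)."""
    def card(*scores: int) -> ReportCard:
        return dict(zip(AREAS, scores))
    return {
        "payments processor": card(3, 3, 2, 3, 3, 2),
        "print and mailing vendor": card(1, 2, 1, 2, 2, 1),
        "claims outsourcer": card(2, 2, 3, 2, 1, 2),
    }


if __name__ == "__main__":
    tier = inherent_risk(["personal", "payment card"], critical_service=True)
    print(f"payments processor: inherent risk {tier} -> {ASSESSMENT_DEPTH[tier]}")
    cards = sample_cards()
    mins = proposed_minimums(cards)
    print("proposed minimums:", mins)
    print("shortfalls:", below_minimum(cards, mins))
    last_year = dict(cards["payments processor"], **{"access control": 3})
    print("regressions since baseline:", regressions(last_year, cards["payments processor"]))
```

    The tier decides how much assessment effort a partner earns, and the median-based minimums are only a proposal: once a baseline exists for every partner, a regression list per partner and a shortfall list against the minimums are the two outputs the annual revisit should produce.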

    ISO 17799 as a common framework
    While most service providers bristle at the idea of yet another security review, particularly one that goes to the depth that an ISO 17799 review calls for, most can appreciate the fact that the ISO standard provides a set list of requirements.

    One of the most problematic aspects of partner reviews is their ad hoc nature. Service providers are essentially asked to play by a different set of rules for each review they face. By agreeing on ISO 17799, service providers and consumers can substantially reduce the cost of preparations and make reviews much more efficient. The result is better communication, better documentation and faster consummation of service agreements.

    About the author:
    Dick Mackey is regarded as one of the industry's foremost authorities on distributed computing infrastructure and security. He has advised leading Wall Street firms on overall security architecture, virtual private networks, enterprise-wide authentication, and intrusion detection and analysis. He also has unmatched expertise in the OSF Distributed Computing Environment. Prior to joining SystemExperts, Mr. Mackey was the director of collaborative development for The Open Group (the merger of the Open Software Foundation and X/Open) where he was responsible for the integration of Microsoft's ActiveX Core with DCE and DCE Release 1.2. Mr. Mackey is an original member of the DCE Request For Technology technical evaluation team and was responsible for the architecture and defining the contents of DCE Releases 1.1 and 1.2. He has been a frequent speaker at major conferences and has taught numerous tutorials on developing secure distributed applications.

    Is 27001 for you?

    In order to help you find out whether ISO/IEC 27001 applies to your organisation, we have constructed this simple questionnaire. To use it, answer the questions and submit. We will then tell you how interested in ISO/IEC 27001 you ought to be and the likely scope of certification you require.

    The questions are written from a supplier's point of view. You can try to answer them as a customer to determine what the scope of certification your suppliers should have, if any.

    Remember, ISO/IEC 27001 concerns information security, not just IT, so don't forget to include media such as paper, video telephones, faxes and other forms of electronics as well as personnel, procedures and physical aspects when you answer these questions.


    Overview

    The standard effectively comes in two parts:
    • ISO/IEC 27001:2005 is a standard specification for an Information Security Management Systems (ISMS). An ISMS is the means by which Senior Management monitor and control their security, minimising the residual business risk and ensuring that security continues to fulfil corporate, customer and legal requirements. It forms part of an organisation's internal control system.

    • ISO/IEC 27002:2005 is a standard code of practice and can be regarded as a comprehensive catalogue of good security things to do.

    A Technical Corrigendum was published by ISO on 1 July 2007 renaming ISO/IEC 17799:2005 as ISO/IEC 27002:2005.

    The Management Standard

    ISO/IEC 27001:2005 instructs you how to apply ISO/IEC 27002 and how to build, operate, maintain and improve an ISMS.

    The major components of an ISMS are summarised in Figure 1. The activities continually cycle around the PLAN-DO-CHECK-ACT cycle.

    [Figure 1: diagram of the PLAN-DO-CHECK-ACT cycle]

    Figure 1 - The major steps towards ISMS compliance.

    PLAN

    Scope

    The first step is to define the scope of the ISMS. It could be the whole of your organisation. It could be a particular site. It could be just a particular service - Internet banking for example. The choice is yours.

    ISMS Policy

    Why is information security important to you? Is there a particular threat, or other worries that concern you? What do you want to achieve, for example in terms of confidentiality, integrity and availability? What do you believe is an acceptable level of risk? Are there any constraints, such as laws and regulations, or particular ways in which you wish to do things? Document your answers in a policy document. Note that it covers the whole of the ISMS, not just the security controls. It is therefore far more extensive than the "information security policy" referred to in the Code of Practice. It should be a relatively short document (1-3 pages) and signed off by the CEO. Security, as with all other internal controls, flows down from the top of the organisation.

    Risk assessment

    Now you know what you are trying to protect and what is an acceptable level of risk, what is your actual risk? Choose a method that is appropriate to your organisation and the scope of your ISMS. What are the risks? Determine these by a consideration of the impacts that would occur if some threat exploits a weakness in your defences to compromise the security of an asset, and how likely is the impact to occur.

    Evaluate the risks. If you plot the likelihood of the impact occurring against the magnitude of the impact, you may consider that there are risks that are not of any great concern because:
    • even if they would have a major impact they are extremely unlikely or

    • even if they occurred all the time they would have an insignificant impact.


    [Diagram: applicable risk includes high impact-low likelihood events, low impact-high likelihood events and high impact-high likelihood events]

    The Institute of Chartered Accountants in England and Wales refers to the remaining risks as the applicable risks. These are the risks that you need to control. You will either have controls in place that reduce the risk to an acceptable level, or you will need to introduce them. Make sure that you have controls in place that will tell you if a non-applicable risk turns into an applicable risk.




    Risk treatment plan

    After completing your assessment of risk, ISO/IEC 27001 asks you to treat that risk. Are you just going to accept the risk and rely on your ability to promptly detect and respond to security incidents? (By the way, you will need such a procedure to comply with the standard.) Are you going to avoid the risk, transfer it to a third party (e.g. via insurance) or are you going to apply appropriate controls? This is your risk treatment plan. We have developed a methodology for doing this that does the risk assessment on the fly and avoids the usual gobbledegook associated with IT risk assessments - so easy, based on events and impacts expressed in business terms, senior business managers can do it.

    Select control objectives and controls

    ISO/IEC 27001:2005 presents a list of 133 candidate control objectives and controls, drawn one-to-one from ISO/IEC 27002. The list is not exhaustive and you are free to identify additional control objectives and controls as you please. Not all of those listed in ISO/IEC 27001:2005 may be relevant to your ISMS. In our methodology, selecting your controls also forms part of the risk treatment plan.

    Statement of Applicability (SOA)

    You are required to go through all 133 ISO/IEC 27001:2005 controls and justify which ones you have used and which you have not. You are required to relate the selection of the controls back to the risk assessment. In practice, you can also relate the selection of controls back to statements in your ISMS policy, the precedence for this being set by the Common Criteria (ISO/IEC 15408). This process acts as a safety net in case you inadvertently omitted something important in your risk assessment/risk treatment. In our approach to integrated management systems, we refer to this as an Alternative Ideas List.
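    The PLAN steps from risk assessment through to the Statement of Applicability lend themselves to a small register. The following Python sketch is an added worked example, not code from the page, from Gamma or from ISO: each risk is scored for likelihood and impact, the two "not of any great concern" corners of the plot are separated from the applicable risks, each applicable risk records its treatment (accept, avoid, transfer or apply controls), a safety-net check flags applicable risks above tolerance that are merely accepted or that claim controls without naming any, and a Statement of Applicability is generated that justifies every candidate control by the applicable risks it treats or records why it was excluded. The 1-5 scales, the tolerance threshold, the control identifiers (C-01 and so on) and the sample risks are constructed assumptions; they are not the 133 ISO/IEC 27001 controls.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple

# Constructed scales: likelihood and impact are each scored 1 (negligible) to 5 (severe).
NEGLIGIBLE = 1       # a risk whose likelihood OR impact is this low is "not of any great concern"
RISK_TOLERANCE = 6   # constructed: likelihood * impact above this must not simply be accepted


class Treatment(Enum):
    ACCEPT = "accept the risk"
    AVOID = "avoid the risk"
    TRANSFER = "transfer the risk (e.g. insurance)"
    CONTROL = "apply controls"


@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int
    treatment: Treatment = Treatment.ACCEPT
    controls: List[str] = field(default_factory=list)   # ids of the controls that treat it

    def score(self) -> int:
        return self.likelihood * self.impact

    def applicable(self) -> bool:
        # High impact/low likelihood, low impact/high likelihood and high/high are all
        # applicable; only the two negligible corners of the plot are not.
        return self.likelihood > NEGLIGIBLE and self.impact > NEGLIGIBLE


def validate(risk: Risk) -> None:
    for value in (risk.likelihood, risk.impact):
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.name}: likelihood and impact must be scored 1..5")


def split_applicable(register: List[Risk]) -> Tuple[List[str], List[str]]:
    """Names of the applicable risks and of those judged not of great concern."""
    return ([r.name for r in register if r.applicable()],
            [r.name for r in register if not r.applicable()])


def treatment_gaps(register: List[Risk]) -> List[str]:
    """The safety net: applicable risks above tolerance that are merely accepted,
    or that claim to be controlled without naming a control."""
    gaps = []
    for r in register:
        if not r.applicable():
            continue
        if r.score() > RISK_TOLERANCE and r.treatment is Treatment.ACCEPT:
            gaps.append(f"{r.name}: score {r.score()} exceeds tolerance but is accepted")
        if r.treatment is Treatment.CONTROL and not r.controls:
            gaps.append(f"{r.name}: treated by controls but none selected")
    return gaps


def statement_of_applicability(register: List[Risk],
                               candidates: Dict[str, str]) -> Dict[str, str]:
    """Every candidate control is either selected, naming the applicable risks that
    justify it, or explicitly excluded with the reason."""
    soa = {}
    for cid, title in candidates.items():
        treats = [r.name for r in register if r.applicable() and cid in r.controls]
        if treats:
            soa[cid] = f"SELECTED - {title}: treats " + ", ".join(treats)
        else:
            soa[cid] = f"EXCLUDED - {title}: no applicable risk requires it"
    return soa


# Constructed candidate controls; ids and titles are illustrative, not Annex A.
CANDIDATE_CONTROLS = {
    "C-01": "Backup of service data",
    "C-02": "Review of user access rights",
    "C-03": "Incident detection and response procedure",
    "C-04": "Cabling security",
}

# Constructed sample register for one in-scope service.
REGISTER = [
    Risk("Loss of customer database", likelihood=2, impact=5,
         treatment=Treatment.CONTROL, controls=["C-01", "C-03"]),
    Risk("Leavers retain system access", likelihood=4, impact=3,
         treatment=Treatment.CONTROL, controls=["C-02"]),
    Risk("Meteor strike on data centre", likelihood=1, impact=5),   # extremely unlikely
    Risk("Typos in internal newsletter", likelihood=5, impact=1),   # insignificant impact
    Risk("Office flood", likelihood=2, impact=4, treatment=Treatment.TRANSFER),
]


def run(register: List[Risk] = REGISTER,
        candidates: Dict[str, str] = CANDIDATE_CONTROLS) -> dict:
    for r in register:
        validate(r)
    applicable, not_applicable = split_applicable(register)
    return {"applicable": applicable, "not_applicable": not_applicable,
            "gaps": treatment_gaps(register),
            "soa": statement_of_applicability(register, candidates)}


if __name__ == "__main__":
    import json
    print(json.dumps(run(), indent=2))
```

    The point of keeping the control ids on the risk records, rather than on a separate checklist, is that the SOA is then derived from the risk treatment instead of being written independently of it: a control nobody can trace to an applicable risk shows up as excluded, and a risk above tolerance with no treatment shows up in the gap list.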

    DO

    The DO part of the cycle requires you to operate the controls. You will need a procedure, as mentioned above, to ensure the prompt detection and response to incidents. You will also need to ensure that all staff are security aware, and are appropriately trained and are competent to carry out their respective security tasks. To ensure all of this is carried out you will need to manage the necessary resources.

    CHECK

    The purpose of the CHECK phase is to ensure that the controls are in place and are achieving their objectives. There are a variety of possible check activities, but only internal ISMS audit and management review are mandatory requirements.

    A new requirement, not included in BS 7799-2:2002, is the measurement of the effectiveness of your controls. Our paper on measuring the effectiveness of an internal control system explains how this can be done.

    ACT

    The outcomes of the CHECK activity are actions. There are three varieties:

    • corrective action

    • preventive action

    • improvements.

    Further information

    There are particular requirements concerning documentation and records. These are very similar to those required by ISO 9001. Indeed there is a great deal of overlap making the creation of integrated management systems a real possibility.


    The Code of Practice

    ISO/IEC 27002:2005 defines 133 security controls structured under 11 major headings (see Figure 2) to enable readers to identify the particular safeguards that are appropriate to their particular business or specific area of responsibility. These security controls contain further detailed controls bringing the overall number somewhere in the region of 5000+ controls and elements of best practice.

    The standard stresses the importance of risk management and makes it clear that you do not have to implement every single guideline; only those that are relevant. The scope of the standard covers all forms of information, including voice and graphics, and media such as mobile phones and fax machines. The new standard recognises new ways of doing business, such as e-commerce, the Internet, outsourcing, tele-working and mobile computing.

    The code of practice covers: (1) security policy; (2) organising security; (3) asset management; (4) human resources security; (5) physical and environmental security; (6) communications and operations management; (7) access control; (8) acquisition, development and maintenance; (9) incident management; (10) business continuity management and (11) compliance.

    Figure 2 - Coverage of ISO/IEC 27002


    Certification schemes

    Certification schemes are being established in many parts of the world. It is therefore useful to reveal who the players are and what is going on. Have a look at Figure 3.

    ISO/IEC 27006:2007 provides guidance to National Accreditation Bodies for the accreditation of Certification Bodies wishing to assess ISMSs, e.g. against ISO/IEC 27001:2005. The various National Accreditation Bodies around the world operate a "mutual recognition" process that allows certificates awarded in one country to be accepted by the Accreditation Body of another.

    [Diagram: relationship between the certification scheme players]

    Figure 3: Relationship between scheme players

    In order to be awarded a certificate, your ISMS will be audited by an ISMS assessor. The assessor cannot also be a consultant. There are very strict rules about this. The assessor will work for a Certification Body (such as BSI Assessment Services Limited and Det Norske Veritas).

    The Certification Body will award you the certificate. The certificate will document the scope of your ISMS and other relevant details, such as the statement of applicability. Only Certification Bodies that have been duly accredited by a National Accreditation Body can issue certificates.

    The assessor will return periodically to check that your ISMS is working as intended.

    Obtaining the Standards

    In order to buy a copy of the standards, please contact BSI Customer Services by telephone at (+44) 20 8996 7555 or electronically from https://eshop.bsi-global.com/.


    Gamma(ISO/IEC 27001:2005 and BS EN ISO 9001: 2000 registered company)

    Risk Assessment

    ISO/IEC 17799 and ISO/IEC 27001 are predicated on risk assessment. You cannot escape this - it is one of the working documents required for certification. Moreover, the SOA is "based on the results and conclusions of the risk assessment and risk treatment process" and, thus, the risk assessment must be relevant to the SOA. It must also be relevant to your business, else the ISO/IEC 17799 controls that you adopt will not! Not sure how to start...

    Your response - ask Gamma to help you perform your risk assessment

    We will help you to perform your risk assessment and teach you how to do it at the same time, so that you can make the risk management decisions and maintain the risk assessment in the future. We will also ensure that we identify the significant business risks, particularly those concerned with the business applications and not just the usual risks concerned with IT platforms and networks. This is especially important from a corporate governance perspective.

    There are a variety of risk assessment tools that we can use (e.g. we have used CRAMM, Expert, RA and Riskwatch) or we can perform the assessment manually. Whichever way you feel more comfortable with, the basic steps will help you to:

    • identify your assets and who is ultimately responsible for their security
    • identify the threats to those assets and how they may go about attacking them
    • identify the security relevant events that concern you and the impacts to your business that might then arise
    • determine, for each possible event/impact pair within the context of existing controls the risk that the security of the associated assets might be compromised by the applicable threats

    You then determine whether that risk is acceptable to you or not. If it is, we note that fact and move on to the next event/impact pair. If not, we will help you to identify how the risk is to be treated so that the residual risk is acceptable to you. We will document the risk assessment and risk treatment process in a form that is appropriate to your business so that you can maintain it in the future.


    What is PTA?

    Software technology and tools for performing Practical Threat Analysis

    PTA (Practical Threat Analysis) is a software technology and a suite of tools that enable users to find the most beneficial and cost-effective way to secure computerized systems and applications according to their specific functionality and environment.

    How does it work?

    The threat analysis process begins by describing the specific threats and vulnerabilities of the system. The threats are then associated with assets that might be damaged. The process continues by finding the exact countermeasures that will fit different threats. The risk level, potential damage and countermeasures required are all presented in real $ values. PTA automatically calculates the level of risk and the maximum available mitigation and advises on the most cost effective way to mitigate threats and reduce overall system risk.

    Who should use PTA?

    PTA was designed to assist the work of security consultants, software security engineers and information security officers.

    When should Practical Threat Analysis be done?

    The best time to use PTA is during system design phase. Potential losses and security countermeasures may be defined at the start and prevent future problems. For systems already in operation, PTA can identify areas of corrective actions. Since threats, vulnerabilities and countermeasures vary throughout a system’s life cycle, threat analysis should be a continuous task.

    What are the common problems arising during system threat analysis?

    1. Analyzing only a particular ‘environment’, for example networking, makes it difficult to thoroughly explore threats. This is especially true in complex applications with many interfaces.
    2. Analyzing a system only once during its life cycle.
    3. There is no quantitative valuation of the severity of threats in real $ value.
    4. The outcome of the analysis does not include clear recommendations on the most efficient and cost-effective countermeasures required.
    5. Threat analysis models are not dynamic; changes in any parameter of the model will not be immediately reflected in the countermeasures recommended.

    Quickly build threat models, analyze risks and manage risk mitigation policies

    Using PTA, analysts can quickly build threat models, analyze risks and manage risk mitigation policies relevant to the application's domain. Inputs may be obtained from a variety of external sources e.g. vulnerability scanners, real-time network analyzers, security event repositories and security standards databases. The information can be entered manually as well as automatically.

    PTA will save you time and money. In addition to recommending the most cost effective countermeasures, PTA presents the current level of security of the monitored system. Once used, PTA enables dynamic changes in each of the defined threats, vulnerabilities, assets and countermeasures parameters. This allows an effective and continuous security management, throughout the application's life cycle without duplicating efforts and at minimal cost.
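    The calculation described above, threats tied to assets, risk and countermeasures expressed in $ and the most cost-effective mitigation recommended, can be illustrated with a generic expected-loss model. The following Python sketch is an added example and is not PTA's code or its actual algorithm: it values each threat as annual probability times the fraction of the asset's value lost, treats independent mitigations of the same threat as multiplying residual factors, and greedily selects countermeasures by risk reduction per $ spent, recomputing the marginal benefit after each pick and never choosing one that costs more than the risk it removes. The assets, probabilities, damage fractions, countermeasure costs and mitigation factors are constructed sample values, not measured data.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # business value in $ (constructed)


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str              # name of the asset that would be damaged
    probability: float      # annual probability that the threat materialises, 0..1
    damage: float           # fraction of the asset's value lost when it does, 0..1


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float                     # annual cost in $
    mitigation: Dict[str, float]    # threat name -> fraction of that threat's risk removed


def threat_risk(t: Threat, assets: Dict[str, Asset]) -> float:
    """Expected annual loss from one threat with no countermeasures applied."""
    return t.probability * t.damage * assets[t.asset].value


def total_risk(threats: List[Threat], assets: Dict[str, Asset],
               applied: List[Countermeasure]) -> float:
    """Residual expected annual loss across all threats. Mitigations against the
    same threat are assumed independent, so their residual factors multiply."""
    total = 0.0
    for t in threats:
        residual = 1.0
        for cm in applied:
            residual *= 1.0 - cm.mitigation.get(t.name, 0.0)
        total += threat_risk(t, assets) * residual
    return total


def recommend(threats: List[Threat], assets: Dict[str, Asset],
              candidates: List[Countermeasure], budget: float) -> List[Countermeasure]:
    """Greedy selection: repeatedly add the countermeasure with the largest risk
    reduction per $ spent, provided it fits the remaining budget and removes more
    risk than it costs. Marginal benefit is recomputed after each choice, so a
    second control against an already-mitigated threat earns less."""
    chosen: List[Countermeasure] = []
    remaining = list(candidates)
    spent = 0.0
    while remaining:
        current = total_risk(threats, assets, chosen)
        best, best_ratio = None, 0.0
        for cm in remaining:
            if spent + cm.cost > budget:
                continue
            reduction = current - total_risk(threats, assets, chosen + [cm])
            if reduction <= cm.cost:        # would cost more than the risk it removes
                continue
            if reduction / cm.cost > best_ratio:
                best, best_ratio = cm, reduction / cm.cost
        if best is None:
            break
        chosen.append(best)
        remaining.remove(best)
        spent += best.cost
    return chosen


def build_model() -> Tuple[Dict[str, Asset], List[Threat], List[Countermeasure]]:
    """Constructed sample model; every number here is illustrative."""
    assets = {a.name: a for a in [Asset("customer database", 1_000_000.0),
                                  Asset("public web site", 200_000.0)]}
    threats = [
        Threat("SQL injection via web application", "customer database", 0.3, 0.5),
        Threat("Ransomware on file servers", "customer database", 0.2, 0.8),
        Threat("Web site defacement", "public web site", 0.5, 0.1),
    ]
    candidates = [
        Countermeasure("Input validation code review", 20_000.0,
                       {"SQL injection via web application": 0.8}),
        Countermeasure("Offline backups with restore tests", 15_000.0,
                       {"Ransomware on file servers": 0.7}),
        Countermeasure("Web application firewall", 40_000.0,
                       {"SQL injection via web application": 0.5, "Web site defacement": 0.6}),
        Countermeasure("Defacement monitoring service", 12_000.0,
                       {"Web site defacement": 0.9}),
    ]
    return assets, threats, candidates


def run(budget: float) -> Tuple[List[str], float, float]:
    """Chosen countermeasure names, expected loss before, and residual loss after."""
    assets, threats, candidates = build_model()
    chosen = recommend(threats, assets, candidates, budget)
    return ([cm.name for cm in chosen],
            total_risk(threats, assets, []),
            total_risk(threats, assets, chosen))


if __name__ == "__main__":
    names, before, after = run(budget=60_000.0)
    print(f"recommended: {names}")
    print(f"expected annual loss: ${before:,.0f} -> ${after:,.0f}")
```

    With the sample figures the model recommends backups and the code review and declines the firewall, because once the code review is in place the firewall's remaining marginal benefit no longer covers its cost; the defacement monitoring service is never chosen for the same reason. This is the dynamic behaviour the text describes: change any parameter and the recommendation is recomputed.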


    Practical Threat Analysis of Complex Software

    Abstract

    This paper describes Practical Threat Analysis (PTA), a structured methodology implemented in a Windows freeware application that helps analysts and developers assess system risks and build the most effective risk reduction program for their complex software system.

    To the casual observer, software appears simple but imbued with power. For the programmers, the code becomes obscure when viewed later and tests of correctness can be quite difficult to perform. With the steep rise in reported data breaches in recent years, it is becoming apparent that basic software flaws are at the root of the system vulnerabilities that enabled exploitation by hackers and trusted insiders.

    PTA helps the security, application development and deployment teams identify and prioritize remediation of flaws in a cost-effective manner.



    Best Practice Management Controls

    Best practice controls for company data assets

    Abstract

    This article reviews the main areas for concern for protecting data assets from internal threats and vulnerabilities. It starts with an anecdote from an interview with a senior manager and concludes with a recommendation for implementing an approach to protect data directly (as opposed to commonly-used methods that attempt to protect the network and limit user permissions).



    Automating ISO 27001 with PTA

    Abstract

    This article describes the PTA threat model library for the ISO 27001 risk assessment standard. The library has been used in several projects and was found to be very productive in shortening timetables of risk assessment and threat analysis projects.

    The PTA software is freeware that can be downloaded from the PTA Technologies Web site. The PTA ISO 27001:27005 library is available for free download and distribution, licensed from the Control Policy Group under the Creative Commons Attribution License.

    Feel free to download and introduce the PTA ISO 27001 library to your colleagues and promote it via postings to security forums and adding links to our web site. We wish to freely distribute the ISO 27001:27005 library to the security community and hope that its popularity and availability will contribute to your productivity and let you benefit from the experience of security colleagues world wide. Contact us at any time with questions or suggestions for improvement.
