

Tuesday, August 21, 2007

Information security

Security is everyone's responsibility. Security awareness poster. U.S. Department of Commerce/Office of Security.

Information security is the process of protecting information from unauthorized access, use, disclosure, destruction, modification, or disruption. [1] The terms information security, computer security and information assurance are frequently used interchangeably. These fields are interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them. These differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms.

Heads of state and military commanders have long understood the importance and necessity of protecting information about their forces' capabilities, number of troops and troop movements. Such information falling into the hands of the enemy could be disastrous. Governments, military, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research, and financial status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers. Should confidential information about a business's customers or finances or new product line fall into the hands of a competitor, such a breach of security could lead to lost business, law suits or even bankruptcy of the business. Protecting confidential information is a business requirement, and in many cases, it is also a legal requirement, and some would say that it is the right thing to do. For the individual, information security has a significant effect on privacy, which is viewed very differently in different cultures.

The field of information security has matured and evolved much in recent years. As a career choice there are many ways of gaining entry into the field. The field offers many areas for specialization, including Information Systems Auditing, Business Continuity Planning and Digital Forensics Science, to name a few.

This article presents a general overview of information security and its core concepts.


  • 1 A brief history of Information Security
  • 2 Basic principles of Information Security
    • 2.1 Confidentiality, integrity, availability
    • 2.2 Risk management
    • 2.3 Three types of controls
    • 2.4 Security classification for information
    • 2.5 Access control
    • 2.6 Cryptography
    • 2.7 Defense in depth
  • 3 Information security as a process
    • 3.1 Security planning
    • 3.2 Incident response plans
    • 3.3 Change management
    • 3.4 Disaster recovery planning
  • 4 Laws and regulations governing Information Security
  • 5 Sources of standards for Information Security
  • 6 Conclusion
  • 7 Notes and references
  • 8 Bibliography
  • 9 See also
  • 10 External links

A brief history of Information Security

This article will not attempt to present a comprehensive history of the field of information security; rather, it will suffice to describe the original roots and key developments of what is now known as information security.

Since the early days of writing, heads of state and military commanders understood that it was necessary to provide some mechanism to protect the confidentiality of written correspondence and to have some means of detecting tampering. Persons desiring secure communications have used wax seals and other sealing devices since the early days of writing to signify the authenticity of documents, prevent tampering, and ensure confidentiality of correspondence.

Julius Caesar is credited with the invention and use of the Caesar cipher c. 50 B.C. to prevent his secret messages from being read should a message fall into the wrong hands.
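As an added example, not part of the original article, the following Python implements the Caesar cipher just described and shows why it gives no protection against a modern reader: the whole key space is 25 shifts, so a defender evaluating it only has to list the candidates. The phrase used is constructed sample input.

```python
# Added example: Caesar cipher (shift each letter by a fixed key) and the
# exhaustive candidate list that shows how small its key space is.
import string

ALPHABET = string.ascii_uppercase


def caesar_shift(text: str, shift: int) -> str:
    """Shift every letter by `shift` positions; non-letters pass through unchanged."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    """Encrypt with a shift of `key` (reduced modulo 26)."""
    return caesar_shift(plaintext, key % 26)


def decrypt(ciphertext: str, key: int) -> str:
    """Decrypt by shifting back by `key`."""
    return caesar_shift(ciphertext, -key % 26)


def key_space_size() -> int:
    """Shifts 1..25 are the only non-trivial keys (shift 0 leaves text unchanged)."""
    return 25


def all_candidates(ciphertext: str) -> dict:
    """Every possible plaintext for a Caesar ciphertext, keyed by shift.
    With 25 entries there is nothing for a key to protect: the reader simply
    picks the one candidate that reads as language."""
    return {k: decrypt(ciphertext, k) for k in range(1, 26)}


if __name__ == "__main__":
    sample = encrypt("VENI VIDI VICI", 3)          # constructed sample message
    print(sample)                                   # YHQL YLGL YLFL
    for shift, candidate in all_candidates(sample).items():
        print(shift, candidate)
```

The same observation, that the cipher's strength is bounded by the number of keys, is the point the article makes later about key length: a key that is too short produces weak encryption regardless of the algorithm around it.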

World War II brought about many advancements in information security and may mark the beginning of information security as a professional field. WWII saw advancements in the physical protection of information with barricades and armed guards controlling entry into information centers. It also saw the introduction of formal classification of data based upon the sensitivity of the information and who could have access to the information. [2] During WWII background checks were also conducted before granting clearance to classified information. WWII also saw the development and use of mechanical ciphering machines, the German Enigma machine for example, to encode and decode classified communications.

The end of the 20th century and the early years of the 21st century saw rapid advancements in telecommunications, computing hardware and software, and data encryption. The availability of smaller, more powerful and less expensive computing equipment made electronic data processing within the reach of small business and the home user. These computers quickly became interconnected through a network commonly called the Internet or World Wide Web.

The rapid growth and widespread use of electronic data processing and electronic business conducted through the Internet, along with numerous occurrences of international terrorism, fueled the need for better methods of protecting these computers and the information they store, process and transmit. The academic disciplines of computer security, information security and information assurance emerged along with numerous professional organizations, all sharing the common goals of ensuring the security and reliability of information systems.

Basic principles of Information Security

Confidentiality, integrity, availability

For over twenty years information security has held that three core concepts form the core principles of information security: confidentiality, integrity and availability. These are known as the CIA Triad.


It is almost impossible to get a driver's license, rent an apartment, obtain medical care, or take out a loan without disclosing a great deal of personal information about ourselves, such as our name, address, phone number, date of birth, Social Security Number, marital status, number of children, mother's maiden name, income, place of employment, medical history, etc. This is all personal and private information, yet we are often required to provide such information in order to conduct business. We normally trust that the person, business, or institution to whom we disclose such personal information has taken measures to ensure that our information will be protected from unauthorized disclosure, either accidental or intentional, and that our information will only be shared with other people, businesses or institutions who are authorized to have access to the information and who have a legitimate need to know the information.

CIA Triad.

Information that is considered to be confidential in nature must only be accessed, used, copied, or disclosed by persons who have been authorized to access, use, copy, or disclose the information, and then only when there is a legitimate need to access, use, copy or disclose the information. A breach of confidentiality occurs when information that is considered to be confidential in nature has been, or may have been, accessed, used, copied, or disclosed to, or by, someone who was not authorized to have access to the information.

For example: permitting someone to look over your shoulder at your computer screen while you have confidential data displayed on it would be a breach of confidentiality if they were not authorized to have the information. If a laptop computer, which contains employment and benefit information about 100,000 employees, is stolen from a car (or is sold on eBay), it could result in a breach of confidentiality because the information is now in the hands of someone who is not authorized to have it. Giving out confidential information over the telephone is a breach of confidentiality if the caller is not authorized to have the information.

Confidentiality is necessary for maintaining the privacy of the people whose personal information the organization holds.


In information security, integrity means that data can not be created, changed, or deleted without authorization. It also means that data stored in one part of a database system is in agreement with other related data stored in another part of the database system (or another system). For example: a loss of integrity can occur when a database system is not properly shut down before maintenance is performed or the database server suddenly loses electrical power. A loss of integrity occurs when an employee accidentally, or with malicious intent, deletes important data files. A loss of integrity can occur if a computer virus is released onto the computer. A loss of integrity occurs when an on-line shopper is able to change the price of the product they are purchasing.


The concept of availability means that the information, the computing systems used to process the information, and the security controls used to protect the information are all available and functioning correctly when the information is needed. The opposite of availability is denial of service (DOS). [3]

In 2002, Donn Parker proposed an alternative model for the classic CIA triad that he called the six atomic elements of information. His alternative model includes confidentiality, possession or control, integrity, authenticity, availability, and utility. The merits of the Parkerian hexad are a subject of debate amongst security professionals.

Risk management

A comprehensive treatment of the topic of risk management is beyond the scope of this article. We will, however, provide a useful definition of risk management, outline a commonly used process for risk management, and define some basic terminology.

The CISA Review Manual 2006 provides the following definition of risk management: "Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization." [4]

There are two things in this definition that may need some clarification. First, the process of risk management is an ongoing iterative process. It must be repeated indefinitely. The business environment is constantly changing and new threats and vulnerabilities emerge every day. Second, the choice of countermeasures (controls) used to manage risks must strike a balance between productivity, cost, effectiveness of the countermeasure, and the value of the informational asset being protected.

Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset). A vulnerability is a weakness that could be used to endanger or cause harm to an informational asset. A threat is anything (man made or act of nature) that has the potential to cause harm.

The likelihood that a threat will use a vulnerability to cause harm creates a risk. When a threat does use a vulnerability to inflict harm, it has an impact. In the context of information security, the impact is a loss of availability, integrity, and confidentiality, and possibly other losses (lost income, loss of life, loss of real property). It should be pointed out that it is not possible to identify all risks, nor is it possible to eliminate all risk. The remaining risk is called residual risk.

A risk assessment is carried out by a team of people who have knowledge of specific areas of the business. Membership of the team may vary over time as different parts of the business are assessed. The assessment may use a subjective qualitative analysis based on informed opinion, or where reliable dollar figures and historical information are available, the analysis may use quantitative analysis.

The ISO-17799:2005 Code of practice for information security management recommends the following be examined during a risk assessment: security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development and maintenance, information security incident management, business continuity management, and regulatory compliance.

In broad terms the risk management process consists of:

  1. Identification of assets and estimating their value. Include: people, buildings, hardware, software, data (electronic, print, other), supplies.
  2. Conduct a threat assessment. Include: acts of nature, acts of war, accidents, malicious acts originating from inside or outside the organization.
  3. Conduct a vulnerability assessment, and for each vulnerability, estimate the probability that it will be exploited. Evaluate policies, procedures, standards, training, physical security, quality control, technical security.
  4. Calculate the impact that each threat would have on each asset. Use qualitative analysis or quantitative analysis.
  5. Identify, select and implement appropriate controls. Provide a proportional response. Consider productivity, cost effectiveness, and value of the asset.
  6. Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost effective protection without discernible loss of productivity.

For any given risk, Executive Management can choose to accept the risk based upon the relatively low value of the asset, the relatively low frequency of occurrence, and the relatively low impact on the business. Or, leadership may choose to mitigate the risk by selecting and implementing appropriate control measures to reduce the risk. In some cases, the risk can be transferred to another business by buying insurance or out-sourcing to another business. The reality of some risks may be disputed. In such cases leadership may choose to deny the risk. This is itself a potential risk. [3]
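The six-step outline and the accept / mitigate / transfer decision described above, worked through as a small risk register. This is an added example and not part of the original article or of the CISA manual it cites; all asset values, probabilities and the two decision thresholds are constructed figures chosen for illustration.

```python
# Added example: a semi-quantitative risk register following the process above.
# Figures and thresholds are constructed for illustration, not real data.
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float  # step 1: estimated value of the asset


@dataclass
class Risk:
    asset: Asset
    threat: str                        # step 2: the threat being assessed
    likelihood: float                  # annual probability that the threat occurs (0..1)
    exploit_prob: float                # step 3: probability the vulnerability is exploited
    impact_fraction: float             # step 4: fraction of the asset's value lost on success
    control_cost: float = 0.0          # step 5: annual cost of the candidate control
    control_effectiveness: float = 0.0 # step 6: fraction of the loss the control removes

    def expected_loss(self) -> float:
        """Quantitative impact: value scaled by likelihood, exploitability and impact."""
        return self.asset.value * self.likelihood * self.exploit_prob * self.impact_fraction

    def residual_loss(self) -> float:
        """Expected loss that remains once the control is in place (residual risk)."""
        return self.expected_loss() * (1.0 - self.control_effectiveness)


def decide(risk: Risk, accept_below: float = 1000.0, transfer_above: float = 50000.0) -> str:
    """Treatment decision. The two thresholds are assumed values.
    accept:   loss is small enough to carry
    transfer: loss is large enough that insurance or outsourcing is the sensible option
    mitigate: a control exists that costs less than the loss it prevents
    accept is also returned when the control would cost more than it prevents,
    which is the proportional-response test from step 5."""
    loss = risk.expected_loss()
    if loss < accept_below:
        return "accept"
    if loss > transfer_above:
        return "transfer"
    prevented = loss - risk.residual_loss()
    return "mitigate" if risk.control_cost < prevented else "accept"


def risk_register(risks: list) -> list:
    """Rows sorted by expected loss, highest first, each with its decision."""
    rows = [
        {"asset": r.asset.name, "threat": r.threat,
         "expected_loss": r.expected_loss(), "decision": decide(r)}
        for r in risks
    ]
    return sorted(rows, key=lambda row: row["expected_loss"], reverse=True)


# Constructed sample assets and risks.
SAMPLE_RISKS = [
    Risk(Asset("Customer database", 200_000), "Theft of backup tapes", 0.10, 0.5, 1.0,
         control_cost=3_000, control_effectiveness=0.9),
    Risk(Asset("Office printer", 2_000), "Hardware failure", 0.20, 1.0, 0.5),
    Risk(Asset("Data center", 5_000_000), "Flood", 0.02, 0.8, 1.0),
    Risk(Asset("Web server", 50_000), "Malware infection", 0.50, 0.4, 0.3,
         control_cost=8_000, control_effectiveness=0.5),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_RISKS):
        print(f"{row['asset']:20} {row['threat']:24} {row['expected_loss']:>10.2f} {row['decision']}")
```

Because the process is iterative, a real register is re-run whenever an asset value, a threat estimate or a control changes; the `residual_loss` figure is what feeds the next round.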

Three types of controls

When Management chooses to mitigate a risk, they will do so by implementing one or more of three different types of controls.

Administrative controls consist of approved written policies, procedures, standards and guidelines. Administrative controls form the framework for running the business and managing people. They inform people on how the business is to be run and how day to day operations are to be conducted. Laws and regulations created by government bodies are also a type of administrative control because they inform the business. Some industry sectors have policies, procedures, standards and guidelines that must be followed; the Payment Card Industry (PCI) Data Security Standard required by Visa and Master Card is such an example. Other examples of administrative controls include the corporate security policy, password policy, hiring policies, and disciplinary policies.

Administrative controls form the basis for the selection and implementation of logical and physical controls. Logical and physical controls are manifestations of administrative controls. Administrative controls are of paramount importance.

Logical controls (also called technical controls) use software and data to monitor and control access to information and computing systems. For example: passwords, network and host based firewalls, network intrusion detection systems, access control lists, and data encryption are logical controls.

An important logical control that is frequently overlooked is the principle of least privilege. The principle of least privilege requires that an individual, program or system process is not granted any more access privileges than are necessary to perform the task. A blatant example of the failure to adhere to the principle of least privilege is logging into Windows as user Administrator to read Email and surf the Web. Violations of this principle can also occur when an individual collects additional access privileges over time. This happens when employees' job duties change, or they are promoted to a new position, or they transfer to another department. The access privileges required by their new duties are frequently added onto their already existing access privileges, which may no longer be necessary or appropriate.
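The privilege creep just described, modelled in Python as an added example (not code from the original article). `accumulate_privileges` reproduces the failure mode in which each role change adds permissions and nothing is revoked; `least_privilege` derives the entitlement from the current role alone, and `review_user` reports the difference as the revocation list an access review would produce. The roles and permission names are constructed sample data.

```python
# Added example: privilege creep versus least privilege.
# Constructed role table: each role carries only the permissions its duties need.
ROLE_PERMISSIONS = {
    "accounts_payable": {"invoices:read", "invoices:submit"},
    "treasury": {"payments:approve", "bank:read"},
    "it_helpdesk": {"tickets:read", "users:reset_password"},
}


def accumulate_privileges(role_history: list) -> set:
    """Failure mode from the text: each new role's permissions are added on top
    of the old ones and nothing is ever revoked (privilege creep)."""
    granted = set()
    for role in role_history:
        granted |= ROLE_PERMISSIONS[role]
    return granted


def least_privilege(role_history: list) -> set:
    """Entitlement derived from the current role only."""
    return set(ROLE_PERMISSIONS[role_history[-1]])


def excess_privileges(role_history: list) -> set:
    """Permissions held under the creep model that the current duties do not need."""
    return accumulate_privileges(role_history) - least_privilege(role_history)


def review_user(username: str, role_history: list) -> dict:
    """Periodic access review report: what to keep and what to revoke."""
    return {
        "user": username,
        "current_role": role_history[-1],
        "keep": sorted(least_privilege(role_history)),
        "revoke": sorted(excess_privileges(role_history)),
    }


if __name__ == "__main__":
    # Constructed career path: payables clerk, then treasury, then helpdesk.
    history = ["accounts_payable", "treasury", "it_helpdesk"]
    print(review_user("jdoe", history))
```

The revocation list in the sample shows the practical consequence of creep: a helpdesk operator who can still approve payments holds a combination no single role was ever meant to have.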

Physical controls monitor and control the environment of the work place and computing facilities. They also monitor and control access to and from such facilities. For example: doors, locks, heating and air conditioning, smoke and fire alarms, fire suppression systems, cameras, barricades, fencing, security guards, cable locks, etc. Separating the network and work place into functional areas are also physical controls.

An important physical control that is frequently overlooked is the separation of duties. Separation of duties ensures that an individual can not complete a critical task by himself. For example: an employee who submits a request for reimbursement should not also be able to authorize payment or print the check. An applications programmer should not also be the server administrator or the database administrator; these roles and responsibilities must be separated from one another. [3]
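The reimbursement example above, enforced in code as an added illustration that is not part of the original article. The request passes through three steps (submit, approve, pay) and the workflow refuses any step that would let one person hold two of those duties on the same request. Names and amounts are constructed sample data.

```python
# Added example: enforcing separation of duties on a three-step payment workflow.
class WorkflowError(Exception):
    """A step was attempted out of order."""


class SeparationOfDutiesError(WorkflowError):
    """One person tried to hold two of the three duties on a single request."""


class ReimbursementRequest:
    STEPS = ("submitted_by", "approved_by", "paid_by")

    def __init__(self, requester: str, amount: float):
        self.amount = amount
        self.actors = {"submitted_by": requester}

    def _record(self, step: str, actor: str) -> None:
        # The separation-of-duties check: an actor may appear at most once.
        for prior_step, prior_actor in self.actors.items():
            if prior_actor == actor:
                raise SeparationOfDutiesError(
                    f"{actor} already acted as {prior_step}; {step} must be a different person")
        self.actors[step] = actor

    def approve(self, approver: str) -> None:
        if "approved_by" in self.actors:
            raise WorkflowError("request already approved")
        self._record("approved_by", approver)

    def pay(self, payer: str) -> None:
        if "approved_by" not in self.actors:
            raise WorkflowError("cannot pay before approval")
        self._record("paid_by", payer)

    def is_complete(self) -> bool:
        return all(step in self.actors for step in self.STEPS)


def process_request(requester: str, approver: str, payer: str, amount: float) -> dict:
    """Run the three steps; report whether the request completed or why it was blocked."""
    request = ReimbursementRequest(requester, amount)
    try:
        request.approve(approver)
        request.pay(payer)
    except SeparationOfDutiesError as err:
        return {"completed": False, "reason": str(err)}
    return {"completed": request.is_complete(), "reason": ""}


if __name__ == "__main__":
    print(process_request("alice", "bob", "carol", 120.0))   # completes
    print(process_request("alice", "alice", "carol", 120.0)) # blocked: requester approving
    print(process_request("alice", "bob", "bob", 120.0))     # blocked: approver paying
```

The check lives in one place (`_record`) so that any future step added to the workflow inherits it; the rejection message names the earlier duty the person already held, which is what an auditor needs to see in the log.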

Security classification for information

An important aspect of information security and risk management is recognizing the value of information and defining appropriate procedures and protection requirements for the information. Not all information is equal and so not all information requires the same degree of protection. This requires information to be assigned a security classification.

The first step in information classification is to identify a member of senior management as the owner of the particular information to be classified. Next, develop a classification policy. The policy should describe the different classification labels, define the criteria for information to be assigned a particular label, and list the required security controls for each classification.

Some factors that influence which classification information should be assigned include how much value that information has to the organization, how old the information is and whether or not the information has become obsolete. Laws and other regulatory requirements are also important considerations when classifying information.

Common information security classification labels used by the business sector are: public, sensitive, private, confidential. Common information security classification labels used by government are: unclassified, sensitive but unclassified, confidential, secret, top secret.

All employees in the organization, as well as business partners, must be trained on the classification schema and understand the required security controls and handling procedures for each classification. The classification a particular information asset has been assigned should be reviewed periodically to ensure the classification is still appropriate for the information and to ensure the security controls required by the classification are in place. [3]

Access control

Access to protected information must be restricted to people who are authorized to access the information. The computer programs, and in many cases the computers that process the information, must also be authorized. This requires that mechanisms be in place to control the access to protected information. The sophistication of the access control mechanisms should be in parity with the value of the information being protected; the more sensitive or valuable the information, the stronger the control mechanisms need to be. The foundation on which access control mechanisms are built starts with identification and authentication.

Identification is an assertion of who someone is or what something is. If a person makes the statement "Hello, my name is John Doe." they are making a claim of who they are. However, their claim may or may not be true. Before John Doe can be granted access to protected information it will be necessary to verify that the person claiming to be John Doe really is John Doe.

Authentication is the act of verifying a claim of identity. When John Doe goes into a bank to make a withdrawal, he tells the bank teller he is John Doe (a claim of identity). The bank teller asks to see a photo ID, so he hands the teller his driver's license. The bank teller checks the license to make sure it has John Doe printed on it and compares the photograph on the license against the person claiming to be John Doe. If the photo and name match the person, then the teller has authenticated that John Doe is who he claimed to be.

There are three different types of information that can be used for authentication: something you know, something you have, or something you are. Examples of something you know include such things as a PIN, a password, or your mother's maiden name. Examples of something you have include a driver's license or a magnetic swipe card. Something you are refers to biometrics. Examples of biometrics include palm prints, finger prints, voice prints and retina (eye) scans. Strong authentication requires providing information from two of the three different types of authentication information. For example, something you know plus something you have. This is called two factor authentication.

On computer systems in use today, the Username is the most common form of identification and the Password is the most common form of authentication. Usernames and passwords have served their purpose but in our modern world they are no longer adequate. Usernames and passwords are slowly being replaced with more sophisticated authentication mechanisms.

After a person, program or computer has successfully been identified and authenticated, then it must be determined what informational resources they are permitted to access and what actions they will be allowed to perform (run, view, create, delete, or change). This is called authorization.

Authorization to access information and other computing services begins with administrative policies and procedures. The policies prescribe what information and computing services can be accessed, by whom, and under what conditions. The access control mechanisms are then configured to enforce these policies.

Different computing systems are equipped with different kinds of access control mechanisms; some may offer a choice of different access control mechanisms. The access control mechanism a system offers will be based upon one of three approaches to access control, or it may be derived from a combination of the three approaches.

The non-discretionary approach consolidates all access control under a centralized administration. The access to information and other resources is usually based on the individual's function (role) in the organization or the tasks the individual must perform. The discretionary approach gives the creator or owner of the information resource the ability to control access to those resources. In the Mandatory access control approach, access is granted or denied based upon the security classification assigned to the information resource.

Examples of common access control mechanisms in use today include Role-based access control available in many advanced Database Management Systems, simple file permissions provided in the UNIX and Windows operating systems, Group Policy Objects provided in Windows network systems, Kerberos, RADIUS, TACACS, and the simple access lists used in many firewalls and routers.

To be effective, policies and other security controls must be enforceable and upheld. Effective policies ensure that people are held accountable for their actions. All failed and successful authentication attempts must be logged, and all access to information must leave some type of audit trail. [3]
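The identification, authentication and authorization chain described in this section, with the audit trail the last paragraph requires, as an added Python example (not code from the original article). Passwords are verified against a salted PBKDF2 hash from the standard library, access decisions come from a role table (the non-discretionary, role-based approach), and every authentication attempt, failed or successful, and every access decision is appended to an in-memory log. The users, roles, permission names and passphrases are constructed sample data; a real system would persist the log where the users it records cannot alter it.

```python
# Added example: identify -> authenticate -> authorize, with an audit trail.
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # PBKDF2 work factor; kept modest so the example runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (standard-library hashlib)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "role": role}


# Constructed sample directory: username -> credential record and role.
USERS = {
    "jdoe": make_user("correct horse battery staple", "clerk"),
    "asmith": make_user("another sample passphrase", "auditor"),
}

# Constructed role table: which permissions each role carries.
ROLE_PERMISSIONS = {
    "clerk": {"invoices:view", "invoices:create"},
    "auditor": {"invoices:view", "audit_log:view"},
}

AUDIT_LOG: list = []


def _audit(event: str, **fields) -> None:
    AUDIT_LOG.append({"ts": time.time(), "event": event, **fields})


def authenticate(username: str, password: str) -> bool:
    """Verify the identity claim; log both failed and successful attempts."""
    user = USERS.get(username)
    if user is None:
        # Do the same amount of work for unknown users so that response time
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        _audit("auth_failure", user=username, reason="unknown user")
        return False
    ok = hmac.compare_digest(hash_password(password, user["salt"]), user["hash"])
    _audit("auth_success" if ok else "auth_failure", user=username)
    return ok


def authorize(username: str, permission: str) -> bool:
    """Decide whether the user's role carries the permission; log the decision."""
    role = USERS[username]["role"]
    allowed = permission in ROLE_PERMISSIONS.get(role, set())
    _audit("access_granted" if allowed else "access_denied",
           user=username, permission=permission)
    return allowed


def access(username: str, password: str, permission: str) -> bool:
    """Identification (username) -> authentication (password) -> authorization (role)."""
    return authenticate(username, password) and authorize(username, permission)


def audit_events(username: str) -> list:
    """The audit trail for one user, in the order the events occurred."""
    return [e["event"] for e in AUDIT_LOG if e.get("user") == username]


if __name__ == "__main__":
    print(access("jdoe", "correct horse battery staple", "invoices:create"))  # True
    print(access("jdoe", "wrong password", "invoices:create"))                # False
    print(access("jdoe", "correct horse battery staple", "audit_log:view"))   # False
    print(audit_events("jdoe"))
```

Two details carry the section's points: `hmac.compare_digest` makes the hash comparison constant-time, and authorization is never reached unless authentication succeeded, so a denied access in the log always belongs to a verified identity.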


Cryptography

Information security uses cryptography to transform usable information into a form that renders it unusable by anyone other than an authorized user; this process is called encryption. Information that has been encrypted (rendered unusable) can be transformed back into its original usable form by an authorized user, who possesses the cryptographic key, through the process of decryption. Cryptography is used in information security to protect information from unauthorized or accidental disclosure while the information is in transit (either electronically or physically) and while information is in storage.

Cryptography provides information security with other useful applications as well, including improved authentication methods, message digests, digital signatures, non-repudiation, and encrypted network communications. Older, less secure protocols such as telnet and ftp are slowly being replaced with more secure applications such as SSH that use encrypted network communications. Wireless communications can be encrypted using the WPA protocol. Software applications such as GNUPG or PGP can be used to encrypt data files and Email.

Cryptography can introduce security problems when it is not implemented correctly. Cryptographic solutions need to be implemented using industry accepted solutions that have undergone rigorous peer review by independent experts in cryptography. The length and strength of the encryption key is also an important consideration. A key that is weak or too short will produce weak encryption. The keys used for encryption and decryption must be protected with the same degree of rigor as any other confidential information. They must be protected from unauthorized disclosure and destruction and they must be available when needed. PKI solutions address many of the problems that surround key management.

Defense in depth

Information security must protect information throughout the life span of the information, from the initial creation of the information on through to the final disposal of the information. The information must be protected while in motion and while at rest. During its life time, information may pass through many different information processing systems and through many different parts of information processing systems. There are many different ways the information and information systems can be threatened. To fully protect the information during its lifetime, each component of the information processing system must have its own protection mechanisms. The building up, layering on and overlapping of security measures is called defense in depth. The strength of any system is no greater than its weakest link. Using a defense in depth strategy, should one defensive measure fail there are other defensive measures in place that continue to provide protection.

Recall the earlier discussion about administrative controls, logical controls, and physical controls. The three types of controls can be used to form the basis upon which to build a defense in depth strategy. With this approach, defense in depth can be conceptualized as three distinct layers or planes laid one on top of the other. Additional insight into defense in depth can be gained by thinking of it as forming the layers of an onion, with data at the core of the onion, people as the outer layer of the onion, and network security, host based security and applications security forming the inner layers of the onion. Both perspectives are equally valid and each provides valuable insight into the implementation of a good defense in depth strategy.

Information security as a process

The terms reasonable and prudent person, due care and due diligence have been used in the fields of Finance, Securities, and Law for many, many years. In recent years these terms have found their way into the fields of computing and information security. U.S.A. Federal Sentencing Guidelines now make it possible to hold corporate officers liable for failing to exercise due care and due diligence in the management of their information systems.

In the business world, stockholders, customers, business partners and governments have the expectation that corporate officers will run the business in accordance with accepted business practices and in compliance with laws and other regulatory requirements. This is often described as the "reasonable and prudent person" rule. A prudent person takes due care to ensure that everything necessary is done to operate the business by sound business principles and in a legal, ethical manner. A prudent person is also diligent (mindful, attentive, and ongoing) in their due care of the business.

In the field of Information Security, Harris [5] offers the following definitions of due care and due diligence:

"Due care are steps that are taken to show that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to help protect the company, its resources, and employees." And, [Due diligence are the] "continual activities that make sure the protection mechanisms are continually maintained and operational."

Attention should be paid to two important points in these definitions. First, in due care, steps are taken to show; this means that the steps can be verified, measured, or even produce tangible artifacts. Second, in due diligence, there are continual activities; this means that people are actually doing things to monitor and maintain the protection mechanisms, and these activities are ongoing.

Security planning

1 to 3 paragraphs (non technical) that discuss:

  • The charter
  • Reporting structure
  • Strategic plan
  • Project management
  • Review applicable laws and the regulatory environment
  • Risk assessment and risk mitigation plans
  • Budgeting and funding
  • Standards and Policies
  • Training is not optional; training is a requirement
  • Monitoring and auditing plans

Incident response plans

1 to 3 paragraphs (non technical) that discuss:

  • Selecting team members
  • Define roles, responsibilities and lines of authority
  • Define a security incident
  • Define a reportable incident
  • Training
  • Detection
  • Classification
  • Escalation
  • Containment
  • Eradication
  • Documentation

Change management

Change management is a formal process for directing and controlling alterations made to the information processing environment. This includes alterations to desktop computers, the network, servers and software. The objectives of change management are to reduce the risks posed by changes to the information processing environment and to improve the stability and reliability of the processing environment as changes are made. It is not the objective of change management to prevent or hinder necessary changes from being implemented.

Any change to the information processing environment introduces an element of risk. Even apparently simple changes can have unexpected effects. One of Management's many responsibilities is the management of risk. Change management is a tool for managing the risks introduced by changes to the information processing environment. Part of the change management process ensures that changes are not implemented at inopportune times when they may disrupt critical business processes or interfere with other changes being implemented.

Not every change needs to be managed. Some kinds of changes are a part of the everyday routine of information processing and adhere to a predefined procedure, which reduces the overall level of risk to the processing environment. Creating a new user account or deploying a new desktop computer are examples of changes that do not generally require change management. However, relocating user file shares, or upgrading the Email server, pose a much higher level of risk to the processing environment and are not a normal everyday activity.

Change management is usually overseen by a Change Review Board composed of representatives from key business areas, security, networking, systems administrators, Database administration, applications development, desktop support and the help desk. The tasks of the Change Review Board can be facilitated with the use of an automated work flow application. The responsibility of the Change Review Board is to ensure the organization's documented change management procedures are followed. The change management process is as follows:

Requested: Anyone can request a change. The person making the change request may or may not be the same person that performs the analysis or implements the change. When a request for change is received, it may undergo a preliminary review to determine if the requested change is compatible with the organization's business model and practices, and to determine the amount of resources needed to implement the change.

Approved: Management runs the business and controls the allocation of resources; therefore, Management must approve requests for changes and assign a priority for every change. Management might choose to reject a change request if the change is not compatible with the business model, industry standards or best practices. Management might also choose to reject a change request if the change requires more resources than can be allocated for the change.

Planned: Planning a change involves discovering the scope and impact of the proposed change; analyzing the complexity of the change; allocating resources; and developing, testing and documenting an implementation plan.

Tested: Every change must be tested in a safe test environment, which closely reflects the actual production environment, before the change is applied to the production environment.

Scheduled: Part of the change review board's responsibility is to assist in the scheduling of changes by reviewing the proposed implementation date for potential conflicts with other scheduled changes or critical business activities.

Communicated: Once a change has been scheduled it must be communicated. The communication is to give others the opportunity to remind the change review board about other changes or critical business activities that might have been overlooked when scheduling the change. The communication also serves to make the Help Desk and users aware that a change is about to occur. Another responsibility of the change review board is to ensure that scheduled changes have been properly communicated to those who will be affected by the change or otherwise have an interest in the change.

Implemented: At the appointed date and time, the changes must be implemented. Part of the planning process was to develop an implementation plan, a testing plan and a back-out plan. If the implementation of the change should fail, or the post-implementation testing fails, or other “drop dead” criteria have been met, the back-out plan should be implemented.

Documented: All changes must be documented. The documentation includes the initial request for change, its approval, the priority assigned to it, the implementation, testing and back-out plans, the results of the change review board critique, the date/time the change was implemented, who implemented it, and whether the change was implemented successfully, failed or was postponed.

Post change review: The change review board should hold a post-implementation review of changes. It is particularly important to review failed and backed-out changes. The review board should try to understand the problems that were encountered, and look for areas for improvement.

Change management procedures that are simple to follow and easy to use can greatly reduce the overall risks created when changes are made to the information processing environment. Good change management procedures improve the overall quality and success of changes as they are implemented. This is accomplished through planning, peer review, documentation and communication.

ISO-20000, Visible Ops and the Information Technology Infrastructure Library all provide valuable guidance on implementing an efficient and effective change management program.

Disaster recovery planning

2 or 3 paragraphs (non technical) that discuss:

  • What is Disaster Recovery Planning
  • How are DRP and BCP different
  • How are DRP and BCP related
  • Project leader
  • Identify key stakeholders
  • Identify key assets
  • Prioritize key business functions and key assets
  • Review current status for adequacy
  • Make a plan

Laws and regulations governing Information Security

Below is a partial listing of European, United Kingdom, and USA governmental laws and regulations that have, or will have, a significant effect on data processing and information security. Important industry sector regulations have also been included when they have a significant impact on information security.

UK Data Protection Act 1998 makes new provisions for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information. The European Union Data Protection Directive (EUDPD) requires that all EU members must adopt national regulations to standardize the protection of data privacy for citizens throughout the EU.

EU Data Retention laws require Internet service providers and phone companies to keep data on every electronic message sent and phone call made for between six months and two years.

The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. 1232 g; 34 CFR Part 99) is a USA Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Generally, schools must have written permission from the parent or eligible student in order to release any information from a student’s education record.

Health Insurance Portability and Accountability Act (HIPAA) requires the adoption of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. And, it requires health care providers, insurance providers and employers to safeguard the security and privacy of health data.

Gramm-Leach-Bliley Act of 1999 (GLBA), also known as the Financial Services Modernization Act of 1999, protects the privacy and security of private financial information that financial institutions collect, hold, and process.

Sarbanes-Oxley Act of 2002 (SOX). Section 404 of the act requires publicly traded companies to assess the effectiveness of their internal controls for financial reporting in annual reports they submit at the end of each fiscal year. Chief information officers are responsible for the security, accuracy and the reliability of the systems that manage and report the financial data. The act also requires publicly traded companies to engage independent auditors who must attest to, and report on, the validity of their assessments.

Payment Card Industry Data Security Standard (PCI DSS) establishes comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to help facilitate the broad adoption of consistent data security measures on a global basis. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

State Security Breach Notification Laws (California and many others) require businesses, nonprofits, and state institutions to notify consumers when unencrypted “personal information” may have been compromised, lost, or stolen.

Sources of standards for Information Security

International Organization for Standardization (ISO) is a consortium of national standards institutes from 157 countries with a Central Secretariat in Geneva, Switzerland that coordinates the system. The ISO is the world’s largest developer of standards. The ISO-15443: “Information technology - Security techniques - A framework for IT security assurance”, ISO-17799: “Information technology - Security techniques - Code of practice for information security management”, ISO-20000: “Information technology - Service management”, and ISO-27001: “Information technology - Security techniques - Information security management systems” are of particular interest to information security professionals.

The USA National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Commerce Department’s Technology Administration. The NIST Computer Security Division develops standards, metrics, tests and validation programs, and publishes standards and guidelines to increase secure IT planning, implementation, management and operation. NIST is also the custodian of the USA Federal Information Processing Standards Publications (FIPS).

The Internet Society (ISOC) is a professional membership society with more than 100 organization members and over 20,000 individual members in over 180 countries. It provides leadership in addressing issues that confront the future of the Internet, and is the organizational home for the groups responsible for Internet infrastructure standards, including the Internet Engineering Task Force (IETF) and the Internet Architecture Board (IAB). The ISOC hosts the Requests for Comments (RFCs), which include the Official Internet Protocol Standards and the RFC-2196 Site Security Handbook.


Information security is the ongoing process of exercising due care and due diligence to protect information, and information systems, from unauthorized access, use, disclosure, destruction, modification, or disruption. The never-ending process of information security involves ongoing training, assessment, protection, monitoring & detection, incident response & repair, documentation, and review.

The academic disciplines of computer security, information security and information assurance emerged along with numerous professional organizations during the later years of the 20th century and the early years of the 21st century. Entry into the field can be accomplished through self-study, college or university schooling in the field, or through week-long focused training camps. Many colleges, universities and training companies offer many of their programs on-line. The GIAC-GSEC and Security+ certifications are both respected entry-level security certifications. The Certified Information Systems Security Professional (CISSP) is a well-respected mid- to senior-level information security certification.

The profession of information security has seen an increased demand for security professionals who are experienced in network security auditing, penetration testing, and digital forensics investigation.

Notes and references

  1. ^ 44 U.S.C. 3542 (b)(1) (2006)
  2. ^ Quist, Arvin S. (2002). “Security Classification of Information” (HTML). Volume 1. Introduction, History, and Adverse Impacts. Oak Ridge Classification Associates, LLC. Retrieved on 2007-01-11.
  3. ^ a b c d e See Bibliography.
  4. ^ ISACA (2006). CISA Review Manual 2006. Information Systems Audit and Control Association, p. 85. ISBN 1-933284-15-3.
  5. ^ Harris, Shon (2003). All-in-one CISSP Certification Exam Guide, 2nd Ed., Emeryville, CA: McGraw-Hill/Osborne. ISBN 0-07-222966-7.


Allen, Julia H. (2001). The CERT Guide to System and Network Security Practices . Boston, MA: Addison-Wesley. 0-201-73723-X.

Krutz, Ronald L.; Russell Dean Vines (2003). The CISSP Prep Guide , Gold Edition, Indianapolis, IN: Wiley. 0-471-26802-X.

Layton, Timothy P. (2007). Information Security: Design, Implementation, Measurement, and Compliance . Boca Raton, FL: Auerbach publications. 978-0-8493-7087-8.

McNab, Chris (2004). Network Security Assessment . Sebastopol, CA: O’Reilly. 0-596-00611-X.

Peltier, Thomas R. (2001). Information Security Risk Analysis . Boca Raton, FL: Auerbach publications. 0-8493-0880-1.

Peltier, Thomas R. (2002). Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. Boca Raton, FL: Auerbach publications. 0-8493-1137-3.

White, Gregory (2003). All-in-one Security+ Certification Exam Guide . Emeryville, CA: McGraw-Hill/Osborne. 0-07-222633-1.

See also

  • Computer security
  • Computer insecurity

External links

  • Security Management: Guide to CISSP, Information Security Certification
  • OlympoS Information Security Portal (Turkish)


    ISO 17799 — Compliance

    Compliance has become one of the most talked about security issues in American business. Banks and financial institutes have had government oversight for decades. New compliance requirements have been imposed upon many organizations.

    Recent financial reporting irregularities prompted Congressional action under which public companies must comply with the financial and accounting disclosure of information act known as Sarbanes-Oxley (SOX). Because of recent trends in identity theft and fraud, any business — small or large — that accepts credit cards is required to abide by the industry’s Payment Card Industry Data Security Standard (PCI DSS). For the healthcare industry, organizations must adhere to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

    The ISO 17799 section on compliance has as its objective to help organizations avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements. This section marries IT, legal, accounting and security.

    Intellectual Property Rights

    This is all about patents, trademarks, copyrights (including software), and trade secrets. Some recommendations on what an organization can do to help safeguard its IP include: know what you’ve got, prioritize it, label it, lock it, educate employees, know your tools, think holistically, and apply a counter-intelligence mindset. IP protection responsibilities span the entire organization, from the IT systems and facilities to the users, owners and management.

    Safeguarding of Organizational Records

    Organizational records — hard or soft copies — should be protected from loss, destruction and falsification. Whether these records are accounting, database, transaction and audit logs or operational procedures, all are stored on various paper, microfiche, magnetic, optical media and must adhere to some retention period. Records are useful for business (financial status with respect to shareholders, partners and auditors) as well as precaution required by statutory or regulatory rules, and defense against potential civil or criminal action.

    Data Protection and Privacy of Personal Information

    Identity theft is only going to get worse. Penalties for organizations that fail to use due diligence in collecting, processing, disseminating and storing personal information will become more frequent and severe. Large companies will appoint a data protection officer. Smaller organizations need to assign someone to oversee this protection requirement — defining it, creating policies for it, and enforcing it.

    Prevention of Misuse of Information Processing Facilities

    Management must ensure that business, network and computer equipment and facilities are only used for authorized business purposes. Too many people use their employer’s resources for their personal use. The policies must clearly state what is permitted — everything else is denied — and must be properly enforced.

    Regulation of Cryptographic Controls

    Over the past few years, restrictions on commercially available cryptographic technologies have been minimized. But do not assume that all countries you require secure communications with will allow your chosen cryptographic solutions.

    Collection of Evidence

    In the unlikely event you need to support an action (i.e., a legal action) against a person or organization, it is essential that your methods of collecting and safeguarding materials follow proper processes and procedures. There are rules for evidence, i.e., the chain of evidence, related documentation and media. Making sure that the evidence is admissible will be a huge factor in the outcome of your case.

    Like most ISO 17799 areas, compliance belongs under the organization’s security policy. Regular reviews and audits of compliance policies will help enforce the policies and provide a means for an active closed-loop corrective action program.

    Author : Jeff Hayes

    Regulatory Compliance and ISO 27001

    In this excerpt from Chapter 10 of The Case for ISO 27001, author Alan Calder explains how using ISO 27001 can help information security professionals deal with the challenges of complying with complex and overlapping regulatory requirements.

    Today's regulatory environment is increasingly complex, the penalties for failure unattractive and the route to effective compliance not clear. ISO 27001 provides a best-practice solution to a range of regulatory issues faced by directors.

    The Regulatory conundrum
    Organizations have traditionally responded to regulatory compliance requirements on a law-by-law, or department-by-department basis. That was, last century, a perfectly adequate response. There were relatively few laws, compliance requirements were generally firmly established and well-understood, and the jurisdictions within which businesses operated were well-defined.

    Over the last decade, all that has changed. Rapid globalisation, increasingly pervasive information technology, the evolving business risk and threat environment, and today's governance expectations have, between them, created a fast-growing and complex body of laws and regulations – such as Data Protection and privacy legislation (e.g. HIPAA, GLBA, DPA) and governance requirements (e.g. SOX and Turnbull) - that all impact the organization's IT systems. While global companies are in the forefront of finding effective compliance solutions, every organization, however small, and in whatever industry, is faced with the same broad range of regulatory requirements.

    These regulatory requirements focus on the confidentiality, integrity and availability of electronically-held information, and primarily – but not exclusively – on personal data. Many of the new laws appear to overlap and, not only is there very little established legal guidance as to what constitutes compliance, new laws and regulatory requirements continue to emerge. Increasingly, these laws have a geographic reach that extends to organizations based and operating outside the apparent jurisdiction of the legislative or regulatory body that originated them.

    Regulatory requirements in all these areas concentrate on preserving the confidentiality, integrity and availability of electronic data held by organizations operating within the sector. Regulations, which are technology-neutral, describe what must be done, but not how. Organizations are left to establish, for themselves, how to meet these requirements.

    In most instances, there is not yet a body of tested case law and proven compliance methodologies to which organizations can turn in order to calibrate their efforts. There are no technology products which, of themselves, can render an organization compliant with any of the data security regulations, because all data security controls consist of a combination of technology, procedure and human behaviour. In other words, installing a firewall will not protect an organization if there are no procedures for correctly configuring and maintaining it, and if users habitually bypass it (through, for instance, Instant Messaging, Internet browsing or the deployment of rogue wireless access points).

    In the face of new, blended, complex and evolving threats to their data, organizations have business and regulatory obligations to protect, maintain and make that data available when it is required. They have to do this in an uncertain compliance environment where the rewards for success don't grab headlines, but the penalties for failure do. Fines, reputation and brand damage and, in some circumstances, jail time for directors are outcomes that every business wants to avoid, and wants to avoid as systematically and cost-effectively as possible.

    The adoption of an externally-validated, best-practice approach to information security – one that provides a single, coherent framework that enables simultaneous compliance with multiple regulatory requirements - is, therefore, a solution to which organizations are increasingly turning.

    ISO 27001
    ISO 27001 provides just such a solution. It focuses on the confidentiality, availability and integrity of data and its key precepts and requirements all occur in the regulatory requirements. Implementation of an ISO 27001 framework enables an organization to comply, at one step (and subject to specific documentation and working practices tailored for each individual regulation), with all the core requirements of information related regulation anywhere in the world.


    ISO 17799: A methodical approach to partner and service provider security management


    These days, it is fairly common for a company to outsource customer-facing services or allow another organization to handle data processing and even security monitoring and management. Outsourcing allows companies to provide a wider range of services, reduce cost and focus on other tasks that will strengthen the business.

    Every time an organization trusts another business entity to handle sensitive information or manage critical infrastructure, however, there are risks. Worse yet, many companies do not realize that failing to closely examine their prospective partners' security practices can lead to compromise. Organizations that are bound by regulations like HIPAA, Gramm-Leach-Bliley (GLBA) and Sarbanes-Oxley (SOX) may pay an even steeper price, as these regulations explicitly require organizations to manage the risk associated with service providers.

    Fortunately, enterprises can curtail partner or service provider security issues by taking a methodical approach to assessing and managing the risks. That means coming to terms with the risks and the costs of creating and maintaining these partnerships. One such approach is a partner management program based on the ISO 17799 standard.

    A standards-based methodology
    By definition, ISO 17799 is a "code of practice for security information management." In other words, it is a laundry list of best security practices that apply to a broad range of business environments. The standard covers areas including risk assessment, security policy, governance, access control, information classification, operations management and business continuity.

    A partner management program based on the ISO standard consists of three phases:

    Inherent risk assessment – A review of how much damage could be done to a partner if information or services were compromised and there were no security controls. In other words, how bad would it be if the partner was compromised? A partner, for example, may hold critical and sensitive customer information, like credit card numbers or social security numbers. If such data is compromised, a company's reputation could be ruined. That would constitute a critical inherent risk and call for a deeper evaluation.

    Partner practice assessment – An examination of the partner to a depth commensurate with the inherent risk. For critical partnerships that demand an in-depth review, many organizations use ISO 17799. The assessment consists of a walk-through of the standard, where the partner's practices are compared to those described in ISO 17799's 133 subsections. Each of ISO 17799's major areas (including risk assessment, security policy, access control, communications and operations, physical security, and business continuity) has subsections which review best management practices.

    When addressing communications and operations management, for example, the assessment walks through the administrative practices for the service provider's production environment, covering the distribution of responsibilities, the documentation of procedures, and critical control components like change control and patch management. While such an evaluation may sound straightforward, each one of the sections requires managers to carefully consider how the standard should be applied to their given business, organizational, and technical contexts. A reasonable practice for a small company where every employee knows each other, for example, may be less acceptable in large multinational organizations, and decisions must be made accordingly.

    The ISO standard can also be useful in reviewing partners that provide less critical services. The standard can be used to construct a questionnaire that gathers data and assesses how well an organization and its many departments can manage the security of another company's information. Some questions that would likely appear in a questionnaire are:
    o Does your organization utilize network controls to segregate the corporate and production networks?
    o What mechanisms are used to ensure that only authorized application users are allowed access to data managed by the service?
    o How often are backups of the service data executed?
    o Has a documented incident response plan been put in place? How often does the production staff practice the plan?
    o Has your organization had a security incident?

    Remediation, monitoring and periodic assessments – After a partnership is established, the work is just beginning. Any important weaknesses that are discovered should be remediated according to an agreed-upon timeline. Furthermore, the initial assessment should be used as a baseline against which future analyses can be compared. Service providers should be revisited at least once a year to determine whether anything about their environments, designs or practices has changed for the worse. Using an ISO 17799-based report card makes it possible to compare a partner's progress with the results and assessments of other partners. The accumulation of information can help establish minimum requirements for all service providers.

    ISO 17799 as a common framework
    While most service providers bristle at the idea of yet another security review, particularly one that goes to the depth that an ISO 17799 review calls for, most can appreciate the fact that the ISO standard provides a set list of requirements.

    One of the most problematic aspects of partner reviews is their ad hoc nature. Service providers are essentially asked to play by a different set of rules for each review they face. By agreeing on ISO 17799, service providers and consumers can substantially reduce the cost of preparations and make reviews much more efficient. The result is better communication, better documentation and faster consummation of service agreements.

    About the author:
    Dick Mackey is regarded as one of the industry's foremost authorities on distributed computing infrastructure and security. He has advised leading Wall Street firms on overall security architecture, virtual private networks, enterprise-wide authentication, and intrusion detection and analysis. He also has unmatched expertise in the OSF Distributed Computing Environment. Prior to joining SystemExperts, Mr. Mackey was the director of collaborative development for The Open Group (the merger of the Open Software Foundation and X/Open) where he was responsible for the integration of Microsoft's ActiveX Core with DCE and DCE Release 1.2. Mr. Mackey is an original member of the DCE Request For Technology technical evaluation team and was responsible for the architecture and defining the contents of DCE Releases 1.1 and 1.2. He has been a frequent speaker at major conferences and has taught numerous tutorials on developing secure distributed applications.

    Data Recovery - What Can and Cannot be Recovered

    1. The first method is to do it yourself. You turn on your computer and discover that the photographs you took on your holiday have been lost. It is time to think logically: either they have been overwritten or there has been surface contamination. In other cases, natural or man-made disasters such as floods and fires may destroy important data. If you are an inexperienced computer user, it is always advisable not to rely on your limited knowledge and attempt to reboot your computer to retrieve your data. If, on the other hand, you do have considerable computer expertise, you can retrieve your data using any data recovery tool available on your computer desktop. This involves:

    • Install the data recovery tool

    • Disconnect your computer

    • Install a new drive to save the retrieved data

    • Have a licence to run the data recovery tool

    2. The second most common method is to call in the data recovery specialists. This is usually the case when you are unsure as to the cause of data loss. Data recovery agencies can recover 90% of your lost data, provided the loss is due to:

    • Accidental deletion of the data

    • Overwriting

    • Disk corruption

    • Reformatted, deleted volume or disk partition containing data

    • Partially damaged disk with bad spots caused by exposure to natural elements such as heat, light, water and dust

    Data can be recovered from digital media files, memory sticks, ZIP files, hard drives, floppy diskettes and flash cards. Data recovery specialists usually retrieve data using one of two methods:

    1. Physical Data Recovery, which means retrieving the raw data from a disk damaged by a virus attack, an operating system error or a natural disaster such as fire, which may lead to surface contamination.

    2. Logical Data Retrieval, which refers to the rebuilding of lost data files. This type of data recovery becomes necessary in cases of disk overwriting, reformatting and virus corruption.

    According to the data recovery agency Disklabs, photographs and pictures, including graphic material, can usually be retrieved using physical data recovery methods. Usually nine out of every 10 photos are recovered in their original format. When database files are lost, however, retrieval is nearly impossible: the experts at Disklabs claim that only 1% of database files are retrievable. In the case of total data loss owing to natural disasters such as fire and floods, experts recommend installing a backup drive away from the place of everyday use. Disklabs further notes that many universities and multinational corporations document vital information, reducing their sole dependency on digital media.

    Other data recovery firms advocate installing a data recovery tool called Scavenger version 3. The advantage of this tool lies in its ability to scan an entire hard drive looking for corrupt and defunct volumes, partitions and spots. In this regard the tool is extremely good for novice users, as it enables them to avoid losing new data while the hard drive is scanned for lost data. It is better than the desktop CHECKDISK utility. But this data recovery tool cannot retrieve data entangled in the mesh of magnetised layers on the hard drive. Here, it becomes important to be aware of the time frame and cost of retrieving such data. Experts using the data recovery tools Easy Recovery, Data Recovery and Data Advisor usually state that it takes more than a working week to retrieve a mere .5% of the actual data. A prime example of data recovery can be seen at Hewlett Packard, which used its own technicians to retrieve a database file of employee records. In contrast, technicians at InfoUSA failed to retrieve vital editing material. In addition, they were unable to stop new data from being lost. As a result, an entire database file was lost.

    It is very important to note that full data recovery is not possible. However, more than 95% of raw data can be recovered provided necessary steps to ensure recovery are undertaken in time. It simply does not do to wait for a few days before contacting a data recovery specialist agency. If you can’t do it, call them right away.

    About the Author:

    James Walsh is a freelance writer and copy editor. For more information on Data Recovery see

    The Art of Data Recovery

    You studied fine art, design, advertising, or perhaps you majored in business. Your computer is your productivity tool just as your grandparents regarded a pen and a pad of paper. But when something goes amiss with your “productivity tool”, your immediate concern is “Did I lose what I was working on? Can it be recovered?”

    Have you ever found yourself in one of these predicaments?

    * You were working on the client's ad campaign in your home studio revising creative on your personal Mac when suddenly the power went off. You waited a few moments in the dark. You started feeling stressed, so you lit up a smoke. Then the lights came back on but your computer did not. You lit up another smoke.

    * You visited a site the boys at the pub were talking about the night before and downloaded some audio files. Now you can't access your spreadsheets containing this quarter's bookings and projected sales for the next fiscal year. To add insult to injury, you were scheduled to present the forecast to senior management in New York on Monday and had not backed up your system. You don’t even have a hardcopy of your number crunching.

    * You and your companion laptop had occupied the spare office so you could work in solitude to put the finishing touches on your presentation to be delivered to the new client. Your co-worker then entered the room, slammed the door and bumped the table. You said goodbye to your coffee as well as your speaking notes and presentation. Or did you?

    When the unthinkable happens and your data goes missing, it’s human nature to panic.

    Unless you majored in computer science, you are probably not aware of the inner complexity of a hard disk drive that stores data. You simply regard your files—those customer records, spreadsheets, invoices, presentations, online storyboards, photographs, and more—as your bread and butter, but to a data recovery expert they are “0’s” and “1’s” organized on your computer’s hard disk drive. If your hard drive is defective, the operating system on your computer is infected or damaged by a virus, or files are deleted accidentally, access to the data is prevented.

    If you take recovery measures into your own hands, exercise care and caution, or your missing data could become permanently lost data. You could do more harm than good to your computer and data if you attempt to perform a recovery on your own. It is your choice, but the consequences could be unforeseen.

    Yes, technology has come a long way. However, there are several best practices that you can follow to significantly reduce the probability of losing your data:

    * Regularly back up your data and test your backup

    * Keep your computer in a dry, controlled environment free from dust and smoke

    * Use anti-virus software and update it frequently to scan and screen all incoming data

    * Turn off your computer if it or the hard drive makes an unusual noise.

    * If you work for a small organization or work from a home office, play it safe. Use power surge protectors in the event your environment experiences a power outage.

    * If your organization is large, ensure your backup and redundant storage systems are maintained offsite in a controlled environment

    * Do not delay in taking appropriate action, if you cannot access your data. Ask and you shall receive help.

    Data recovery is not an area in which computer science majors currently specialize, and data loss is one of the computer industry’s most misunderstood concepts. That’s why it’s critical that computer users avoid panic and misguided recovery attempts, which can transform missing data into permanently lost data.

    If you find yourself in such a predicament, get help.

    If you require the assistance of a data recovery expert, don’t settle for second best. Sure, data recovery is about retrieving those “0’s” and “1’s”, but most importantly data recovery is about the quality of customer service you receive. From the time you place your panic-stricken telephone call seeking help until you have successfully downloaded your “missing” data, the communication between you and the data recovery firm is the catalyst for a successful data recovery. Deal with a data recovery organization where all employees—from the friendly receptionist who takes your initial call to the lab technician who is responsible for the recovery of your data—are empathetic to your needs. For here lies the true art of data recovery.

    About the Author:

    Bill Margeson, President and CEO of CBL Data Recovery Technologies.
    Founded in 1993 and headquartered in Markham, Ontario, CBL Data Recovery Technologies Inc. is a leading international provider of data recovery services. CBL offers services worldwide through its network of data recovery laboratories, offices and authorized partners in Australia, Barbados, Brazil, Canada, China, Germany, Japan, Singapore, United Kingdom, and the United States.

    Are you Still not Backing Up your Data? - Microsoft

    You should know this by now: Computers can and do fail. And nasty viruses can take down your system by creeping through your anti-virus software and firewall.
    The problem is that you usually get no warning before it's too late.
    This has happened to many. In extreme cases, it has put companies out of business. And the worst part is this: It's completely avoidable. By backing up your data, you can retrieve all or most of what you lose.
    Yes, there is a hassle involved. But you owe it to yourself — and your business — to take stock of your backup plan (or lack thereof) by reviewing these tips.

    Most Important: Back up Your Customer Databases and Payroll Records

    What's the heart and soul of your company? People have different opinions, but certainly your customer or client database has to rank high.

    Inside one or two data files are all the nitty-gritty details including what they buy, when they buy, how they pay and so forth. Contact lists also are databases, and you might have yours combined with your customer list.
    So, where would you be if you lost your database? How would you feel if you attempted to open your database and it wasn't there? Not good, I'll bet. So you should be backing up.
    Also mission-critical for backups are your employee payroll records. You don't want to lose the information that you have to report to the tax department. Your employees don't want problems with the tax department either. And they certainly don't want to be paid late.

    Protect Your Registry Settings

    You should be backing up all of your data. But if you don't, a third item you should have high on your priority list for regular backups is your Windows Registry. This is the huge database that tells your computer how to run. Without it, you have an expensive paperweight.
    Most backup programs allow you to back up the Registry automatically. If not, you can easily do it manually. Here's how:
    • Click Start > Run.

    • In the box, enter "regedit" (without the quotes). Click OK.
    • In the Registry, click File > Export (or Registry > Export Registry File in Windows 98). Navigate to your backup medium. It will probably be drive E:.
    • Name the file and click Save.
    You don't need to back up Windows or your applications, such as Microsoft Word. If the worst happens, you can always re-install them. But information you create must be protected.

    Store Your Backups Off-Site

    To really be safe, the backup medium (tape, CD or DVD, etc.) should be removed from your site. If you are backing up to tape, for instance, and you leave the tape cartridge in the machine, you'll be protected if the hard drive fails. But if the equipment is stolen, or the office burns to the ground, the backup will be lost.

    The safest procedure is to use a different tape or disk each day. Keep all but the current day's backups off-site — at your home, perhaps.
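    The following added Python example (not from the article) carries out this section's advice for the files it calls mission-critical: a dated backup set per day with a SHA-256 manifest, a verification pass that re-reads the copies to prove they are restorable, and staging of every set but the current day's to an off-site location. All file names and contents are constructed.

```python
"""Daily backup of the files the article calls mission-critical, with verification.

Added example, not from the article. It copies the named data files into a
dated backup set, records a SHA-256 manifest, re-reads the copies to prove
they are restorable (the 'test your backup' step the page recommends), and
then moves every set except the current day's to an off-site location, as
the text advises. All file names and contents are constructed.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import date
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large databases do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(sources, dest_root: Path, day: date) -> Path:
    """Copy each source into dest_root/<YYYY-MM-DD>/ and write manifest.json."""
    set_dir = dest_root / day.isoformat()
    set_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for src in map(Path, sources):
        shutil.copy2(src, set_dir / src.name)
        manifest[src.name] = sha256_of(src)   # hash of the ORIGINAL, checked below
    (set_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return set_dir


def verify_backup(set_dir: Path) -> list:
    """Re-hash every copy against the manifest; return the names that fail."""
    manifest = json.loads((set_dir / "manifest.json").read_text())
    return [name for name, digest in manifest.items()
            if not (set_dir / name).exists() or sha256_of(set_dir / name) != digest]


def stage_offsite(dest_root: Path, offsite: Path) -> list:
    """Move all but the newest set to the off-site location (a directory here
    stands in for the tape or disk you carry home); return the moved set names."""
    sets = sorted(p for p in dest_root.iterdir() if p.is_dir())
    offsite.mkdir(parents=True, exist_ok=True)
    moved = []
    for old in sets[:-1]:
        shutil.move(str(old), str(offsite / old.name))
        moved.append(old.name)
    return moved


def demo() -> dict:
    """Two days of backups, one damaged copy, then off-site rotation."""
    work = Path(tempfile.mkdtemp())
    data = work / "data"
    data.mkdir()
    (data / "customers.db").write_bytes(b"constructed customer records\n" * 100)
    (data / "payroll.csv").write_text("employee,net_pay\nalice,4200\n")
    backups = work / "backups"
    results = {}
    for day in (date(2007, 8, 20), date(2007, 8, 21)):
        set_dir = make_backup([data / "customers.db", data / "payroll.csv"], backups, day)
        results[day.isoformat()] = verify_backup(set_dir)    # [] means all files verified
    # Simulate a damaged medium: the latest payroll copy is truncated.
    (backups / "2007-08-21" / "payroll.csv").write_text("employee,net_pay\n")
    results["after_damage"] = verify_backup(backups / "2007-08-21")
    results["moved_offsite"] = stage_offsite(backups, work / "offsite")
    shutil.rmtree(work)
    return results
```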

    Forget About Doing Backups with Floppies

    The earliest backup medium was the floppy. These are no longer practical. They hold hardly any data, so a large collection would be needed for a backup. You would have to sit at the computer for hours, swapping the floppies in and out. Don't even think about it.
    Tape has been the medium of choice for a number of years. Tapes are relatively slow, but the process can be automated. You can schedule the backup for when you're sleeping.
    Tape drives and the tapes to go with them are relatively expensive, too. And the backup software aimed at small businesses can be difficult to use. Tape is a great backup medium, once you understand it. It has its drawbacks in terms of the time and work involved. But once you get a system running, it can go smoothly.
    Here are some other options:
    • Back up to a burner — a CD or DVD drive. Neither holds nearly as much data as a tape. If you decide to go this route, be sure your software allows automated backups. A CD or DVD will work well if your data is not voluminous. CDs will hold up to 700 MB; most DVDs will hold 4.7 GB.

    • Use a Zip or Jaz drive. These are made by Iomega. Zips hold 250 MB of data; Jaz holds 2 GB.
    • Use an external hard drive. These hold a vast amount of data. They attach to the computer via high-speed connections such as USB 2.0 or FireWire. Hard drives are fast, so the backup wouldn't take much time. But an external hard drive is relatively bulky, so you would get tired of taking it home.

    Another Option to Consider: Backing up on an Internal Hard Drive

    You could use a second internal hard drive, although that would mean leaving the backup in the office. Windows automatically accommodates multiple hard drives. You could simply copy your data from the master hard drive to the second one, known as a slave.
    If having two hard drives appeals to you, consider a RAID system. RAID stands for Redundant Array of Inexpensive Disks. These systems can be complicated but a two-disk system is simple; you set it up as a mirror.
    When you save something, it automatically saves to both drives. The second drive looks just like the first. So if one fails, you have a perfect copy. And RAID will automatically switch you over to the working drive.
    Some motherboards have RAID capability built in. If yours doesn't, a RAID card can be added to the computer.
    However, a RAID system would leave your backup inside the computer. That leaves you vulnerable to fire or theft.
    Need More Security? Consider an Online Backup Service

    If you're especially concerned about safety, you might want to consider an Internet backup. There are many firms on the web that will store your data for you, for a monthly fee. You can run the backup automatically.
    Don't consider this route unless you have a high-speed internet connection. Backups by dial-up modem could tie up your phone lines for hours at a time.
    Also, Microsoft SharePoint offers the ability to store copies of your most-vital business documents in a secure area that you can access through the Internet. SharePoint is available as part of Windows Server 2003.

    About the Author:

    Kim Komando writes about workplace technology and security issues. She's the host of the nation's largest talk-radio show about computers and the Internet, and writes a syndicated column for more than 100 Gannett newspapers and for USA Today.

    Use ISO 17799 to Improve Security and Minimize Risks

    Most organizations are dependent upon their information and business systems, leaving them exposed to critical loss in the aftermath of a security breach. Fortunately, by implementing an information security management system ("ISMS"), as outlined in the only internationally accepted standard/code to address information security, a business can significantly reduce the risk of a security breach.

    ISO/IEC 17799:2005 ("ISO 17799"), known as the Code of practice for information security management, was developed by an IT Security Subcommittee of the International Organization for Standardization and was published in June 2005. ISO 17799 is superior to other security standards because it is globally accepted and comprehensive. ISO 17799 has been cleverly crafted to work well across industries and geographies. Also, the International Organization for Standardization has consciously made this standard consistent with most other existing information security audit and control standards, such as those developed by the NIST (National Institute of Standards and Technology). Therefore, ISO 17799 can be the common framework that links to all other standards, regulatory requirements and corporate governance initiatives.

    ISO 17799 provides practical guidelines for developing organizational security controls and effective security management practices. An ISO 17799 evaluation results in a snapshot of the company's security infrastructure, in that it provides a high-level view of how well (or how badly) a company implements information security. This standard is a great tool for companies whether establishing or improving information security within their organization.

    The information security process traditionally has been based on sound best practices and guidelines, with the goals of preventing, detecting and containing security breaches, as well as restoration of the affected data to its previous state. While this cumulative wisdom of the ages is valid, it is also subject to various interpretations and implementations. ISO 17799 offers an achievable benchmark against which to build organizational information security.

    Control Selection based on Risks Identified

    ISO 17799 consists of 39 security controls, which can be used as a basis for a security risk assessment. The controls encompass all forms and types of information, whether they are electronic files, paper documents or various forms of communications such as email, fax and spoken conversations. The standard sets out a variety of hardware and software considerations, policies, procedures and organizational structures that protect a company's information assets from a broad range of modern security threats and vulnerabilities. How organizations shape their information security programs will depend on the unique requirements and risks they face. An organization should only deploy controls that relate to, and are in proportion to, the actual risks it faces.

    Controls can also more simply be described as the countermeasures for risks. Apart from knowingly accepting risks considered acceptable, or transferring those risks (through insurance) to others, there are essentially four types of control:

    1. Deterrent controls reduce the likelihood of a deliberate attack.
    2. Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact.
    3. Corrective controls reduce the effect of an attack.
    4. Detective controls discover attacks and trigger preventative or corrective controls.

    It is essential that any controls that are implemented are cost-effective. The cost of implementing and maintaining a control should be no greater than the identified and quantified cost of the impact of the identified threat (or threats). It is not possible to provide total security against every single risk; the trade-off involves providing effective security against most risks. No board should sign off on any ISMS proposal that seeks to remove all risk from the business - the business does, after all, exist within a risk framework and, since it is impossible to exist risk-free, there is little point in proposing to eliminate every risk.

    No organization should invest in information security technology (hardware or software) or implement information security management processes and procedures without having carried out an appropriate risk and control assessment that assures them that:

    - The proposed investment (the total cost of the control) is the same as, or less than, the cost of the identified impact;
    - The risk classification, which takes into account its probability, is appropriate for the proposed investment; and
    - Mitigating the risk is a priority - i.e. all the risks with higher prioritization have already been adequately controlled and, therefore, it is appropriate now to be investing in controlling this one.
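    As an added worked example (not from the article or from ISO 17799), the following Python applies the four control types and the three investment criteria just listed to a constructed set of risks. The probability-weighted expected loss it uses as the risk classification is an assumed quantification, as are all the figures.

```python
"""Deciding whether a control is worth buying, using the three criteria above.

Added illustration, not from the article or from ISO 17799 itself. The risk,
control and cost figures are constructed, and the probability-weighted
expected loss used as the 'risk classification' is an assumed method: the
standard leaves the quantification to the organization.
"""
from dataclasses import dataclass

# The four control types the text names.
CONTROL_TYPES = {"deterrent", "preventative", "corrective", "detective"}


@dataclass
class Risk:
    name: str
    impact: float          # cost of one occurrence of the threat
    probability: float     # expected occurrences per year
    controlled: bool = False

    def expected_loss(self) -> float:
        """Classification that takes probability into account (criterion 2)."""
        return self.impact * self.probability


@dataclass
class Control:
    name: str
    kind: str              # one of CONTROL_TYPES
    annual_cost: float     # implementation plus maintenance, per year
    mitigates: str         # name of the Risk it addresses

    def __post_init__(self) -> None:
        if self.kind not in CONTROL_TYPES:
            raise ValueError(f"unknown control type: {self.kind!r}")


def prioritize(risks):
    """Risks ordered by expected loss, highest first: the funding order."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


def justify(control, risks):
    """Apply the three investment criteria; return (approved, failed_criteria)."""
    risk = next(r for r in risks if r.name == control.mitigates)
    failed = []
    # 1. Total cost of the control must not exceed the cost of the identified impact.
    if control.annual_cost > risk.impact:
        failed.append("cost exceeds impact")
    # 2. The probability-weighted classification must still justify the spend.
    if control.annual_cost > risk.expected_loss():
        failed.append("cost exceeds expected annual loss")
    # 3. Every higher-priority risk must already be adequately controlled.
    waiting = [r.name for r in prioritize(risks)
               if r.expected_loss() > risk.expected_loss() and not r.controlled]
    if waiting:
        failed.append("higher-priority risks uncontrolled: " + ", ".join(waiting))
    return (not failed, failed)


def demo():
    """Constructed portfolio: three risks and three candidate controls."""
    risks = [
        Risk("laptop theft", impact=20_000, probability=0.5),               # 10,000/yr
        Risk("ransomware on file server", impact=150_000, probability=0.2), # 30,000/yr
        Risk("misdirected fax", impact=2_000, probability=2.0),             # 4,000/yr
    ]
    decisions = {}
    fde = Control("full-disk encryption", "preventative", 3_000, "laptop theft")
    decisions["encryption first"] = justify(fde, risks)   # blocked: ransomware ranks higher
    backups = Control("offline backups", "corrective", 12_000, "ransomware on file server")
    decisions["backups"] = justify(backups, risks)        # approved
    risks[1].controlled = decisions["backups"][0]
    decisions["encryption second"] = justify(fde, risks)  # now approved
    risks[0].controlled = decisions["encryption second"][0]
    guard = Control("fax room guard", "deterrent", 50_000, "misdirected fax")
    decisions["guard"] = justify(guard, risks)            # fails criteria 1 and 2
    return decisions
```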

    Once information security needs and requirements are identified, a suitable set of controls from ISO 17799 can be established, implemented, monitored, reviewed and improved upon in order to ensure that the specific security objectives of the organization are met.

    ISO 17799 is a comprehensive information security code of practice that provides enterprises an internationally recognized and structured methodology for information security. In addition to ISO 17799, the International Organization for Standardization also published ISO 27001, which specifies a number of requirements for establishing, implementing, maintaining and improving an ISMS using the controls outlined in ISO 17799.

    ISO 27001 is the formal standard against which an organization may seek independent certification of its ISMS. While certification is entirely optional, as of January 2007, over 3000 organizations world-wide were ISO 27001 certified, demonstrating their commitment to information security. Organizations may be certified compliant with ISO 27001 by a number of accredited certification bodies worldwide. ISO 27001 certification generally involves a two-stage audit process, with a "table top" review of key documentation at the first stage and a more in-depth audit of the ISMS at the second stage. The certified organization would need to be re-assessed periodically by the certification body.

    In summary, organizations face threats to their information assets on a daily basis. At the same time, they are becoming increasingly dependent on these assets. Technical solutions are only one portion of a holistic approach to information security. Establishing broad information security requirements in the framework of the organization's own unique risk environment is essential.

    About the Author:

    Fazila Nurani is the President and Founder of PrivaTech Consulting, based in Toronto, Canada. Nurani advises organizations on compliance with global privacy laws and managing information security risks. She may be reached at +1.905.886.0751 or
