

Quality Matters is an independent Management Consultancy based in Maldon, Essex. Here we discuss the latest in Quality and Information Security News.



Encryption and ISO27001

What is encryption?


Encryption is a method of scrambling a message or other data so that it cannot be read by an unauthorised person. Sadly it has become too easy to intercept messages and use them for illegal purposes. Encryption protects that data.

A simple encryption might be to use the alphabet in reverse:






ABCDEFGHIJKLMNOPQRSTUVWXYZ
ZYXWVUTSRQPONMLKJIHGFEDCBA

'Please reply to this message' becomes KOVZHV IVKOB GL NVHHZV
Unfortunately this code would be broken very easily. A more secure system would use the shift method where the table is used but each letter is shifted to the right by 3 boxes.

'Please reply to this message' now becomes SOSWVS FSHLE DI DPOE KSEEWQS. This is better but relies on the person receiving the message knowing the key (what method was used). This type of encryption would be broken in seconds by an experienced cracker.
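The two classical ciphers described above, as an added example that is not part of the original post: Python implementations of the reverse alphabet and the shift by 3, applied to the post's own sentence, plus a loop that recovers the shift key by simply trying all 25 possibilities, which is why the post says this type of encryption is broken in seconds.

```python
"""Added example (not from the original post): the reverse-alphabet cipher and
the shift cipher the post describes, and why the shift cipher is no protection.
The plaintext is the post's own example sentence."""
import string
from typing import Optional

ALPHABET = string.ascii_uppercase


def atbash(text: str) -> str:
    """Reverse-alphabet substitution (the post's first table): A<->Z, B<->Y, ...
    Letters are upper-cased; anything that is not a letter is passed through.
    The cipher is its own inverse, so the same function decrypts."""
    return "".join(
        ALPHABET[25 - ALPHABET.index(c)] if c in ALPHABET else c
        for c in text.upper()
    )


def shift(text: str, key: int) -> str:
    """Shift cipher (the post's second method): move each letter `key` boxes to
    the right, wrapping from Z back to A. Decryption is shift(ciphertext, -key)."""
    return "".join(
        ALPHABET[(ALPHABET.index(c) + key) % 26] if c in ALPHABET else c
        for c in text.upper()
    )


def brute_force_shift(ciphertext: str, crib: str) -> Optional[int]:
    """The 'key' of a shift cipher is one of only 25 values, so an attacker need
    not know it: try every shift and return the first one whose plaintext
    contains a word the message is expected to contain (the crib).
    Returns None if no shift produces the crib."""
    for key in range(1, 26):
        if crib.upper() in shift(ciphertext, -key):
            return key
    return None


if __name__ == "__main__":
    msg = "Please reply to this message"
    print(atbash(msg))                       # KOVZHV IVKOB GL GSRH NVHHZTV
    scrambled = shift(msg, 3)
    print(scrambled)                         # SOHDVH UHSOB WR WKLV PHVVDJH
    print(brute_force_shift(scrambled, "message"))  # 3: recovered without the key
```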

Modern computers rely on even more secure methods:

The first of these is the SYMMETRIC KEY, where the sender and the receiver both know the key used to encrypt and decrypt the message. Anyone else will see a jumble of letters.
The second method is known as PUBLIC KEY; a typical system uses PGP (Pretty Good Privacy) and relies on a public key, which is available with the message, and a private key, which is known only to the sender and the receiver. Again anyone else will see gibberish.

The third method is known as DIGITAL CERTIFICATE where the certificate acts as a middleman, checking the identity of both the sender and the receiver; if both are genuine the certificate allows the message to be decrypted.

Additionally, financial transactions use a secure system known as SSL (Secure Sockets Layer); the user will notice that the usual http:// is replaced by https:// and a small padlock is normally present on the web-site to show that SSL is in use. Credit card transactions use this very secure method of encryption.

The Information Security Standard ISO27001 recommends the use of encryption to protect data.



Posted: Sunday, 9 March 2008



ISO27001 Information Security
Data security, or the lack of it, is in the news almost daily and the news is pretty alarming. Report after report reveals the often casual way in which our data is cared for, and the shortfalls in that care.

Every cloud has a silver lining however; we have seen a huge increase in enquiries for consultancy in setting up ISO27001 systems. It seems that industry and commerce are taking data security very seriously, unlike the Revenue.

ISO27001 sets up a number of steps that protect data and other information from unauthorised access and release. It also ensures compliance with the Data Protection Act and ensures that companies are protected from litigation concerning data.

Surely it cannot be long before the Information Commissioner takes action or, failing that, litigation is brought against those who lose, or act in a cavalier manner with, data under their care.

Every organisation employing ISO27001 can claim that they have used best practice and have taken all reasonable steps to ensure that the elements of Data Security have been employed. This is a valid defence in a Court of Law (if it should go that far).

C. I. A. are the main requirements:

Confidentiality
  • To ensure that data is not compromised or released

Integrity
  • To ensure that data is protected from unauthorised alteration

Availability
  • To ensure that data is available when and where required


If we all carry this out then there is hope for us yet.

At the moment, I for one, am unwilling to trust my valuable data to any organisation not complying fully with ISO27001.



Posted: Monday, 25 February 2008



Social Engineering
Social engineering is the name given to attempts to gain secure information by gaining the trust of the person holding such information.

With Valentine's Day fast approaching, I recall methods used in the past to gain entry to some of London's most secure buildings.

Imagine the scene: a pretty girl with a teddy bear and a box of chocolates presents herself at reception, "It's a surprise for Jason Brown from his girlfriend and the bear, chocolates and message have to be delivered in person". The receptionist says that security policies will not allow her in, but she pleads that this is an emergency and, trusting the girl just this once, the receptionist lets her in. Of course she isn't delivering a Valentine's gift; she has been sent to test the company security.

Imagine the second scenario: the telephone rings and the person on the other end explains that he is one of the IT engineers testing the company intranet and has foolishly gone to the data centre without taking his book of secure passwords; if he is found out he will probably be sacked; can the person please help him out this once and give him log-in and password information? The result can be scary.

The third scenario is even more worrying; on a train station the offer is a free pen if the person will simply write their log in and password on a slip of paper. Each person so doing will be entered into a draw with the chance to win a holiday, one million pounds, or some other prize. Sadly too many people take up this offer and compromise their security systems.

This year, with February 29 being the day when traditionally ladies can propose to their men, it will be entirely possible that many secure buildings will be penetrated by women claiming to want to propose, and it must be a surprise, mustn't it?

And finally the smoking ban has had a very detrimental effect on security; the fire doors at the back of the building are left open to allow smokers to go out for a cigarette, and get back in afterwards. The social engineer will simply mingle with the smokers and follow them in. Security breached.



Posted: Monday, 11 February 2008



Business Continuity Planning BS25999-2:2007
I wonder how many companies were faced with the same problem that I faced following the Christmas and New Year shutdown: my office landlord decided that he would turn off the heating during this period in order to save money. The net result was that the office, and more importantly the computer equipment, became very cold. Upon turning the heating back on, condensation formed and this caused the equipment to short out.

The resulting bang not only did my constitution no good, it meant that the computer equipment had to be repaired. Fortunately our company has a business continuity plan which was put into action and none of our clients were put to any inconvenience.

At the end of 2007 the British Standards Institute produced a new standard, BS 25999-2 Business Continuity Management, and its code of practice BS25999-1. This can be either a stand-alone system or part of ISO27001 (Information Security Management Standard).

BS25999-2 sets out the requirements for BCM (business continuity management) and how any organisation can reduce or mitigate any incident which interrupts or degrades the company or its operations.

The main areas are:

  • Identify what potential risks could affect the company;

  • Know what equipment would be needed in the event of a loss of building/facility;

  • Keep copies of staff information off-site to be able to contact key personnel if required;

  • Plan who will do what and when;

  • Make contingency plans for staff if buildings are unavailable;

  • Keep copies of important information off-site;

  • Review and train everyone in the continuity plan and IT disaster recovery routine;

  • Test the plan regularly;

  • Learn lessons from any tests;

  • Ensure the plan is kept up to date.


Having a business continuity plan in place will not stop a disaster happening, but it certainly will ensure that its effect can be mitigated and will ensure that the company can be up and running in the shortest possible time.

It is important to note that many companies that have been subject to a major disaster and do not have a business continuity plan have gone out of business.

Be prepared. It is not only for boy scouts.



Posted: Thursday, 24 January 2008



Business Continuity Planning
Business continuity planning is one subject that is often left to the last minute but is one of great importance.

If you wait until 'something' happens, it could be too late. I have seen people wading in calf deep water looking for the stopcock; others reading the instructions on a fire extinguisher in the middle of a fire.

In reality we should all know what to do in an emergency well before the emergency happens and be prepared for most eventualities.

We have read about the terrorist attack, the dirty bomb and other major catastrophes but it is often the 'soft' disasters which can cause irreparable damage to a company.

One such problem occurred recently; the company uses a card entry system to gain access to the building. The server housing the operating system failed and prevented anyone entering the building. It was apparent that there was no manual override; people milled around outside the building, not really knowing what to do. Eventually someone broke a window to gain entry. Of course the alarm went off and before it could be turned off the police were on site; embarrassment all round.

The company has now put a system in place to override the card system if it fails in the future.

The winter season also means that illness will increase; how many companies have prepared for a flu epidemic? Sadly very few.

Companies that have incorporated ISO27001 (Information Security Management System) will have an emergency plan in place, regularly tested and validated. This, together with an IT Disaster Recovery Plan, will be able to deal with most eventualities. The old saying 'hope for the best but prepare for the worst' is a good mantra to use.

Companies that have suffered a major disaster, like being in the vicinity of the Buncefield fuel depot fire, and did not have any business continuity plan have disappeared without trace. Insurance cover just didn't mitigate all the problems. Those companies that did have a plan in place had difficulties but managed to survive.

It is a pity that, as of December 2007, there are only 363 companies in the UK certificated to ISO27001. It is a very big standard to achieve but the benefits are huge.



Posted: Thursday, 17 January 2008

2 Comments:

Anonymous Ed. said...

There seems to be an ongoing confusion here between ISO Standards requirements and conformance and the possible REGISTRATION activity. It is perfectly possible to argue the case for compliance/conformance with the requirements of the various Standards, but other than on the dubious grounds of Publicity I have yet to hear a case for the necessary investment in the registration process.

07 April 2008 18:43

Anonymous Anonymous said...

Although I agree in principle, formal certification does mean that someone else is confirming your compliance to a standard and this must carry more weight than a self-declaration.

12 April 2008 11:53



A Happy New Year (and a more secure one!)
We should all hope that 2008 is going to be a more secure year for our data. It seems that every day brings fresh news that our data has been compromised in one way or another. The chief culprits appear to be government departments, which are being forced to own up to data breaches in the past rather than being found out by the Information Commissioner.

In addition to lost disks, there are paper records discarded in public dustbins and lost laptops by the boat-load. Security which was trumpeted by ministers as being paramount seems to have been very low on their priority list in their own domains. It is also lamentable that there has been a deliberate policy of hiding the facts from those people most at risk.

We must be vigilant as these data breaches might not affect us until some date in the future. Criminals will wait until the furore has died down before using the data illegally.

Let us make sure that 2008 is a year of data security; here is a recap of precautions:

  • Always shred confidential documents or documents having identifiable data;

  • Never give passwords or log on information to email enquiries, telephone callers or visitors;

  • Be wary of emails directing you to a bank or other secure site which ask for personal information;

  • Do be aware that information put into social sites such as Facebook may be visible to people other than the intended audience. Dates of birth, names and addresses, telephone numbers and details of family can be used to steal identities.

  • Never dispose of old computers until the hard drives have been removed or destroyed; remember deleting or re-formatting the disk does not actually delete the data;

  • Never leave confidential documents on desks overnight or when unattended (clear desk policies);

  • Laptops should be secured with a multistrand cable to an immovable object like a radiator when unattended;

  • Laptops should be password protected;

  • Laptops should be encrypted if data is sensitive;

  • Never share passwords, and use complex passwords to prevent others gaining access to desktops and laptops;

  • Never leave desktops and laptops logged in and unattended;

The list goes on and on but use common sense - assume that the worst may happen and take precautions to stop or at least reduce it.

Let us all have a Happy and safe New Year



Posted: Thursday, 3 January 2008



Myths Surrounding ISO27001 Information Security
This week I am carrying the series of myths forward, this time with the myths surrounding Information Security (ISO27001).

  1. Information Security is for big companies.

    False. Most small companies (and individuals) are targeted at some time.

  2. My computer has virus control software so I am safe.

    False. Anti-virus software is only one area of protection.

  3. I have turned off the Microsoft Automatic Update to protect my computer.

    False. Auto-update provides security patches to help protect your computer.

  4. I always tear up sensitive paper information before putting it in the dustbin to protect myself.

    False. Tearing up paper is never as secure as shredding.

  5. Cutting a credit card in half makes it useless to a thief.

    False. Shred any non-required credit cards, as a thief can copy the details and your signature.

  6. Email is a secure method of communication.

    False. Unless you encrypt your email, it is visible.

  7. I can't remember complex passwords so I use my dog's name, but that is secure.

    False. A hacker will run a dictionary test to find easy passwords like this.

  8. My company insists on 8 digit passwords so I have to write them down – but this is safe.

    False. Writing down passwords is a bad idea and is full of risk.

  9. In my company we all share a generic password but this is secure.

    False. If there is a problem with a generic password it is almost impossible to find out who is responsible.

  10. When we get new computers we always format the old hard disks to ensure they cannot be hacked.

    False. Hard disks should be physically destroyed, otherwise data can be recovered, sometimes by simply un-formatting.

Information security is everyone's responsibility.



Posted: Sunday, 28 October 2007



ISO9001 vs ISO27001

ISO9001


What is ISO9001?


  • A Quality Management system for turning customer requirements into customer satisfaction.

  • Provides the mechanism for continual improvement.

  • A set of common sense guidelines for running a successful business.

What are the benefits of ISO9001 Registration?


  • Internationally recognised quality mark

  • Certificates awarded by independent accredited organisations.

  • Customers do not have to do their own checks on a supplier.

How many ISO9001 Certificates have been issued?


Over 1 million worldwide.


The Model for ISO9001


What is covered by ISO9001?


BS EN ISO 9001:2000 requires 5 main sections to be addressed, these are:


  1. Quality Management System;

  2. Management Responsibility;

  3. Resource Management;

  4. Product Realisation;

  5. Measurement, Analysis and Improvement

Each section is subdivided as required and covers all elements of the business having an impact on quality.


ISO27001


What is ISO27001?


  • An Information Security Management System for protecting customer information and data from unauthorised disclosure.

  • Confidentiality, Integrity and Availability

  • Risk assessment and management

  • Access controls and computer security

  • Protection of hardware and software assets

  • Business continuity management and disaster recovery

What are the benefits of ISO27001 Registration?


  • Internationally recognised Information Security Mark.

  • Certificates awarded by independent, accredited organisations.

  • 3rd Party assurance of information security credentials.

How many ISO27001 Certificates have been issued?


Under 4000 worldwide (includes BS7799 certificates)


The Model for ISO27001


What is covered by ISO 27001?


ISO27001 requires 5 main sections to be addressed, these are:


  1. Management Responsibility;

  2. Internal ISMS Audits;

  3. Management Review;

  4. ISMS Improvement

Correlation between ISO9001 and ISO27001



How long does it take to obtain certification?


This obviously varies from organisation to organisation, but the prime requirement is that the organisation must have three months of 'track record' from completion of the document set.


As a rough guide, ISO9001 can be achieved in about 6 months while ISO27001 takes about 12-18.


What documentation is needed?


A Quality & ISMS manual and procedures/processes for operating the systems.


Once certificates are issued what happens next?


The certification authority will carry out surveillance visits each year to ensure continued compliance.



Posted: Sunday, 9 September 2007



Business Continuity Planning
The flooding in July has shown that companies with proper business continuity plans have done well, with little or no interruption in services. Those companies with no business continuity plans in place have fared less well. Some of these were caught napping: their systems went down, resumption dates were uncertain, and doubts about insurance cover may mean that some companies ceased to trade.

A basic Business Continuity Plan looks at possible threats to the company and what action would be appropriate in these circumstances, moreover the actions are tested before disaster strikes and any corrective actions incorporated.

Plans that are put in place but are untested often fall at the first fence; an example of this is the company that has an uninterruptible power supply in place to deal with mains power loss, but takes no account of an interruption lasting an hour or more when the UPS power is exhausted.

Most of the planning is just common sense, but tell that to those companies facing ruin.



Posted: Wednesday, 22 August 2007



Laptop Data Safety
Basic levels of password protection on laptops are easily overcome by the experienced thief and this is causing considerable concern within the industry.

There are two things you should do:

  1. Physical security - Don't let your laptop out of your sight. Never leave it unattended in a public place. Never leave it in the boot of your car overnight at hotels. Always use a steel cable to attach it to a firm structure when in use outside your normal environment.

  2. Electronic security - Don't have sensitive data on a hard disk in the first place. Use a complex password and if possible second level authentication, such as a token or other device. When the laptop is on but is not being used, use the electronic lock facility to activate the password entry facility. Use a password on any screensaver.


That takes some account of security for the laptop, but with attached devices such as SD cards and USB pen-drives the situation is different:

Anyone stealing the SD Card or Pen-drive can read the data on any computer loaded with similar software. This is clearly a point of vulnerability; the best method to protect this type of device is to encrypt it so that it is useless without the decrypt key.

This protection is not the expensive option it used to be, with open source software freely available. The best of these encrypt and decrypt on the fly and are transparent to the authorised user, but render the device useless to the thief; in many cases the device appears to be blank.

ISO27001 and Laptop Security



Posted: Thursday, 21 June 2007



Memory Sticks, SD Cards and Other Removable Media
ISO 27001 calls for controls to be implemented on removable media to stop unauthorised access/ transmission of data. It is not unknown for a disgruntled employee to download data containing commercial information onto some form of portable memory device just before leaving employment. This can be customer information, product information, designs or drawings.

The compromise of these documents can be very damaging for the employer. It does not matter that the employee has signed a confidentiality agreement because the damage is done.

Sensible employers who wish to prevent data downloads can stop any transfer of data to a USB port or other device by incorporating this into the Computer Group Policy, installed from the network during boot-up, thus disabling the USB port for this purpose; the port can still be used for a keyboard or mouse.

A less effective method would be to have a 'No USB memory stick' condition in the Employee's terms and conditions, but this does need to be policed.

I am constantly surprised that companies that are normally careful with computer data have no firm policy on removable or portable memory devices.

I have spoken here about USB sticks but this applies equally to SD cards, iPods, etc. The relatively large capacity of these devices, often gigabytes in size, does mean that a considerable amount of data can be downloaded.

Security of data must be extended to portable memory devices.



Posted: Thursday, 24 May 2007



ISO27001 and Hard Disks
We all tend to take our hard disk drives very much for granted; they start each day and, with a little care and a bit of housekeeping such as defrag and cleanup, provide sterling service.

A disk drive consists of disks of magnetic material spinning at relatively high speeds with a reading head flying less than the breadth of a human hair just above them. The smallest deviation will result in the reading head crashing into the magnetic disk with disastrous results. Add to this the mechanics and electronics of the thing and it is not surprising that ALL disk drives will fail; yes, 100% of them.

If you have been clever and have taken good backups of your data and have ensured that you have verified that the backup is good then you will have only a moderately bad time reinstalling the programs and settings etc. If you have been super efficient and have used a mirror raid system where the information on one disk is mirrored onto another, then you will have very little down-time.

The sad thing is that very few organisations have a full mirror set-up, not all organisations have a verified back-up and some organisations have no back-up at all. Irretrievable loss of all data can be very damaging, if not fatal, to an organisation.

The ISO27001 Information Security Management Standard specifies the level that backup should take, the protection given to backup media and finally how redundant media is de-commissioned and disposed of.

Don't let short term gains result in data loss.



Posted: Thursday, 15 March 2007


Information Security and Social Engineering

Social engineering is the term for obtaining information from people without them realising what is going on.

A recent exercise carried out by one of our clients was to invite specially selected employees by email (although all employees received the invitation) to take part in an exciting new venture. All they had to do was to go to a secure web-site and enter their company log-on and password to verify their interest. The recipients were warned not to talk about this venture to any of their colleagues as the matter was highly secret.

This company (that I will not identify) is accredited to ISO27001 and takes security very seriously but many of the employees did enter this confidential information into the web-site believing that it was quite innocent.

On a completely different angle, and with Valentine's Day approaching, the chances of unauthorised entry to your organisation increase.

A delivery of flowers or chocolates is made, usually by a pretty girl, and the idea is to surprise the recipient so the usual security at reception is waived.

Entry to the company is that easy.

Social engineering can damage your security



Posted: Saturday, 10 February 2007



Basic Computer Security
Many businesses are considering the introduction of ISO27001 - Information Security Management - as part of their strategic plan to protect computer and other records from unwanted disclosure or misuse.

Other organisations should at least consider basic security on their computer systems; however, it is surprising that really basic security measures on desktops and laptops aren't always being used.

Here are 10 basic security precautions:

  1. Always set the option to force a user to press CTRL-ALT-DEL before logging on

  2. Passwords should be at least six characters long and contain letters and numbers

  3. Don't use your name, your partners name or the name of a pet as a password

  4. Don't write the password on a post-it note and stick it to the screen or under the keyboard

  5. Passwords should be changed regularly

  6. Don't share your password with anyone

  7. Use antivirus software and keep it up to date

  8. Use an anti spyware programme regularly

  9. Turn on the inbuilt firewall (Windows XP and later machines)

  10. When leaving the desktop or laptop unattended, lock the system by pressing the Windows key and L.

Better safe than sorry



Posted: Saturday, 27 January 2007



Information Security Management: All you need to Know

Information is the lifeblood of all organisations and can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by mail or by electronic means, shown in films, or spoken in conversation.


In today's competitive business environment, such information is constantly under threat from many sources. These can be internal, external, accidental, or malicious. With the increased use of new technology to store, transmit, and retrieve information, we have all opened ourselves up to increased numbers and types of threats.


Threats

There is a need to establish a comprehensive Information Security Policy within all organisations. You need to ensure the confidentiality, integrity, and availability of both vital corporate information and customer information. The standard for Information Security Management Systems (ISMS), ISO27001, has fast become one of the world's best-selling standards.


What is an Information Security Management System?


An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and IT systems. BSI has published a code of practice for these systems, ISO/IEC 17799, which is now being adopted internationally.


Where do I Start?

Develop an information security policy and identify your organisation's key information assets. Purchase the standard, ISO/IEC 17799 & ISO27001 to help you do this.


  1. Carry out a risk assessment and build your ISMS. Training of key staff will help to ensure its successful implementation.

  2. Once your management system is fully implemented you can register to ISO27001 with one of the accredited certification bodies

What is ISO27001?

ISO27001 is a standard setting out the requirements for an Information Security Management System. It helps identify, manage and minimise the range of threats to which information is regularly subjected.


Annex A of BS 7799 identifies 10 controls:

  • Security policy - This provides management direction and support for information security

  • Organisation of assets and resources - To help you manage information security within the organisation

  • Asset classification and control - To help you identify your assets and appropriately protect them

  • Personnel security - To reduce the risks of human error, theft, fraud or misuse of facilities

  • Physical and environmental security - To prevent unauthorised access, damage and interference to business premises and information

  • Communications and operations management - To ensure the correct and secure operation of information processing facilities

  • Access control - To control access to information

  • Systems development and maintenance - To ensure that security is built into information systems

  • Business continuity management - To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters

  • Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirements.



Posted: Saturday, 2 December 2006


