Information security controls

An ISO/IEC technical report (TR) providing technical controls and compliance guidelines for auditors can improve the effectiveness of an organization’s information security system.

ISO/IEC TR 27008:2011, Information technology – Security techniques – Guidelines for auditors on information security controls, aims to instill confidence in the controls underpinning an organization’s information security management system. The review applies to all parts of the organization, including business processes and its information systems environment.

“The business environment is constantly changing – along with threats to a company’s survival. Organizations

need to be ahead of the game, and an excellent defence can be built around audit of the controls used to support the information security,” says Edward Humphreys, leader of the working group that developed the new document.



“ISO/IEC TR 27008:2011 supports a rigorous organizational security audit and review programme for information security controls, to enable the organization to have confidence that their controls have been appropriately implemented and operated and that their information security is ‘fit for purpose’.”

ISO/IEC 27008 provides guidance on reviewing the implementation and operation of controls, including technical compliance checking. The document is principally aimed at information security auditors who need to check the technical compliance of an organization’s information security controls against ISO/IEC 27002 and any other control standards used by the organization. ISO/IEC TR 27008 will help them to:

- Identify and understand the extent of potential problems and shortfalls of information security controls
- Identify and understand the potential organizational impacts of inadequately mitigated information security threats and vulnerabilities
– Prioritize information security risk mitigation activities
– Confirm that previously identified or emergent weaknesses or deficiencies have been adequately addressed
– Support budgetary decisions within the investment process and other management decisions relating to improvement of organization’s information security management.

Read more text http://www.iso.org

Road vehicles – Pedestrian protection ISO 11096:2011

The number of pedestrian leg injuries caused by dangerous car design should be reduced thanks to an ISO International Standard defining a new crash test method.

According to the World Health Organization, road traffic accidents kill more than one million people a year, injuring another thirty-eight million (five million of them seriously). The death toll on the world’s roadways makes driving the number one cause of death and injury for people aged 15 to 44.

ISO 11096:2011, Road vehicles – Pedestrian protection – Impact test method for pedestrian thigh, leg and knee, sets out a test method to assess the protection of an adult pedestrian by simulating the leg-impact conditions sustained during the car-to-pedestrian crash.

The goal is two-fold – to:

- Provide information on pedestrian safety to consumers
– Induce manufacturers to develop vehicles with excellent pedestrian protection.

Sukhbir Bilkhu, Chair of the ISO subcommittee that developed the standard, commented: “The pedestrian impact test simulates accidents in which a pedestrian is hit by an oncoming vehicle. These accidents represent about 15 % of fatal crashes. Thanks to ISO 11096, we will make substantial progress in improving vehicle structure, and in so doing, reducing pedestrian lower-limb injuries.”

Read more text http://www.iso.org

Security techniques

From hackers trying to break into networks, to insiders using their knowledge and internal access rights to use company data for their personal gain, the impact from a wide variety of information security threats can be reduced using an information security incident management approach contained in the new International Standard ISO/IEC 27035:2011.

Information security breaches can compromise your business systems, and cause disruption to business operations. Being prepared and responding in a timely and effective way can mean the difference between minor incident and a business disaster. Using an information

security incident management system enables organizations to have the controls and procedures in place to manage a wide variety of security incidents and vulnerabilities.

ISO/IEC 27035:2011, Information technology – Security techniques – Information security incident management, gives “how to” guidance on detecting, reporting and assessing information security incidents and vulnerabilities.

It will help organizations respond to information security incidents, including the activation of appropriate controls for the prevention and reduction of, and recovery from, impacts, and, in so doing, learn and improve their overall approach.

Integrating an information security incident management system offers several benefits:

Read more text http://www.iso.org

the years between 2011 and 2018.

“The smart grid changes everything, but when it comes to cyber security issues, much of the story remains the same,” says senior analyst Bob Lockhart. “Integrating information technology into a power grid presents enormous potential to deliver energy more efficiently and profitably, but also brings inherent risks in terms of security vulnerabilities. The discovery of the Stuxnet worm in 2010 shone a bright light on the fragility of industrial control systems such as SCADA, and has created a new urgency among security vendors and utility managers alike. Nearly overnight, ICS security went from being a non-issue to being critical.”

Lockhart adds that ICS security initiatives will include major investments in control consoles and systems, telecommunications security, human-machine interfaces, and sensors and collectors. The ICS security enhancements will serve key grid operations application areas such as distribution automation, substation automation, and transmission upgrades. Pike Research’s analysis further indicates that smart grid deployments are not globally uniform, and thus some technology upgrades have been addressed earlier than others. For example, utilities tend to mitigate risks in transmission grids first, because a single outage in transmission can have such a wide-ranging effect.



The firm forecasts that ICS security investments will increase at a relatively steady rate over the next seven years, rising from $309 million in 2011 to $692 million annually by 2018. In addition to this revenue, a significant number of professional services opportunities exist, including development and maintenance of security reference architectures for utilities’ control networks, development of security policies and procedures, maintaining employee security awareness programs for ICS, and change management, among others.

Read more text http://www.businesswire.com

The new International Standard ISO/IEC 27005:2011, Information technology – Security techniques – Information security risk management, will help organizations of all types to better manage their information security risks.

It describes the information security risk management process and associated actions, and supports the general concepts specified in ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements.

Edward Humphreys, Convener of the ISO/IEC working group that developed the standard comments:

“ISO/IEC 27005:2011 is an essential standard for those that want to manage their risks effectively and, in particular, to comply with the popular information security management system standard ISO/IEC 27001. Risk management is critical to good business governance, and this standard helps organizations with advice on the why, what and how of managing information security risks in support of their governance objectives.”

In this second edition, the framework outlined in ISO/IEC 27005 has been reviewed and updated to reflect the content of the risk management documents:

Read more text http://www.iso.org

PC World — Alas, another day, another data breach. Late Thursday, word broke that the hacker group LulzSec broke into SonyPictures.com and gained access to 1 million user accounts (the group apparently posted details for 50,000 accounts online). If you have a Sony Pictures account, the bad news is that your personal information may be out there.

You can’t change that fact, but you can take a few steps to limit the potential for damage.

1. Change Your Passwords.

This should be the first thing you do: Change your password for your account on the impacted site. If you used the same login information for any other sites, you should change your password on those sites too. And this may be a good time to change your approach to passwords–check out Alex Wawro’s story on how to build better passwords without losing your mind.

2. Watch for Phishing Attempts, Malicious E-mail

If your e-mail address gets exposed in a data breach, scammers, spammers, and malware authors may try to send malicious e-mails to you–well, more than usual, anyway–so you may see a spike in spam. As always, be on the lookout for any suspicious-looking e-mail. Don’t open attachments you weren’t expecting–even from people you know. Don’t click links in e-mail messages.

read at http://www.cio.com

Why an International Standard for PIN management? Take the example of just one financial institution, Visa. In 2007, Visa had 20 000 member banks with 1.59 billion cards in circulation generating 59 billion transactions per year, with peaks of more than 6 800 transactions per second.

The ISO standard for PIN management helps protect the identification numbers used for cardholder verification against unauthorized disclosure, compromise and misuse everywhere in the world. It thus helps minimize the risk of fraud through electronic funds transfer systems.

Mark Sutton, Chair of the ISO subcommittee that developed the standard,explains, “A PIN’s life span may be long and involve its use in many different countries, bank machines, shops, and even online. Its secrecy needs to be assured at all times, both for online and offline transactions, from the moment it is established to its deactivation (including any issuances, storage, entries, transmissions, validations, etc.).”

ISO 9564-1:2011, Financial services – Personal Identification Number (PIN) management and security – Part 1: Basic principles and requirements for PINs in card-based systems, specifies principles and techniques that provide the minimum security measures required for effective international PIN management. These measures are applicable to institutions responsible for the management and protection of PINs during their creation, issuance, usage and deactivation.
Online and offline PIN verification may have very different security requirements. Since online PINs can be verified independent of the card itself, any type of payment card or device can be used to initiate a transaction. However, there are special requirements for cards used in offline verifications. In particular because the latter type does not require that a cardholder’s PIN be sent to the issuer host for verification.
read at http://www.iso.org

Infromation security

Since its publication in October 2005, ISO 27001 has been implemented in many organisations as the best practice for information security management, with over three hundred UK organisations independently certified against the standard.

So if these organisations, which range from small and medium to large enterprises, have implemented ISO 27001, why are we still hearing about lapses in information security? Neil O’Connor, principal consultant, Activity asks what lessons are there to be learnt from every organisation, whatever its size, using ISO 27001 as a benchmark?

Introduction

Information security, and in particular the handling of personal information, has regularly been in the headlines over the last few months. There have been notable incidents at HM Revenue and Customs, the Ministry of Defence, Nationwide Building Society and Marks and Spencer among others.

These are all large organisations implementing information security management systems at least compliant with, if not certified against, the international standard for information security management, ISO 27001.

ISO27001



A key issue is that ISO 27001 is a management standard, not a security standard. It provides a framework for the management of security within an organisation, but does not provide a ‘Gold Standard’ for security, which, if implemented, will ensure the security of an organisation.

ISO 27001 takes a risk assessment based approach. An information security risk assessment is used to identify the security requirements of the organisation, and to then identify the security controls needed to bring that risk within an acceptable level for the organisation.

Once the security controls have been identified, ISO 27001 defines processes to ensure that a) these controls are implemented and are effective; and b) that the controls continue to meet the organisation’s security needs.

read full text on bcs.org

red full text on iso.org

Infromation security

With more and more organizations implementing information security management systems (ISMS) as part of their risk management strategy, the publication of a new ISO/IEC standard giving an overview of ISMS is particularly timely.

Information securityISO/IEC 27000:2009, Information technology – Security techniques – Information security management systems – Overview and vocabulary, will assist organizations of all types to understand the fundamentals, principles and concepts to improve protection of their information assets.



Applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, non-profit organizations), ISO/IEC 27000:2009 supplements the ISO/IEC 27000 family of standards by providing an introduction to information security management and defining related terms.

Today, an organization’s information assets are dependent upon information and communications technology. The technology assists in facilitating the creation, processing, storing, transmitting, protection and destruction of information.

As the extent of the interconnected global business environment expands, so does the requirement to protect information as it is exposed to a wider variety of threats and vulnerabilities.



Edward Humphreys, convenor of the working group, which developed the standard, comments: “Standardized security techniques are becoming mandatory requirements for e-commerce, health-care, telecoms, automotive and many other application areas in both the commercial and government sectors. ISO/IEC 27000:2009, together with the other ISO/IEC 27000 family of standards, aims to assist organizations more effectively achieve an appropriate level of information security.”

red full story here