Thursday, 10 May 2012

Risk is Measurable


"Risk cannot be measured," is a common scientific and mathematical phrase often applied to information security. While it's true some risk measurements are subjective, it's naive to believe measurements aren't attainable. Risk is not a number, but a measurement of risk is.
For example, you can measure:
* The percentage of vendors meeting an organization's standards,
* A percentage level of compliance to regulations, and
* The number of vulnerabilities present in an environment.
It's critical for credit unions to identify, prioritize, and manage risk. Management and technical staff must jointly define criteria for measuring information security performance. And these measurements should clearly align with business goals and strategies.
When developing measurement criteria, avoid technical, legal, and subject matter jargon. Focus on measuring the services rendered. Clearly define goals, strategies, and measurements. This facilitates open communication, prudent planning, and financial rewards.
Here are common excuses for avoiding risk measurement:
* "Management doesn't understand." Information security encompasses technical and physical security issues. Ensuring confidentiality, integrity, and availability requires deep insight into technology, risk modeling, physical security, laws, and regulations. Technical complexities often hinder communication between management and information technology (IT) staff. The challenge for IT staff: Convey complicated information simply and clearly. The challenge for management: Be willing to accept change.
* "Security measurement is for large credit unions only." Incorporating information security risk measurement into an organization's processes takes time, persistence, and often a cultural change. People often feel threatened, dislike change, or have social motivations that slow the process. But credit unions of all sizes benefit from risk measurement activities. It may take time, but persistence pays off when the measurements support budget requests and supply valuable return-on-investment data.
* "Security moves too fast." Technology continues to change at an astounding rate. Many people feel information security measurement can't keep up with technological change. But the problem actually may be poorly designed measurements. The intent of measurement is to align corporate strategies with IT. Clearly define the organization's goals and objectives. Then measure information security as it relates to those goals and objectives.
SMART measurements
Prudent decisions require simple, measurable, attainable, repeatable, and timely (SMART) information. Keep information security risk measurements:
* Simple. Each measurement's objective must be clearly understood by all intended parties. Create a list of key performance indicators. Avoid technical, legal, and other jargon. Avoid data overload and stay focused on specific performance measurements.
* Measurable. While many facets of security and risk are hard to quantify, focus on what can be measured, for example the number of vulnerabilities or the number of incidents.
* Attainable. Some measurements are direct outputs of existing reports and systems; others may require analysis to derive the value. Make sure your measurement goals are attainable over time, since they must be continually assessed and managed with minimal cost.
* Repeatable. Since you'll want to show trends to generate useful data, make sure the measurements are easy to take over time and can be repeated.
* Timely. Outdated information can skew analysis and directly impact decisions. The timeliness of data often determines its value. Make sure measurements are easy to deliver as needed. Aim for maximum automation with minimal manual activity. Establish clear communication and access rights at the start.
Your credit union can measure information security performance. Risk models, financial measurements, key performance indicators, and other measurements can help you align information security with organizational goals and strategies.
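The three measurements the article lists, scored against the Repeatable and Timely criteria above; this is an added example, not code from the article or from ComSec, and every vendor, control, finding and date in it is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not from the article): a vendor review, regulatory
# control results and a vulnerability inventory as they would be pulled from
# existing reports. Each figure records its source so it can be repeated.
VENDORS = {"alpha-hosting": True, "beta-payroll": True,
           "gamma-print": False, "delta-cloud": True}
CONTROLS = {"AC-1": "pass", "AC-2": "pass", "IR-1": "fail",
            "IR-2": "pass", "CP-1": "pass", "PE-3": "n/a"}
FINDINGS = [
    {"id": "V-101", "severity": "high", "status": "open"},
    {"id": "V-102", "severity": "medium", "status": "open"},
    {"id": "V-103", "severity": "low", "status": "closed"},
    {"id": "V-104", "severity": "critical", "status": "open"},
    {"id": "V-105", "severity": "low", "status": "open"},
]
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
AS_OF = date(2012, 5, 10)          # reporting date for the scorecard
MAX_AGE_DAYS = 90                  # "Timely": older figures are flagged stale


@dataclass(frozen=True)
class Measurement:
    name: str
    value: float
    taken_on: date
    source: str  # report or system the figure came from (Repeatable)


def vendor_compliance_pct(vendors):
    """Percentage of vendors meeting the organisation's standard."""
    if not vendors:
        return 0.0
    return round(100.0 * sum(vendors.values()) / len(vendors), 1)


def regulation_compliance_pct(controls):
    """Percentage of applicable controls passing; 'n/a' is excluded."""
    applicable = [s for s in controls.values() if s != "n/a"]
    if not applicable:
        return 0.0
    return round(100.0 * applicable.count("pass") / len(applicable), 1)


def open_vulnerability_count(findings, min_severity="low"):
    """Number of open vulnerabilities at or above a severity threshold."""
    threshold = SEVERITY_RANK[min_severity]
    return sum(1 for f in findings
               if f["status"] == "open" and SEVERITY_RANK[f["severity"]] >= threshold)


def stale_measurements(measurements, as_of=AS_OF, max_age_days=MAX_AGE_DAYS):
    """Names of measurements older than the agreed reporting window."""
    return [m.name for m in measurements if (as_of - m.taken_on).days > max_age_days]


def trend(previous, current):
    """Signed change between two snapshots of the same measurement."""
    delta = round(current.value - previous.value, 1)
    direction = "up" if delta > 0 else "down" if delta < 0 else "flat"
    return delta, direction


def build_scorecard(as_of=AS_OF):
    """Assemble the three measurements and flag any that are out of date."""
    measurements = [
        Measurement("vendor_compliance_pct", vendor_compliance_pct(VENDORS),
                    date(2012, 1, 15), "annual vendor review"),
        Measurement("regulation_compliance_pct", regulation_compliance_pct(CONTROLS),
                    date(2012, 4, 30), "internal audit workpapers"),
        Measurement("open_vulnerabilities", open_vulnerability_count(FINDINGS),
                    date(2012, 5, 8), "vulnerability scanner export"),
    ]
    return {
        "values": {m.name: m.value for m in measurements},
        "open_high_or_critical": open_vulnerability_count(FINDINGS, "high"),
        "stale": stale_measurements(measurements, as_of),
        "measurements": {m.name: m for m in measurements},
    }


# Previous quarter's open-vulnerability figure (constructed) for a trend line.
PREVIOUS_OPEN_VULNS = Measurement("open_vulnerabilities", 6,
                                  date(2012, 2, 1), "vulnerability scanner export")

if __name__ == "__main__":
    card = build_scorecard()
    for name, value in card["values"].items():
        print(f"{name}: {value}")
    print("stale:", card["stale"])
    print("trend:", trend(PREVIOUS_OPEN_VULNS, card["measurements"]["open_vulnerabilities"]))
```

The vendor figure is flagged stale because it is more than 90 days old at the reporting date, which is the Timely criterion applied mechanically rather than by judgement.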
For quality information security consulting and services please contact ComSec @ http://www.comsecinc.com or 702-866-9412
Jeromie Jackson, renowned security analyst and highly sought-after consultant, is the CEO of ComSec, Inc. ComSec, Inc. provides information security, regulatory compliance, and IT governance services. Mr. Jackson was previously founder and Chief Technology Officer of Garrison Technologies, a well-respected security product integrator and consulting organization. Mr. Jackson is the President and founder of the San Diego Open Web Application Security Project (OWASP) Chapter and Vice President of ISACA San Diego, a speaker at many conventions, has been interviewed on several radio talk shows, and has been covered in Forbes Magazine. Today Mr. Jackson continues to consult enterprises and SMBs on measuring and improving their information security and risk management postures.
Security assessment services include Governance, Risk Management, Penetration Testing, Social Engineering, Security Awareness Training, Regulatory Gap Assessment (NCUA, FFIEC, FRB, OTS, Sarbanes Oxley (SoX), and HIPAA), Balanced Scorecards, COBIT & ITIL Alignment, & Web Application Assessments


Article Source: http://EzineArticles.com/1056886


What Exactly Is Best Practice?


The term Best Practice is a commonly used buzzword, particularly in the consulting community. I am often asked by clients to advise them on the best practice in a particular area of their IT operation and delivery. However, there is rarely a clear understanding of what this actually entails.
My favourite definition is that a best practice is a technique or methodology that, through experience and research, has proven to reliably lead to a desired result. An organisation which commits to using the best practices in any field is committing to using all the available knowledge and technology to ensure success.
However, the challenges to using Best Practice are significant.
In my experience there is rarely a single best way to undertake any given process and the effectiveness and efficiency of any solution depends on multiple factors which may be different for each organisation. In addition, the fact that a way of doing things is widely adopted or accepted may not make it the best solution, but rather it may be a commonly adopted compromise in terms of cost-benefit.
In some cases the use of best practice can be detrimental to an organisation. Another company's way of operating may be a failure in a different cultural or organisational environment. Rigorous adherence to best practice standards can serve to limit organisational improvement and innovation.
Furthermore, it is important that current processes and procedures are not simply discarded in a search for a better way since these often represent significant investment in intellectual capital and have developed over time in a way that may best suit the organisation in question.
When looking to identify best practices, we therefore look for commonly accepted standards (where they exist) and also at comparable organisations to determine how a process can be performed.
Some examples of relevant and potentially useful standards in the Information Technology world include PMBOK and PRINCE2 (Project management), TSP/PSP, Agile, RUP, UML and BPMN (Software development), ITIL and COBIT (Information technology governance), SOA, J2EE, Web Services and TOGAF (Enterprise architecture), Six Sigma and CMMI (Process improvement) and ADKAR (Change management).
Once we have selected a proposed process, in agreement with the relevant staff from within the organisation, we recommend that the new process be piloted with a small group or project to validate its operation within the target business and to begin creating organisational learning and experience which can be leveraged to support the wider adoption.
Finally, for any process regardless of whether it is existing or new, the most important step is to commit to ongoing evolution and improvement using tools such as Six Sigma to guide the future development. Ultimately, the very best practices are simply those which operate efficiently and effectively and add value to your specific business operations.
Chris Young is the founder of White Water Consulting (http://www.whitewater.com.au) and is a senior consultant with a broad knowledge and experience in financial services, change management and information technology. His areas of focus include delivering business-aligned IT strategy and implementing best practices in process improvement, project management and software development process. White Water Consulting provides practical solutions to designing and implementing information technology strategy. By remaining independent of solutions and solution providers White Water Consulting can concentrate on your actual business needs and recommend strategies that are pragmatic and cost effective.


Article Source: http://EzineArticles.com/958805




Capability Maturity and Process Assessment


Introduction
Many organizations depend on IT for their core and critical business services. Being confident in a service provider's capability to deliver IT services is therefore important for a range of strategic, tactical and operational activities. Higher levels of capability give greater confidence that an organization can deliver the desired business and IT services. Lower levels of capability may indicate potential sources of risk.
Benchmarking and comparison with best practice
Benchmarking and assessment tools help senior managers to understand areas of weakness, risk and what can be done more efficiently. Comparing the current situation with international standards and best practices is a good starting point for assessing current capability and planning improvement.
In addition to performance and customer satisfaction benchmarks, many organizations assess their service management capability and IT processes using:
- ISO/IEC 20000 IT Service Management series
- ITIL service management best practices
- COBIT
- ISO/IEC 15504 series
A capability maturity model (CMM) or process assessment model (PAM) can be used by an organisation as the framework for benchmarking, internal assessment and planning improvement.
Using COBIT maturity models
COBIT 4.1 (published by ITGI and ISACA, 2007) provides guidance on maturity modelling for management and control over IT processes, based on a method of evaluating an organization's processes on a maturity scale from non-existent (0) to optimised (5).
The COBIT generic maturity attribute model is useful for performing a high level assessment for a range of processes. It provides a useful model to identify where issues are and how to set priorities. There is also a specific model based on the generic scale for each of COBIT's 34 IT processes.
ISO/IEC 20000 series
ISO/IEC 20000-1, published in April 2011, is the core of the 20000 series, providing the basis for establishing a Service Management System (SMS), service improvements, management reviews, and internal and certification audits. Part 1 is a set of requirements that are compulsory for a certification audit, and is often regarded as the destination to be reached.
ISO/IEC 20000-4, published in 2010, defines a service management process reference model aligned to Part 1. The process reference model defines each Part 1 process using inputs, outputs and activities. Although it can assist with process design, it was developed as the basis of a five-level process assessment model (PAM).
Using ISO/IEC 15504 and process assessment models (PAM)
The 15504 series sets out the requirements for performing a process assessment and writing a process assessment model (PAM) that is conformant. There are general requirements that apply to all types of assessments and specific requirements that apply to assessments of process capability and organizational maturity.
A process assessment model is composed of a set of indicators of process performance and process capability. The indicators are used as a basis for collecting the objective evidence that enables an assessor to assign ratings for each process. Using 15504 helps to ensure that the assessment output is self-consistent and provides evidence to substantiate the ratings.
Work is currently under development to produce ISO/IEC 15504-8, an Exemplar IT Service Management Process Assessment Model. Several pilots are underway using the draft PAM.
This article was submitted on behalf of Connectsphere by Jo Da Silva.
ConnectSphere provides consulting and professional development services to help organizations to adopt ITIL® service management best practices and use ISO/IEC 20000. Managing Director Shirley is UK Principal Expert on the ISO and BSI committees that develop IT, IT service management and process assessment standards. If you want to find out more about using the IT Service Process Assessment Model and ISO/IEC 20000, contact ConnectSphere at http://www.connectsphere.com - They are specialists in IT Governance and ITIL Training Courses.
ITIL ® is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries.


Article Source: http://EzineArticles.com/6241568


What IT Service Management Training Is Available?


The variety and depth of IT Service Management training has changed over the years.
Way back we all 'knew' our qualifications: first there was ITIL and the Managers certificate, and then came the Foundation. Then for a long time, during the reign of ITIL V2, we had the familiar Foundation, Practitioner and Managers certificates.
Foundation, the entry prerequisite for further qualifications, prepared you with a brief exploration of some key processes from the framework, which you could cover in greater depth at Practitioner level. The final hurdle was the Managers Certificate, widely recognised as a tough exam which demonstrated a wide knowledge of IT Service Management, not just what was captured in the core ITIL publications.
Now we have the renewed framework and qualification structure for ITIL V3, which specialises in the Service Lifecycle as described in the ITIL publications.
We still have the Foundation, the entry-level, required for any further progression in the qualification structure as before. But as the ITIL examination structure now covers considerably more information than previously, the level and depth of understanding at Foundation level is considerably reduced.
The next layer of qualification is the Intermediate level. Here the qualifications split into two distinct streams: Lifecycle and Capability. Both streams focus on the content of the ITIL publications, the Lifecycle stream looking at the management challenges for the Lifecycle stages, the Capability stream looking at the process management in grouped segments of the Lifecycle. These take the understanding of the framework as captured in the publications to much greater depth, so much so that it is recommended that students complete some preparation between Foundation and Intermediate, to ensure they have studied the framework in more detail than is delivered at Foundation.
Unlike the previous Practitioner courses, which were 'stand alone', these qualifications are not only recognised individually, but also build credits towards the Intermediate Expert qualification. A mix of disciplines is recommended to attain the required number of credits to achieve the higher qualification.
Expert status can only be granted once the required number of credits has been achieved, and the qualification of 'Managing Across the Lifecycle' has been passed. This last examination tests the candidates' knowledge of the complete management of the Service Lifecycle, as described in the ITIL publications.
Once the required number of credits is achieved, (described on the Official ITIL website http://www.itil-officialsite.com/Qualifications/ITILV3QualificationScheme.asp) the qualification of ITIL Expert can be applied for and is awarded.
All of the qualifications are based on multiple choice examinations (of varying complexity), so they are specific to the framework publication, allowing no variation or originality of IT Service Management thinking, as could previously be achieved in the written examinations for both the Practitioner and Managers certificates in V2.
The final level of qualification - the ITIL Master, has not yet been formally released, although there is a pilot scheme currently in operation (article date October 2010).
In the IT Service Management arena we also have the qualification schemes that have arisen around ISO/IEC 20000, the IT Service Management standard. Some of the qualifications have been linked to specific certification schemes, but they provide education relating to the standard and its attainment.
As with the ITIL qualification structure, ISO/IEC 20000 begins with a Foundation qualification, introducing the standard at an entry level. Beyond this, the qualification structure splits according to requirement, for Auditors (those who will be involved in the governance and audit against the standard) and for Consultants (those who will be involved in the guidance for implementing the requirements of the standard).
These qualifications are applicable to those who wish or need to know more about the ISO/IEC 20000 standard. They are extremely helpful to those who are intending to attain the standard in their organisation.
Then we have COBIT - the framework for IT Governance and Control. Process driven, and providing guidance on the governance and audit of IT services. This also has a Foundation qualification, to introduce the concepts and provide a basic understanding of the framework.
These are the main frameworks that have recognised qualifications applying to IT Service Management. There are many more individual qualifications being developed by the various Examination Institutes, but these are too numerous to mention. This article does not cover the qualifications provided by the HelpDesk Institute for the development and improvement of service desks and customer service.
The choices are many and varied, and continue to increase as more qualifications are developed. Your Accredited Training Organisation will be able to help you identify the best programme to meet your needs.
"ITIL® is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries"
Helen Morris, director of Henry Gale Associates Ltd., co-founder of Helix SMS Ltd., specialises in IT Service Management and Best Practice implementation in global organisations. Helen is a skilled and highly qualified consultant working in private and public sectors. With over 25 years of IT experience, she has valuable perception and insight into the issues facing businesses today.


Article Source: http://EzineArticles.com/5253486


ITIL - Understanding and Using IT Service Management


'ITIL' is a term that is fast gaining currency around the IT world. It is often wrongly described as 'IT governance' - in fact, on its own, it certainly isn't this. ITIL is a collection of best practices that helps companies implement an IT Service Management culture. However, its growing popularity reflects the substantial impact it can make on a company's IT and business performance and the fact that, in combination with other frameworks, it is a vital ingredient in creating true IT governance.
What is IT Service Management?
Today's businesses are increasingly delivered or enabled using information technology. Business and IT management need guidance and support on how to manage the IT infrastructure in order to cost-effectively improve functionality and quality. IT Service Management is a concept that deals with how to define and deliver that guidance and support. In common with other modern management practice, it views things from the customer's perspective, i.e. IT is a service that the customer or consumer receives. It can be made up of hardware, software and communications facilities, but the customer perceives it as a self-contained, coherent entity.
So what is ITIL?
Standing for 'IT Infrastructure Library', ITIL is a set of best practices that are at the heart of the IT Service Management approach. It provides guidance on how to manage IT infrastructure so as to streamline IT services in line with business expectations. ITIL is a best practice framework, presenting the consolidated experience of organisations worldwide on how best to manage IT services to meet business expectations.
ITIL was originally developed during the 1980s by the UK's Central Computer and Technology Agency (CCTA), a government body, which created ITIL version 1 as an approach to incorporating various vendor technologies and serving organisations with differing technical and business needs. CCTA has now become part of the Office of Government Commerce (OGC), which, as official publisher of the ITIL library, updated it, published version 2 and continues to develop and support it.
ITIL has since become widely adopted across the world in both public and private sectors and is recognised as best practice, being deployed in organisations of all shapes and sizes.
What makes up the ITIL Library?
ITIL documentation consists of seven 'sets' or 'volumes': Service Support, Service Delivery, ICT Infrastructure Management, Security Management, Planning to Implement Service Management, The Business Perspective and Applications Management.
Of these, Service Support, Service Delivery and Security Management are considered the central components of the ITIL framework, covering vital issues such as Incident Management, Configuration Management, Change Management, IT Service Continuity Management, Availability Management and IT Security Management.
Learning about ITIL
The seven ITIL volumes are published by The Stationery Office, the official publisher of the UK government. In addition, to gain an overview and a sense of how to navigate these, it is helpful to consult one of several recommended introductory texts. 'Foundations of IT Service Management Based on ITIL - An Introduction' is widely accepted as the best starting point and self-study guide. 'Implementing Service and Support Management Processes - A Practical Guide' is a thorough and comprehensive handbook on the subject, while the 'itSMF Pocket Guides' provide a good overview of each of the ITIL components.
Getting certified
Part of the reason for the recent growth in ITIL awareness is the publication in December 2005 of a new global standard to which businesses can become certified. ISO 20000 (or ISO/IEC 20000:2005, to give it its correct name) is closely based upon the pre-existing British standard BS15000 - in fact, it is virtually indistinguishable. The standard comprises two parts: ISO/IEC 20000-1 is the specification for IT Service Management against which an organisation's practices can be certified; ISO/IEC 20000-2 is the 'code of practice' that describes best practices and the requirements of Part 1.
BS15000 has become widely used around the world since it was published in 2003 and was adopted virtually unchanged as the national standard in Australia and South Africa. A number of companies across the USA, Europe and Asia have already become certified as BS 15000 compliant. We also recommend several excellent books that provide guidance on achieving BS15000/ISO 20000 compliance.
Upon the publication of ISO 20000, BS15000 was withdrawn and individual standards and certification bodies are drawing up their own formal transition programmes for conversion to the new standard. Companies already holding BS15000 should encounter no difficulty in converting their certification to the new standard, as this should be one of the considerations addressed by the individual certifying bodies.
Practitioners can also pursue a structured programme of ITIL examination and certification, comprising the ITIL Foundation Certificate, ITIL Practitioners Certificate and ITIL Managers Certificate. Examinations and certification in Europe are managed through two independent bodies: EXIN, the European Examination Institute for Information Science; and ISEB, the Information Systems Examination Board. Between them, these two organisations control the entire certification scheme. In the United States, HDI is a principal organiser of examination and certification, and it and similar organisations provide coverage elsewhere around the world. These organisations ensure that personal certification is fair, honest and independent of the organisations that provide the training, and accredit training suppliers to bring about a consistent quality of course delivery.
ITIL and IT Governance
When combined with certain other frameworks, ITIL makes a major contribution to the creation of effective IT governance. ITIL processes can be mapped to CobiT (Control Objectives for Information and Related Technology) processes, and the two frameworks complement each other nicely: if the CobiT control framework tells the organisation 'what' to do in the delivery and support areas, ITIL best practices help the organisation define 'how' to deliver these requirements. Similarly, ITIL works very effectively with ISO 17799, the international code of best practice for information security, providing guidance on how to manage the various processes that ISO 17799 prescribes.
By drawing upon these three complementary frameworks as appropriate to its needs, an organisation can establish an IT governance regime that delivers real and lasting competitive advantage to its business.
Alan Calder is CEO of IT Governance Limited, an authorised international distributor of ITIL books (published by TSO on behalf of the Office of Government Commerce) and of British and international standards published by BSI. The seven ITIL volumes are available at http://www.itgovernance.co.uk/catalog/23, while introductory books may be accessed at http://www.itgovernance.co.uk/catalog/7. All items may be purchased online for worldwide delivery. For more information visit http://www.itgovernance.co.uk/itil.aspx


Article Source: http://EzineArticles.com/245168




The Top Five Sources of Best Practices Used in IT Auditing


The top five sources of IT security best practices consist of standards, frameworks and guidelines. The sources listed below are international organizations and governmental entities. The perspectives on IT security, risk and controls vary considerably.
IT auditors working in different technology environments know that the selection of best practice standards and frameworks is a critical task. There are invariably differences between the concepts in best practice documents and the implementation in real world technology environments.
This 'Top Five' list is intended to be used as a reference for IT auditors, security practitioners, risk managers, compliance professionals, IT administrators, software developers and the broad range of IT professionals. We hope to add value to the overall IT professional community.
1. Control Objectives for Information and related Technology (COBIT). Published by ISACA.
The latest version is COBIT 4.1, which consists of generally accepted best practices, processes, measures and indicators for IT governance and control. The formal mission is "to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors". COBIT 4.1 contains 34 high-level processes which cover 318 control objectives and are categorized in the four domains below:
- Planning and Organization
- Acquisition and Implementation
- Delivery and Support
- Monitoring and Evaluation
2. ISO/IEC 27001 IT Security Techniques -- Information Security Management Systems. Published by the International Organization for Standardization.
This is an Information Security Management System (ISMS) standard which is part of the ISO/IEC 27000 family of standards. The official name is ISO/IEC 27001:2005 - Information Technology -- Security Techniques -- Information Security Management Systems -- Requirements. The standard was created in 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The objective is a management system for information security.
The standard emphasizes a risk management approach in which an organization identifies, analyzes and evaluates risks. The focus is on reducing risk in a range of areas where information security could be compromised. There are over 130 controls defined as part of the standard.
3. Center for Internet Security (CIS) Benchmarks
The Center for Internet Security (CIS) Benchmarking and Metrics Division publishes consensus best practice standards for security configurations. Information security metrics and other resources are also published to measure security status and to make decisions about security investments. The official objective is to 'reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls.'
The Benchmarks are detailed recommendations for technical control rules and values in operating systems, middleware and software applications and network devices. There are 53 different benchmarks including Unix and Microsoft Windows operating systems, Oracle and Sybase databases, Cisco and Juniper network routers and more. These benchmarks were created through a consensus of hundreds of security professionals in business, industry, government and academia worldwide.
4. US Department of Defense, Security Technical Implementation Guides (STIGs)
Security Technical Implementation Guides or 'STIGs' contain guidelines for the standardized installation and maintenance of computer software and hardware. The US Defense Information Systems Agency (DISA) created these best practices as a series of configuration documents in support of the US Department of Defense (DoD).
The STIGs are standards to configure systems and devices. These standards are intended to be used in conjunction with security checklists which are also known as lockdown or hardening guides. There are also Security Readiness Review Scripts (SRRs) for testing systems for compliance with the STIG configuration.
The STIGs cover most operating systems, databases and web servers.
5. US National Institute of Standards and Technology (NIST), Computer Security Division, Special Publications (SPs).
These 'special publications' are designed to help secure our nation's information and information systems. There are over 300 NIST information security documents including Federal Information Processing Standards (FIPS), NIST Interagency Reports (NIST IR), the Special Publication (SP) 800 series and the Information Technology Laboratory (ITL) Bulletins.
The SP 800-series is based on ITL research, guidelines and outreach efforts with industry, academic and government organizations.
The 'special publications' are organized into 'families' focused on a specific aspect of IT security and control such as risk assessment, access controls, audit and accountability, system and information integrity and contingency planning. Some examples of specific guides are the Guide to General Server Security, Guide to Secure Web Services, Guidelines on Electronic Mail Security and Security Considerations in the System Development Life Cycle.
Looking for certified IT auditors at reasonable rates? Continental Audit Services is your provider to control risks, improve security and comply with regulations. IT best practices applied to all major operating systems, databases and other technology. Visit http://www.continentalaudit.com.


Article Source: http://EzineArticles.com/5685231




Proposing An Information Security Awareness Program


Risks to confidentiality, integrity, and availability of organizational information assets are constant, yet evolve on a daily basis. Individuals need to be informed and prepared for information security threats directed towards them, their computers, and ultimately their way of life. These threats take on many forms, but they all fit in certain established and identifiable categories. An individual's ability to distinguish between benign incidents and an actual information security threat or risk rests on the breadth and depth of security awareness training they have received.
Proposing that an Information Security Awareness Program be developed for the employees of your organization to educate them on the information security risks they face while utilizing organizational information assets, and by extension, their personal information is a wise move for IT executives to make. The awareness program can be developed in conjunction with the implementation of an overall IT Governance methodology such as COBIT or as a standalone program depending on the IT maturity level of your organization.
Firewalls, intrusion detection, and intrusion prevention systems, although a requirement for today's network, cannot completely defend an organization from current security threats. Organizations need to ensure that their employees, vendors, partners, and subcontractors will not leave the organization vulnerable to risks such as operational disruptions, loss of valuable information assets, public embarrassment, or legal liability through a lack of information security awareness.
There is not only a clear need from a practical standpoint to ensure individuals receive adequate and properly funded training in the protection of organizational and personal information assets, but depending on your organization's industry there may also be regulatory requirements such as HIPAA and SOX to do so. The development and implementation of an information security awareness program should encompass a mandatory annual refresher component to ensure the promotion of a security aware culture among employees.
Information security has become a key concern among information technology professionals and that concern, when shared by management, will benefit organizations as a whole. Top-down management support is crucial for the survival of the program and its goal of creating a culture of information security awareness within the organization. The program would also be a valuable component of showing that executive management is performing due diligence in securing organizational information assets.
Written by Claudio LoCicero, M.S.
Over his career he has held several technical and management positions both in the United States and overseas within the private and government sectors.
He holds a Master of Science in Information Technology with an Information Security Specialization from a university designated as a National Security Agency Certified Center of Academic Excellence for Information Assurance. He also holds numerous professional certifications such as the Project Management Professional (PMP), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Information Technology Infrastructure Library (ITIL) Foundation, along with several other professional certifications from Cisco, Microsoft, and the National Security Agency (NSA).
He is an active member of the International Information Systems Security Certification Consortium (ISC2), Information Systems Audit and Control Association (ISACA), Information Systems Security Association (ISSA), and the Project Management Institute (PMI).


Article Source: http://EzineArticles.com/741389




Compliance With ISO27001 - Is It Really Necessary?


In today's high technology environment, organizations are becoming increasingly dependent upon their information systems. Information is widely regarded as the life blood of the modern enterprise, and consequently the security controls surrounding these systems are becoming a differentiating factor in customer choice. With data held on many of the most sensitive aspects of the business, including key third party stakeholders, information security has become a focal point of all business initiatives. The protection of information assets - information security - is therefore overtaking physical asset protection as a fundamental corporate governance responsibility.
Organizations are facing a flood of threats to their information, with new challenges emerging almost daily. Any breach of security can have a severe effect on the operational running, reputation, or legal compliance of the organization. Damage to any one of these areas can be measured by its impact on the bottom line, in both the short and long term. It is self-evident that organizations should, therefore, take appropriate steps to secure and protect their information assets. This is now particularly relevant given the web of legislation and regulation to conform to, which makes firms criminally liable and in some instances makes directors personally accountable for implementing and maintaining appropriate risk control and information security measures. It is no longer enough to find and fix vulnerabilities on an ad-hoc basis. Only a comprehensive, systematic approach will deliver the level of security that any organization really needs.
Today, security processes need to be well documented and substantiated. So it's no longer good enough to be secure; organizations have to be able to prove they are secure. If done correctly, this additional layer of regulatory scrutiny and reporting can help enterprises combine their security and compliance programs better to streamline efforts, control costs and keep networks secure and compliant.
With the key corporate governance objective being to ensure that the organization has an appropriate balance of risk and reward in its business operations, information security requirements should be identified by a methodical assessment of security risks, with expenditure on risk controls needing to be balanced against the business harm likely to result from security failures.
The most practical and effective way for policy makers to handle their information security risks and obligations is to adopt and implement an information security policy and an information security management system (ISMS) that is capable of being independently certified as complying with ISO/IEC 27001:2005. The standard is the internationally recognized, independently developed framework for the management of information security. While compliance with the standard does not of itself confer immunity from legal obligations, it does point clearly to management's implementation of best practice and of effective IT governance. Security risks managed in this systematic and comprehensive manner give the organization a competitive advantage through adherence to an international best practice standard. Certification to ISO27001 can also form part of any legal defense required after a security breach.
An ISO27001 ISMS supports, but does not by itself guarantee, compliance with regulatory requirements and standards such as the following; each must still be mapped into the risk assessment and the selected controls, and checked against the regulator's own tests:
o Sarbanes Oxley (SOX) requires companies to disclose information regarding finances and accounting. SOX helps prevent financial malpractice and improper accounting disclosures. All US-listed companies must adhere to SOX regulations.
o Gramm-Leach Bliley Act (GLBA) requires financial institutions to protect customer data and provide privacy notices. Banks and financial institutions must follow GLBA.
o Health Insurance Portability and Accountability Act (HIPAA) requires health care organizations to ensure the privacy of personal health information. Hospitals, medical centers and any business dealing with patient medical records must comply with HIPAA.
o The Payment Card Industry Data Security Standard (PCI DSS) specifies how to secure information systems and media containing cardholder account information to prevent access by, or disclosure to, any unauthorized party. PCI DSS also covers the effective deletion of unnecessary data. Companies that store, process or transmit cardholder data must follow PCI DSS.
o COBIT is an IT governance framework and supporting toolset, rather than a regulation, that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations increase the value attained from IT, and enables business/IT alignment.
ISO27001 provides a single coherent and over-arching framework for compliance with all the regulations and standards laid out above, while also actually providing a risk assessment-based approach to information security. Nonetheless, in order to achieve a risk assessment that is completed methodically, systematically and comprehensively an appropriate software tool is a must. It is practically impossible to carry out and maintain a useful risk assessment for an organization that has more than about four workstations without using such a tool that contains fit-for-purpose databases of risk threats and vulnerabilities. This is because the risk assessment is a complex and data-rich process. And for an organization of any size, the only practical way to effectively undertake the project is to create a database that contains details of all assets within the scope of the ISMS, and then to link, to each asset, the details of its (multiple) threats and (multiple) vulnerabilities, and their likelihood and resulting impacts, together with details of the asset ownership and its confidentiality classification.
The risk assessment process is made enormously simpler if ready-made databases of threats and vulnerabilities are used. The database should also contain details of the control decisions made as a result of the risk assessment, so at a glance, it easy to see what controls are in place for each asset within the ISMS. To one extent or another, the software tool chosen to perform the ISMS should automate the risk assessment process and generate a Statement of Applicability. It should also encourage the user to perform a thorough and comprehensive security audit on the organization's information system, while not generating too much paperwork. The chosen software should produce risk assessment results that are easily comparable and reproducible.
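As an added example that is not part of the original article or of any product mentioned on this page, the register the two paragraphs above describe can be modelled in a few dozen lines: assets with owner and classification, each linked to its (threat, vulnerability) pairs with a likelihood and impact, the treatment decision and control recorded per risk, and a Statement of Applicability generated from those decisions. The control identifiers are an illustrative subset of ISO/IEC 27001:2005 Annex A; the assets, scores and treatment decisions are constructed, not taken from any real assessment.

```python
"""Toy ISO 27001-style risk register (added example; all data constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Illustrative subset of ISO/IEC 27001:2005 Annex A control identifiers.
CONTROL_CATALOGUE: Dict[str, str] = {
    "A.9.1.2": "Physical entry controls",
    "A.10.4.1": "Controls against malicious code",
    "A.10.5.1": "Information back-up",
    "A.11.2.1": "User registration",
}
TREATMENTS = {"mitigate", "accept", "transfer", "avoid"}


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str            # accountable person who signs off the treatment decisions
    classification: str   # "public" | "internal" | "confidential"


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int                # 1 (rare) .. 5 (almost certain)
    impact: int                    # 1 (negligible) .. 5 (severe)
    treatment: str = "mitigate"
    control: Optional[str] = None  # Annex A control chosen when treatment == "mitigate"

    def __post_init__(self) -> None:
        # Reject scores off the scale and mitigations that name no real control.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact use a 1..5 scale")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {self.treatment!r}")
        if self.treatment == "mitigate" and self.control not in CONTROL_CATALOGUE:
            raise ValueError(f"mitigated risk on {self.asset.name} needs a catalogue control")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def ranked(register: List[Risk], appetite: int) -> List[Risk]:
    """Risks at or above the risk-appetite threshold, highest score first."""
    return sorted((r for r in register if r.score >= appetite),
                  key=lambda r: (-r.score, r.asset.name))


def untreated(register: List[Risk], appetite: int) -> List[Risk]:
    """Risks above appetite that were accepted without a control: each needs an
    explicit, owner-signed acceptance rather than silent tolerance."""
    return [r for r in register if r.score >= appetite and r.treatment == "accept"]


def statement_of_applicability(register: List[Risk]) -> Dict[str, dict]:
    """For every catalogue control, record whether it is applied and which
    asset/threat it addresses, which is the justification the SoA must carry."""
    soa = {cid: {"name": name, "applicable": False, "justification": []}
           for cid, name in CONTROL_CATALOGUE.items()}
    for r in register:
        if r.control:
            soa[r.control]["applicable"] = True
            soa[r.control]["justification"].append(
                f"{r.asset.name}: {r.threat} via {r.vulnerability}")
    return soa


# Constructed sample register.
MEMBER_DB = Asset("member database", "Head of IT", "confidential")
TELLER_WS = Asset("teller workstations", "Branch manager", "internal")
REGISTER: List[Risk] = [
    Risk(MEMBER_DB, "data theft by external attacker", "shared admin accounts", 3, 5, "mitigate", "A.11.2.1"),
    Risk(MEMBER_DB, "ransomware", "no offline backups", 2, 5, "mitigate", "A.10.5.1"),
    Risk(TELLER_WS, "malware infection", "no anti-malware agent", 4, 3, "mitigate", "A.10.4.1"),
    Risk(TELLER_WS, "theft of hardware", "unlocked server room door", 2, 2, "accept"),
]

if __name__ == "__main__":
    for r in ranked(REGISTER, appetite=10):
        print(f"{r.score:2d}  {r.asset.name:20s} {r.threat} -> {r.treatment} {r.control or ''}")
    for cid, entry in statement_of_applicability(REGISTER).items():
        print(cid, entry["name"], "applicable" if entry["applicable"] else "not applicable")
```

Reproducibility, which the paragraph above asks of a tool, comes from the fixed scales and the validation in the constructor: two assessors entering the same likelihood and impact get the same score, and a "mitigate" decision cannot be recorded without naming the control that implements it.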
One such tool on the market, developed to help organizations quickly and easily carry out an ISO27001-compliant risk assessment, is the ISMS tool vsRisk(TM), the Definitive ISO27001:2005-Compliant Information Security Risk Assessment Tool. It offers a wizard-based approach to simplify and accelerate risk assessments, asset-by-asset identification of threats and vulnerabilities, easy import of additional controls to deal with risks, and integrated threat and vulnerability databases that are continually updated. In terms of functionality, ease of use, value for money and alignment with the requirements of ISO27001, vsRisk(TM) is the most complete ISMS software tool on the market.
Effective risk management is a continuous Plan-Do-Check-Act-Cycle which means that the risk assessment must be regularly revisited at planned intervals and take into account changes in the business environment, regulatory bodies, and a review of the residual risks. However, following the initial resource intensive phase of the ISMS implementation the organization should find subsequent reviews of the ISMS are much less labour intensive and relatively easily maintained with the aid of the right software tool.
* vsRisk(TM) can also be found as part of the No 3 Comprehensive ISO 27001 ISMS Toolkit, a necessity for organizations looking to accelerate their ISO27001 project and develop an ISO27001-compliant Information Security Management System (ISMS).
Chris Hanwell is the Product and Services Executive of 27001.com (itgovernance.co.uk), the one-stop-shop for information security books, tools, training and consultancy


Article Source: http://EzineArticles.com/1099155






Meeting Regulatory Standards for Compliance: Seven Tips to Help Insurers Guarantee Effective Enterprise-wide Data Searches

As an insurer, you probably recognize the value of digital storage and workflow automation for business. Not only does it accelerate processing speeds and improve service; it makes the burden of regulatory compliance significantly easier. In order to meet regulatory standards, efficient data collection across the enterprise is critical. You need to be able to use that data when and where it is needed. 

From HIPAA and Sarbanes Oxley to market conduct examinations, regulatory issues such as Solvency II, and more, mounting regulations continue to dictate the way we store information and conduct everyday business. Establishing clear policies that respond promptly to regulatory changes and implementing them effectively helps you to protect your leaders and your company. Still, you need immediate, thorough, and accurate audit trails to demonstrate your commitment to the policies you create. 

The time-consuming measures you have to put in place to respond to increasing regulations can be frustrating, but they aren’t avoidable. The regulations are not going to disappear; in the wake of numerous recent financial scandals and the ensuing economic crisis, they are expected to proliferate. The sooner you get a handle on your information, the better equipped you will be to survive public and private scrutiny from government, compliance officers, and auditors. 

Here are a few tips to help you stay afloat in the turbulent sea of changing regulations: 

1) Create a central repository for all of your information. Although digital capture and storage improves data quality and makes data access easier, faster, and more secure, ‘going digital’ alone is not enough. Electronic files should be stored in a single, central electronic document management (EDM) repository, or that repository should point to the location of files that are stored in multiple systems. This enables centralized queries and searches, rather than probing through multiple digital data silos when you need information quickly. It gives you and your auditors instant, detailed insight into your business transaction details. 

2) Configure your document management system to restrict access to information in accordance with regulations and your internal policies. Make sure your system has the flexibility to let you define and limit access by business unit, department, a person’s role or position, and individual. Make sure it can also prohibit access to specific pages within routine documents that contain sensitive information. 

3) Take into consideration the enterprise-wide needs for the data within your documents that you weren’t originally planning to catalog as you create a file indexing plan. The data may be vital to another department’s or individual’s process. Understand how people with diverse job functions search for information so you can make it quick and easy for them to find it when it’s needed. Make sure any data they need to find from the files is included in your indexing plan. Making changes to the indexing scheme later in order to correct current oversights is very costly. 

4) Take care that your enterprise search application fully integrates with your electronic storage repository. This helps you to guarantee a complete return of requested files and data. Otherwise, you may encounter errors and omissions as a result of poor interoperability between your document management repository and the search tools you use. 

5) Choose an enterprise search application that lets you access data in structured forms and files as well as unstructured data stored in your repository, such as data stored in handwritten correspondence or emails. Comprehensive search will save you and your staff considerable time, and you will rest easier knowing that your queries aren’t overlooking anything. 

6) Make sure your system provides clear, structured data in an auditable format that will meet the needs of auditors and compliance officers. Electronic queries should provide details of all file access and business transactions involving digital media. This makes it easier to prove compliance with the information governance policies you establish and communicate. 

7) Don’t forget to include email archival and indexing in your document management system. Some sources suggest that businesses store as much as 90% of their critical data in email communications. The ability to search email messages and attachments that have been archived and indexed ensures thorough and fast access to important information, saving you time and money. When you need to search email to show proof of compliance or to support other documentation, you’ll be glad not to have to resort to slow manual searches. 

Compliance Scenario: Before and After EDM 

Let’s imagine someone in your company—for whatever reason—obtains and shares private information about a person whom the company recently insured, who has health problems. The insured person learns through a conversation related to a job application that her potential employer is aware of her health issues, but she knows that she has never mentioned them. She suspects that someone on the insurer’s staff saw information on the health insurance application and leaked it to the potential employer, and she files a lawsuit against the company. The court issues a subpoena for her application and any records pertaining to who accessed it, when, and for what reason. 

In a paper-based system, your compliance routine might look like this: 

• Management talks with the appropriate person about the files that need to be pulled. 

• The records manager discovers that the health insurance application is missing. Only pre-specified employees who are legally allowed to access the files – those who rely on the information to do their jobs and service the client – are permitted access. 

• Management approaches every person in the office who was permitted to access the insured’s files, but no one claims to have pulled the document since the day it was approved and sent to the records manager for appropriate storage. 

• Management assumes staff is innocent, but asks the appropriate staff members to search their offices for the application, which is not found. 

• The records manager is instructed to search through the files of others whose applications were logged as being pulled from the files on the same day. 

• Fortunately, the file is found, stuck to another applicant’s file that was checked out the same day. 

• Since there was no record of authorization to pull the applicant’s file from storage, and yet it was missing, the company cannot prove its staff is innocent of foul play. The lawsuit moves forward, requiring additional records relating to the staff member who is suspected. An inordinate amount of time is wasted on searching for and pulling documents. In addition, the company pays considerable fines because it cannot prove compliance beyond doubt. 

In a mixed media system with partly digital records and partly paper, the same routine might look like this: 

• The records manager searches the paper files for the application in question. 

• The human resources manager searches through sensitive digital records that are under her domain as well as supporting paper documentation. 

• Files are compiled and presented for analysis. 

• There is some data inconsistency about the employee, most likely resulting from errors in the manual data entry of information. 

• Both the records manager and HR manager lose valuable time conducting an exhaustive search. Since not all files are digital, nor are they in one place, considerable time is wasted, and the audit trail is not complete. 

Imagine the same scenario, with everything stored in a single, centralized EDM system: 

• The court subpoenas the applicant’s form and the HR records that are specific to the employee who is suspected of foul play. 

• Queries are built to retrieve the application as well as the suspected employee’s files. 

• The compliance officer and auditor are granted access to query the electronic files. They examine the file interactions remotely from their laptops, giving them direct access to the information they need and allowing the company’s staff to remain focused on other mission-critical work. 

• Clear audit trails show that the suspected person (the applicant’s agent) accessed the file and inappropriately forwarded its contents to a friend who works at the company where the insured had applied. 

• Company policy and corporate communications show the insurer regularly and clearly 

• Digital records show that the agent accessed those communications and was not oblivious of the rules. The insurer was also able to locate and produce a form signed by the employee in question that affirmed that he was aware of corporate policy. 

Result: The insurer is able to demonstrate corporate compliance with the policies the company set in place. 
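The access restrictions in tip 2, the auditable access record in tip 6 and the query the compliance officer runs in the scenario above, as an added Python example that is not part of the original article or of any product named on this page. The roles, business units, document, page restriction and sequence of events are constructed for illustration; a real system would keep the log in append-only, tamper-evident storage rather than in memory.

```python
"""Role- and unit-based document access with an append-only access log
(added example; policy and events are constructed)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Tuple

# Assumed policy: what each role may do, which roles may reach records of
# other business units, and which roles may open pages flagged as sensitive.
ROLE_ACTIONS = {
    "agent": {"read"},
    "underwriter": {"read", "annotate", "export"},
    "auditor": {"read"},
}
CROSS_UNIT_ROLES = {"auditor"}
SENSITIVE_PAGE_ROLES = {"underwriter", "auditor"}


@dataclass(frozen=True)
class Document:
    doc_id: str
    unit: str                  # business unit that owns the record
    sensitive_pages: frozenset # page numbers holding e.g. health information


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    unit: str
    role: str
    doc_id: str
    action: str
    page: Optional[int]
    allowed: bool
    reason: str


class DocumentStore:
    def __init__(self, documents: Iterable[Document]) -> None:
        self._docs = {d.doc_id: d for d in documents}
        self._log: List[AccessEvent] = []   # only ever appended to

    def access(self, user: str, unit: str, role: str, doc_id: str, action: str,
               page: Optional[int] = None, *, now: datetime) -> bool:
        """Decide the request and log it whether or not it was allowed: the
        denied attempts are exactly what an investigation needs later."""
        doc = self._docs.get(doc_id)
        allowed, reason = self._decide(doc, unit, role, action, page)
        self._log.append(AccessEvent(now, user, unit, role, doc_id, action, page, allowed, reason))
        return allowed

    @staticmethod
    def _decide(doc: Optional[Document], unit: str, role: str, action: str,
                page: Optional[int]) -> Tuple[bool, str]:
        if doc is None:
            return False, "no such document"
        if action not in ROLE_ACTIONS.get(role, set()):
            return False, "action not permitted for role"
        if unit != doc.unit and role not in CROSS_UNIT_ROLES:
            return False, "record belongs to another business unit"
        if page is not None and page in doc.sensitive_pages and role not in SENSITIVE_PAGE_ROLES:
            return False, "page restricted"
        return True, "permitted by policy"

    def audit_trail(self, doc_id: str) -> List[AccessEvent]:
        """Every attempt on one document, allowed or denied, oldest first."""
        return sorted((e for e in self._log if e.doc_id == doc_id), key=lambda e: e.ts)

    def denied_attempts(self, user: str) -> List[AccessEvent]:
        return [e for e in self._log if e.user == user and not e.allowed]


def build_sample_store() -> DocumentStore:
    """Constructed replay of the scenario: an agent reads the application,
    tries the restricted health page and an export, an HR user from another
    unit is refused, and the auditor later reviews the record."""
    store = DocumentStore([Document("APP-1001", "underwriting", frozenset({3}))])
    t0 = datetime(2012, 5, 10, 9, 0, tzinfo=timezone.utc)
    store.access("agent.smith", "underwriting", "agent", "APP-1001", "read", page=1, now=t0)
    store.access("agent.smith", "underwriting", "agent", "APP-1001", "read", page=3, now=t0.replace(minute=5))
    store.access("agent.smith", "underwriting", "agent", "APP-1001", "export", now=t0.replace(minute=7))
    store.access("hr.jones", "hr", "underwriter", "APP-1001", "read", page=3, now=t0.replace(minute=30))
    store.access("auditor.lee", "compliance", "auditor", "APP-1001", "read", page=3, now=t0.replace(hour=10))
    return store


if __name__ == "__main__":
    for e in build_sample_store().audit_trail("APP-1001"):
        print(e.ts.isoformat(), e.user, e.role, e.action, e.page, "ALLOW" if e.allowed else "DENY", e.reason)
```

The query the auditor needs is audit_trail(doc_id): it returns the denied attempts alongside the successful reads, so a pattern such as a read of the restricted page followed by a refused export is visible in one listing, without asking staff to search their desks.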

Today’s electronic document management and reporting tools give management, compliance officers, and auditors unquestionable proof of the access, movement, interaction with, and use of files and data. The 24/7 remote desktop access provided by web-based document management systems makes auditing a breeze, giving those who audit your files easy access while removing the burden of search from your shoulders. Effective enterprise search not only lets you deliver information and improve service to your customers; it provides information to others who need it while making sure you aren’t distracted from focusing on the business at hand. 

Summary 

Meeting regulatory standards for compliance is only going to become more complicated as regulations increase. By digitizing your information, storing it in one place, and establishing effective search across your enterprise, you gain control over your information and how it is used. How you use the extra time you gain through the increased efficiency is up to you. 

Optical Image Technology offers an integrated suite of imaging, document management, and workflow software. The DocFinity suite includes document archiving, lifecycle management, electronic forms, and email management products that support compliance. To learn more about our products and services, visit our website at http://www.docfinity.com, or call us at 800-678-3241. 

©2009 Optical Image Technology, Inc. All rights reserved. DocFinity, IntraVIEWER, and XML FormFLOW are trademarks or registered trademarks of Optical Image Technology, Inc. 

 by: Laurel Sanders - http://www.docfinity.com 

IT Governance - The Basics


What Is IT Governance?
At the macro level, successful IT governance is accomplished by basing IT practices on high-quality, well-defined, repeatable processes. At the micro level, IT governance focuses on developing precise policies, clearly defined procedures, and scrupulously detailed documentation. In addition to zeroing in on these areas, IT governance also constitutes a forward-looking plan for continual improvement.
Types of Governance Models
There are two main public models for IT governance. The IT Infrastructure Library (ITIL) is a widely accepted approach. Specifically developed for IT service management and operations, ITIL is a framework of best practices that are documented in an abstract fashion to be applicable to any IT organization. ITIL's main focus is to provide service objectives, key activities, and key performance indicators for applications management, IT service delivery and support, infrastructure management, and business perspectives. This method is divided into 48 modules/processes.
Elsewhere, the Control Objectives for Information and related Technology (COBIT) is used as a control framework for corporate IT processes. Organizations use COBIT to manage accountability of IT resources, focus resources on business goals, and to build a framework for risk assessment. It divides information technology into 34 modules/processes that are further organized into four domains: planning, acquiring and implementing, delivery and support, and monitoring.
Action Plan
1. Get executives on board. IT governance is a control management system that enables you to translate a strategic vision into practical and measurable actions. If the top executives don't understand and support a strategic framework for IT governance, then the outcome won't have value. Also, governance is embedded in organizational culture and politics, not just processes. Backing from the C-level team is therefore critical.
2. Know what you're working towards. Reviews of successful IT governance models have revealed that there are characteristics common to all models. Derived from industry standards, the following outcomes are indicative, but not exhaustive, of well-executed governance deployments:
  • Complete, flexible IT structure geared toward the delivery of business applications. 
  • Centrally managed IT infrastructure, as well as centralized IT staff. 
  • Estimated project costs based on a five-year lifecycle cost. 
  • Project portfolio management in place. 
  • Clearly defined reporting relationships and strict adherence to standards.

3. Use modules from the standards bodies. An IT shop in a mid-sized company won't be able to implement ITIL or COBIT in whole - they are simply too big and all-encompassing. You can, however, use the parts of them that speak directly to your particular needs. For example, if the help desk is your worry, then use the help desk module from ITIL, as the government of Ontario did. When using this module-by-module approach, keep the following tips in mind:
  • Be sure to first benchmark the trouble area before moving ahead with the module. This way, you will be able to better measure performance over time. 
  • Continue to stay focused on this one area of change, as training, implementation, and change management will pose major ongoing challenges. 
  • Use such projects as a learning experience. Document everything and use this information when moving on to the next area that could use governance.

4. Tie in governance with compensation. Management must lead the charge when implementing IT governance. Bonus programs for employees will have to change to reflect a focus on positive metrics and key performance indicator improvements.
In Summary
IT governance plays an important role in making companies more successful via streamlined and standardized processes. Get started now to realize long-term benefits.
Visit [http://hcsfit.com] to learn more.


Article Source: http://EzineArticles.com/4084526

By Rick Spair