Cyber Security Awareness Month - Day 8 ISO 27001



The ISO 27000 series consists of a number of standards that apply to information security.  The main standard that you can actually certify against is ISO 27001. The remaining standards are mainly supporting standards that help you address specific areas of information security.
ISO 27001 is an information security management standard. Its main objective is to make sure that an organisation has the processes in place to manage information security within the organisation. Unlike the Payment Card Industry Data Security Standard (PCI DSS, more on that in a later diary), ISO 27001 is not prescriptive. It doesn't tell you exactly what to do; it provides high level guidance and you have to work the rest out yourself. This is where the supporting standards come into play. ISO 27002, for example, provides more information on implementing specific controls and provides examples. If you are stuck on how you should be assessing risk, then you need to take a look at ISO 27005 (ISO 31000 is also excellent; it is the old AS/NZS 4360).

One of the main difficulties of complying with the standard is the first realisation that you are complying with sections 4 through to 8, whereas many people concentrate on the controls in Annex A (Annex A, BTW, is 27002 with less detail provided). Sections 4 through to 8 outline the system that needs to be in place: the Plan, Do, Check, Act cycle. The standard is risk based, the idea being that you identify your assets, assess the risk, select the controls you are going to implement based on those risks, monitor how it is all going, and then rinse, lather and repeat the cycle. The other key idea is that it is a system for the security of information. So not specifically computer systems, but the information they manage and hold, as well as the information used to manage the environment. Many ISO 27001 systems initially concentrate on the technical aspects of IT security: do I have a firewall, do I have AV, do I have processes to manage it, etc. As the system matures it tends to go up a level and looks at the processes being performed by a group or division and the information they need to do this successfully. For example, the CISO needs to report on the status of information security in the organisation. What information is needed? They might need stats from various systems, pentest results, vulnerability analysis results, risk assessments, and so on. All are information assets that the CISO needs to do their job. How is that information generated, and by whom? How reliable is it? So in the ISO 27001 world there are a number of different levels at which your system can work.

Just going back to sections 4 through to 8 for a little bit. One of the first things you will be doing is to define the scope of the system you are about to implement. Typically this will be phrased along the lines of "management of information security for system/group/division/product/application/service by responsible group". Usually it will be a little bit prettier than that, but you get the general idea. Like a quality system (ISO 9000 series), you define the scope of the environment. If you have a scope that doesn't include an HR function, then the HR function will become an input into your system, but not part of it. You may have to request them to do certain checks prior to hiring, but in my experience those types of processes are usually mature. Good scoping can be your saviour if you are going for certification.

So certify or just comply?  That is one of the main questions we get when talking about 27001. The choice is quite simple.  If you are going to use it as a marketing tool to improve confidence in your organisation's ability to manage information security, then certify.  If you just want to make sure that you are covering the bases that should be covered, then complying but not certifying may be the right choice for you.

Where to start? Well, after you have bought your copy of the standard you could perform a gap analysis of what you currently do against what the standard expects to be done. Be brutally honest. You can use this mechanism to monitor your progress and show improvement as things change. Expect to fail miserably, and make sure that management understands this before you start. You haven't needed to comply with the standard before, therefore there are going to be gaps. If you've never run a 5 km race previously, the chances of you finishing it on your first go are pretty slim. Once you have your gaps you will have a starting place and you can start working on progressing and improving security.

In order to certify you must have what are called the documented processes in place (sorry, I can't really list them, as without the standard to provide context they won't make sense). Without these processes being written down, followed and maintained, you cannot pass a certification audit. Likewise, it will be difficult to pass a certification audit if you do not have an information security policy, change control, a business continuity plan, an incident response plan, an acceptable usage policy and more. However, what you do or don't have will come out in the gap analysis.

As a management system ISO 27001 is quite reasonable. If you do it correctly the overhead on your scarce resources won't be too bad. It makes you document those processes that are actually important to the organisation, which is never a bad idea. It forces you to think about issues that you may not have thought about previously. In fact, that probably goes for most standards. The standard forces the engagement of management in information security matters, and this often results in a better understanding of what you really do and possibly even more funding. The main thing to remember is: don't work for the standard, make the standard work for you. If you are doing it to tick a box, you will likely fail.

That is a brief overview of ISO 27001. If you have anything specific, let us know via the comments or the contact form.
Cheers
Mark H

Source: https://isc.sans.edu/diary/Cyber+Security+Awareness+Month+-+Day+8+ISO+27001/14230



Mapping Malnutrition via SMS


KOMPAS/DIDIT PUTRA ERLANGGA RAHARDJO
The malnutrition map as displayed by the Life application, developed by the Gatotkaca team from Institut Teknologi Telkom, Bandung.
By Didit Putra Erlangga Rahardjo
One of the obstacles in tackling malnutrition is the delay in treating children under five. The result is impaired growth, and in some cases the child loses their life. Traced back further, the more fundamental problem is the difficulty of the reporting mechanism.

That is the problem Gatotkaca, a team made up of lecturers and graduates of Institut Teknologi (IT) Telkom, Bandung, set out to solve when it proposed an application named Life to map malnutrition in real time. The mapping still relies on data from midwives spread across a number of regions. The difference is that the data does not take the form of a written report, but is typed in and sent via short message service (SMS).
“Our application started from concern about the length of the malnutrition reporting chain. With software, all of it can be sped up,” said Gatotkaca team leader Dody Qori Utama.

From the team's observation of how malnutrition is reported in Indonesia, a midwife who finds an infant in poor condition writes a report to be handed to the city or regency health office. That data is compiled together with data from other areas before being reported to the provincial health office. At the provincial level the same thing is repeated: compilation with data from other regencies and cities before reporting to the Ministry of Health. Compilation is repeated again at the central level until a national map is obtained for formulating intervention policy.
That approach takes a long time. From Dody's observation, it takes a year for a report to reach the central level. Manual reporting also drains midwives' energy and time, even though they have other duties, such as community health education.

With this application, midwives simply type in predetermined parameters, such as the infant's age, weight, height and head circumference, on their mobile phones. The data is sent to a server to be combined with data from other midwives, so the malnutrition map can be viewed immediately. According to Umar, a member of the team, only a one-second delay is needed between the data being received by the server and its being displayed on the map.

Awards
The application was developed over nine months in 2010. That year, the Life application took third place in the Imagine Cup international competition held by Microsoft in Poland. At the commemoration of West Java's 67th anniversary at the end of last August, the Gatotkaca team received the 2012 West Java Innovation Award (Anugerah Inovasi Jawa Barat 2012) in the health category.

The Gatotkaca core team consists of six people: Dody, Anggunmeka Luhur Prasasti, Umar Ali Ahmad, Arganka Yahya, Kania Audrint and Tauhid Nur. Dody is an informatics lecturer at IT Telkom, while Anggunmeka, Umar, Arganka and Kania were previously students there. Some of them had already graduated by the time the Life application received the award from the West Java Provincial Government. Tauhid, who has a medical background, provided input and direction for the application's development.
After the Anugerah Inovasi Jawa Barat 2012, the Gatotkaca team's application drew the curiosity of Netty Heryawan, chair of the West Java PKK (Family Welfare Movement) steering team. She wants to deploy the application across West Java. In mid-September the team will be introduced to the West Java Health Office to discuss opportunities for implementation.

Simplicity
Simplicity was the Gatotkaca team's guiding principle when building the Life application. Entering data must not be difficult for midwives, whose levels of education vary. The type of mobile phone used to send the data is also not tied to any particular brand or operating system.
According to Dody, the team prepared a dedicated application containing the parameter fields to be filled in by midwives. For phones with only a simple interface, the data can still be entered via SMS. Data from the midwives is processed by the server, and the results can be expressed as population counts, percentages or the families' economic background, giving a more complete picture.
In a trial at two integrated health posts (posyandu) in Bogor, the midwives said they found it helpful because the method is so easy. They just enter the data via SMS and save time by not having to write a report.

The server needed to process the data does not have to be a physical one. Umar said a cloud-based server is also adequate. “With 2 gigabytes of memory and 500 megabytes of storage, a virtual server can be rented for Rp 500,000 per month,” Umar said.
The system can be implemented separately at the regency or provincial level. Umar explained that opportunities for cooperation with companies through CSR schemes are also open, for example by subsidising the cost of sending the data or even providing incentives to encourage midwives to report.

After the malnutrition indicators, the Gatotkaca team is now working on a more sophisticated version that includes more parameters. They hope to use a similar method for diseases that are difficult to map, such as tuberculosis, diabetes, elephantiasis and HIV infection. If data is received faster, the government's response is expected to be faster as well.


Eight questions for a holistic risk assessment


By Ken Tysiac
July 19, 2012
Internal control has emerged from isolation.
In recent years, according to an International Federation of Accountants (IFAC) report, internal control has come to be viewed as an integral part of risk management and governance rather than a separate concept unto itself.
This integration demands that individual risks be assessed holistically rather than in a linear or unconnected way, according to the report, Evaluating and Improving Internal Control in Organizations. The report explains how accountants can ask the right questions to ensure a proper risk assessment that determines the overall effect of uncertainty on an organization’s goals.
All important business decisions should be made with this comprehensive risk assessment in mind, the report says. To assess risk across an organization, the report recommends that accountants ask:
  • Are the various departments that deal with a specific risk or have responsibility for associated controls working together?
  • Does the organization have an accurate and comprehensive understanding of its current risks?
  • Does the organization understand how various risks might have common causes or mutually reinforcing consequences?
  • Are the organization’s risks within the limits for risk taking as determined in its risk management strategy and policies on internal control?
  • Are risks treated on an individual basis or does the organization understand the overall effect of uncertainty on its objectives?
  • Does the organization sufficiently know the effectiveness of its controls and how they could be further improved?
  • How can the organization be certain it knows the correct answers to the preceding questions?
  • What are the processes for monitoring and evaluating, and are the processes effective?

The role of successful internal control as a driver of prudent business decisions is expanding as organizations take a proactive approach toward risk assessment and its integration into governance.

University of Wisconsin professor emeritus Larry Rittenberg, CPA, Ph.D., CIA, explained during a recent telephone interview that understanding controls themselves and whether they are working is an important step that leads to opportunities for organizations to improve.
Rittenberg is a former chairman of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which has another key internal control document under development. COSO’s Internal Control—Integrated Framework is undergoing an update that was released in an exposure draft in December and is scheduled for a final release in the first quarter of 2013.
Rittenberg said that when he served on the board of directors of one of the world’s largest oil companies, PetroChina, the audit committee and top management carefully examined the company’s controls and processes with the goal of improving them.
“They believed it would lead to more efficiency and effectiveness as well,” Rittenberg said. “I think the whole idea of changing the mindset [from] just the compliance activity into a proactive approach [is important].”
That idea is reinforced by the IFAC report’s practical guidance. The report describes nine key principles for evaluating and improving internal control:
  • Supporting the organization’s objectives.
  • Determining roles and responsibilities with respect to internal control.
  • Fostering a culture that motivates members to support risk management strategies and policies.
  • Linking internal control achievement to individual performance objectives.
  • Ensuring that participants in governance are competent to fulfill internal control responsibilities.
  • Responding to risk.
  • Communicating regularly.
  • Monitoring and evaluating.
  • Providing for transparency and accountability to stakeholders.

An effective internal control system is one of the best defenses against business failure and an important driver of business performance, according to the report. And it says accountants play a key role in internal control as creators, enablers, preservers, and reporters of sustainable value creation for organizations.

Ken Tysiac (ktysiac@aicpa.org) is a JofA senior editor.

How to Say Goodbye to Spreadsheets

Want to trade in your company's ancient spreadsheets for more nimble business intelligence applications? We talk to CIOs who've done it.
By John Edwards

CIO — Janis O'Bryan views traditional spreadsheet applications in the same light as floppy drives, dial-up modems and other dusty IT relics. "In many respects, it's simply time to move on," says the CIO for Hudson Advisors, a global commercial mortgage brokerage and real estate asset management firm headquartered in Dallas.

By shifting her company's IT and global corporate accounting departments to a business intelligence (BI) application, O'Bryan is like many other CIOs who have transitioned employees away from traditional spreadsheets and toward sophisticated tools produced by vendors such as Oracle, Applix, Business Objects, Cognos, SAS and iDashboards. CIOs who have made the switch frequently cite benefits such as faster and more detailed analysis, better planning capabilities, consistent views between users, automated data inputs from multiple sources and increased data source accuracy.
