Archive for category Security Management
A New World To Secure
Posted by Fredrik Björck in Security Management, Security Philosophy on March 29th, 2009
This article describes briefly how information security will be affected by the coming changes with regards to how we interact with information and communication systems.
We have recently witnessed how virtualization of servers and clients has transformed how we think about information processing. Today, we all understand that the information we see on our computer screen can reside anywhere in the world. The applications and software we use can be somewhere else entirely. Nevertheless, we use them here and now. Call it Cyberspace, virtualization or the Cloud – most of us use it every day.
What has happened? Information processing has been completely released from its geographical boundaries. The only limit is the bandwidth available to transfer the information from the place of processing to wherever we are at the moment. Since the bandwidth available to us continues to increase rapidly, we can almost discount it as a limitation in the near future.
But we are still not “free”. Something still limits our use of information and communication technologies today: the interface we have to the information. We continue to carry around small mobiles and laptops. We continue to read small screens and punch in text messages on small keyboards. All this to simulate the “limitless” mobile life. But we are not there yet.
The way we interface with information and communication systems is about to change. This, I think, will be the next big communication revolution.
Imagine for a moment that you had access to the same Internet-based services and the same software as on your computer and mobile, without having to carry them around. You could interact with these services and control them using your voice, gestures, or even thoughts. No keyboard needed.
But not only that: there would be no screen to look at. The screen would be replaced by small gateways, or translators, between the systems and you. You might perceive the services by hearing the result of a command, or by seeing the results as if they were projected as superimposed images in your field of view, right there in what you see now.
What will enable this radical change is, again, that technology has made it possible. Speech recognition and facial recognition are developing fast, as is speech synthesis. Screen and projection technologies are also developing at a rapid pace, as are wireless network connections.
Take a small wireless netbook – this gives you a great feeling of freedom today. Well, tomorrow you will not need to punch in the commands at the keyboard – you will just say them, show them, or (later) think them. You will not need to look at the screen to see the answer – just listen, or just watch the information you asked for projected in your own sight – right there in front of you.
Implications for security
All these developments give rise to important information security implications:
- Protect objects (information and services) as close to the source as possible, since they will be everywhere. E.g. encrypt your information before you send it to the cloud or out into space.
- Decide on access rights for subjects (people or processes) as close to the subject as possible, since neither objects nor subjects will be bound by time or space. E.g. use biometrics to ensure that the person accessing the information or service is the person expected.
- Lars Söderlund at Alliansor: The move towards thinner clients, with decreased storage and processing power at the client side, will increase the importance of availability of network connectivity as a part of information security.
- Your ideas here….
Please help develop these ideas by commenting on this article. I will update the article using your comments.
ISO 27001 Implementation Guide – Management review
Posted by Fredrik Björck in Security Management, Security Standards on March 7th, 2009
Summary
This article explains the management review of an organisation’s information security management system that is mandated by the international standard on information security management, ISO 27001. It might be of interest to information security managers and those seeking to implement the ISO 27001 standard.
Agenda
- What is the “management review of the ISMS” in the context of ISO 27001?
- What are the roles involved in the management review?
- What is the purpose and rationale behind this requirement?
- What are the steps that we need to take in order to fulfil this requirement?
- How can the results of the management review be documented?
Definition
The “management review of the ISMS” in the context of ISO 27001 refers to the annual activity where management reviews the organization’s information security management system (ISMS), ensuring its continuing “suitability, adequacy and effectiveness” (ISO 27001).
Requirement
The requirement as stated in ISO 27001, chapter 7:
Management shall review the organization’s ISMS at planned intervals (at least once a year) to ensure its continuing suitability, adequacy and effectiveness. This review shall include assessing opportunities for improvement and the need for changes to the ISMS, including the information security policy and information security objectives. The results of the reviews shall be clearly documented and records shall be maintained.
Each of ISO’s management system standards, including ISO 9001 (for quality management systems) and ISO 14001 (for environmental management systems), has a corresponding requirement that mandates a management review. In fact, the whole idea, and the concepts used to describe the management review, are directly derived from ISO 9001.
Roles
Management. Management here refers to the group of individuals who have the widest authority in the organization and who essentially control its operations through their decisions. They are concerned not only with information security, but also with the overall aims of the organization. Because of this, they are in a position to see the overall picture and judge whether or not the information security management system is suitable, adequate and effective in relation to the current strategies and the road ahead.
Information security officer. However, management needs the help of a good information security manager or officer (CISO) in order to review the management system. In fact, management most often fulfils its role in this review by attending one meeting and making some important decisions. It is the information security manager who has to plan this meeting: to gather its inputs, to facilitate its processing, and to take care of its output.
Rationale
The idea behind this requirement for those seeking ISO 27001 certification is that:
- Management commitment: High level management commitment is crucial for running a successful information security effort in any organization, therefore they should be involved in taking the decisions so that their executive power is transferred to the information security people.
- Track development: One of the ideas behind having an information security management system is that high level management is able to track the development of information security in their organization.
- Reserve resources: High level management’s decisions are needed to get reserved resources for information security, after prioritizing security against other possible alternative investments.
Steps
There are three major steps involved in conducting a management review successfully:
- Review input: Preparing information for the meeting
- Meeting: Presenting the information, discussing, and getting approval
- Review output: Documenting decided changes to documents and controls
Review Input
The input to a management review shall include:
a) Results of ISMS audits and reviews;
b) Feedback from interested parties;
c) Techniques, products or procedures, which could be used in the organization to improve the ISMS performance and effectiveness;
d) Status of preventive and corrective actions;
e) Vulnerabilities or threats not adequately addressed in the previous risk assessment;
f) Results from effectiveness measurements;
g) Follow-up actions from previous management reviews;
h) Any changes that could affect the ISMS; and
i) Recommendations for improvement. (ISO 27001)
Meeting
One natural way to organise the meeting is that the information security manager presents the information in the review input. It should be possible for the management to complement the presentation by looking at and reading actual reports and other review inputs during the meeting.
After the review inputs are presented and discussed, the information security manager gives his/her recommendations for changes, priorities and improvements, and describes the need for financial and other resources.
The result of the meeting is a set of agreed changes and decisions, including the reservation of resources. These actions and decisions are listed below as review outputs.
Review Output
The output from the management review shall include any decisions and actions related to the following:
a) Improvement of the effectiveness of the ISMS.
b) Update of the risk assessment and risk treatment plan.
c) Modification of procedures and controls that effect information security, as necessary, to respond to internal or external events that may impact on the ISMS, including changes to:
1) business requirements;
2) security requirements;
3) business processes effecting the existing business requirements;
4) regulatory or legal requirements;
5) contractual obligations; and
6) levels of risk and/or risk acceptance criteria.
d) Resource needs.
e) Improvement to how the effectiveness of controls is being measured. (ISO 27001)
Documentation
The meeting should be documented in terms of the inputs, the recommendations and the outputs. One way of doing this is to use a PowerPoint template for the management review presentation every year, containing the sections listed under review inputs and outputs above. Each input section is filled in with information about the current state by the information security manager before the meeting. Each output section is filled in during the meeting as the decisions are agreed. In addition, there should be minutes (a protocol) from the management review meeting listing the date, the participants, and what was agreed. These minutes should be signed by a representative of the top management of the organisation.
About the author: Dr. Fredrik Björck (CISA, CISSP) has been working with information security management systems and certification since 1997, in academia and as an auditor and consultant. He is founder and CEO of Visente, a consultancy specialising in strategic information security advisory services. Visente has taken the first government authority in Sweden through ISO 27001 certification, and has helped the Swedish Standards Institute with the Swedish translation of the ISO 27001 and 27002 standards. This article is a part of Visente’s knowledge sharing initiative for the benefit of a more secure society.