GSU is developing an Information Security Management System (ISMS) based on the ISO/IEC 27001 standard to protect the university's reputation, ensure security and availability of information, and reduce risks. The roadmap involves strategic planning, continuous reviews and improvements, and incremental implementation of controls. It will align information security with business goals and provide comprehensive, auditable best practices for managing risks through plans, implementation, monitoring, and improvements.
GSU's Roadmap for a World-Class Information Security Management System – ISO/IEC 27001:2005
Tammy Clark, Chief Information Security Officer; William Monahan, Lead Information Security Administrator
“You will now have a starting place and a destination, and you will be able to determine what it will cost you to get there. You will be going someplace.” (H. Stanley Judd)
Editor's Notes
Background: GSU is located in downtown Atlanta, with approximately 27,000 students (undergraduate and graduate); it is the second largest university in Georgia. CIO: JL Albert. Information Security Program: Tammy Clark (CISO), William Monahan (Information Security Lead Admin), Miss Nancy Chang (Information Security Intermediate). We started aligning the university's security plan with ISO 17799 (now ISO 27002) in September 2004 (what the standard says, the current state of security, strategic and tactical goals), have incrementally addressed the 133 controls (risk assessments, data classification, incident response, security awareness training...), and are now taking it to the next level with ISO 27001 (ISMS = controls + governance).
We can only provide a 3,000-foot view of our ISMS activities in 45 minutes. It is all about governance. In the early stages of the GSU Information Security program (2000-2004), a myriad of initiatives and processes (technology, people, processes) were introduced to the enterprise. The program evolved from reactive mode (chasing threats and problems) to proactive mode (managing information security, large-scale incident reductions, preventive and corrective actions). From late 2004 to 2006, the next phase of the program was a campus-wide effort to comply with ISO 27002 (17799) by assessing the control objectives and individual controls and ensuring that GSU was either mitigating risk, accepting risk, transferring risk, or not affected, all of which had to be justified by top management and University IT department heads and managers. Finally, in 2007, our CIO JL Albert went forward in championing the initiative to get two areas of the University certified under ISO 27001. From November 2005 onward, a major paradigm shift happened at GSU when the Security Review policy was brought forward by JL to the President, which sanctioned and mandated security reviews on IT projects costing over $4,999. JL instituted an ITPR process that included a security review and approval as the final step. This allowed Information Security to recommend controls and re-engineered processes that integrated information security into the departments' business processes. The resultant effect has been that the university's information security program is viewed as a business enabler, a change agent, and integral to the success of the University's academic and business objectives.
Strategic planning ensures that University information security program objectives are met in a consistent, measurable, and cost-effective manner. It provides an umbrella framework that allows for prioritization, gap analysis, metrics, and effective integration of security processes and solutions into the University's infrastructure. At the strategic operational level, there is a consistent push each year to prioritize action items based on the results of targeted risk assessments, regulatory and policy implications and/or guidance, and University strategic academic and business goals. This all works behind the scenes to keep the information security program poised to take advantage of opportunities to integrate into business processes, influence decisions of top management about future directions of information technology, and build the perception that information security adds value to the overall enterprise.
Meeting between Mao and Dr. Kissinger: you have to sell 27001.
Selling points for top management:
--Protecting the university's reputation
--Compliance
--A more robust and reliable infrastructure, due to the reduction of business discontinuities that arise when security defenses are breached
--Avoiding liability for illegal or malicious acts committed with the university's computer or network resources
Selling points for key enterprise stakeholders:
--Protecting their department's reputation
--Compliance
--A more robust and reliable infrastructure, due to the reduction of business discontinuities that arise when security defenses are breached
--Avoiding liability for illegal or malicious acts committed with the university's computer or network resources
Understanding of key strategic and business goals: business objectives and ISMS objectives should be aligned, and not just around CIA (confidentiality, integrity, availability) but also privacy, non-repudiation, transparency, ethics, democracy...
Researcher example: identity management, digital signatures and federation via smart card technologies.
Top management support is critical. At GSU, our CIO 'sells' our ISMS initiative to top management at the University (President, Provost, Deans, VPs, etc.), while the CISO and staff continually promote the concepts and initiatives to middle-tier managers and below. All in all, without the level of support and participation that our CIO provides, the chances of success would measurably decrease. You have to find a myriad of ways to demonstrate to your CIO and top management that information security governance is a top priority and critical to the success of your program and of your initiatives to protect confidential data. COMMUNICATE, COLLABORATE, AND CELEBRATE THE ACHIEVEMENT OF GOALS, SMALL OR LARGE, ALONG THE PATHWAYS TO YOUR FINAL DESTINATION!
ISO 27001 Certification. The ISO 27001:2005 certification process consists of two stages, which together involve at least one audit visit to the organization; the number of visits depends on its size and its risk management objectives (ISMS scope and limits). The goal of the first stage is to enable the auditors to understand how the ISMS is anchored in the policy and in the organization's risk management objectives. To this end, the auditors review the documents relating to the creation of the ISMS (definition of scope and limits, control objectives...) and to its implementation (assessment report, treatment plans...). An assessment report may be produced. The second stage confirms that the organization, in the process of establishing and improving its ISMS, acts in accordance with its policies, objectives, and business processes. It builds on the results of the first stage. This organizational audit seeks to confirm that the ISMS complies with the requirements of the ISO 27001:2005 standard; the auditors examine the ISMS performance reports, its controls, procedures, and processes. An audit report is produced, and the certification decision is made by the chosen certification body. An ISO 27001:2005 certificate is valid for 3 years (renewable after a recertification audit), during which the organization is subject to surveillance audits. Revised in 2005 and renamed in 2007, ISO 27002 is a guide of good practices for information security management that can be of interest to any type of organization (companies, governmental bodies...) regardless of its size or branch of industry. This standard defines objectives and recommendations for information security, and its ambition is to address information security concerns across the whole of the organization's activities.
Control Objectives (Annex A of ISO 27001) corresponding to the domains in ISO 27002, along with a description of the controls: see http://www.praxiom.com/iso-17799-objectives.htm
Using the ISO 27000 series to frame your information security program:
--Compatible with other standards and guidelines
--Assists with compliance
--Customizable: not a 'one size fits all' approach
--Favors incremental deployment of controls
--Assists in integrating business requirements with IT and information security goals/objectives
--Helps you to prioritize areas of greatest risk/need
--Consistent and measurable
The use of the PDCA model not only assists in the development of a comprehensive and effective Information Security Management System; it also emphasizes the development and improvement of policies, objectives, processes and procedures, routine reviews, and continuous improvement.
The Plan phase
The Plan phase represents the development of the information security management system framework and takes into account the characteristics of the organization (mission, location, assets, activities, corporate culture...) as well as any laws, regulations, and contractual obligations to which it is subject. Once the global framework of information security management is established, the specific settings of the ISMS must be determined.
Scope: the definition is up to you. We suggest an incremental approach of incorporating two or three areas of your campus, such as Information Security, Finance, and Alumni, and focusing on building the framework out before you add additional areas. The scope should be defined in terms of the characteristics of the business (location, assets, technology) and take into account the interfaces and dependencies the ISMS has with other parts of your campus that are not within the scope (HR, Legal, etc.) and with third parties your campus partners with (in Georgia, the Board of Regents supplies IT support and services to many of the USG campuses).
Policy: keep it clear and succinct; include scope and boundaries; provide management support and direction; set objectives; establish risk assessment criteria.
Risk Assessment Approach: it is up to you to choose the method that works best for your university, with the expectation that results are comparable and reproducible.
The Do phase
This phase concerns the ISMS implementation and integration within the organization. The first step is the definition of a risk treatment plan, a measurement system, and an effectiveness assessment for the implemented controls. The system for measuring and assessing the effectiveness of controls should produce reproducible and comparable results, and should weigh the cost of controls against their effectiveness. The second step in the ISMS introduction phase is the implementation of the risk treatment plan, containing the chosen controls, together with a training program. A training program ensures that individuals are skilled to carry out the tasks assigned to them: it determines the skills necessary for their tasks, proposes training where needed, and evaluates its effectiveness. The organization keeps a record of the competences and qualifications acquired. The last step concerns ISMS management and resource sufficiency. Make sure that the ISMS established is compatible not only with the identified controls but also with the policies and procedures selected. Moreover, to ensure the longevity of the continuous improvement process, the organization must identify and provide the resources necessary to introduce, review, maintain and improve the ISMS.
The Check phase
Opportunity to forge a partnership and collaborative working relationship with your internal auditors. We found that the following encouraged their active participation and interest:
--Clearly defined objectives and goals
--Attainable scope and certification timeframe
--An automated process to audit the ISMS that would save time and effort
--Future state: demonstrated value of the project in terms of time savings for auditors. As we bring departments in under our 27001 project, all of the objective evidence will be within our automated system, and our internal auditors, provisioned with accounts, will be able to examine a myriad of supporting documentation and processes that allow them to assess risk, compliance, controls, etc.
Auditable requirements in ISO 27001:
--Required processes: document control, internal audits, corrective actions, preventive actions
--Required documentation: statements of policy and objectives, scope and boundaries, procedures and controls, description of the risk assessment methodology, risk assessment report and RTP (risk treatment plan), metrics, objective evidence, SOA (Statement of Applicability)
The Act phase
The Check phase should identify any ISMS improvements needed to ensure that information security risks are correctly managed. The organization must implement not only improvements but also preventive actions, in order to anticipate any incompatibilities between the different ISMS processes. To that end it must consider the controls, processes, policies, and procedures already established, to ensure that the ISMS functions correctly. It is then necessary to communicate with key stakeholders about the actions taken and the improvements implemented, in order to preserve the momentum of continuous improvement; the success of this approach to information security management depends on a full understanding of the ISMS components. Finally, as for each process or action, the organization should verify by means of assessment that the evaluation achieves its objectives. This measurement step documents the organization's progress in risk management.
If You Don't Know Where You're Going, Any Road Will Get You There
In December 2004, we developed a holistic, comprehensive security plan based on ISO 17799 (133 controls and 11 domain areas). As we developed the initial plan, we conducted a 'state of security' assessment in each domain area and developed action plans to address deficiencies. We modify our plan each year to incorporate changes in the ISO 17799 standard, as well as new requirements due to compliance legislation, university policies, and risk analyses. We also develop action plans each year, which lead to the addition of policies, procedures, and new solutions being layered into our security infrastructure.
Vote early and vote often
GSU implemented a Risk Assessment policy in November 2005 (as a byproduct of the ISO 17799:2005 update) and is conducting approximately 50 risk assessments per year; this proactive approach has yielded big dividends. It is not just about recommending managerial and technical controls: we have also improved efficiencies via risk assessments (secure LDAP). Most nonconformities are the result of recommendations not being implemented, or of undue delay.
--High Risk: mitigation plan immediately
--Medium Risk: do it within one year
--Low Risk: not going to worry about it
We would rate GSU as a 2.5 out of 5 on the Capability Maturity Model. We just started having a third party (internal audit) follow up on our High Risk projects to ensure that controls were adequate and commensurate with risk and that they were implemented in a timely manner; this will be done before the preassessment in December. ISO mandates that we re-evaluate risk (lessons learned from shredders). We are migrating from NIST 800-30 to BS 7799-3:2005 for our risk assessments: NIST Special Publication 800-30, "Risk Management Guide for Information Technology Systems"; BS 7799-3:2005, "Information security management systems. Guidelines for information security risk management". Internal auditors and BSI will keep everyone honest: what gets checked gets done.
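The risk triage above (High: mitigation plan immediately, Medium: within one year, Low: accept) and the internal-audit follow-up on delayed recommendations can be turned into a small tracker. The following Python is an added example, not GSU's own tooling: it rates findings with the likelihood x impact matrix from the 2002 edition of NIST SP 800-30, which the notes name as the current method, and all finding IDs and dates are constructed sample data.

```python
"""ISMS risk-treatment follow-up tracker (added example, not GSU's own tooling).

Rates each finding with the likelihood x impact matrix from NIST SP 800-30
(2002 edition), applies the treatment deadlines stated in the notes
(High: immediately, Medium: within one year, Low: risk accepted), and flags
the nonconformities the notes describe: recommendations not implemented by
their deadline, or implemented only after undue delay.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# NIST SP 800-30 (2002) weights: likelihood 0.1 / 0.5 / 1.0, impact 10 / 50 / 100.
LIKELIHOOD_WEIGHT = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT_SCORE = {"Low": 10, "Medium": 50, "High": 100}


def risk_level(likelihood: str, impact: str) -> str:
    """Map a (likelihood, impact) pair to High / Medium / Low per NIST 800-30."""
    # round() keeps float noise (e.g. 0.1 * 100) from crossing a threshold
    score = round(LIKELIHOOD_WEIGHT[likelihood] * IMPACT_SCORE[impact], 6)
    if score > 50:
        return "High"       # >50 to 100
    if score > 10:
        return "Medium"     # >10 to 50
    return "Low"            # 1 to 10


@dataclass
class Finding:
    """One recommendation produced by a risk assessment (hypothetical record)."""
    finding_id: str
    assessed: date                      # date the risk assessment was signed off
    likelihood: str                     # Low / Medium / High
    impact: str                         # Low / Medium / High
    implemented: Optional[date] = None  # date the control went live, if ever

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)


def treatment_due(finding: Finding) -> Optional[date]:
    """Deadline implied by the GSU policy in the notes; None means risk accepted."""
    if finding.level == "High":
        return finding.assessed                        # mitigation plan immediately
    if finding.level == "Medium":
        return finding.assessed + timedelta(days=365)  # do it within one year
    return None                                        # Low: not going to worry


def treatment_status(finding: Finding, today: date) -> str:
    """One of: accepted | implemented | implemented late | open | overdue."""
    due = treatment_due(finding)
    if due is None:
        return "accepted"
    if finding.implemented is not None:
        return "implemented" if finding.implemented <= due else "implemented late"
    return "open" if today <= due else "overdue"


def nonconformities(findings, today: date):
    """IDs an internal auditor would raise: deadline missed or met only late."""
    return [f.finding_id for f in findings
            if treatment_status(f, today) in ("overdue", "implemented late")]


def high_risk_followup(findings):
    """High-rated findings, the set the notes say internal audit now follows up on."""
    return [f.finding_id for f in findings if f.level == "High"]


# Constructed sample findings; IDs and dates are made up for this example.
SAMPLE_FINDINGS = [
    Finding("RA-01", date(2007, 1, 15), "High", "High", implemented=date(2007, 1, 20)),
    Finding("RA-02", date(2007, 2, 1), "Medium", "Medium", implemented=date(2007, 6, 1)),
    Finding("RA-03", date(2006, 3, 1), "Medium", "High"),    # 50 -> Medium, a year has passed
    Finding("RA-04", date(2007, 4, 1), "Low", "High"),       # 10 -> Low, accepted
    Finding("RA-05", date(2007, 4, 10), "High", "Medium"),   # 50 -> Medium, still open
]
TODAY = date(2007, 5, 1)  # constructed "as of" date for the report

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.finding_id}: level={f.level:<6} due={treatment_due(f)} "
              f"status={treatment_status(f, TODAY)}")
    print("nonconformities:", nonconformities(SAMPLE_FINDINGS, TODAY))
    print("internal-audit follow-up:", high_risk_followup(SAMPLE_FINDINGS))
```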
Copyright Tammy Clark, May 2007. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by pe