Tuesday, July 31, 2007

Evaluating Security

The exact role of internal audit regarding information security varies widely among companies, but it always provides a significant opportunity for internal audit to deliver real value to the board and management. Internal auditors should play an important role in ensuring that information security efforts have a positive effect on an organization and protect the organization from harm.

Why worry so much about information security? Consider some reasons why organizations need to protect their information:

• Availability. Can your organization ensure prompt access to information or systems for authorized users? Do you know if your critical information is regularly backed up and can be easily restored?
• Integrity of data and systems. Are your board and audit committee confident that this information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that could compromise reliability?
• Confidentiality of data. Can you tell your customers and employees that their nonpublic information is safe from unauthorized access, disclosure, or use? This is a significant reputational risk today!
• Accountability. If information has been compromised, can you trace actions to their source?

An audit of information security can take many forms. At its simplest, the auditors will review the information security program’s plans, policies, procedures, and key new initiatives, plus hold some interviews with the key stakeholders. At its most complex, a large internal audit team will evaluate almost every aspect of the security program and even do intrusion testing. This diversity depends on the risks involved, the assurance requirements of the board and executive management, and the skills and abilities of the auditors.

For example, if the organization is undergoing extensive change within its IT application portfolio or IT infrastructure, that would be a great time for a comprehensive assessment of the overall information security program (likely best just before or just after the changes). If last year’s security audit was positive, perhaps a specialized audit of a particular activity or an important e-commerce application would be useful. The audit evaluation can, and most times should, be part of a long-term (read: multi-year) audit assessment of security results.

Wednesday, July 25, 2007

Security and Compliance (Part II)

BS7799 Contents of Part 1

• Scope
• Terms and definitions
• Security policy
• Security organisation
• Asset classification and control
• Personnel security
• Physical and environmental security
• Communications and operations management
• Access control
• Systems development and maintenance
• Business continuity management
• Compliance

BS7799 Contents of Part 2

• Scope
• Terms and definitions
• Information security management system requirements
• Detailed controls
1. Security policy
2. Security organisation
3. Asset classification and control
4. Personnel security
5. Physical and environmental security
6. Communications and environmental security
7. Communications and operations management
8. Access control
9. System development and maintenance
10. Business continuity management
11. Compliance

Critical Success Factors

• Policies, Objectives and Activities that reflect business objectives
• Appropriate resources
• Consistency with culture
• Visible support and commitment from management
• Clear understanding of the security requirements and risk
• Effective marketing of security to all employees
• Distribution of information to all partners, suppliers, employees and contractors
• Providing appropriate training and education
• Key performance indicators

Selecting Controls

• Identify business objectives
• Identify business strategy
• Identify security strategy
• Identify and implement controls

Key controls

1. Information security policy document
2. Allocation of security responsibilities
3. Information security education and training
4. Reporting of security incidents
5. Virus controls
6. Business continuity planning
7. Control of proprietary software copying
8. Safeguarding of company records
9. Compliance with data protection legislation
10. Compliance with the security policy

Certification requirements for BS7799/ISO 17799

The organisation shall establish and maintain a documented ISMS:
• Management framework
1. Risk management approach
2. Identify control objectives and controls
3. Documented evidence:
   - evidence of the actions undertaken
   - a summary of the management framework
   - the procedures adopted to implement the controls
   - the procedures covering the management and operation of the ISMS

In 2005 the International Organization for Standardization released a specification, ISO 17799, which establishes guidelines and general principles for initiating, implementing, maintaining and improving information security in an organization. These guidelines are intended to be implemented to meet the requirements identified by a risk assessment.

Management framework

• Define the policy
• Define the scope of the information security management system
1. Characteristics of the organisation
2. Location
3. Assets
4. Technology
• Undertake risk assessment
1. Threats
2. Vulnerabilities
3. Impacts
4. Degree of risk
• Manage the risks
• Select control objectives & controls
• Prepare statement of applicability
1. Selected control objectives and rationale
2. Exclusion of controls and rationale

Applying BS7799/ISO17799

• A Practical Approach
• Gap Analysis
• Action Planning
• Risk Assessment and Treatment
• Developing an improvement programme
• Effective Statement of Applicability
• Planning and Costing a BS7799/ISO17799 project
• ISMS (Information Security Management System)
• Audit

Wednesday, July 18, 2007

Security and Compliance (Part I)

It is possible to have excellent security and not be compliant, and it is also possible to pass a compliance audit and have very poor organizational security. The illusion that compliance equals security has led organizations to spend excessively on compliance to the detriment of security. There are five principles for balancing compliance with security:
• Base your security program on a security framework
• Leverage compliance budgets for information security controls
• Automate policy compliance and auditing
• Be prepared to manage change in threats and regulations
• Create an effective awareness and training program

Different organizations, information security professionals and consulting companies approach a security program in different ways. Many organizations follow the ISO 17799 approach (International Organization for Standardization) and a few follow the COBIT standards (Control Objectives for Information and Related Technology), both of which are great starting points. But there is another approach called the Sherwood Applied Business Security Architecture (SABSA).

The SABSA model uses different roles that work with the following perspectives:
• Business owner – Contextual
• Architecture – Conceptual
• Designer – Logical
• Builder – Physical
• Tradesman – Component
• Facilities Manager – Operational

The SABSA model slices an enterprise into six different layers so that security can be more focused and more business oriented. Although the model is theoretical and academic in nature, once an organization has its security building blocks in place it can evolve past the ISO model and implement SABSA.

Complying with BS7799/ISO 17799

Developing and implementing considerations from a business and technical perspective consists of:

Part 1
• Code of practice for information security management

Part 2
• Specification for information management systems

Why Implement:
• Helps realise the security policy
• Builds a level of business confidence
• Easy and flexible architecture
• Common standard
• Position of strength
• Ability to leverage business benefits
• Develop best practice
• Introduce benchmark standards
• Recognised international standards

The standard was developed from the following legislation:
• Data Protection Act 1984
• Data Protection Act 1988
• Data Protection Act 1998
• Computer Misuse Act 1990
• Copyright Designs and Patents Act 1988
• Human Rights Act 2000
• Regulatory Investigatory Powers Act 2000 (RIP Bill)

Monday, July 09, 2007

Site Optimization (Homebusiness Ideas)

Rhys is dealing with a problem. For one of his top search terms, he's ranked #1 in MSN, Yahoo, and Alta Vista - yet he's not showing up on Google at all!

Here is the response from Nicole, an SEO guru, to give them some answers. I hope her advice helps you, too.

Now here's Nicole...

Hi Rob, Rhys, and everyone else who's having problems getting listed with Google.

To start, I want to point out that there are two important components to any successful search optimization campaign:
• Your on-site optimization efforts -- such as "sprinkling" your best keywords throughout your sales copy (like Rob did)
• Your off-site optimization efforts -- such as getting quality inbound links to point to your site

You need to focus on both these areas if you want your SEO efforts to pay off.

Now, in terms of how to get Google to give your site a good ranking, there are three specific things you need to pay attention to (because they're what the Google spiders pay the most attention to!):

1. Your inbound links

I've said it before, but I'll say it again because it's just so important: If you want to get a good, solid ranking with Google -- one that won't just disappear overnight -- you need to build a network of high quality inbound links pointing to your site.

By high quality I mean, from sites that have a Google PageRank of 4 or more. (You can check out a site's PageRank by downloading the Google Toolbar to your browser.)

The best ways to get these links are to:
• Get your site listed with the 'Net's top directories, like Yahoo and DMOZ.org (the Open Directory Project)
• List your site on industry-specific directories
• Write content-rich articles and submit them to high PageRank article directories
• Offer free content to high PageRank sites that target the same market as you (but offer different, complementary products)
• Participate in forums that are popular with your target market and be sure to include a link to your site in your signature block

Make sure you acquire your inbound links gradually over time, so they look natural.

As I mentioned in last week's newsletter, you can buy links, if you want -- just don't buy a whole bunch at once. Nothing screams "paid advertising" more than 100 links mysteriously pointing to your site overnight!

2. Your anchor tags

It's not just enough to have any old inbound link pointing to your site... do whatever you can to make sure the anchor tag has your top-performing keywords in it.

Google is looking for hyperlinks attached to actual phrases (as opposed to URLs). The idea is, hyperlinked phrases are more likely to lead to a useful reference site.

For example, if you have a dog training site, Google will pay more attention to a hyperlink that's attached to a phrase like, "best dog training tips" than a link that's attached to: http://www.doghouserules.com/.

Here's what the ideal link looks like: keywordphrase

And like I said last week, make sure your anchor tags don't all use the exact same keyword phrase. They should include variations on a number of different keywords. That'll make them look more natural in the eyes of the search engines.

3. Your title tags

Did you know that your title tag is one of the most important tags on your site?

It's one of the first things the spiders look at when they arrive on your site.

That's why you absolutely have to make sure you include your top-performing keyword phrase in your title tag. (You can see what your title tag is by looking at the very top of your browser when you're on your homepage. What information appears there? Does it include your top keyword phrases? It should!)

On top of that, your title tag is the text some search engines display in the listings that appear in the search results. So it needs to clearly communicate to your visitors exactly what they'll find when they arrive at your site. And the best way to do that is by including the keyword phrases they typed into the search engine.

Finally, I wanted to point out that you need to have patience. Search engine optimization isn't an overnight cure to your traffic woes. Sometimes it can take up to six months to see the results of your work. But I promise you, the results will be worth it!