Tuesday, July 31, 2007

Evaluating Security

The exact role of internal audit regarding information security varies widely among companies, but it always provides a significant opportunity for internal audit to deliver real value to the board and management. Internal auditors should play an important role in ensuring that information security efforts have a positive effect on an organization and protect the organization from harm.

Why worry so much about information security? Consider some reasons why organizations need to protect their information:

Availability. Can your organization ensure prompt access to information or systems for authorized users? Do you know whether your critical information is regularly backed up and can be easily restored?

Integrity of data and systems. Can your board and audit committee be confident that this information has not been altered in an unauthorized manner, and that systems are free from unauthorized manipulation that could compromise reliability?

Confidentiality of data. Can you tell your customers and employees that their nonpublic information is safe from unauthorized access, disclosure, or use? This is a significant reputational risk today!

Accountability. If information has been compromised, can you trace actions to their source?

An audit of information security can take many forms. At its simplest, the auditors will review the information security program’s plans, policies, procedures, and key new initiatives, plus hold some interviews with the key stakeholders. At its most complex, a large internal audit team will evaluate almost every aspect of the security program and even do intrusion testing. This diversity depends on the risks involved, the assurance requirements of the board and executive management, and the skills and abilities of the auditors.

For example, if the organization is undergoing extensive change within its IT application portfolio or IT infrastructure, that would be a great time for a comprehensive assessment of the overall information security program (likely best just before or just after the changes). If last year’s security audit was positive, perhaps a specialized audit of a particular activity or an important e-commerce application would be useful. 

The audit evaluation can, and most times should, be part of a long-term (read: multi-year) audit assessment of security results.

I wish You Great Success.

Wednesday, July 25, 2007

Security and Compliance 2

BS7799 Contents of Part 1

• Scope
• Terms and definitions
• Security policy
• Security organisation
• Asset classification and control
• Personnel security
• Physical and environmental security
• Communications and operations management
• Access control
• Systems development and maintenance
• Business continuity management
• Compliance

BS7799 Contents of Part 2

• Scope
• Terms and definitions
• Information security management system requirements
• Detailed controls
1. Security policy
2. Security organisation
3. Asset classification and control
4. Personnel security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. System development and maintenance
9. Business continuity management
10. Compliance

Critical Success Factors

• Policies, Objectives and Activities that reflect business objectives
• Appropriate resources
• Consistency with culture
• Visible support and commitment from management
• Clear understanding of the security requirements and risk
• Effective marketing of security to all employees
• Distribution of information to all partners, suppliers, employees and contractors
• Providing appropriate training and education
• Key performance indicators

Selecting Controls

• Identify business objectives
• Identify business strategy
• Identify security strategy
• Identify and implement controls

Key controls

1. Information security policy document
2. Allocation of security responsibilities
3. Information security education and training
4. Reporting of security incidents
5. Virus controls
6. Business continuity planning
7. Control of proprietary software copying
8. Safeguarding of company records
9. Compliance with data protection legislation
10. Compliance with the security policy

Certification requirements for BS7799 /ISO 17799

The organisation shall establish and maintain a documented ISMS.
• Management framework
1. Risk management approach
2. Identify control objectives and controls
3. Documented evidence:
- evidence of the actions undertaken
- a summary of the management framework
- the procedures adopted to implement the controls
- the procedures covering the management and operation of the ISMS

In 2005 the International Organization for Standardization released ISO 17799, a specification which establishes guidelines and general principles for initiating, implementing, maintaining and improving information security in an organization. Its guidelines and controls are intended to be implemented to meet the requirements identified by a risk assessment.

Management framework

• Define the policy
• Define the scope of the information security management system
1. Characteristics of the organisation
2. Location
3. Assets
4. Technology
• Undertake risk assessment
1. Threats
2. Vulnerabilities
3. Impacts
4. Degree of risk
• Manage the risks
• Select control objectives & controls
• Prepare statement of applicability
1. Selected control objectives and rationale
2. Exclusion of controls and rationale

Applying BS7799/ISO17799

• A Practical Approach
• Gap Analysis
• Action Planning
• Risk Assessment and Treatment
• Developing an improvement programme
• Effective Statement of Applicability
• Planning and Costing a BS7799/ISO17799 project
• ISMS (Information Security Management System)
• Audit

I wish You Great Success.

Wednesday, July 18, 2007

Security and Compliance 1

Security and Compliance (Part I)

It is possible to have excellent security and not be compliant, and it is also possible to pass a compliance audit and have very poor organizational security. The illusion that compliance equals security has led organizations to spend excessively on compliance to the detriment of security.
There are five principles in balancing compliance with security.
• Base your security program on a security framework
• Leverage compliance budgets for information security controls
• Automate policy compliance and auditing
• Be prepared to manage change in threats and regulations
• Create an effective awareness and training program

Different organizations, information security professionals and consulting companies approach a security program in different ways. Many organizations follow the ISO 17799 approach (International Organization for Standardization) and a few follow the COBIT standard (Control Objectives for Information and Related Technology); both are great starting points. But there is another approach called the Sherwood Applied Business Security Architecture (SABSA).
The SABSA model uses different roles, each working from the following perspective:
• Business owner – Contextual
• Architecture – Conceptual
• Designer – Logical
• Builder – Physical
• Tradesman – Component
• Facilities Manager – Operational

The SABSA model slices an enterprise into six different layers so that security can be more focused and more business oriented. Although the model is theoretical and academic in nature, once an organization has its security building blocks in place it can evolve past the ISO model and implement SABSA.

Complying with BS7799/ISO 17799

Developing and implementing the standard, considered from both business and technical perspectives, covers two parts:
Part 1
• Code of practice for information security management
Part 2
• Specification for information security management systems

Why Implement:
• Helps realize the security policy
• Builds a level of business confidence
• Easy and flexible architecture
• Common standard
• Position of strength
• Ability to leverage business benefits
• Develop best practice
• Introduce benchmark standards
• Recognized international standards

The standard was developed from the following legislation:
• Data Protection Act 1984
• Data Protection Act 1988
• Data Protection Act 1998
• Computer Misuse Act 1990
• Copyright Designs and Patents Act 1988
• Human Rights Act 2000
• Regulation of Investigatory Powers Act 2000 (RIP Bill)

I wish You Great Success.

Monday, July 09, 2007

Site Optimization

You need to focus on two core areas if you want your SEO efforts to pay off:
1. Your on-site optimization efforts -- such as using your best keywords in your sales copy

2. Your off-site optimization efforts -- such as getting quality inbound links to point to your site 

For good rankings, there are three specific things you need to pay attention to:

1. Your inbound links - you need to build a network of high-quality inbound links pointing to your site. By high quality I mean links from sites that have a Google PageRank of 4 or more. (You can check a site's PageRank by adding the Google Toolbar to your browser.)

The best ways to get these links are to:
- Get your site listed with the top directories, like the Open Directory Project
- List your site on industry-specific directories
- Write content-rich articles and submit them to high PageRank article directories
- Offer free content to high PageRank sites that target the same market as you 
- Participate in forums that are popular with your target market and include a link to your site 


2. Your anchor tags - Make sure the anchor text has your top-performing keywords in it. Google is looking for hyperlinks attached to actual phrases (as opposed to bare URLs). The idea is that hyperlinked phrases are more likely to lead to a useful reference site.

For example, if you have a dog training site, Google will pay more attention to a hyperlink that's attached to a phrase like, "best dog training tips" than a link that's attached to: doghouserules.com.

Ensure your anchor tags don't all use the exact same keyword phrase. They should include variations on a number of different keywords. That will make them look more natural to the search engines.

3. Your title tags - Your title tag is one of the most important tags on your site. It's one of the first things the spiders look at when they arrive on your site.

Ensure you include your top-performing keyword phrase in your title tag.
(You can see what your title tag is by looking at the very top of your browser when you're on your homepage. What information appears there? Does it include your top keyword phrases? It should!)

Your title tag is the text some search engines display in the listings that appear in the search results. So, it needs to clearly communicate to your visitors exactly what your site is about. The best way to do that is by including the keyword phrases they typed into the search engine.

Finally, have patience. Search engine optimization is not an overnight strategy. 
Sometimes it can take up to six months to see the results of your work. But the results will be worth it!

I wish You Great Success.