April 7, 2010

HB 327:2010 - Communicating and consulting about risks

Good evening friends and readers,

Shame on me… On March 6th 2010, I was so excited to purchase my own copy of the Australian standards body's latest handbook that I totally forgot to post about it!!!

The reason why I use the word excited is that, from a professional perspective, the Australian standards body and the New Zealand Task Force have always been innovators in the field of applied risk management, and their publications have never been less than great.

Most people are not aware of this fact, and we tend to forget that the "buzz" around ISO:31000, or the one we experienced with ISO:27005, both originate from beautiful Australia and no less beautiful New Zealand.

Nearly all modern risk management practices in the ISO world find their roots in AS/NZS 4360 and in the handbooks created over the past few years by this Oceania think tank.

“Handbook 327 – Communicating and consulting about risks”, like the rest of their documents, is just great. It is, to my knowledge, the first time that somebody provides such a concise and specific view of those two risk management aspects we tend to neglect.

Within a short 28 pages, this self-described “Owner’s Handbook” gives you basic but relevant advice on communication and consulting on the topic of risks within your organization.

The reason it is important that you understand the consulting aspect is that although you might be THE risk specialist, the detectors, the ones who actually see the real day-to-day and operational risks, are out of your reach. And guess what, your discipline is out of theirs.

In short, this document explains how you can help them help you!

The first part of the document explains why you should do it and gives you great insights to help you sell your case. It provides you with:

• An overview of the communication and consulting process
• A way to identify stakeholders and engage them in the process
• A fresh perspective on power holders' agendas, legitimacy and urgency
• Distortion of the process, the messages and their output
• Managing perceptions (tolerable vs. acceptable risks)
• Managing uncertainty (precaution, measurement and communication)

The second part explains how to do it by asking the right questions and supports you in determining:

• What are the communication objectives?
• Who will/should be involved?
• What are the communication channels?
• What needs to be communicated or consulted about?
• How will you communicate and conduct consulting engagements?
• What are the barriers to overcome?

Finally, an interesting element provided within part two is a set of 4 short case studies: one on risk treatment, one on getting people on board, one on relevant risk identification by non-“risk-pros” and finally, one on the benefits of communication and early involvement.

You might find this document a bit light in content but personally, I see HB 327 as a great reminder of what needs to be kept in mind when acting as the subject matter expert on risk management within your organization.

Our counterparts and customers are often less proficient than we are in the discipline, but they are the ones with the real knowledge, the "down to earth perspective" we need in order to provide good input to our top management.

I hope you will enjoy the reading!

Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer

April 5, 2010

Issues with Authorstream when viewing ISO 27001 trainings solved

Good evening everybody,

Although the presentations were still accessible on the blog through the embedded viewer, something went wrong with AuthorStream.

AuthorStream experienced some issues over the weekend and my stuff got wiped! Thanks to Mr. Fournier, one of the readers, the problem was promptly identified and I just reloaded everything from my last backup.

Unfortunately, I lost all trackers and historical data on viewership, but it is no big deal. Until now, the service has been just perfect, but if the problem occurs again, I will switch to PPT-to-MP4 conversion.

Well, that’s it for tonight. Until next time, enjoy the presentations!

Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer
CTO @ Above Security

April 1, 2010

Financial Management of Cyber Risk - Implementation Framework for CFOs

Good morning !

An excellent report just got published. Underwritten by Symantec with the support of the Internet Security Alliance and of the American National Standards Institute, this document provides a practical and easy-to-understand framework for executives to assess and manage the financial risks generated by modern information systems.

The 76-page document offers a pragmatic action plan that addresses cybersecurity from an enterprise-wide perspective.

Developed by a task force of more than sixty industry and government experts, The Financial Management of Cyber Risk: An Implementation Framework for CFOs has been funded and managed by the private sector and is offered as a free resource on cyber risk mitigation for organizations across the country.

It is available for download from the ANSI or the ISA web site.

Here is the download link to the ANSI store (free but registration required)

I hope you will enjoy the reading as much as I did :)

Have a great day!

Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer
CTO @ Above Security

March 31, 2010

New ISO 27001 Training Available !

Good afternoon everybody,

Let me first start by saying that I have been amazingly busy in March, with lots of challenging and interesting customer projects and an intense training delivered in Montreal 2 weeks ago.

The good news is that my latest ISO 27001 training is now available for you to watch.

This is part 1 of a 2-part training on ISO 27001 clause 4, which defines the requirements for implementing an ISMS from a scoping, risk management and document management perspective.

Just click on the image to watch it (31 minutes duration).

The second part of the training will be available in April.

I hope you will enjoy, don't forget to send me your comments please!

Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer
CTO @ Above Security

March 19, 2010

#1 ISO/ISO 27001 Related Blog on TechnoRati - Big thanks to all the readers

Good morning (again) to all of you!

Just a quick post to thank you again. I know I already did it back in early February, but this morning, this blog hit another milestone I personally set for myself when I decided to start it.

In fact, "martindion.blogspot.com - ISO Security Training" became the number one ISO/ISO27001 related blog on TechnoRati billboard :)

For those of you who don't know TechnoRati, it is a tracking system for bloggers to determine how well their blog is perceived. It does not focus on how many hits you have or how well you rank in search engines, but rather on how many other bloggers, public articles and information sources (all of this called "Authority") point back or link back to you and your articles.

I am really happy that I already hit this milestone since:
- I started the blog a little over 3 months ago
- The readership already ranks in the thousands on a monthly basis
- People are starting to send me more and more questions, AND:
- I do not use any form of publicity and do not engage in any link exchange solicitation with other blogs

This recognition from you the readers and from my peers encourages me to continue my work and to bring you the best available information from the field when it comes to ISO 27001.

Cheers and have a good week end,

Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer
CTO @ Above Security

ISO:27001 for small business and/or limited perimeter (Part 3 of 3)

Good morning folks,

This is the third and final posting in a series of 3. As a reminder, Cyril, one of the blog readers, asked me by email an interesting set of questions:

1. Is there documentation or feedback information on ISO27001 ISMS implementation within a smaller organization (ie: business unit only or department) publicly available?
2. Could the decision of certifying only a subset of an organization or a smaller perimeter cause more harm than good or even project an image of irrelevancy for such an endeavor?
3. Are other frameworks more adapted to such a context?

My understanding of your third question:
Is there any information security management framework available that might be better adapted to the context of a business unit, department oriented or smaller business information security?

Big question that I will do my best to answer but keep in mind that this blog focuses on the implementation of ISO frameworks in general.

For those of you who didn’t already listen to training #1 published last January, I invite you to do so, since I cover a bunch of information security related standards in that video training.

The first observation that comes to mind when answering your question is that although some non-ISO security frameworks are available, most of them, if not all, try to directly attach and relate themselves to ISO 27001. Some of them should be seen as complements; some others offer equivalence but with a different perspective on the topic of information security and IT governance.

A second observation I would like to make is the fact that ISO has been created with a “one size fits all” mindset. In other words, it is business sector and size agnostic. Not all the controls are applicable to your specific context, and the perimeter can differ from organization to organization.

As an example, let’s say you want to certify a business process outsourcing division that focuses on accounting services and does not conduct software development. The controls documented in Annex A, section 12 are mostly irrelevant and can be excluded from the statement of applicability.

Furthermore, keep in mind that adopting the ISO 27001 framework does not automatically mean that you have to shoot for certification, so you can take some pressure off and start experimenting :)

However, let’s say you want to stick with ISO 27001. What I personally like to do with customers who are getting into the 27001 business is to give it a CMM twist.

A Capability Maturity Model enables you to define how well you are doing some things on a scale of 0 to 5. The reason why I prefer to do this with “starters” is that the customer can work on various control improvements without shooting for “certifiability”. The side benefit of the CMM scorecard is that it enables you to easily track the implementation progress and report on it to top management in an iterative manner.

To start using this combined approach, you have to conduct an initial audit to establish a baseline by defining the current maturity level of the controls. The second step is to define the target levels you want to attain and to span the work over a 2 or 3 year period. If you want to be certified, all the controls should minimally attain level 3 and some of them are to be at level 4.

The good news is that by using and updating your ISO27001/CMM scorecard, you are practicing on a day to day basis, the Plan-Do-Check-Act cycle required by ISO:27001. Here is a sample CMM scale you can apply to ISO27001:

- Level 0: The control is not implemented or, although required, not respected at all.
- Level 1: The control is not documented and/or its application is intuitive/irregular.
- Level 2: The control is not documented, but evidence shows that it is done on a regular basis by the staff.
- Level 3: The control is formally documented, proof of its regular application is available, and regular audits are performed.
- Level 4: It is documented, evidence is available, performance is measured by means of detective/automatic controls, and key performance indicators are available/communicated to top management.
- Level 5: The previous requirements plus an integrated control approach is implemented to prevent and/or correct deviance from the previously set objectives.
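As an added example (not code from the post), here is a small ISO27001/CMM scorecard that records the baseline, target and current level of each control, applies the certifiability rule above (every applicable control at level 3, level 4 where decided), and measures progress from one Check step to the next. The Annex A references in the sample data are illustrative placeholders, and the SoA exclusion mirrors the accounting BPO example earlier in the post.

```python
# Added example (not from the post): an ISO 27001 / CMM scorecard that records the
# baseline, target and current maturity level of each Annex A control, reports what
# still blocks certifiability, and measures progress across PDCA cycles.
# The Annex A references in the sample data are illustrative placeholders.
from dataclasses import dataclass, replace
from enum import IntEnum


class Maturity(IntEnum):
    """The 0-to-5 scale proposed in the post."""
    NOT_IMPLEMENTED = 0  # not implemented or, although required, not respected
    INTUITIVE = 1        # undocumented, applied intuitively/irregularly
    REGULAR = 2          # undocumented, but evidence of regular application
    DOCUMENTED = 3       # documented, evidence available, regularly audited
    MEASURED = 4         # plus detective/automatic measurement and KPIs reported
    OPTIMISED = 5        # plus integrated prevention/correction of deviations


@dataclass(frozen=True)
class Control:
    control_id: str              # Annex A reference (illustrative in the sample)
    baseline: Maturity           # level found by the initial audit
    target: Maturity             # level to reach by the end of the 2-3 year plan
    current: Maturity            # level found at the latest "Check" step
    applicable: bool = True      # False when excluded in the Statement of Applicability
    needs_level4: bool = False   # controls the organisation decided must reach level 4


def required_level(control):
    """Post's certifiability rule: at least level 3, level 4 where so decided."""
    return Maturity.MEASURED if control.needs_level4 else Maturity.DOCUMENTED


def control_blockers(controls):
    """Ids of applicable controls whose current level is below what certification needs."""
    return [c.control_id for c in controls
            if c.applicable and c.current < required_level(c)]


def is_certifiable(controls):
    return not control_blockers(controls)


def progress(controls):
    """Share of the planned maturity gain (baseline -> target) achieved so far, 0.0-1.0.
    Gains above target are not counted, so over-delivery on one control cannot hide a
    gap on another; excluded controls are ignored."""
    planned = achieved = 0
    for c in controls:
        if not c.applicable:
            continue
        gain = max(c.target - c.baseline, 0)
        planned += gain
        achieved += min(max(c.current - c.baseline, 0), gain)
    return 1.0 if planned == 0 else achieved / planned


def record_check(controls, observed):
    """PDCA 'Check': return a new scorecard with the levels observed in this cycle.
    `observed` maps control id -> Maturity; unlisted controls keep their level."""
    return [replace(c, current=Maturity(observed[c.control_id]))
            if c.control_id in observed else c for c in controls]


def management_report(controls):
    """One line per control for the iterative report to top management."""
    lines = []
    for c in controls:
        if not c.applicable:
            lines.append(f"{c.control_id}: excluded (Statement of Applicability)")
            continue
        status = "OK" if c.current >= required_level(c) else "GAP"
        lines.append(f"{c.control_id}: baseline {int(c.baseline)} -> current "
                     f"{int(c.current)} (target {int(c.target)}) [{status}]")
    lines.append(f"Progress: {progress(controls):.0%}; certifiable: {is_certifiable(controls)}")
    return lines


# Constructed sample scorecard for an accounting BPO unit that does no software
# development, so the section-12 control is excluded (as in the post's example).
SAMPLE_SCORECARD = [
    Control("A.5.1.1", Maturity.INTUITIVE, Maturity.DOCUMENTED, Maturity.INTUITIVE),
    Control("A.8.1.1", Maturity.REGULAR, Maturity.MEASURED, Maturity.DOCUMENTED,
            needs_level4=True),
    Control("A.11.1.1", Maturity.DOCUMENTED, Maturity.DOCUMENTED, Maturity.DOCUMENTED),
    Control("A.12.5.1", Maturity.NOT_IMPLEMENTED, Maturity.NOT_IMPLEMENTED,
            Maturity.NOT_IMPLEMENTED, applicable=False),
]

if __name__ == "__main__":
    print("\n".join(management_report(SAMPLE_SCORECARD)))   # year 1: 25%, two gaps
    year_two = record_check(SAMPLE_SCORECARD,
                            {"A.5.1.1": Maturity.DOCUMENTED, "A.8.1.1": Maturity.MEASURED})
    print("\n".join(management_report(year_two)))           # year 2: 100%, certifiable
```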

In a nutshell, I suggest you stick with ISO27001 since it is the only framework formally certifiable. Used in conjunction with CMM it will help you ease the implementation process.

The reason why I am making this claim is that although some other security frameworks are great and sometimes freely available, I do not think they are any easier to implement. To form your own opinion on the other frameworks, have a look at the following:

- ISM3 (Information Security Management Maturity Model)
- COBIT from ISACA, which can be used in conjunction with Val IT from the ITGI
- SSE-CMM (System Security Engineering Capability Maturity Model)
- The Standard of Good Practice from the Information Security Forum
- The security publications from NIST (National Institute of Standards and Technology)
- PCI-DSS from the Payment Card Industry Security Standards Council

To conclude, although I have a strong opinion on the adoption of ISO as the framework of choice, I see one alternative. If you want to achieve certification down the road and want to limit rework, I suggest you start specific projects based on the publicly available NIST documents.

Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer
CTO @ Above Security

March 18, 2010

ISO 27001 for small business and/or limited perimeter (Part 2 of 3)

Good morning folks,

This is the second posting in a series of 3. As a reminder, Cyril, one of the blog readers, asked an interesting set of questions:

1. Is there documentation or feedback information on ISO:27001 ISMS implementation within smaller organizations publicly available? (ie: business unit only or department)
2. Could the decision of certifying only a subset of an organization or a smaller perimeter cause more harm than good or even project an image of irrelevancy for such an endeavour?
3. Are other frameworks more adapted to such a context?

Since we discussed question 1 in the last posting, let’s jump right away to question #2 which is: What is the potential impact in terms of value perception or image when certifying only a subset of an organization?

This question is really interesting. First, as I have discussed in a previous posting on LinkedIn, there are many different reasons why companies decide to obtain ISO 27001 certification:

- Marketing
- Better security process
- Continual improvement… (See previous post for all the reasons)

Second, one must know that an early step towards certification is to define the ISMS perimeter (Information Security Management System).

If you carefully and scientifically analyze the potential situation using the following approach:

MIX “First Observation” / “Reason #1” WITH “Observation #2”

It is safe to assume that an organization going for certification with marketing reasons in mind will make an outstanding effort to reduce the perimeter to the smallest possible unit within the organization. This scientific demonstration is also known in layman's terms as the “biggest bang for the buck” :)

The reason why this question is so interesting is that those misled persons I just mentioned will get the unpleasant surprise of discovering that within a large organization, it is not easy to limit the certification scope to a specific department or a subset of a business since:

- Physical security is managed centrally
- Human resources processes are handled by a specific department and are standardized across the organization
- Access control management (physical, logical, network, OS, DBMS, applications…) is rarely handled by a single person or department (ie: HR + IT most of the time)
- Corporate email, file storage, backup and printing services are shared corporate facilities, and it would be hard to operate them differently from the corporate standard for a single department
- End users are within the scope of certification; therefore, if your system is used by human beings outside your department, you will need some security measures and a security awareness campaign aimed at them.

The list of reasons can go on and on, but I think you get my point...

With that said, ISO allows you to scale down the certification perimeter to a single business process or a limited perimeter. In my opinion, if you want to do it, there are three good ways of defining and scoping a smaller perimeter:

- A specific office /region / geographical location / country
- A shared service unit such as “information technology” and its datacenters
- A self-sustained business process (ie: an off-site call center with its own servers, IT staff and purpose in life; in short, a business within the business)

On the point of “Would trying to limit the perimeter give a bad image to the initiative?”, I think that you can now determine on your own that doing so without taking certain precautions will most certainly have a negative impact, if not on the initiative, on you!

If you make the mistake of not considering that certain controls transversally affect the organization, you won’t succeed; therefore, you will have invested a lot of time and effort and spent precious organizational budgets to achieve next to nothing.

Yes, the security posture will have improved, but remember one thing: YOU told top execs when selling your project that your success measurement criteria will be the certification proving you did your job correctly…

Note to myself: In a future post, I should take some time to discuss how to sell the project internally and what you can safely promise your management when talking ISO 27001 certifications without shooting yourself in the foot.

I hope this post will help you get a better understanding of the benefits and requirements, but also of the potential pitfalls to consider when limiting the perimeter and scope of your certification.

Now readers and fellow bloggers, the ball is in your court! Although I just gave you what I think to be a nice property tour, my posting is not a fully detailed answer or analysis of the “perimeter and scoping” nuts and bolts. I didn’t look into all the possible scenarios and constraints, and therefore will ask you to either comment or propose specific perimeter scoping scenarios you would like to debate.

Until next time, have a great day :)

Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer

ISO 27001 for small business and/or limited perimeter (Part 1 of 3)

Good evening folks,

I hope all of you are doing well. As I am giving an ISO 27001 Lead Auditor certification training in my hometown this week, I am writing to you from the beautiful city of Montreal, Canada.

First, I would like to start this post by sincerely thanking Cyril, one of the blog readers, for an interesting set of questions and comments. Here are his questions:

1- Is there documentation or feedback information on ISO 27001 ISMS implementation within smaller organizations (ie: business unit only or department) publicly available?
2- Could the decision of certifying only a subset of an organization or a smaller perimeter cause more harm than good or even project an image of irrelevancy for such an endeavour?
3- Are other frameworks more adapted to such a context?

Since each of those questions deserves my full attention and will require a potentially lengthy answer, I will answer to each of them in a different posting over the next few days.

Question 1: Is there feedback or a documentation source available on small business / limited perimeter ISO27001 certification?

Let me first answer your question by saying that the reason why I decided to start this blog is specifically the lack of a publicly available, non-commercial and community oriented meeting place for people wanting to learn and share on the topic of ISO27001. So I hope my blog will eventually fill that particular space.

With that said, there are a few discussion groups available, but I must unfortunately admit that those are low “traffic”. Still, they might be interesting places to look at, as a lot of questions were asked and answered over time. Here are some forums and web sites you might want to look into:

http://groups.google.com/group/iso27001security
http://tech.groups.yahoo.com/group/iso-27001/
http://www.17799.com/modules.php?name=Forums

Another place you should go to if you have specific questions is LinkedIn. It is one of the best places to ask questions to a wide audience of potential experts. Although the quality of answers is variable, if you post your inquiries in the Information Security and Quality Management subsections, you will reach in "near realtime" tens of thousands of people who might have faced the same issue. Here are the links to the LinkedIn Q&A space:

LinkedIn Quality Management Q&A Section
LinkedIn Information Security Q&A Section

Finally, one thing you should do is get online, look at who got certified, review their certification scope and identify two or three companies who got certified in a similar context. Once you spot them, I suggest you do not hesitate to contact them to discuss the matter at heart. After all, this is a professional inquiry, and anybody with a normal level of professional courtesy will gladly answer your questions. Here are some links you can look into to find certified companies you can contact:

http://www.iso27001certificates.com/
http://www.sgs.com/certified_clients
http://www.bsigroup.com/en/Assessment-and-certification-services/Client-directory/CertificateClient-Directory-Search/

I hope this posting answers your question, and that you will find what you are looking for in the previously mentioned resources.

Stay tuned for the next posting and until then, have a great day!

PS: Readers are invited to leave comments!

Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer
CTO @ Above Security

March 12, 2010

Nothing to worry about, stand by for a new post!

Good day everybody,

Just want to apologize: I was offline most of the week and will be delivering a training next week.

But hang in there!!!! I am done with "ISO 27001 - Clause 4" training script.  I will try to record it and to put it online mid-next week :)

Until then, have a great day !

Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer
CTO @ Above Security

February 23, 2010

Iqnite Conference, June 15th - Talking Security (ISO 27001 and PCI-DSS)

Good morning everybody,

It is now official, I will be participating in the Iqnite Conference in Geneva on June 15th 2010. The Iqnite conference (formerly known as the Software & Systems Quality Conference) is one of the most important events for the Testing and Quality community.

Over the course of the conference, industry professionals will share practical strategies and knowledge providing you with valuable information to raise the overall benefit of Testing and Quality Management in your organization and increase profits.

This year, a call for papers specific to Information Security topics was made and I am happy that my suggestion was accepted. I will conduct a 90-minute workshop on ISO:27001 implementation pitfalls and lessons learnt from the field.

I was also happy to learn that Mr. Stephan Slunitschek will participate in the conference and present the PCI-DSS Implementation Project we are currently working on at the Touring Club Swiss (TCS). Stephan is a member of the management consulting office at the TCS and he is the PCI-DSS Project Director, while I act as the Subject Matter Expert on the project.

The presenters, who come from the Geneva and Vaud cantons, Cosworth, Merck, Generali, SQS, TCS, Above Security, Skyguide, Evocean, Capital Group and Six Group, will be sharing their experience with regards to testing, quality and the business benefits derived from those initiatives.

To conclude, I personally think this conference will be interesting, since we will have among us people from different industry sectors (Government, Insurance, Pharma...) holding a mix of different positions (Trainers to CIOs...) who will share real life experiences.

I hope some of you will be able to join us in beautiful Geneva on June 15th!

Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer
CTO @ Above Security

February 22, 2010

New Training : ISO 27001 Roles and Responsibilities

Good day !

I am happy to announce the availability of this second training session, which focuses on information security roles and responsibilities.

This is a mini-training to keep you from starving until I publish the upcoming ISO:27001 Clause 4 training.

The duration is only 15 minutes, but it touches on two very important concepts, the Everett Rogers Innovation Adoption Curve applied to Information Security Management:

And the ISO 27001 Wheel of Roles and Responsibilities:

To learn more about those two concepts, listen to the training by clicking on the image!


I hope you will enjoy, thanks in advance for posting your comments!

Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer
CTO @ Above Security

February 8, 2010

Social networks at work: To be or not to be?

Whether you like it or not, whether you use them or not, social networks are now part of our lives; if not of yours directly, then of those of our friends, children and colleagues.

Now that we have them in our lives, we have to learn to use them safely and correctly, thus the question: Is it ok to have them and use them at work?

Before answering, let’s just step back a few years…

When the “Web/Internet” appeared in the corporate world, I recall most of my clients saying there was no need for such a thing at work, it was a total waste of time, employees were losing productivity… To some extent it was true, but honestly, today, lots of people cannot perform their job without accessing it.

It is still true that there is some loss of productivity, but it brings a lot of joy and relaxation to workers: being able to coordinate some personal issues via email, find the next vacation spot online, reserve tickets without having to drive down to a travel office. Let’s be honest, it saves us a lot of time and it has improved our quality of life and happiness, and therefore improves our ability to perform our jobs better because, overall, personal things are now easier to manage.

It was a paradigm shift back then, as social networks are right now. The thing is that most of us just haven’t yet found the best way to leverage them for day to day business.

With that said, we can’t use them inconsiderately, especially not at work. Although you might not be able to establish the value of social networks for your business yet, you might still decide to “please” your staff and allow the access and use of social networks in the office. If you do so, make sure you train your staff to limit potential negative impacts on your business.

To help you do this, the ENISA (European Network and Information Security Agency) has conducted a study and produced a report (available for download here) that establishes 17 golden rules social network users should follow to ensure an adequate level of security and act responsibly when using them.

Although it makes a lot of sense to security professionals, I have noticed that a lot of people do not see the potential issues with social networks. In a nutshell, the ENISA suggests that users:

- Pay attention to what they post and upload
- Choose friends with care
- Protect the work environment and avoid reputational risks
- Protect mobile phones (lots of mobile users out there)
- Respect other people’s privacy
- Get trained, get an understanding of the risks
- Protect their privacy using adequate privacy settings
- Report lost/stolen mobile ASAP
- Pay attention to location based services

There is much more to it than those simple recommendation topics in the report. A lot of the information can be re-used and integrated into your own security awareness training, so please take the time to read it carefully.

All in all, some of the real risks of social networks from a business standpoint are:

- Cyber bullying and electronic harassment between employees or between your staff and your competitors' staff??? (come on, we are not 12 years old anymore);
- The principle of “guilty by association”: when people privately belong to groups or associations that do not represent well your overall corporate culture, standpoint or image;
- Leakage of privileged information. It is human nature to speak about what we do. Sometimes, people get excited about a specific project or initiative they work on and start discussing it online. This happens all the time over email and bulletin boards, and that risk is even more important with social networks since you have to feed the beast once you're in; and,
- Potential loss of control over corporate image: it happens when employees start defending the corporate point of view based on their own interpretation of events, or when they publicly complain about something that should be managed internally.

To conclude, private and work lives are to be kept apart. If you are to allow people to use social networks at work, clear boundaries are to be established between those two. I think it is important to define posting guidelines (with example of what is allowed and what is not allowed) and make them available to your staff.

PS: Watch out for the staff who travel a lot; many social network users install mobile components on their cell phones, and it can crank up a bill pretty quickly!

Thanks for reading and have a great day,

Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer

February 5, 2010

ISO 27003:2010 Standard Now Available

Good afternoon everybody,

Last post for this week :) In case some of you didn't notice, the ISO 27003 standard version 2010 was published this week.

This standard focuses on the key elements and deployment activities necessary to successfully design and implement an ISO 27001 based Information Security Management System (ISMS).

It describes the various steps that you need to go through to specify, design, define and implement the requirements of the ISMS from its inception to a "certifiable" status, and provides guidance on how to plan the ISMS project and get management endorsement.

In the next trainings we will go into more detail on this standard's content and why it might appeal to you if you are responsible for implementing an ISMS within your organisation. For those of you who ever heard of the BIP documents from the BSI, you must be aware that the objectives are the same and that they are both similar in nature.

The 2010 official release is shorter (68 pages) than the originally planned 2007 draft, which ran to no less than 110 pages, but in this case, quality comes before quantity.

Every ISO practitioner and consultant should have their own copy! Don't forget that this is copyrighted material: every member of the project team should also have their own named copy unless your company or the client has a site license! It can be purchased in electronic or paper form from the ISO web site at a cost of 168.- Swiss francs plus shipping if applicable.

Have a great week end !

Martin Dion (CISSP/CISM)
ISO:27001 Lead Auditor & Trainer
CTO @ Above Security

February 4, 2010

Privacy Protection – Swiss Made

Good morning,

Yesterday, I participated with 65 of my peers to an informational workshop on the “current state of affairs” with regards to the Privacy Protection laws and initiatives that are underway in Switzerland.

The “core” working group composed of the unit chief, the privacy commissioner and both legal councils exposed us over a two-hour period to various bits and pieces of information that I will try to resume in the current posting.

First, let me start by saying that although the Swiss regulation is not really aggressive in terms of retaliation against the privacy vandals and “neglector”, it is really well structured. Some might complain it is too much, but it is clear that all the relevant aspects are formally addressed in the regulation.

Currently, the mandate of this working group is to bring to the market a government approved way of certifying both product and services in terms of privacy protection compliance. This is quite unique for now since I am not aware of any formal “country driven” initiative. A lot of private and commercially driven privacy label exists but the Swiss government is attempting to formalize certification channels and to impose such exercise in the regulation.

This information session started with a presentation of the results from a survey that was conducted among the participants a few weeks earlier. The topic of the survey was service and product certification, which is, in my understanding and opinion, important to determine whether this vision corresponds to a market need and not only to a government wish. Roughly, over 75% of the responses confirm a market demand, which is great news for the core workgroup.

We were then presented with the current status of the legislative work; everything seems to be on track from that standpoint as well.

Then, Mr. Baumann, the Swiss Federal Privacy Commissioner (or Préposé fédéral à la protection des données et à la transparence), presented his analysis of what is already available on the market in terms of service and product certification processes.

To summarize, the Swiss government is currently looking at an ISO-type certification based on currently available standards such as ISO 27001 and ISO 20000 for service certification and ISO 15408 (Common Criteria) for product certification.

I personally agree with the approach. Simply put, there is no other way to go. Continuous improvement and independent certification of both services and products are necessary. Some elements still need to be cleared up: which standards should be used, how to tackle the task, and how does this fit into the more general framework / certification market?

To clear up those last questions, a workgroup involving the private sector is currently being set up. Work is scheduled to start in March 2010 and deliverables are expected by mid-2011. My candidacy is in; I will try to get involved in that workgroup for myself, since I find this pretty interesting, but also on behalf of CLUSIS.

To obtain further information on the regulation, I invite you to visit the commissioner's web site.

Have a great day and talk to you soon,

Martin Dion (CISSP/CISM)
ISO:27001 Lead Auditor & Trainer
CTO @ Above Security

February 3, 2010

Business Continuity Management System – NFPA 1600 2010 released

Good day everybody!

Before diving into the subject, I just want to inform everybody that the next video training will be available toward the end of next week. Now, let's get back to business :)

For many years now, a lot of people have been struggling with business continuity. First and foremost, it is often a question of language: business continuity, disaster recovery, resiliency, service availability… People use different terms and do not necessarily agree on the scope and meaning of those words.

With that said, whatever it means to you, from an ISO 27001 or BS 25999 perspective they all fall within one category: Business Continuity Management.

The reason why I think it is important to talk about this today is that the National Fire Protection Association of the United States has just updated the 2007 version of its standard for Disaster/Emergency Management and Business Continuity Programs. The standard can be downloaded for free, right here!

The purpose of my posting is not to provide you with details about the changes between the two versions but rather to expose you to the existence of the standard and its content, to help you gain a better understanding of Business Continuity Management Systems.

Chapter 3 – Definitions
It provides the reader with 24 definitions of words we commonly use when discussing a BCMS.

Chapter 4 – Program Management
This section defines the requirements in terms of management commitment, roles and responsibilities, resource allocation and records management. For those of you who are already versed in ISO:27001 and BS:25999, you can see there are a lot of “clause 4 to 8” elements in there.

Chapter 5 – Planning
Focuses on establishing the scope, understanding the constraints and requirements, conducting risk and business impact assessments, and making decisions in terms of preventive measures and possible mitigations.

Chapter 6 – Implementation
Talks about the various elements that need to be put in place to make it happen, such as emergency response, incident management, training, crisis communication, emergency operations centers and the various operational procedures.

Chapter 7 – Testing and Exercises
Documents the requirements for testing, exercising, evaluating and ensuring that the plan actually works.

Chapter 8 – Program Improvement
Again, much like the PDCA cycle enforced by ISO standards, the NFPA clearly states how and why the program should improve and what needs to be done to ensure the program remains adequate in the face of regulatory changes and the evolution of the organization.

Annex A – Explanatory Material
Provides 15 pages of really useful supplemental information, such as a mapping of the NFPA 1600:2010 standard to the Disaster Recovery Institute Professional Practices and a set of guidelines for many of the topics mentioned previously.

Annex B – Program Development Resources
Includes a list of supplemental references and resources on the subject.

Annex C – Conformity Self Assessment
This is really a great section in this document! It provides the reader with a list of self-audit/self-assessment questions to go through to establish whether you are doing your job in terms of business continuity and with regard to the management of the BCM program.

All in all, this is a great and free resource for gaining a better understanding of BCM. Compared to BS:25999, it lacks a bit in terms of the structure, components and workflow specifics of management systems and continuous improvement, but the quality and depth of the information included, as well as the practical aspects covered, make it a unique document that complements BS:25999 and surely fills a lot of the empty spaces left within ISO:27001.

In conclusion, I just want to remind you how great Annex C is: although the standard is free, many people I know would have paid just to get that section!

Have a great evening and thanks for your time and comments!

Martin Dion (CISSP/CISM)
ISO:27001 Lead Auditor & Trainer

January 29, 2010

ISO27001 Lead Auditor Certification & Thank you !

Good morning folks,

I promised myself that I would not plug anything on my personal blog, but since I started it readers have asked me a couple of times per week: when and where will my next face-to-face training be?

*** Beginning of Plug***
The date is now known. If any of you want to attend, I will be giving an RABQSA ISO 27001 Lead Auditor Certification class in Montreal, Canada, between March 15th and 19th, 2010. You can contact our Montreal office or me for more details.
***End of Plug***

With that said, I just want to give you all a big thank you! Thanks for reading, thanks for coming back, thanks for the encouragement and thanks for the questions.

To give you a better idea, over a thousand unique visitors came to read my blog in the last month and the average time spent on the site is about 3 minutes (enough time to read the postings). Over 70% of you came back to the blog at least 5 times in January, and last week's online training has already been viewed by 150 people :)

Again, thank you all and see you soon,

Martin Dion (CISSP/CISM)
ISO:27001 Lead Auditor & Trainer
CTO @ Above Security

January 28, 2010

Risk, Security & Compliance Job Descriptions

Hello everybody,

I just came across an interesting eBook created by Mr. George Lekatis from Compliance LLC. This eBook provides a collection of 100 job descriptions covering risk management, information security and compliance positions.

The descriptions are about 2 pages each and are more along the lines of job postings; still, in my opinion they are interesting to point you in the right direction. It can be freely downloaded here. There is a bit of self-promotion in there, but I cannot blame him: the book is free and normalizing all the job descriptions surely took some time. If I had one recommendation to make to Mr. Lekatis, it would be to provide a better index to ease navigation through the book.

As a final remark, if you are looking for a formal and more detailed resource on the subject of job descriptions, roles and responsibilities, you should look at the all-time classic “Information Security Roles & Responsibilities Made Easy V.2.0” by Cresson Wood. It might seem a bit pricey, but it is definitely worth the investment if you are looking for a full-blown reference on the subject.

Talk to you soon!
Martin Dion (CISSP/CISM)
ISO:27001 Lead Auditor & Trainer
CTO @ Above Security

January 27, 2010

Subscription Service Now Available !

Good day!

As requested by many of you, I have set up an email subscription service to complement the blog. Now it is up to you to become an official “Follower” or to simply subscribe to the posting notification mailing list using the widget on the left toolbar.

Subscribing to the post notification mailing list will enable you to receive a short email with a link to each new posting as soon as it becomes available on my blog.

You can confidently use this feature knowing that it uses a double opt-in system and that your email address won’t be made available to anybody but me. This mailing list will only be used to inform you of new posts and major changes to the blogging system.

I hope this new feature is in line with your expectations.

Have a great day!

PS: As a 3rd and final alternative, you can also send an email to martindionblog+subscribe@googlegroups.com

Martin Dion (CISSP/CISM)
ISO:27001 Lead Auditor & Trainer
CTO @ Above Security

Cloud Computing Security - 10 questions to ask yourself

In a recent CIO Magazine article, Tim Brown took the time to assemble 10 questions that should be investigated in detail before making the move to cloud computing.

Here is a brief recap, which I hope we’ll be able to brainstorm on together:

1. Will cloud computing change my risk profile?
2. Does it have an impact on my current information security policy, and should the policy be modified accordingly?
3. Does cloud computing prevent us from meeting our regulatory obligations?
4. Is the selected provider using / certified against current security standards (ISO 27001, FINMA, FISMA…)?
5. What is the incident response workflow between them and our organization should an incident occur?
6. Who is responsible / liable for securing the data?
7. How do I ensure that only appropriate data is moved to the cloud?
8. How do I ensure that only authorized parties can access that data?
9. What is the hosting model and security architecture (clustering, zoning, isolation, segmentation, shared space…)?
10. How are we going to determine whether we can trust this provider now and in the future?

The interesting thing about those questions is that they can be asked for any type of outsourcing deal.

My questions to you are:
- What are your top three questions in this list?
- What steps would you take to ensure that you obtain adequate information to take a position on those three questions?

Have a great day and talk to you soon!

Martin Dion (CISSP/CISM)
ISO:27001 Lead Auditor & Trainer
CTO @ Above Security

January 21, 2010

First ISO:27001 training available - Introduction to standards

Good day !

I am happy to announce the availability of this first training session, which focuses on the standards available in the market and provides you with an overview of the ISO certification process.

This training, as well as the ones to come, will be available via AuthorStream. Click on the image to start the presentation!


I hope you will enjoy it; thanks in advance for posting your comments!

Martin Dion (CISSP/CISM)
ISO:27001 Lead Auditor & Trainer
CTO @ Above Security

January 18, 2010

Update and new risk certification (ISACA CRISC)

Good morning,

In case you were wondering, I should be ready to post the first ISO training video this week. In the meantime, I came across a news piece and I thought it might be interesting to discuss it :)

As some of you may know, ISACA is launching a new certification, the CRISC (pronounced “see risk”). As with previous certifications, ISACA will grandfather industry professionals based on their existing credentials (starting this April); otherwise you will be able to take the exam in 2011.

Two things come to mind. First, if you are a risk management expert, get involved; I surely will. You can help ISACA prepare the training or exam material over the course of 2010 so people can get trained and take the exam in 2011. If you are experienced enough to be grandfathered, it means you can help, so please do.

Now, the second thing that comes to mind is: do we need another certification? The same question comes around every time a new one is launched. Already available on the market are the ISO 27005 Risk Management certification and the Associate Risk Manager (ARM); somebody will surely design something around ISO 31000 / ISO 31010; and there is also the MoR certification for ITIL practitioners...

In my own opinion, the ISO 27005 certification program is good but the standard is a bit weak: it is primarily designed to support the ISO 27001 company certification process and does not take into consideration the real operational risk management measures that organizations are looking for. ISO 31000 will surely complement the 27005 standard well and help people get a more holistic view of enterprise risks.

The ARM has been designed by the US insurance industry with a deep focus on risk estimation and financing; it lacks a lot in the area of information technology and business continuity risks, while MoR is mostly (nearly only) about information technology, project management and business continuity...

So, by analyzing the market, I think we can safely assume that there is enough space (and enough differentiators) for a new certification. One must also take a step back to look at how ISACA works. From my perspective, the biggest contribution of ISACA is not the certifications it launches but the body of knowledge it creates to train and support professionals on the core aspects of those certifications.

If you are certified, you already know what I am talking about: did you get rid of your CISA or CISM books? Surely not; they contain great information. I even know people who buy the review manuals again every year to get up-to-date information.

Give me your thoughts and input on the subject; tell me what you think this certification and its body of knowledge should contain. We might be able to get something out of it, and I will escalate this information from the field to the association.

Have a great day and see you soon,

Martin Dion (CISSP/CISM)
ISO27001 Lead Auditor & Trainer
CTO @ Above Security