January 29, 2010

ISO27001 Lead Auditor Certification & Thank You!

Good morning folks,

I promised myself that I would not plug anything on my personal blog, but since I started it readers have been asking me a couple of times per week: when and where will my next face-to-face training be?

*** Beginning of Plug***
The date is now known, if any of you want to attend, I will be giving an RABQSA ISO 27001 Lead Auditor Certification class in Montreal, Canada between March 15th and 19th 2010. You can contact our Montreal office or myself to get more details.
***End of Plug***

With that said, I just want to give you all a big thank you! Thanks for reading, thanks for coming back, thanks for the cheering up and thanks for the questions.

To give you a better idea, over a thousand unique visitors came to read my blog in the last month, and the average time spent on the site is about 3 minutes (enough time to read the postings). Over 70% of you came back to the blog at least 5 times in January, and last week's online training has already been viewed by 150 people :)

Again, thank you all and see you soon,

Martin Dion (CISSP/CISM)
ISO:27001 Lead Auditor & Trainer
CTO @ Above Security

January 28, 2010

Risk, Security & Compliance Job Descriptions

Hello everybody,

I just came across an interesting eBook created by Mr. George Lekatis from Compliance LLC. This eBook provides a collection of 100 job descriptions covering risk management, information security and compliance positions.

The descriptions are about 2 pages each and are more along the lines of job postings; still, in my opinion they are interesting for pointing you in the right direction. It can be freely downloaded here. There is a bit of self-promotion in there, but I cannot blame him: the book is free and normalizing all the job descriptions surely took some time. If I had one recommendation to make to Mr. Lekatis, it would be to provide a better index to ease navigation through the book.

As a final remark, if you are looking for a formal and more detailed resource on the subject of job descriptions, roles and responsibilities, you should look at the all-time classic “Information Security Roles & Responsibilities Made Easy V.2.0” by Cresson Wood. It might seem a bit pricey, but it is definitely worth the investment if you are looking for a full-blown reference on the subject.

Talk to you soon!
Martin Dion (CISSP/CISM)
ISO:27001 Lead Auditor & Trainer
CTO @ Above Security

January 27, 2010

Subscription Service Now Available!

Good day!

As requested by many of you, I have set up an email subscription service to complement the Blog. Now it is up to you to become an official “Follower” or to simply subscribe to the posting notification mailing list using the widget on the left toolbar.

Subscribing to the post notification mailing list will enable you to receive a short email with a link to new postings as soon as they become available on my blog.

You can confidently use this feature knowing that it uses a double opt-in system and that your email won’t be made available to anybody else but me. This mailing list will only be used to inform you of new posts and major changes to the blogging system.

I hope this new feature is in line with your expectations.

Have a great day!

PS: As a 3rd and final alternative, you can also send an email to martindionblog+subscribe@googlegroups.com

Martin Dion (CISSP/CISM)
ISO:27001 Lead Auditor & Trainer
CTO @ Above Security

Cloud Computing Security - 10 questions to ask yourself

In a recent CIO Magazine article, Tim Brown took the time to assemble 10 questions that should be investigated in detail before making the move to Cloud Computing.

Here is a brief recap, which I hope we’ll be able to brainstorm on together:

1. Will Cloud Computing change my risk profile?
2. Does it have an impact on my current information security policy, and should the policy be modified accordingly?
3. Does cloud computing prevent us from meeting our regulatory obligations?
4. Is the selected provider using / certified against current security standards (ISO 27001, FINMA, FISMA…)?
5. What is the incident response workflow between them and our organization should an incident occur?
6. Who is responsible / liable for securing the data?
7. How do I ensure that only appropriate data is moved to the cloud?
8. How do I ensure that only authorized parties can access that data?
9. What is the hosting model and security architecture (clustering, zoning, isolation, segmentation, shared space…)?
10. How are we going to determine if we can trust this provider now and in the future?

The interesting thing about those questions is that they can be asked about any type of outsourcing deal.

My questions to you are:
- What are your top three questions in this list?
- What steps would you take to ensure that you obtain adequate information to take a position on those three questions?

Have a great day and talk to you soon!

Martin Dion (CISSP/CISM)
ISO:27001 Lead Auditor & Trainer
CTO @ Above Security

January 21, 2010

First ISO:27001 training available - Introduction to standards

Good day!

I am happy to announce the availability of this first training session, which focuses on the standards available in the market and provides you with an overview of the ISO certification process.

This training as well as the ones to come will be available via AuthorStream. Click on the image to start the presentation!


I hope you will enjoy it; thanks in advance for posting your comments!

Martin Dion (CISSP/CISM)
ISO:27001 Lead Auditor & Trainer
CTO @ Above Security

January 18, 2010

Update and new risk certification (ISACA CRISC)

Good morning,

In case you are wondering, I should be ready to post the first ISO training video this week. In the meantime, I came across a news piece and I thought it might be interesting to discuss it :)

As some of you may know, ISACA is launching a new certification, the CRISC (pronounced “See Risk”). As with previous certifications, ISACA will grandfather industry professionals into the certification based on their existing credentials (starting this April); otherwise, you will be able to take the exam in 2011.

Two things come to mind. First, if you are a risk management expert, get involved; I surely will. You can help ISACA prepare the training or exam material over the course of 2010 so that people can get trained and take the exam in 2011. If you are experienced enough to be grandfathered, it means you can help, so please do.

Now, the second thing that comes to mind is: do we need another certification? The same question comes around every time a new one is launched. Already available on the market are the ISO 27005 Risk Management certification and the Associate Risk Manager (ARM); somebody will surely design something around ISO 31000 / ISO 31010; and there is also the MoR certification for ITIL practitioners...

In my own opinion, the ISO27005 certification program is good but the standard is a bit weak: it is primarily designed to support the ISO27001 company certification process and does not take into consideration the real operational risk management measures that organizations are looking for. ISO31000 will surely complement the 27005 standard well and help people get a more holistic view of enterprise risks.

The ARM has been designed by the US insurance industry with a deep focus on risk estimation and financing; it lacks a lot in the areas of information technology and business continuity risks, while MoR is mostly (nearly only) about information technology, project management and business continuity...

So, by analyzing the market, I think we can safely assume that there is enough space (and enough differentiators) for a new certification. One must also take a step back to look at how ISACA works. From my perspective, the biggest contribution of ISACA is not the certifications they launch but the body of knowledge they create to train and support professionals on the core aspects of those certifications.

If you are certified, you already know what I am talking about: did you get rid of your CISA or CISM books? Surely not; they contain great information. I even know people who buy the review manuals again on a yearly basis to get up-to-date information.

Give me your thoughts and input on the subject: tell me what you think this certification and its body of knowledge should contain. We might be able to get something out of it, and I will escalate this information from the field to the association.

Have a great day and see you soon,

Martin Dion (CISSP/CISM)
ISO27001 Lead Auditor & Trainer
CTO @ Above Security