Good morning everybody,
It is now official, I will be participating to the Iqnite Conference in Geneva on June 15th 2010. The Iqnite conference (formerly known as Software & Systems Quality Conference) is one of the most important events for the Testing and Quality community.
Over the course of the conference, industry professionals will share practical strategies and knowledge providing you with valuable information to raise the overall benefit of Testing and Quality Management in your organization and increase profits.
This year, a call for paper specific to Information Security topics was made and I am happy that my suggestion was accepted. I will conduct a 90-minute workshop on ISO:27001 implementation pitfalls and lessons learnt from the field.
I was also happy to learn that Mr. Stephan Slunitschek will participate in the conference and present the PCI-DSS Implementation Project we are currently working on at the Touring Club Swiss (TCS). Stephan is a member of the management consulting office at the TCS and he his the PCI-DSS Project Director on which I act has the Subject Matter Expert.
The presenters who comes from the Geneva and Vaud Canton, Cosworth, Merck, Generali, SQS, TCS, Above Security, Skyguide, Evocean, Capital Group and Six Group will be sharing their experience with regards to testing, quality and the business benefits derived from those initiatives.
To conclude, I personally think this conference will be interesting, since we will have among us people from different industry sectors (Government, Insurance, Pharma...) and holding a mix of different position (Trainers to CIO...) who will share real life experiences.
I hope some of you will be able to join us in beautiful Geneva on June 15th!
Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer
CTO @ Above Security
February 23, 2010
February 22, 2010
New Training : ISO 27001 Roles and Responsibilities
Good day !
I am happy to announce you the availability of this second training session which focus on information security roles and responsibilities.
This is a mini-training to keep you from starving until I publish the upcoming ISO:27001 Clause 4 training.
The duration is only 15 minutes but it touches two very important concepts, the Everett Rogers Innovation Adoption Curve Applied to Information Security Management:
And the ISO 27001 Wheel of Roles and Responsibilities:
To learn more about those two concepts, listen tho the training by clicking on the image !
I hope you will enjoy, thanks in advance for posting your comments!
Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer
CTO @ Above Security
I am happy to announce you the availability of this second training session which focus on information security roles and responsibilities.
This is a mini-training to keep you from starving until I publish the upcoming ISO:27001 Clause 4 training.
The duration is only 15 minutes but it touches two very important concepts, the Everett Rogers Innovation Adoption Curve Applied to Information Security Management:
And the ISO 27001 Wheel of Roles and Responsibilities:
To learn more about those two concepts, listen tho the training by clicking on the image !
ISO 27001 February Training
See more presentations by martin.dion |
I hope you will enjoy, thanks in advance for posting your comments!
Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer
CTO @ Above Security
Libellés :
A8. Human Resources Security,
ISO 27001,
Training Content
February 8, 2010
Social networks at work: To be or not to be?
Whether you like it or not, whether you use them or not, social networks are now part of our life, if not yours directly, it is for some of our friends, children and colleagues.
Now that we have them in our lives, we have to learn to use it safely and correctly, thus the question: Is it ok to have them and use them at work?
Now that we have them in our lives, we have to learn to use it safely and correctly, thus the question: Is it ok to have them and use them at work?
Before answering, let’s just step back a few years ago…
When the “Web/Internet” appeared in the corporate world, I recall most of my client saying there was no need for such a thing at work, it was a total waste of time, employees where losing productivity… To some extent it was true, but honestly, today, lots of people cannot perform their job without accessing it.
It is still true that there is some loss of productivity but it brings a lot of joy and relaxation to workers. Being able to coordinate some personal issues via email, find the next vacation spot online, reserve tickets without having to drive down to a travel office. Let’s be honest, it saves us a lot of time and it improved our quality of life, happiness, and therefore, improve our ability to perform job better because overall, personal things are now easier to manage.
It was a paradigm shift back then as the social networks are right now. The thing is that most of us just didn’t found yet the best way to leverage them for day to day business.
With that said, we can’t use them inconsiderately, especially not at work. Although you might not be able to establish the value of social networks for your business yet, you might still decide to “please” your staff and allow the access and use of social network in the office. If you do so, make sure you train your staff to limit potential and/or negative impacts on your business.
To help you do this, the ENISA (European Network and Information Security Agency) has conducted a study and produced a report (available for download here) that establish 17 golden rules social network users should follow to insure an adequate level of security and act responsibly when using them.
Although it makes a lot of sense to security professionals, I have noticed that a lot of people do not see the potential issues with social networks. In a nutshell, the ENISA suggest that the users:
- Pay attention to what they post and upload
- Choose friends with care- Protect the work environment and avoid reputational risks
- Protect mobile phones (lots of mobile users out there)
- Respect other people’s privacy
- Get trained, get an understanding of the risks
- Protect their privacy using adequate privacy settings
- Report lost/stolen mobile ASAP
- Pay attention to location based services
There is much more to it than those simple recommendation topics in the report. A lot of the information can be re-use and integrate into your own security awareness training so please take the time to read it carefully.
All in all,some of the real risks of social networks from a business standpoint are:
- Cyber bullying and electronic harassment between employees or between your staff and your competitors staff??? (come on, we are not 12 year old anymore);
- The principle of “guilty by association”: When people privately belong to group or associations that do not represent well your overall corporate culture, standpoint or image;
- Leakage of privileged information. It is human nature to speak about what we do. Sometime, people get excited about a specific project or initiative they work on and starts discussing it online. This happen all the time over email and bulletin board and that risk is even more important with social network since you have to feed the beast once your in; and,
- Potential loss of control over corporate image: It happen when employee start defending corporate point of view based on their own interpretation of events or when they publicly complain about something that should be managed internally.
To conclude, private and work lives are to be kept apart. If you are to allow people to use social networks at work, clear boundaries are to be established between those two. I think it is important to define posting guidelines (with example of what is allowed and what is not allowed) and make them available to your staff.
PS: Watch out for the staff who travels a lot, many social networks user implement mobile components on their cell phone and it can crank up a bill pretty quickly!
Thanks for reading and have a great day,
Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer
CTO @ Above Security
February 5, 2010
ISO 27003:2010 Standard Now Available
Good afternoon everybody,
Last post for this week :) In case some of you didn't noticed, the ISO 27003 standard version 2010 was published this week.
This standard focus on the key elements and deployment activities necessary to successfully design and implement an ISO 27001 based Information Security Management System (ISMS).
It describes the various steps that you need to go through to specify, design, define and implement the requirements of the ISMS from it's inception to a "certifiable" status and provides guidance on how to plan the ISMS project and get management endorsement.
In the next trainings we will go in more details on this standard content and why it might appeal to you if you are responsible for implementing an ISMS within your organisation. For those of you who ever heard of the BIP documents from the BSI, you must be aware that the objectives are the same and that they are both similar in nature.
The 2010 official release is shorter (68 pages) than the 2007 originally planned draft who accounted for no less than 110 pages but in this case, quality comes before quantity.
Every ISO practionners and consultants should have their own copy! Don't forget that this is copyrighted material, every member of the project team should also have it's named copy unless your company or the client have a site license! It can be purchased in electronic or paper form from the ISO web site at a cost of 168.- Swiss franc plus shipping if applicable.
Have a great week end !
Martin Dion (CISSP/CISM)
ISO:27001 Lead Auditor & Trainer
CTO @ Above Security
Last post for this week :) In case some of you didn't noticed, the ISO 27003 standard version 2010 was published this week.
This standard focus on the key elements and deployment activities necessary to successfully design and implement an ISO 27001 based Information Security Management System (ISMS).
It describes the various steps that you need to go through to specify, design, define and implement the requirements of the ISMS from it's inception to a "certifiable" status and provides guidance on how to plan the ISMS project and get management endorsement.
In the next trainings we will go in more details on this standard content and why it might appeal to you if you are responsible for implementing an ISMS within your organisation. For those of you who ever heard of the BIP documents from the BSI, you must be aware that the objectives are the same and that they are both similar in nature.
The 2010 official release is shorter (68 pages) than the 2007 originally planned draft who accounted for no less than 110 pages but in this case, quality comes before quantity.
Every ISO practionners and consultants should have their own copy! Don't forget that this is copyrighted material, every member of the project team should also have it's named copy unless your company or the client have a site license! It can be purchased in electronic or paper form from the ISO web site at a cost of 168.- Swiss franc plus shipping if applicable.
Have a great week end !
Martin Dion (CISSP/CISM)
ISO:27001 Lead Auditor & Trainer
CTO @ Above Security
February 4, 2010
Privacy Protection – Swiss Made
Good morning,
Yesterday, I participated with 65 of my peers to an informational workshop on the “current state of affairs” with regards to the Privacy Protection laws and initiatives that are underway in Switzerland.
The “core” working group composed of the unit chief, the privacy commissioner and both legal councils exposed us over a two-hour period to various bits and pieces of information that I will try to resume in the current posting.
First, let me start by saying that although the Swiss regulation is not really aggressive in terms of retaliation against the privacy vandals and “neglector”, it is really well structured. Some might complain it is too much, but it is clear that all the relevant aspects are formally addressed in the regulation.
Currently, the mandate of this working group is to bring to the market a government approved way of certifying both product and services in terms of privacy protection compliance. This is quite unique for now since I am not aware of any formal “country driven” initiative. A lot of private and commercially driven privacy label exists but the Swiss government is attempting to formalize certification channels and to impose such exercise in the regulation.
This information session started with a presentation of the results from a survey that was conducted among the participants a few weeks before. The topic of the survey was service and product certification which is, in my understanding and opinion, important to determine if this vision corresponds to a market need and not only to a government wish. Roughly, over 75% of the response confirms a market demand which is great news for the core workgroup.
We were then presented with the current status with regards to legislative works, everything seems to be on track from that standpoint as well.
Then, Mr. Baumann, the Swiss Federal Privacy Commissioner (or Préposé Fédéral à la Protection des Donnée et à la Transparence) presented us his analysis of what is already available on the market in terms of service and product certification processes.
To resume, the Swiss government is currently looking at an ISO type of certification based on currently available standards such as ISO 27001 and ISO 20000 for service certification and ISO 15408 (Common Criteria) for product certification.
I personally agree with the approach. Simply said, there is no other way to go. Continuous improvement and independent certification of both service and product is necessary. Some elements still need to be cleared out: Which standards should be use, how to tackle the task and how does this fit in the more general framework / certification market?
To clear out those last questions, a workgroup involving the private sector is currently in the buildup. Work is scheduled to be started in March 2010 and deliverables are expected by mid-2011. My candidature is up, I will try to get involve in that workgroup for myself since I find this pretty interesting, but also on behalf of the CLUSIS.
To obtain further information on the regulation, I invite you to visit the commissionners' web site.
Have a great day and talk to you soon,
Martin Dion (CISSP/CISM)
ISO:27001 Lead Auditor & Trainer
CTO @ Above Security
Yesterday, I participated with 65 of my peers to an informational workshop on the “current state of affairs” with regards to the Privacy Protection laws and initiatives that are underway in Switzerland.
The “core” working group composed of the unit chief, the privacy commissioner and both legal councils exposed us over a two-hour period to various bits and pieces of information that I will try to resume in the current posting.
First, let me start by saying that although the Swiss regulation is not really aggressive in terms of retaliation against the privacy vandals and “neglector”, it is really well structured. Some might complain it is too much, but it is clear that all the relevant aspects are formally addressed in the regulation.
Currently, the mandate of this working group is to bring to the market a government approved way of certifying both product and services in terms of privacy protection compliance. This is quite unique for now since I am not aware of any formal “country driven” initiative. A lot of private and commercially driven privacy label exists but the Swiss government is attempting to formalize certification channels and to impose such exercise in the regulation.
This information session started with a presentation of the results from a survey that was conducted among the participants a few weeks before. The topic of the survey was service and product certification which is, in my understanding and opinion, important to determine if this vision corresponds to a market need and not only to a government wish. Roughly, over 75% of the response confirms a market demand which is great news for the core workgroup.
We were then presented with the current status with regards to legislative works, everything seems to be on track from that standpoint as well.
Then, Mr. Baumann, the Swiss Federal Privacy Commissioner (or Préposé Fédéral à la Protection des Donnée et à la Transparence) presented us his analysis of what is already available on the market in terms of service and product certification processes.
To resume, the Swiss government is currently looking at an ISO type of certification based on currently available standards such as ISO 27001 and ISO 20000 for service certification and ISO 15408 (Common Criteria) for product certification.
I personally agree with the approach. Simply said, there is no other way to go. Continuous improvement and independent certification of both service and product is necessary. Some elements still need to be cleared out: Which standards should be use, how to tackle the task and how does this fit in the more general framework / certification market?
To clear out those last questions, a workgroup involving the private sector is currently in the buildup. Work is scheduled to be started in March 2010 and deliverables are expected by mid-2011. My candidature is up, I will try to get involve in that workgroup for myself since I find this pretty interesting, but also on behalf of the CLUSIS.
To obtain further information on the regulation, I invite you to visit the commissionners' web site.
Have a great day and talk to you soon,
Martin Dion (CISSP/CISM)
ISO:27001 Lead Auditor & Trainer
CTO @ Above Security
February 3, 2010
Business Continuity Management System – NFPA 1600 2010 released
Good day everybody!
Before diving into the subject, I just want to inform everybody that the next video training will be available toward the end of next week. Now, lets get back to business :)
For many years now, a lot of people had been struggling with business continuity. First and foremost, it is often a question of language: business continuity, disaster recovery, resiliency, service availability… People use different terms and do not necessarily agree on the scope and meaning of those words.
With that said, whatever it means to you, from an ISO 27001 or BS 25999 perspective they all fall within one category: Business Continuity Management.
The reason why I think it is important to talk about this today, is that the National Fire Protection Association of the United States had just updated the 2007 version of the standard for Disaster/Emergency Management & Business Continuity Programs. The standard can be downloaded for free, right here!
The purpose of my posting is not to provide you with details about the changes between both versions but rather to expose you to the existence of the standard and its content to help you gain a better understanding of Business Continuity Management Systems.
Chapter 3 – Definition
It provides the reader with 24 definitions of words we commonly use when discussing BCMs.
Chapter 4 – Program Management
This section defines the requirement in terms of management commitment, roles and responsibilities, resource allocation and records management. For those of you who are already versed in ISO:27001 and BS:25999, you can see there are a lot of “clause 4 to 8” elements in there.
Chapter 5 – Planning
Focus on establishing the scope, understanding the constraints and requirements, conducting risk and business impact assessment and making decision in terms of preventive measures and possible mitigations.
Chapter 6 – Implementation
Talks about the various elements that needs to be put in place to make it happen such has emergency response, incident management, training, crisis communication, emergency operation centers and the various operational procedures.
Chapter 7 – Testing and Exercises
Document the requirements for testing, exercising, evaluating and insuring that the plan actually works.
Chapter 8 – Program Improvement
Again, much like the PDCA enforced by ISO standards, the NFPA clearly states how and why the program should improve and what needs to be done to insure adequacy of the program with regulatory changes and the evolution of the organization.
Annex A – Explanatory Material
Provides 15 pages of really useful supplemental information such as a mapping of the NFPA 1600:2010 standards to the Disaster Recovery Institute Professional Practices and a bunch of guidelines for many of the topics mentioned previously.
Annex B – Program Development Resources
Includes a list of supplemental reference and resources on the subject.
Annex C – Conformity Self Assessment
This is really a great section in this document! It provides the reader with a list of self-audit/self-assessment questions to go through to establish if you are doing your job in terms of business continuity and with regards to the management of the BCM program.
All in all, this is a great and free resource to get a better understanding of BCM. In comparison to BS:25999, it lacks a bit in terms of structure, components and workflow specifics to management systems and continuous improvement but the quality and depth of the information included as well as the practical aspects covered in there makes it a unique document that complements BS:25999 and which surely fills a lot of empty spaces left within ISO:27001.
As a conclusion, I just want to remind you how great Annex C is, although the standard is free, many people I know would have paid just to get that section!
Have a great evening and thanks for your time and comments !
Martin Dion (CISSP/CISM)
ISO:27001 Lead Auditor & Trainer
CTO @ Above Security
Subscribe to:
Posts (Atom)