Archive for the ‘Information Security’ Category

A closer look at the ISO 27001 implementation team

January 24th, 2012 by

Following on from last week’s discussion ‘Which, Why and How is an ISO 27001 ISMS toolkit right for you’, I thought we should take a closer look at the ISO 27001 implementation team and how our special January offer is the logical step that your organisation should take to implement ISO 27001.

Organisations that are serious about implementing ISO 27001, and successfully achieve certification, develop the in-house capability and skills through training.

They also take a risk-based approach to developing the Information Security Management System (ISMS), using our tried and tested ISO 27001 ISMS toolkits.

Buy any variation of the ISO 27001 ISMS toolkit before 31st January and get 15% off any ITG Training Course.

No 3 ISO27001 Comprehensive ISMS Toolkit

Price: £1,795
Buy before 31st January and get a 15% discount code for any ITG Training Course!


Our range of training courses offers a structured learning path from Foundation to Advanced level in ISO27001 and ISO27002, together with related topics that include PCI DSS, Data Protection Act and Digital Forensics.

Training the ISO 27001 implementation team:

  • In any ISO 27001 project you will have a Lead Implementer that is capable of leading their organisation to successful certification. The ISO27001 Certified ISMS Lead Implementer Masterclass is the perfect course for this role.
  • You will need a team of Internal Auditors to effectively audit compliance with the ISO 27001 standard and against the controls contained in ISO 27002. You should book multiple people onto our essential ISO27001 Certified ISMS Internal Auditor training course.
  • An understanding of the best practice guidance as outlined in ISO27002 is essential to ensure the compliance to ISO27001 in any organisation. Information Security Foundation based on ISO/IEC 27002 serves as a practical guideline for all members of staff as they initiate, implement and maintain an information security programme.

Save 15% on any of these courses when you buy an ISO 27001 ISMS toolkit before the end of January!

See the matrix of components of each of the toolkits:

 

 

Note, this offer cannot be used in conjunction with any other offer.

Global Research Company in London receives ISO 27001 Certification

January 23rd, 2012 by

Global research consultancy company, Illuminas, receives ISO 27001 certification after over a year’s worth of dedicated work.

John Ricketts (Director of IT and Information Security) and John Ricketts (Global COO) comment, “We are delighted to achieve ISO 27001 at a time when data protection and data privacy are increasingly important in both the research industry and society generally. ISO 27001 ensures there are clear benefits for clients and respondents, with personal information as well as client confidential material encrypted 100% of the time whilst on Illuminas systems. The standard is a systematic approach to managing the security of sensitive information covering people, processes, IT systems and policy. We believe all research companies should follow the guidelines of the standard given they are often entrusted with personal information.”

Source: Illuminas Press Release, PRWeb

Achieving ISO 27001 instills confidence within your customers on how you handle their data. ISO 27001 is the international standard for Information Security Management Systems (ISMS) and covers topics such as:

  • Extensive risk management evaluation
  • Business resilience planning
  • Ensuring data security standards set by client companies are met

If you’re thinking about implementing ISO 27001 requirements, then take advantage of our Value Added ISO 27001 ISMS Toolkit Offer. This comprehensive toolkit will cost-effectively accelerate your ISO 27001 project and help you to become certification-ready in no time!

Find out the steps of the standard approach towards implementation of an ISMS that is recommended by all international certification bodies >>

 

Which, Why & How is an ISO 27001 ISMS Toolkit Right For You?

January 19th, 2012 by

Before we get on to the ‘which’, let’s explore ‘why’ and ‘how’ the ISO 27001 ISMS toolkit range has helped hundreds of organisations across the world to achieve ISO 27001 certification readiness.

‘WHY’ choose an ISO 27001 ISMS toolkit?

The hardest part of achieving ISO 27001 certification is the documentation of the Information Security Management System (ISMS). The documentation that is necessary to create a conforming system can, particularly in more complex businesses, be up to a thousand pages.

A toolkit can accelerate your ISO 27001 project immensely. The key benefits of a toolkit are:

  • A toolkit is cheaper than one day’s consultancy
  • Provides clear guidance on the role of risk assessment
  • Template documents are easy to edit and customise
  • Template documents save you time on research
  • Template documents save you time on procedure writing
  • Makes you your own expert
  • An after sales support service
  • 12 months of automatic updates
 

Watch Alan Calder on the ISO 27001 Toolkit:

Then there’s the ‘HOW to do it’ issue.

The resource, time and management implications of making all this happen are immense. But that’s where toolkits come in. Our toolkits are precisely tailored to the requirements of ISO 27001 and contain pre-written documents, which can be tailored to your organisation. Our unique document support service offers after sales support to answer your queries, and each toolkit includes 12 months of free updates.

Importantly, you do not want hundreds and hundreds of policies; after all, ISO 27001 only requires 7 policies. By purchasing a toolkit, you receive a set of policies and procedures that really enable you to implement ISO 27001.

And finally, ‘WHICH’ toolkit is right for you?

No 3 ISO27001 Comprehensive ISMS Toolkit

Price: £1,795
Buy before 31st January and get a 25% discount code for any ITG Training Course!


The No 3 Comprehensive ISMS Toolkit contains everything you need to implement a successful ISO 27001 project. It also includes the risk assessment tool, vsRisk. It contains the documentation toolkit; the 3 information security standards; the 2 most authoritative books available and a LiveOnline consultancy session to help you along the way.

ALL other versions of the best-selling ISO 27001 ISMS toolkit take into consideration that you may already have the standards, or a risk assessment tool, or any other of the six key components. There is a version to suit your requirements.

See the matrix of components of each of the toolkits:

Buy any variation of the ISO 27001 ISMS toolkit before 31st January and get a 25% discount code for any ITG Training Course!

Do you have a Security Incident plan?

January 17th, 2012 by

The ISO27001 standard requires an organisation to list, quantify and monitor all security breaches and incidents. It also requires that any evidence that it presents in a criminal or civil action against an individual or company fully conforms to all relevant legislation.

The best practice advice provided by ISO27002 outlines that these requirements are best achieved by implementing incident response and forensic readiness plans. All such plans are major contributors to ensuring conformance to ISO27001 on preventative action – essential to the ISMS continual process improvement.

Attendance at our Digital Forensics Foundation course will help you to do this. It also provides critical advice that enables you to fulfill the Cabinet Office ‘minimum mandatory measures’ requirement to have a ‘forensic readiness policy’!

Digital Forensics Foundation Training
2nd February 2012 in London

RRP: £595.00
Price: £416.50
You Save: £178.50 (30%)

Last minute booking discount applies to the 2 February course only.


 

And our ISO 27001 series of courses …

Learning Path

  • ISO27001 Certified ISMS Foundation Training
  • ISO27001 Certified ISMS Lead Implementer Masterclass
  • ISO27001 Certified ISMS Lead Auditor Training
  • Information Security Foundation based on ISO/IEC 27002
  • ISO27001 Certified ISMS Internal Auditor
  • No 3 ISO27001 Comprehensive ISMS Toolkit

Hackers; where is the justice?

January 17th, 2012 by

It seems like every week we hear of a new news story where a company has been hacked, broken the Data Protection Act and/or fined. Although in these hacking stories the data of innocent people is often compromised, it seems like the blame is often being put upon the companies, when in fact it should be the hackers who are taking the blame.

After a data breach occurs, how much investigation goes into finding the hacker that committed the crime? Little? Or none? It is easier to blame the company where the attack occurred, issue a fine, and pronounce them incompetent of looking after your data. But is this really the case? Lee Howell, Managing Director at the World Economic Forum, stated that “it’s impossible to be completely secure online”. So if this is true, then why should the victims (companies) be put to blame? Yes, I agree that companies who manage sensitive data should take the necessary precautions to do everything they can to protect that data, but where does the justice lie for them if they did not commit the real crime?

Take it like this; if you were to lock your house up at night (doors, windows etc.) before you went to bed, and you were burgled during the night, should it then be you who faces prosecution for not protecting your house properly, or should the person who broke into your house be prosecuted?

Lee Howell talks about social norms in terms of cyber crime, concluding that “we do not yet fully understand how social norms are shaped in the virtual world. Why is it that many people who would be ashamed to admit stealing a DVD from a shop will happily discuss illegally downloading a movie?” This can be referenced to the point above about the current justice system for hackers and hacked companies.

It is important to note that one of the main reasons cyber criminals don’t get caught is because of the anonymity of it all. Hackers are often more technologically advanced than the people tracking them down, which can mean that most investigations come to a halt before they’ve even begun. You can find hacking software easily on the web, meaning that anyone can try their hand at it, which has thus been a major cause in the proliferation of hacking. Another main reason why hackers fail to get caught is the difficulty in cross-border policing. If you notice a computer attack that came from country X, tracking down that cyber criminal would be near-on impossible due to the different laws and regulations held between two different countries. Adam Segal from The Diplomat says, “It’s hard to deter if you can’t punish, and you can’t punish without knowing who is behind an attack.” With so much difficulty in tracking down hackers, they often get away with the crime, but does their anonymity give them the right to this?

More attention should be put on the hackers themselves (tracking them down and prosecuting them), rather than the companies who suffer data breaches because of them. A unified approach and shift in focus will lead to a more realistic deterrent for cyber criminals, hoping to break the cyber gang culture that is appearing across the web.

Food for thought anyway.

Lead your organisation to successful ISO27001 certification with this Lead Implementer course

January 16th, 2012 by

I would not start implementing an ISMS27001 without having taken this course…. The instructors had a positive ‘catalistic’ effect on my decision.
Jes Beirholm, Director of Information Security, End2End VAS. CISSP, CISM, ISSPCS, CABM, ITIL Cert, Bsc in Computer Science.

The ISO27001 Certified ISMS Lead Implementer Masterclass delivers a comprehensive education in ISO27001 implementation.

This 3 day masterclass covers all the key steps in preparing for and achieving ISO27001 certification first time. Additionally, successful delegates will receive the highly sought after GASQ qualification.

 

ISO27001 Certified ISMS Lead Implementer Masterclass

Price: £1695

This course is suitable for anyone implementing an Information Security Management System (ISMS) that conforms with ISO27001. The course is designed for non-technical managers and uses a language of business, not IT.

Book today >>>

  • ISO27001 Lead Auditor
  • ISO27001 Certified ISMS Foundation Training
  • Information Security Foundation based on ISO/IEC 27002

 

70% of young workers threaten IT Security

January 16th, 2012 by

A recent report by Cisco shows frightening statistics that threaten to damage IT security as we know it.

The report found:

  • 70% of young employees frequently ignore IT policies
  • Two-thirds of young employees believe their company’s policies need to be changed
  • 61% said corporate IT security isn’t their responsibility, and that it should be that of their employer or the maker of their devices

This ‘casual’ attitude towards IT security may be a contributing factor to the fact that one in four people asked have been a victim of identity theft before the age of 30.

“The desire for on-demand access to information is so ingrained in the incoming generation of employees that many young professionals take extreme measures to access the Internet, even if it compromises their company or their own security,” the report said.

And when asked why 70% of young employees ignore IT policies, the reasons given were:

  • They didn’t think they were doing anything wrong
  • They needed to do it to get their job done
  • They didn’t have time to think about policies while they were working
  • The policies weren’t enforced in the first place
  • Adhering to the policies was not convenient

This attitude towards IT security needs to change amongst young people, otherwise their employers could be in serious trouble. Leaving networks vulnerable to attacks could cause your system to be infiltrated by hackers, with the risk of losing sensitive data and suffering a data breach.

To ensure that all your employees are up to scratch on what, and what not to do on the Internet, take an Information Security Staff Awareness e-Learning Course.

This Information Security course recognises that information security awareness starts at home and then aims to help employees understand the organization’s information and compliance risks, thereby reducing the organization’s liability due to security failures. The course not only familiarises the learners with the basics of information security, including security threats via emails, the Internet and at the workplace, but also introduces the learners to the policies on incident reporting and responses. Having completed the 40-minute course, students can take a 20-question multiple-choice test.

This Information Security Staff Awareness course, which includes an online certificated test, is squarely based on the detailed guidance of ISO27002 and covers the following areas:

  • What has Information Security got to do with you?
  • Where does your organisation fit in?
  • Definitions: what is Information Security?
  • Could this happen to you? (Scenarios and follow up questions).
  • Information Security at home – potential weaknesses (Passwords, Phishing, Web 2.0, USB sticks, Sat Nav)
  • Information Security at work
  • Secure perimeters
  • Tailgating
  • Clear desk and screen
  • Passwords
  • Portable media
  • Information classification
  • Intellectual property
  • Security incidents
  • Business continuity
  • Important documentation, with links to key policies and procedures

For more information on the Information Security Staff Awareness e-Learning Course, click here >>

New Year, New You: Get Qualified in your area of IT

January 11th, 2012 by

Take advantage of the new year by creating a new you. If you’re tired of your current job or just want to add something valuable to your CV, then IT Governance can help.

There are a number of different qualifications and certifications out there available to you to better your career if you’re in the IT industry. Whether you’re involved with Information Security, IT Service Management, Project Governance, Data Protection or IT Governance there are various courses and certifications you can take to get yourself that step higher up the ladder.

Adding certifications and qualifications to your CV/profile will increase your job prospects immensely. Ranging from individual to company certifications, you will be sure to find something that is applicable to you.

View our training page to see what courses are on offer to you and what they can do for you.

New Year, New You: Take the training course that best suits you, and improve your career prospects >>

Passwords at global intelligence company were ‘too weak’

January 10th, 2012 by

The Internet security passwords at global intelligence company, Stratfor, were ‘too weak’, claim researchers at Utah Valley University.

Stratfor (aka Strategic Forecasting) was hacked shortly before Christmas by well-known cyber gang, Anonymous. The firewall systems were broken into and the details of Stratfor’s subscribers were posted online for all to see. What makes this case so unique is that Stratfor provides analysis of data security issues, holding sensitive data regarding the online security industry.

Utah Valley University analysed the stolen data, only to find that security measures such as usernames and passwords were not secure enough to ward off hackers. Subscribers to Stratfor were put at risk as details of their accounts and card numbers were published by Anonymous.

IT director and professor for Utah Valley University, Kevin Young, said that Stratfor “should have known better” in order to protect themselves against such a thing happening.

So if a data security company can’t use strong passwords, then what hope does this leave for the rest of us? 

Make sure you and the rest of your staff use strong passwords to protect your confidential data. Take the ITG E-Learning Course: Information Security & ISO27001 Staff Awareness. The contents of this course cover these key points:

  • What has Information Security got to do with you?
  • Where does your organisation fit in?
  • Definitions: what is Information Security?
  • Could this happen to you? (Scenarios and follow up questions).
  • Information Security at work
  • Clear desk and screen
  • Passwords
  • Information classification
  • Intellectual property
  • Security incidents
  • Business continuity
  • Important documentation, with links to key policies and procedures
  • Information Security & ISO27001 Staff Awareness – Online Test & Certificate

Make sure you and your staff are aware of information security and alert to the threats it brings.

Take this e-Learning course today >>>

 

Qualified ISO27001 Lead Auditors Wanted – Build a New Career

January 10th, 2012 by

With the growth and global acceptance of the ISO/IEC 27001:2005 as the default standard for Information Security Management, there has been an increased demand for qualified ISO27001 Lead Auditors. To ensure success as an ISO27001 Lead Auditor, you will need to gain a thorough knowledge of the standard and its audit procedures together with qualifications that are accredited by a respected independent organisation.

The ISO27001 Certified ISMS Lead Auditor training course has been designed to support the growing need for skilled and certified ISO27001 Lead Auditors. Delegates will learn how to plan and execute ISO27001 audits and upon successful completion of the course will be awarded the Certified ISMS Lead Auditor (CIS LA) qualification issued by the International Board for IT Governance Qualifications (IBITGQ).

ISO27001 Certified ISMS Lead Auditor
23-27 January 2012 in London

RRP: £1,995.00
Price: £995
You Save: £1000.00


This course is acknowledged by our peers and customers to be the most comprehensive ISO27001 Lead Auditor training programme in the UK. It has been prepared by Steve Watkins who is Chair of the ISO/IEC27001 UK User Group and is the ISMS Technical Expert for UKAS, advising on their assessments of Certification Bodies offering ISO27001 accredited certification.

Our January 23-27 course date is now available at a reduced price of £995 + VAT for the 4.5 day course held in London.

Train with the UK’s leading ISO27001 consultancy:

  • Acknowledged leader in ISO27001 and Information Security Management
  • The first certificated training programme of ISO27001 education
  • Practical hands-on approach delivered by experienced practitioners
  • Focussed on improving knowledge, developing skills and awarding certification
  • Guaranteed booking – we will never cancel your IT Governance course

Ensure you build your career with a Certified ISO27001 Qualification

Book on the ISO27001 Certified ISMS Lead Auditor Training Course now.