Archive for the ‘Information Security’ Category

PAS 555 – Cyber Security Risk Governance and Management

May 21st, 2013

What does effective cyber security look like?

The many standards and sources of best practice on cyber security tend to focus on delivery (the how).

PAS 555:2013 is the new Cyber Security Risk Governance and Management standard, and details what effective cyber security looks like (the what).

PAS 555:2013 Cyber Security Risk Governance and Management (price: £80.00)

PAS 555 is intended for use by any organisation that wishes to gain confidence in its management and governance of cyber security. Any organisation, irrespective of size, type, nature of business or location, can employ PAS 555.

Simply buy the standard and get started with delivering effective cyber security today!

In addition to purchasing this standard, you should take a look at our Cyber Security Risk Assessment Service.

Our independent, professionally executed cyber security risk assessment will help identify the key areas that you need to address, and put you in a position to take the necessary steps to limit your exposure and mitigate your risk.

The cyber security risk assessment is carried out in up to two days on site with you and your team, and we then spend another day writing up our findings and detailed recommendations into a customised cyber security action plan for your organisation. Including advance preparation (but excluding travel and VAT) your total investment in developing a complete cyber security action plan is just £3k.

Call 0845 070 1750 or email servicecentre@itgovernance.co.uk today and take the first steps to a more cyber secure business future.

Why appoint an ISO 27001 ISMS Internal Auditor?

May 21st, 2013

As someone working at an organisation which is ISO 27001 certified and has recently passed its annual surveillance audit, I have come to appreciate the role of the ISO 27001 ISMS Internal Auditor.

PDCA

As a matter of fact, it’s hard to imagine that any organisation can succeed in achieving and maintaining ISO 27001 compliance without employing Internal Auditors. Our Internal Auditor for example, was instrumental in reviewing the effectiveness of the selected security controls and recommending suitable modifications where requirements weren’t met. In other words, he played a major role in our company passing the surveillance audit, which was not only necessary, but also a rewarding task.

Whilst smaller organisations can probably cope with just one ISO 27001 ISMS Internal Auditor, medium-sized and large organisations usually need to appoint a couple of Internal Auditors from various departments, e.g. HR, Finance, Sales, IT, etc. Appointing Internal Auditors by department scales up the responsibility and reduces the risk of mistakes that could arise from under-resourcing. Appointing Internal Auditors by department also improves the integrity of the ISO 27001 CAPA (Corrective and Preventive Action) programme.

An ISO 27001 ISMS Internal Auditor is very useful during the implementation phase of the ISO 27001 ISMS project, as they provide strategic guidance and set goals for the audit programme. They then play a major role after the completion of the ISMS project, once ISO 27001 compliance has been achieved, by reviewing and maintaining compliance.

Senior Managers make good candidates for Internal Auditors. For example, HR Managers can particularly benefit from qualifying as an Internal Auditor as they are used to ensuring policies are kept up to date with standards and acts, such as the Data Protection Act (DPA). Becoming part of the ISO 27001 ISMS team can make their job easier as they’ll already be up to speed with meeting the relevant requirements.

Becoming an ISO 27001 ISMS Internal Auditor provides professionals with generic auditing skills which can be used in different environments (not just in the context of ISO 27001 compliance). Internal Auditors are also valuable to an organisation for auditing third party suppliers and partners to ensure they have adequate security controls in place.

As the trainer for the ISO 27001 ISMS Internal Auditor Training Course, Nick Orchistron says he always aims to help delegates look beyond pure compliance as it’s important that they have their eyes set on improvement too. Nick provides his delegates with hints and tips on ways to approach auditing, both from an auditor’s perspective and that of an auditee to make the process simpler and more successful.

Appointing, or becoming, an ISO 27001 ISMS Internal Auditor will streamline the process and ensure compliance is upheld and maintained. The ISO 27001 ISMS Internal Auditor Training Course will prepare delegates for the job and provide them with useful hints and tips, whilst making the learning process enjoyable. Either way you look at it, appointing or becoming an ISO 27001 ISMS Internal Auditor is a win-win situation for both the individual and the organisation.

Preparation, Preparation and More Preparation – The Key to Passing CISSP

May 17th, 2013

The (ISC)2 CISSP certification is recognised as the premier qualification for a senior career in information security. At first sight, preparing for the CISSP exam seems straightforward although many find the huge amount of information associated with the 10 CBK Domains and a 6-hour examination a daunting prospect. Our training team regularly receive calls from desperate individuals who feel they have left their preparation too late!

CISSP Exam Preparation training courses were conceived to meet this need, but with so many courses available on the market, how can CISSP exam candidates choose one that will actually help?

At IT Governance, we launched our innovative CISSP Accelerated Training Programme about 18 months ago. Although we were not first to market, we started by talking to our customers about their CISSP experiences and reviewing the existing CISSP exam preparation books and courses. This confirmed that candidates who attended a pre-exam training course were more successful, particularly if the course focused on improving knowledge in the CBK Domains that they were struggling to understand.

By listening to our customers, we developed a training programme that includes a Pre-course CISSP Knowledge Assessment that determines the strengths and weaknesses of each candidate’s current knowledge. Our trainer then uses this assessment to prepare an individual Pre-course Study Plan, which is incorporated into the subsequent 5-day classroom training session.

>> Find out more about how our Pre-course Knowledge Assessment can help you achieve a first time pass in the CISSP exam 

 

Put cyber security at the heart of your business continuity plan

May 17th, 2013

As the frequency of information security breaches increases, cyber security is becoming a growing concern for business continuity professionals too.

During the past 12 months, even small businesses have experienced an average of 17 information security breaches and this rises to 113 in larger organisations.*

Cyber security and business continuity planning

When considering the potential disruption and cost of a serious information security breach, it’s perhaps not surprising that ISO27001, the information security standard, has very close links with ISO22301, the business continuity standard. So close, in fact, that if you opt to comply with both standards you don’t need to duplicate the common elements – saving you a chunk of time!

With the right training and support, implementing ISO27001 or ISO22301 is much easier than you might think. As leading experts in ISO27001, our well established ISO27001 learning pathway has now helped over 700 professionals gain the skills required to implement this standard through classroom training.

By working with experienced Business Continuity Consultants, we’ve applied our expertise in ISO27001 training to develop a new ISO22301 learning pathway. This training pathway takes delegates from foundation level, through to developing the skills required to successfully implement and audit against the ISO22301 standard.

Organisations that have implemented both standards can sleep rather better tonight, knowing that the risk of a security breach has been reduced and that, if the worst should happen, their business continuity plan will keep them trading when other, less prepared competitors may fail.

>> Find out more about ISO22301 training

>> Find out more about ISO27001 training

*2013 Information Security Breaches Survey

HR – the secret information security weapon

May 17th, 2013

The recent ISBS survey commissioned by the Department for Business, Innovation and Skills dished up some eyebrow-raising stats on the increasing number of information security breaches.

For example during the past year, large organisations reported an average of 113 security breaches (up from 71 in the previous year).

HR departments can play a key role in encouraging professional development amongst IT staff to counter this growing threat to information security.

Choosing the right training and qualifications

For HR professionals looking to support professional development our new, free ‘Information Security Qualifications – Fact Sheet’ provides a clear overview of a wide range of qualifications.

This straightforward paper will help you to decipher the difference between a whole range of qualifications, including CISA, CISM, CIS F, CIS LA and CIS LI.

Once clear on the qualification options, creating a professional development plan that builds in-house expertise, reduces the risk of security breaches and demonstrates a clear commitment to employee development will be a doddle.

>> Find out about the certifications available through our training courses

US DoD approves Android phones for use

May 13th, 2013

The US Department of Defense (DoD) has announced that military personnel can start using a hardened version of the Android operating system, Knox, on Samsung smartphones. Up until now, only BlackBerry devices were deemed sufficiently secure for military personnel to use.

In August 2011 it was reported that McAfee had found Android to be the least secure of all the mobile operating systems on the market. However, the decision by the DoD is in line with its previously announced Mobile Device Strategy, in which the DoD set out to open itself up to the wider use of mobile technology.

Securing mobile devices is always going to be difficult, but even SMEs and private organisations can take steps to ensure Android and other devices are secure. Find out how to secure Androids in Android Security.

This book describes the fundamentals of Android Security, helping you protect your Android mobile systems.

Learn the fundamentals of Android security in this helpful book >>

The Boardroom Cyber Watch Survey Needs Your Opinion

May 9th, 2013

IT security isn’t just a problem for the IT department; it’s a problem for the whole organisation.

With security being high on the senior management’s priority list, why is it that 87% of small businesses and 93% of large organisations across all sectors experienced a breach in the last year according to the 2013 ISBS report?

In an attempt to shine fresh light on how company directors, board members and IT Professionals perceive IT security we have created the Boardroom Cyber Watch 2013 Survey.

For your chance to win an Amazon Kindle Fire and to receive a free copy of the IT Governance report on company directors and IT Security, then please complete our short survey. It’s multiple-choice and should take just 2 minutes to complete.

This survey is open to Company Directors, Board Members and IT Professionals.

Your opinion counts – take part in the survey here:

www.surveymonkey.com/s/boardroomcyberwatch2013

Building cyber security knowledge, skills and capability

May 8th, 2013

Building cyber security knowledge, skills and capability is one of four key objectives outlined in the UK Cyber Security Strategy. First launched in 2011, this government strategy was revisited by Chloe Smith, the Minister for Political and Constitutional Reform, in her recent keynote speech at Infosec 2013.

The Minister’s speech included reference to new initiatives designed to boost cyber security skills in the workforce. These include the establishment of Academic Centres of Excellence in Cyber Security in 11 UK Universities and improving coverage of cyber security skills at GCSE and A-Level.

A boost in skills is necessary to meet the anticipated demand for appropriately qualified professionals in the growing cyber security sector – growth which the government is very keen to ‘encourage and nurture’.

Build your knowledge, skills and capability

With the future looking rather rosy for employment opportunities in the cyber security sector, it’s a great time to think about building your own knowledge, skills and capability in this area.

As the first organisation to develop a full programme of certificated ISO 27001 education, IT Governance is well-placed to help you develop your cyber security management skills.

Our ISO 27001 training courses also provide opportunities to gain industry-standard IBITGQ qualifications. With these on your C.V. you’ll be in a great position for grabbing the best career opportunities in this growing sector.

>> Find out more about ISO27001 training

What is CRISC?

May 8th, 2013

CRISC (Certified in Risk and Information Systems Control) is an enterprise risk management qualification for IT professionals from ISACA. Gaining the CRISC qualification demonstrates verified knowledge and experience of:

  1. IT/business risk and controls
  2. Risk identification
  3. Implementation of proven IS (information system) controls

Additionally, it demonstrates you have what it takes to manage the ongoing challenges of enterprise risk and design risk-based IS controls, delivering significant value for your organisation.

Those looking to take the CRISC exam can do so by attending an ISACA exam event in either June or December of each year. More information about these exams, and when to take them, can be found on the ISACA website.

ISACA provides manuals to aid your CRISC studies and help you pass the exam, all of which are available at the IT Governance Webshop.

By gaining a CRISC qualification, you will

  1. Earn more money as an enterprise risk management professional
  2. Secure a new job or higher position as an enterprise risk management professional
  3. Increase your enterprise risk and IS control knowledge so that tasks are done more efficiently and effectively.

CRISC – the enterprise risk management qualification you need!

Buy the official manuals today >>

Infosec13 – What do you mean by Data Classification!?

May 2nd, 2013

It’s fair to say that within business, it’s easy to assume that your customer knows everything. I think the customer may even go as far as to say that they know everything too. However, one thing that was clear to me whilst at this year’s #infosec13 was a lack of understanding of what is meant by Data Classification.

What is Data Classification?

There are a number of definitions of Data Classification provided by Wikipedia, which are:

If you take a look at these you will see that there is relevance to all of it but at Boldon James we want to draw your attention to the fourth point, ‘Assigning a level of sensitivity to classified information’, and more specifically:

‘Some corporations and non-government organizations also assign sensitive information to multiple levels of protection, either from a desire to protect trade secrets, or because of laws and regulations governing various matters such as personal privacy, sealed legal proceedings and the timing of financial information releases.’

We tend to think of ‘Top Secret’ classified information as being a military thing only. Well, it really isn’t. All of the content that we create on a daily basis has some form of sensitivity to it. This could be the spreadsheet with your company’s sales figures and customer details on it, it could be your project plan when releasing a new product to the market or it could be the medical records your doctor holds. All of this information is crucial to your business and it’s up to the content creators (i.e. you and me) to ensure the integrity of your data.

This was an eye opener for me at Infosec13. I realised this is something that needs to be addressed and understood by all content creators, especially as more of us are creating new content every day which adds to your business risks.

Overall, the #Infosec13 show was a great experience and much bigger than I thought it would be. Congratulations go to Peter Nash @reallygrumpidad for winning a £100 voucher from our channel partners @ITGovernance in the Boldon James sweater competition. It was also a very fruitful experience for me, winning a Nexus 7 from our technology partners, Egress. Thanks all, and I look forward to next year’s event and many more events this year.

Tweet @waylum_99

View more information on data classification software and find out what it could do for your business.
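The post above describes sensitivity as something every piece of content carries, and quotes the idea of assigning information to multiple levels of protection. The following is an added example, written for this page and not taken from the post or from any Boldon James product, of how a classification scheme is typically enforced once labels exist: the labels form an ordered scale, each delivery channel is cleared up to some level, and a release is allowed only when the channel’s ceiling is at or above the document’s label. The label names, the channel ceilings and the sample documents are all assumptions made for the example. It also covers the edge case the post hints at, content whose creator never labelled it, by treating unlabelled content as the most sensitive level rather than the least.

```python
"""Added example: ordered sensitivity labels plus a release check.

Illustrative code written for this page. The label names, channel
ceilings and sample documents below are assumptions, not anything
quoted in the post or taken from a real product.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Least to most sensitive; position in the tuple is the rank.
LEVELS = ("PUBLIC", "INTERNAL", "CONFIDENTIAL", "SECRET")
RANK = {name: i for i, name in enumerate(LEVELS)}

# Highest label each channel is cleared to carry (assumed policy).
CHANNEL_CEILING = {
    "public_website": "PUBLIC",
    "external_email": "INTERNAL",
    "internal_share": "CONFIDENTIAL",
    "encrypted_vault": "SECRET",
}


@dataclass
class Document:
    name: str
    label: Optional[str]  # None means the creator never classified it


def effective_label(doc: Document) -> str:
    """Return the label used for enforcement.

    Unlabelled content is treated as the most sensitive level until its
    creator classifies it, so a missing label never becomes a loophole.
    An unknown label is a policy error and is rejected outright.
    """
    if doc.label is None:
        return LEVELS[-1]
    if doc.label not in RANK:
        raise ValueError(f"unknown label {doc.label!r} on {doc.name}")
    return doc.label


def may_release(doc: Document, channel: str) -> bool:
    """True only if the channel is cleared at or above the document's label."""
    ceiling = CHANNEL_CEILING[channel]  # KeyError for an unknown channel is deliberate
    return RANK[effective_label(doc)] <= RANK[ceiling]


def decide(doc: Document, channel: str) -> str:
    """Policy decision as a data-classification tool would log it."""
    return "allow" if may_release(doc, channel) else "block"


def combine(labels: Iterable[str]) -> str:
    """Aggregated content (e.g. a report built from several sources)
    inherits the highest label among its inputs."""
    labels = list(labels)
    if not labels:
        raise ValueError("combine() needs at least one label")
    return max(labels, key=RANK.__getitem__)


# Constructed sample documents, mirroring the post's own examples.
SALES_SHEET = Document("sales_figures_q1.xlsx", "CONFIDENTIAL")
PRESS_RELEASE = Document("launch_press_release.docx", "PUBLIC")
PROJECT_PLAN = Document("new_product_plan.pptx", None)  # creator never labelled it


if __name__ == "__main__":
    for doc in (SALES_SHEET, PRESS_RELEASE, PROJECT_PLAN):
        for channel in CHANNEL_CEILING:
            print(f"{doc.name:28} -> {channel:16} {decide(doc, channel)}")
    print("report label:", combine(["PUBLIC", "CONFIDENTIAL", "INTERNAL"]))
```

The ordering is the whole mechanism: because ranks are integers, the check is a single comparison, and adding a level is a one-line change to `LEVELS`. The `combine` helper matters in practice because most leaks happen through derived documents, such as a summary that pastes in a confidential figure, which must inherit the highest label of any source rather than the label of the template it started from.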
