Archive for the ‘New Products & Services’ Category

Revolutionise your leadership methods and become a lightning conductor for change!

August 27th, 2010 by James Warren

In austere times, IT leaders need to be more radical if their organisations are to succeed – this book helps you change the IT Leader’s mindset.

Changing the IT Leader's Mindset (eBook)

  • Successfully balance Transactional and Transformational Leadership
  • Understand the IT Leader stereotype and how to alter its perception
  • Utilise tools like action learning and co-creation.

By employing key steps and reflective points, this book provides useful tools and sound advice to help you get to grips with balancing soft skills with hard techniques, letting you break out of the IT stereotype and bring innovation into the inner sanctum of your organisation.

New ISO27001 Compliance Database and Update Service

August 26th, 2010 by James Warren

ISO27001 requires you to develop your ISMS, taking ‘into account business and legal or regulatory requirements, and contractual security obligations’ (Clause 4.2.1 b. 2).

The only cost-effective way to meet this requirement is with the ITG ISO27001 Compliance Database and Update Service – which also helps you comply with five key Annex A controls.

ITG ISO27001 Compliance Database and Update Service

Launch Date: 1 September 2010 – Early Adopter Pricing applies through 31 August 2010

The ISO27001 Compliance Database and Update Service provides plain-English ‘real world’ guidance, rather than a prescriptive, detailed legal review and update service. This is THE compliance service for the ISMS project manager and, where it is appropriate to take your own professional advice, it will enable you to manage professional legal costs very effectively!

Easy-to-Deploy

The ISO27001 Compliance Database is in Microsoft Access format, which can be deployed directly onto a desktop or onto a SharePoint Server. The licence for this product covers one or multiple users within a single ISMS. The current version of this product is primarily suitable for organisations that are based in, or have to comply with the laws of, England and Wales.

Database of All Critical Statutory & Regulatory Documents

Find all the critical statutory and regulatory documents in one place – saving you the time, hassle and expense of trying to track them down and make sense of them all yourself.

Subscribe to this service before the end of August to save 10%.

Enter AUGCOMPLIANCE at the checkout for 10% discount!

ITG ISO27001 Compliance Database and Update Service >>

CISA & CISM Early Registration Deadline Next Week

August 12th, 2010 by James Warren

CISA & CISM are top qualifications for career-minded Information Security Professionals.

Secure your career and your company with a December 2010 CISA or CISM Certificate – but act now: exam registration closes soon!

The bi-annual Certified Information Systems Auditor (CISA®) and Certified Information Security Manager (CISM®) Exams will take place on 11th December and it’s looking likely that exam spaces may sell out fast. With austerity creating a challenging business environment, you could be competing for work with more people than ever, and employers will base their recruitment decisions on qualifications as well as experience. This will lead to a massive influx of candidates wanting to take the December 2010 Exams.

Three steps to guarantee you sit and pass the exam

(more…)

Watch Out: ISO 50001 is about!

August 3rd, 2010 by Nick Orchiston

Coming to a standards office near you is ISO 50001. Due to be published in early 2011, this will be the definitive Energy Management Standard. Currently, the de facto standard for energy management is EN 16001:2009 ‘Energy management systems. Requirements with guidance for use’. This standard is intended to help all organisations irrespective of their size, geographical location, products, services or marketplace to establish the processes and systems necessary for managing and improving energy efficiency. In turn, this helps reduce emissions and greenhouse gases.

Having an EN16001 Energy Management System will enable any organisation to:

  • Improve energy use performance in a systematic way
  • Establish an energy management system
  • Ensure energy management conforms with stated policy
  • Demonstrate to stakeholders and others the organisation’s commitment to energy use improvement
  • Allow certification of the Energy Management System by an accredited third party.

EN 16001 is currently a European standard (the EN designator indicating it is a ‘European Norm’). However, the International Standards Organisation (ISO) has taken up this standard and is planning to publish the international version as ISO 50001, which, surprise, surprise, will also be called “Energy management systems — Requirements with guidance for use”. Currently, the international standard version is in the voting stage as a Draft International Standard. If all goes well, publication is expected in early 2011. Thus, certainly for a while, EN 16001 and ISO 50001 will sit alongside one another. Those of you who have already started on EN 16001 programmes, fear not: one of the prime aims in writing the international version has been to retain compatibility between EN 16001 and ISO 50001, thus ensuring early adopters of the former standard will not lose out. It is anticipated that those certifying to EN16001 should have only minimal transitional requirements to achieve ISO 50001 status.

Confused? You certainly should be. Hopefully, reading this will clarify the situation and remove doubt. If you are still in need of succour, why not call IT Governance (+44(0)845 070 1570) and talk it through?

The contents of EN 16001 are:

(more…)

Training Schedule September 2010

August 2nd, 2010 by James Warren

Our Training schedule for September 2010 is outlined below and I thought you should see it as early as possible. Spaces on these courses are limited and sell out very quickly; in fact, a few of these courses have just been added to meet demand, as we have turned people away from previous course dates!

| Date | Course |
|---|---|
| 07 Sept | Foundations of Information Security Management according to ISO 27001 |
| 10 Sept | PCI DSS – 1-Day Introduction, Implementation & Compliance Masterclass |
| 13-14 Sept | BS25999 Business Continuity Management Implementation Master Class |
| 13-14 Sept | COBIT 4.1 Foundation Course |
| 14-16 Sept | ISO27001 ISMS Implementation (Lead Implementer) MasterClass |
| 21 Sept | Digital Forensics Classroom Training Course |
| 23 Sept | Understanding Business Continuity Management Best Practice & BS25999 |
| 27/09-01/10 | ISO27001 Certificated Lead Auditor Training Course |
| 29/09-01/10 | Implementing ISO20000 (ISO20000 Consultant Certificate) Course |

Why book an IT Governance Training Course?

  • Strength of experience: Our trainers are subject matter experts who have unrivalled experience within their field
  • Association with a leading brand: Align your organisation, and your career, with the leading name in governance, risk and compliance. Receive a training certificate from a name that will be recognised globally
  • Ease of booking: Speak to one of our advisors directly on 0845 070 1750, email servicecentre@itgovernance.co.uk or simply book online via our website at www.itgovernance.co.uk/training.aspx
  • Quality course material: Receive practical tools and resources to use throughout your learning
  • Specially selected training venues: Learn in a comfortable training environment. Our training locations are selected based on facilities and standards of service and ease of access.

Call 0845 070 1750 to discuss your requirements or to book today!

See our full range of training courses >>

Penetration Testing – What Should you Test?

July 19th, 2010 by James Warren

Are you still confused about Penetration Testing? Many organisations know they need a test to evaluate the security of their IT system but remain unclear on what should be tested.

All elements of your information technology system can be tested, including any method that your organisation uses to capture, store, process or communicate information. It also includes the most important elements of your system (and the highest security risk!), which are your administrators and users.

Examples of what can be tested include:

  • External & internal access to the network
  • Hardware & software network infrastructure
  • Software; including operating systems, applications and databases
  • Wireless (WIFI, Bluetooth, etc.)
  • IP Telephone systems
  • Staff screening and assessment.

But what should be tested?

(more…)

Why Conduct a Pen Test?

July 12th, 2010 by James Warren

As the technical manager responsible for Information Security in your organisation you will have already taken a number of measures to secure your system from the risks of external and internal attack. But how can you ensure that your security is adequate, functional and fully meets the needs of your organisation?

Effective Penetration Testing of your system is the only way of establishing that your networks and applications are truly secure.

Why should you conduct a Penetration Test?

  • Identify vulnerabilities and quantify their impact and likelihood;
  • Propose corrective measures and implement remedial actions;
  • Ensure compliance with compulsory standards which include PCI DSS and ISO27001;
  • Prevent financial loss through fraud or lost revenue due to unreliable business systems;
  • Protect your company reputation by avoiding loss of customer confidence and reputation.

How do you choose a supplier from the increasing number of companies who offer this service?

IT Governance has a long and distinguished history in the provision of information security expertise and solutions and is widely known for its work in helping organisations achieve compliance with the PCI DSS and ISO/IEC 27001:2005 standards. Our Penetration Testing service builds on this foundation to provide the highest quality security testing of your IT networks and applications.

Why should you choose IT Governance for your penetration testing service?

  • Qualified Certified Security testers employing the latest ethical techniques;
  • Best practice OSSTMM methodology, developed and published by ISECOM;
  • Confidential service underpinned by Non Disclosure Agreement (NDA);
  • Comprehensive testing report outlining all remedial actions.

Please take the opportunity to contact us directly to discuss your requirements and find out how you can book your Penetration Testing Service. Our Customer Service team will be delighted to hear from you and, if required, can arrange for one of our Consultants to call you for a no-obligation chat.

For further information, please email servicecentre@itgovernance.co.uk or call on 08450 701750.

PS: Did you know that if you provide services to the UK Department for Work and Pensions (DWP), your company is required to have a Security Plan in which a pen test is mandatory!

Penetration Testing Services from ITG Security Testing Ltd

New Must-Have IT Governance Toolkits

May 17th, 2010 by James Warren

Last month we launched five new toolkits – all of which help organisations to implement specific frameworks or standards. I want to talk to you about two of these toolkits as I think they will be of particular interest to your organisation:

SharePoint Governance Toolkit

Microsoft Office SharePoint Server (MOSS) is an immensely useful collaboration and information sharing tool for organisations, teams and workgroups. Poorly governed SharePoint deployments can create significant holes in organisational information structures as well as exposing the organisation and its information to a wide range of risks.

IT Governance Launch Five New Toolkits

April 26th, 2010 by James Warren

This week we are launching three new toolkits at InfoSec Europe 2010 (at Earls Court). For live updates from the show follow our Twitter feed Twitter.com/ITGovernance.

As you’re reading this, you are among the first to hear about the new toolkits we’re launching or have recently launched:

Manage Social Media in your organisation

Social Media Governance Toolkit Brand New!
The ITG Social Media Governance toolkit helps organisations create an effective governance structure around their social media activities. Social media is, for many organisations, a critical part of how they speak to customers, partners and stakeholders; for others, social media are a dangerous distraction.
Dealing effectively with social media requires a joined-up approach that is aligned with the objectives and risk appetite of the business – a governance approach.

Manage SharePoint Effectively

Microsoft Office SharePoint Server (MOSS) is an immensely useful collaboration and information sharing tool for organizations, teams and workgroups. Poorly governed SharePoint deployments can create significant holes in organizational information structures as well as exposing the organization and its information to a wide range of risks.

Maximising value from your SharePoint deployment requires a joined-up approach that is aligned with the communication objectives and risk controls of the business – a governance approach.

Achieve DPA compliance with BS10012

The new DPA toolkit contains all the documentation necessary for an organisation to use BS10012 for compliance with the DPA.

The new toolkit will be capable of integrating into an ISO27001 ISMS and will also contain all the core DPA compliance documents, from a fair processing notice through to a procedure for handling Subject Access Requests.

Environmental Management System

This unique toolkit contains a full suite of documentation templates that will help you prepare for and implement an environmental management system (EMS) that complies with ISO14001, the environmental management system standard.

There are also two valuable eBooks, whose content and guidance will be essential in the development of your ISO14001 (ISO 14001) EMS.

QMS Quality Management System

This unique toolkit contains a full suite of documentation templates that will help you prepare for and implement a quality management system (QMS) that complies with ISO9001, the quality management system standard.

Suitable for all organisations.

Here are some of our other best-selling toolkits:

Join hundreds of organisations around the world – Fast-track your compliance project, avoid trial and error dead ends, save time and money!

Browse the entire range of toolkits today >>

New Data Protection Powers of the ICO

April 8th, 2010 by James Warren

The ICO’s new powers to issue monetary penalties came into force on 6 April 2010, allowing the Information Commissioner’s Office to serve notices requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act.

The data protection powers of the Information Commissioner’s Office are to:

  • Conduct assessments to check organisations are complying with the Act;
  • Serve information notices requiring organisations to provide the Information Commissioner’s Office with specified information within a certain time period;
  • Serve enforcement notices and ‘stop now’ orders where there has been a breach of the Act, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law;
  • Prosecute those who commit criminal offences under the Act;
  • Conduct audits to assess whether organisations’ processing of personal data follows good practice; and
  • Report to Parliament on data protection issues of concern.