Article store

SECURITY PROCESS

blogsmy — Fri, 01 May 2009 10:13:20 +0000

Action Summary
Financial institutions should implement an ongoing security process and institute appropriate governance for the security function, assigning clear and appropriate roles and responsibilities to the board
of directors, management, and employees.
OVERVIEW
The security process is the method an organization uses to implement and achieve its security objectives. The process is designed to identify, measure, manage, and control the risks to system and data availability, integrity, and confidentiality, and to ensure accountability
for system actions. The process includes five areas that serve as the framework for this booklet:
􀂃 Information Security Risk Assessment—A process to identify and assess threats, vulnerabilities, attacks, probabilities of occurrence, and outcomes.
􀂃 Information Security Strategy—A plan to mitigate risk that integrates technology, policies, procedures, and training. The plan should be reviewed and approved by the board of directors.
􀂃 Security Controls Implementation—The acquisition and operation of technology,the specific assignment of duties and responsibilities to managers and staff, the deployment of risk-appropriate controls, and the assurance that management and staff understand their responsibilities and have the knowledge, skills, and motivation necessary to fulfill their duties.
􀂃 Security Monitoring—The use of various methodologies to gain assurance that risks are appropriately assessed and mitigated. These methodologies should verify that significant controls are effective and performing as intended.
􀂃 Security Process Monitoring and Updating—The process of continuously gathering and analyzing information regarding new threats and vulnerabilities,actual attacks on the institution or others combined with the effectiveness of the existing security controls. This information is used to update the risk assessment, strategy, and controls. Monitoring and updating makes the process continuous instead of a one-time event.Security risk variables include threats, vulnerabilities, attack techniques, the expected frequency of attacks, financial institution operations and technology, and the financial institution’s management of the risks requires an ongoing process.
GOVERNANCE
Governance is achieved through the management structure, assignment of responsibilities
and authority, establishment of policies, standards and procedures, allocation of resources,
monitoring, and accountability. Governance is required to ensure that tasks are
completed appropriately, that accountability is maintained, and that risk is managed for
the entire enterprise. Although all aspects of institutional governance are important to the
maintenance of a secure environment, this booklet will speak to those aspects that are
unique to information security. This section will address the management structure, responsibilities,
and accountability
MANAGEMENT STRUCTURE
Information security is a significant business risk that demand engagement of the Board
of Directors and senior business management. It is the responsibility of everyone who
has the opportunity to control or report the institution’s data. Information security should
be supported throughout the institution, including the board of directors, senior management,
information security officers, employees, auditors, service providers, and contractors.
Each role has different responsibilities for information security and each individual
should be accountable for his or her actions. Accountability requires clear lines of reporting,
clear communication of expectations, and the delegation and judicious use of appropriate
authority to bring about appropriate compliance with the institution’s policies,
standards, and procedures.
RESPONSIBILITY AND ACCOUNTABILITY
The board of directors, or an appropriate committee of the board, is responsible for overseeing
the development, implementation, and maintenance of the institution’s information
security program, and making senior management accountable for its actions. Oversight
requires the board to provide management with guidance; approve information security
plans, policies and programs; and review reports on the effectiveness of the information
security program. The board should provide management with its expectations
and requirements and hold management accountable for
􀂃 Central oversight and coordination,
􀂃 Assignment of responsibility,
􀂃 Risk assessment and measurement,
􀂃 Monitoring and testing,
􀂃 Reporting, and
􀂃 Acceptable residual risk.

ISO/IEC 17799:2005 Information technology

blogsmy — Fri, 01 May 2009 08:10:04 +0000

Security techniques – Code of practice for information security management

Information is an asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected. This is especially important in the increasingly interconnected business environment. As a result of this increasing interconnectivity,

information is now exposed to a growing number and a wider variety of threats and vulnerabilities (see also OECD Guidelines for the Security of Information Systems and Networks).

Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, it should always be

appropriately protected.

Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.

Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure

that the specific security and business objectives of the organization are met. This should be done in conjunction with other business management processes.

ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas of information security management:

* security policy;
* organization of information security;
* asset management;
* human resources security;
* physical and environmental security;
* communications and operations management;
* access control;
* information systems acquisition, development and maintenance;
* information security incident management;
* business continuity management;
* compliance.

The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 17799:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.

Myths & Realities of Data De-Dup

blogsmy — Thu, 30 Apr 2009 10:47:15 +0000

Data Deduplication
Data deduplication is a method of reducing storage needs by eliminating redundant data. Only one unique instance of the data is actually retained on storage media, such as disk or tape.
Unified Threat Management (UTM)
This is basically a new technology that combines all security solutions into one single solution i.e that has many features in one box, including e-mail spam filtering, anti-virus capability, an intrusion detection (or prevention) system (IDS or IPS), and World Wide Web content filtering, along with the traditional activities of a firewall.

Hello world!

blogsmy — Thu, 30 Apr 2009 07:45:18 +0000

Welcome to WordPress.com. This is your first post. Edit or delete it and start blogging!