Attorneys Create New Control Framework The Association of Corporate Counsel (ACC), which represents over 42,000 in-house counsel across 85 countries, recently released a new control model to help organizations interact with outside parties when dealing with sensitive information. This is among the many new business domains areas where vendor risk management has become a key issue. […]
Category Archives: ISO 27002 Compliance
The completion of an information security risk assessment is a key requirement in all information security frameworks, including ISO 27002, NIST 800:53, HIPAA and PCI-DSS. A recent analysis of regulatory enforcement under HIPAA identifies risk assessment as a key area of weakness. While risk assessments are required, the specifics for how to perform a risk […]
In February 2014, NIST released version 1.0 of the Framework for Improving Critical Infrastructure Cyber-security. The frameworks is intended to be a "voluntary" set of standards that can help small and medium sized businesses develop an information security program. (Part of the problem, of course, is that we don't need another framework - but a [...]
The British Standards Institute (BSI) recently released an updated version of ISO/IEC 27002 – Code of Practice for Information Security Controls. This was the first major update since the 2005 release. Many organizations are interested in how the changes will impact their information security program. What Really Changed? In our review, very little in the […]
Divergent Directions: Looking back over the last 30+ years of my work in information security, I see two diverging trends when it comes to defining the information security-related standard of due care. By the “standard of due care,” in this column I mean the actions that management needs to take (for instance the controls that [...]
Security Quality Control: There is much to recommend about the ISO 9000 quality control approach as it is applies to the discipline of information security. In fact the ISO 27001 standard, entitled Information Security Management System (ISMS), in large measure reflects that same methodology. In other words, ISO 27001 suggests a continuous improvement approach to [...]
There are many security and privacy regulations that are very specific about the proper assignment of security responsibilities. Yet in many organizations, the information security effort is not managed with the same precision as other disciplines. There are a variety of reasons for this, not the least of which is that information security is a [...]
The paper discusses the importance of information security policies within an information security management system (ISMS), including the benefits of using Information Shield publications in obtaining certification against the new ISO 27001 standard. Information Security Policies and ISO 27001 certification
Some organizations still receive little management support or funding for a sound information security policy program. Within the last several years, however, numerous federal, state and international regulations have been passed that require the protection of information. Many organizations are now enhancing their information security policies in response to legal and regulatory requirements. In some […]
Many organizations just getting started with information security policies ask us the question: Should we use ISO 17799 (now ISO 27002) or COBIT? The answer, of course, is that it depends on what you are trying to accomplish. In fact, they are not mutually exclusive, but can be used together. The basic difference between COBIT […]