InfoSecMinds

For like-minded people

Service Asset – A Requirement or Duplication

Jul 5

Posted by Vinod Puthuseeri in ISMS, ISO 27001:2005, Information Security Risk Assessment, Risk Assessment | 2 Comments

It just came up recently while discussing with one of my friend, the need for capturing service assets as a part of asset inventory which will be used further for risk assessment exercise.

In a normal scenario, everyone uses a template that captures assests under different cateogories, viz

  • Information Asset – deals with electronic and paper based data
  • Hardware Asset – includes all your hardware, cupboards, safe, etc
  • Software Asset – includes all software’s used or implemented in the organization.
  • Service Asset – services that a department avails from the organization
  • People Asset – talks about people / employees

 Now the discussion went like this:

Read the rest of this entry »

Tags: , ,

Depth of Control Implementation

Mar 10

Posted by Vinod Puthuseeri in ISMS | No Comments

Discussing with various personnel it is quite amazing to see each one come up with their own way of interpreting controls and to what depth each control need to be implemented. I would like to illustrate a discussion that I had recently. The standard too does not talk about this and it is left to the person who implements and to the auditor on how they want to look at the implementation effectiveness.

Up until now some of the aspects that we look into while implementing a control is as mentioned below; 

  1. Is the control implementation cost less than or equal to loss of the damage a threat could cause to an organization?
  2. Does the control implementation enable process improvements?
  3. Is the control implementation required as a part of legal, regulator or contractual requirements?

Read the rest of this entry »

Tags: , , ,

Security Breach – Who's responsible?

Jan 27

Posted by Vinod Puthuseeri in ISMS, ISO 27001:2005, Information Security, Information Security Risk Assessment, Risk Assessment | No Comments

The very first lesson taught to me in my computer classes where “A computer is as smart as you are” and this statement holds good even today. For the computer would do only that a person would want it to do. The only advantage a computer has over human is that of speed and storage capacity.

While looking at various aspects of data loss, the end reason always point to “PEOPLE”. The above statement holds good not only because there are data loss (which is now the high rated security risks), even if you look at any frauds that has happened in the recent past, everything has been manipulated by “HUMAN”. No matters what standards are adopted, what stringent rules are set in an organization, frauds still happen.

Read the rest of this entry »

Tags: , ,

ISMS Implementation – The bottom-Up approach

Oct 23

Posted by Vinod Puthuseeri in ISO 27001:2005, Information Security | 1 Comment

All the while we have been hearing and believing that ISMS implementation in any organization requires management approval without which it would be a failure. True!!!

For any project in an organization for that matter, management approvals are a must cause for a project to kick-start and complete with desired results, requires resources, budget, tools etc. These can be achieved only if the project manager shows the management that there is value created by doing this project which could favor the organization. The value could be of many ways which ultimately boils down to making profits or avoiding monetary/image loss.

Read the rest of this entry »

Tags: , ,

Vulnerability Management Program

Oct 10

Posted by Praveen Reddy in Information Security | 2 Comments

Introduction

It is quite obvious that, every organization want to serve its clients with out any interruptions. If not handled properly, sometimes, presence of a small vulnerability in a system or in the network may lead to interruption of the services offerings to clients. This may result in losing the trust of clients or loss of revenue.

Vulnerability assessment is a simple process of identifying and reporting vulnerabilities.

It provides a way to detect and resolve security problems before someone or something can exploit them. By conducting periodic vulnerability assessments, management could validate the security measures they have deployed.

Read the rest of this entry »

Tags: , , , , , , ,