2 years ago


standards TIME FOR A

standards TIME FOR A DEEP HEALTH CHECK IN OUR HYPER-CONNECTED, TECHNOLOGY-DRIVEN WORLD, DATA BREACHES AND CYBER-ATTACKS REMAIN A SIGNIFICANT THREAT TO ORGANISATIONS AND A LACK OF AWARENESS OF THE RISKS IS OFTEN TO BLAME. A NEWLY REVISED STANDARD MAY HELP Edward Humphreys: the updated standard is a key tool in the ISO/IEC 'cyber-risk toolbox'. Protecting the security of a company's information - whether that might be commercially sensitive or the personal details of their clients - has never been more under the spotlight. New legislation such as the European GDPR means organisations are under even greater pressure to ensure their information is secure. But having the most appropriate technologies and processes can be a minefield. The newly revised ISO/IEC 27005:2018, Information technology - Security techniques - Information security risk management, provides guidance for organisations on how to wade through it all by providing a framework for effectively managing the risks involved. Complementary to ISO/IEC 27001:2013, which provides the requirements for an information security management system (ISMS), ISO/IEC 27005 has recently been updated to reflect the new version of ISO/IEC 27001 and thus ensure it is best equipped to meet the demands of organisations of today. It provides detailed risk management guidance to help meet related requirements specified in ISO/IEC 27001. Edward Humphreys, convener of the ISO/IEC working group that developed both ISO/IEC 27001 and ISO/IEC 27005, says the updated standard is a key tool in the ISO/IEC 'cyber-risk toolbox'. "ISO/IEC 27005 provides the 'why, what and how' for organisations to be able to manage their information security risks effectively in compliance with ISO/IEC 27001," he says. "It also helps to demonstrate to an organisation's customers or stakeholders that robust risk processes are in place, giving them confidence that they are good to do business with." ISO/IEC 27005 is one of more than a dozen standards in the ISO/IEC 27000 series that make up the cyber-risk toolkit, led by the flagship ISO/IEC 27001, Information technology - Security techniques - Information security management systems - Requirements. Others in the series include those for protecting information in the Cloud, information security in the telecoms and utility sectors, cybersecurity, ISMS auditing and more. ISO/IEC 27005 was developed by working group 1 Information security management systems of technical committee ISO/IEC JTC 1, Information technology, subcommittee SC 27, IT Security techniques, the secretariat of which is held by DIN, ISO's member for Germany. INFORMATION SECURITY RISK MANAGEMENT - THE BENEFITS Effective information security risk management should contribute to the following: Risks being identified Risks being assessed in terms of their consequences to the business and the likelihood of their occurrence The likelihood and consequences of these risks being communicated and understood Priority order for risk treatment being established Priority for actions to reduce risks occurring Stakeholders being involved when risk management decisions are made and kept informed of the risk management status Effectiveness of risk treatment monitoring Risks and the risk management process being monitored and reviewed regularly Information being captured to improve the risk management approach Managers and staff being educated about the risks and the actions taken to mitigate them. 34 computing security July/August 2018 @CSMagAndAwards

GDPR GAP ANALYSIS – An Approach to Get You Started/Assess Your Progress to Date – DPG Can Help GDPR came into force on May 25th 2018 and despite being given plenty of notice there are many organisations still struggling to create a coherent GDPR position. Not being compliant, for whatever reason, is unlikely to be viewed sympathetically by either the regulator, nor by your stakeholders, who will point to the notice period. The immediate challenge, therefore, is to strive towards compliance, in as short a time as possible, with the date now just weeks away. If you are compliant with the 1998 Data Protection Act, you might be managing the many GDPR requirements with some confidence, and just require some extra help to augment the extra requirements of the legislation. At this stage activity needs a significant uplift and hopefully you’ve realised that there is much more to this than just having Records of Processing Activity. This is where DPG comes in. DPG are innovators in the data protection field through viewing data protection as a layered process within an organisation, as opposed to a single departmental responsibility. The DPG approach identifies inter-operable and interdependent activities, which taken individually can undermine the data protection processes and countermeasures in place at an organisation DPG offers a comprehensive risk assessment framework to assess an organisation’s ability to meet regulatory data protection requirements and protect their data throughout all business operations. Deployed via simple to use software called Pathfinder ® , DPG interrogates key business areas including processes, policies and systems to provide an organisational gap analysis that is mapped directly to the requirements of, in this instance, the GDPR. This information capture is the most extensive and valuable assessment of how data, infrastructure and relationships are managed to ensure they meet data protection requirements and help decrease the likelihood of a data breach, regulatory non-compliance and business process failure. The framework is underpinned by security science that provides indepth analysis, alongside hierarchical and business understanding, weakness criticality conjoined with threat and risk profiles to produce a complete remediation report. The report details obvious vulnerabilities, areas for concern, as well as strengths, from whole process failures to individual weaknesses within a particular process, enabling organisations to have absolute clarity as to the scope of each remediation activity required. DPG’s approach enables any organisation to not only evidence their existing aspects of compliance with the GDPR, but also to demonstrate well-defined improvements with the completion of concise remediating actions. The same applies for those organisations already well along the path towards compliance. DPG’s framework enables the organisation to independently review their compliance undertakings and evidence their accountability, but moreover to demonstrate a clear return on investment and evidence meeting success criteria. DPG operates a standard subscription model, alongside consulting expertise that provides organisations not only with a robust pathway to compliance, but more importantly the ability to meet the sustainability of data protection that is the essence of the GDPR, through the development of an organisational data protection ecosystem. Make no mistake, GDPR is but one requirement of data protection, and the corporate objective is to protect the very asset that it holds most dear; data. For further information on how DPG can work with your organisation to address the requirements of the GDPR and to create a broader Data Protection strategy please contact DPG on +44 207 998 3531 or DATA PROTECTION GOVERNANCE