
19 Jun 2010

DoD 8750 Directive

By IPSECS Admin. Posted in Management.

The Department of Defense (DoD) is currently undergoing an organizational process involving Information Assurance (IA) standardization.

DoD 8570 seeks to accomplish the following objectives:

1. Create standards whereby IA Workforce personnel, at all levels and functions, obtain a uniform level of competency with regard to DoD information and networks.
2. Establish a minimum skill level for all IA Workforce personnel throughout the DoD.
3. Provide qualified IA Workforce members to the soldiers that need them.
4. Create a set of formal training requirements and establish certification programs.
5. Add to the knowledge base of every IA Workforce team member through education or experience.

DoD 8750 document can be found here while DoD 8750 training and assessment can be reached at GIAC/DoD8750.

This article is ripped and modified from http://dod8570.net/

26 May 2009

Introduction to ISO 20000 (BS 15000)

By IPSECS Admin. Posted in Management.

ISO/IEC 20000 is the first international standard for IT Service Management. It is based on and is intended to supersede the earlier British Standard, BS 15000.

Formally, ISO 20000-1 (‘part 1’) “promotes the adoption of an integrated process approach to effectively deliver managed services to meet the business and customer requirements”. It comprises ten sections:

  • Scope
  • Terms & Definitions
  • Planning and Implementing Service Management
  • Requirements for a Management System
  • Planning & Implementing New or Changed Services
  • Service Delivery Processes
  • Relationship Processes
  • Control Processes
  • Resolution Processes
  • Release Process

ISO 20000-2 (‘part 2’) is a ‘code of practice’, and describes the best practices for service management within the scope of ISO 20000-1. It comprises the same sections as ‘part 1’ but excludes ‘Requirements for a Management System’, as no requirements are imposed by ‘part 2’.

ISO 20000, like its BS 15000 predecessor, was originally developed to reflect best practice guidance contained within the ITIL (Information Technology Infrastructure Library) framework, although it equally supports other IT Service Management frameworks and approaches including Microsoft Operations Framework and components of ISACA’s CobIT framework. It comprises two parts: a specification for IT Service Management and a code of practice for service management. The differentiation between ISO 20000 and BS 15000 has been addressed by Jenny Dugmore.

The standard was first published in December 2005.

Taken from: http://en.wikipedia.org/wiki/ISO_20000

3 May 2009

An Introduction to ITIL and CobiT

By IPSECS Admin. Posted in Management.

In the bowl of alphabet soup that feeds our industry lurk two acronyms that actually have little to do with technology, and everything to do with how we use it: ITIL (the IT Infrastructure Library) and CobiT (Control Objectives for Information and related Technology).

These two complementary sets of best practices deal, respectively, with service management and with governance in IT organizations. Between them, the ITIL and CobiT provide guidelines to help companies cut support costs, increase IT efficiency, and meet regulatory requirements.

The ITIL was developed by the British government in the 1980s as a best practice framework for IT service management. It is vendor-independent, and the Crown still holds copyright to ensure no organization can hijack the framework for its own purposes. It really is a library, too, originally consisting of over forty individual volumes, each one dedicated to a separate area of service management. ITIL Service Management is currently embodied in the ISO 20000 standard (previously BS 15000).

2 May 2009

Comprehensive Computer Network Security Assessment

By IPSECS Admin. Posted in Management.

Introduction

How secure is your company’s information? In this age of distributed computing and of client-server and Internet-enabled information access, computer security consistently rises to the top of most “important issues” lists.

To answer this question with certainty is difficult; there are no absolutes in security. An important first step for most corporations is a security policy that establishes acceptable behavior. The next, and more critical, step is to enforce that security policy and measure its effectiveness. A security policy is in tension with user convenience, creating forces that move security practices away from the policy. Additionally, when new machines or applications are configured, the security-related issues are often overlooked. Therefore the gap between central policy and decentralized practice can be immense. These are significant tasks, as are identifying problems and taking corrective action on a constantly changing network. Many enterprises typically fall back on blind faith rather than wrestle with the fear of the unknown.

Sources of Risk

In order to assess your true security profile, you must first understand the sources of risk. The most infamous risk is embodied by the external hacker accessing a corporate information system via the Internet. Traditionally these hackers view breaking into a system as mountain climbers view scaling a cliff: for them it’s the next great challenge. However, as ever-increasing numbers of corporations interconnect their information systems, successful break-ins become commercially rewarding. Practitioners of industrial espionage now view the computers on the Internet as valuable potential sources of information. Often these “professionals” masquerade as the traditional hacker to disguise their true purposes.

Although the threats from external attacks are real, they are not the principal source of risk. FBI statistics show that more than 60% of computer crimes originate inside the enterprise. These risks can take multiple forms. Unscrupulous employees may be searching for organizational advantages. A disgruntled employee may be co-opted by an industrial espionage agent. Increasingly, corporations are turning to contractors for specialized skills or to absorb temporary increases in workload. These contractors are often given access to the corporate information system, and thus they can also present a risk to corporate information.

Lines of Defense for the Corporate Information System

  • Firewalls

Many enterprises erect a firewall as the first and often only line of defense for their information systems. A firewall is a device that controls the flow of communication between internal networks and external networks, such as the Internet. Many corporations assume that, once they have installed a firewall, they have reduced all their network security risks.

30 Apr 2009

Building and Deploying Effective Security Policies

By IPSECS Admin. Posted in Management.

Defining Effective Security Policies

First, we must define what we mean when we say policies are “effective.” One way to build this definition is by looking at the ways organizations feel their policies are not effective. For this discussion, we use the following criteria:

1. Effective policies adequately define the high-level security goals of the company to reduce operational risk.
2. Effective policies adequately protect an organization against legal action for possible violations.
3. Effective policies are read and understood by all employees and contractors in various roles within the organization.


Criterion #1 is based on the need for policies to be complete. An organization’s policies must adequately cover the topics of an effective security program, including compliance with regulations.

Criterion #2 reflects the organization’s fear of damaging lawsuits, including possible violation of legislation. In fact, these fears are justified: recent court cases are establishing precedents that would hold most organizations liable.

Criterion #3 reflects most organizations’ highest concern when it comes to security. In fact, these three criteria are intricately related, and it is virtually impossible to adequately satisfy one without the other two.

30 Apr 2009

Introduction to ISO/IEC 27002

By IPSECS Admin. Posted in Management.

ISO/IEC 27002, part of a growing family of ISO/IEC ISMS standards (the ‘ISO/IEC 27000 series’), is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It was published as ISO/IEC 17799:2005 and subsequently renumbered ISO/IEC 27002:2005 in July 2007, bringing it into line with the other ISO/IEC 27000-series standards. It is entitled Information technology – Security techniques – Code of practice for information security management. The current standard is a revision of the version first published by ISO/IEC in 2000, which was a word-for-word copy of the British Standard (BS) 7799-1:1999.


ISO/IEC 27002 provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS). Information security is defined within the standard in the context of the C-I-A triad:
