Monday, September 26, 2011

Risk Management - two new standards

ISO 27005:2011

The newly released international information security risk management standard is now available.

ISO 27005:2011 supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.
The standard is now fully aligned with the International Standard for risk management, ISO 31000. ISO 31000 provides generic guidelines for the design, implementation and maintenance of risk management processes throughout an organization, generally known as enterprise risk management.

ISO 27005:2011 (ISRM) can be downloaded from the IT Governance web site.

NIST Special Publication 800-30

NIST has released a draft guide for conducting risk assessments.

"The purpose of Special Publication 800-30 is to provide guidance for conducting risk assessments of federal information systems and organizations. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process—providing senior leaders/executives with the information needed to determine appropriate courses of action to take in response to identified risks. In particular, this document provides practitioners with practical guidance for carrying out each of the three steps in the risk assessment process (i.e., prepare for the assessment, conduct the assessment, and maintain the assessment) and how risk assessments and other organizational risk management processes complement and inform each other."

The draft is in its public comment period, and all are welcome to submit comments on it.

The draft can be downloaded from the NIST web site linked below.


Thursday, September 1, 2011

New PCI Document - Identifying and Detecting Security Breaches

The PCI Security Standards Council has published a new document titled "Identifying and Detecting Security Breaches". The topics include:

  • Common Vulnerabilities and Malware
  • Signs of an Incident
  • How to Detect a Security Incident
  • Implementing and Reviewing Logs
  • Logs and PCI DSS Compliance
  • Basics of Incident Management
  • Top Challenges
  • Visa’s “What To Do If Compromised” Procedures

The document link is below: