Tag: ISO 27000

With cloud computing changing the way applications are licensed, developed and deployed, Microsoft Office general manager Julia White discusses the impact on users.

In the days of on-premise Office, Microsoft would add new features with each major release, which led to the company being accused of releasing bloatware. People often used only about 20% of the product's overall functionality, and there was a huge learning curve associated with getting new functionality adopted.

The situation is now worse in the age of software delivered as a service, where products are continually developed and new updates are rolled out frequently. The challenge for software-as-a-service (SaaS) companies is in trying to make their products compelling while competing on price. Unless SaaS companies can get users to adopt the new features their products offer, they end up competing purely on price.

Google has been aggressively targeting Microsoft Office users with its enterprise product, which offers cloud-based collaboration, office productivity and email. Those organisations that have switched from Microsoft to Google speak about good-enough functionality, over the feature-rich Microsoft Office alternative, and the lower cost. However, unlike its Google rival – which offers a free version – all Office 365 versions require a subscription.

Office 365 security

Security is the frontline from a competition perspective. Microsoft Office 365 supports European Union (EU) model clauses and the ISO 27000 standard, among others. Data held in Office 365 is held securely and encrypted at rest.

In an interview with Computer Weekly at Microsoft's TechEd 2014 conference in Barcelona, White discusses how the company balanced security and usability.

"For decades we have had technology to lock things down, but people can't get their jobs done," she says. "Now, with consumer cloud apps like Gmail or DropBox, people work around security. Our philosophy is to give customers the full range of security controls, but we want to do it in a way that doesn't disrupt productivity."

According to White, once a user circumvents IT, the organisation becomes less secure. Microsoft uses policy tips that alert the user they may be infringing an IT security policy. "Behind this, IT pros can apply a range of policies, such as digital rights management and host-side encryption," she says.

Simplifying Office 365

Microsoft updates Office 365 regularly, which can mean users do not know what is happening with the product in terms of new functionality. "The things we roll out every day are not just new features. Some are new experiences," says White. She agrees there is so much happening in product development that users can easily lose track of what they actually have and how to make the most of the new bits.

"We are moving so quickly that we are actually ahead of customers. I am most concerned about what we deliver to customers and closing the gap to help them keep up," she says.

It is an area Microsoft is spending a lot of time researching, according to White: "This is where we are doing some of our most innovative work, around things like machine learning. It is no longer necessary to clean an email inbox, for example – we can use machine learning to clean an inbox."

Another feature, TellMe, can be used to direct the user to the command to perform a task they wish to accomplish, such as inserting a table. "It takes you to the command so you don't have to worry about where it is," says White. The aim is to surface the commands to the user in a way that makes sense to them, White explains.

"We are trying to switch from offering lots and lots of features to providing the user with the ones most useful to them at the time they need them," she says.

Combining cloud computing with the power of its Bing search engine allows Microsoft to gain a better understanding of what the user wants to achieve, says White. "The Office Ribbon was our first attempt at trying to surface features in a logical way. The next step is for the user to tell us what they want, and we will bring it to you," she says.

This is the type of technology that is appearing in Microsoft's speech engine, Cortana, where the user tells it what they want. "I believe machine learning personalisation intelligence will define the future experiences of the user," concludes White.
The IT security community and industry has welcomed the UK government's latest report on the progress of its National Cyber Security Programme.

The UK is meeting the objectives of its national Cyber Security Strategy, Cabinet Office minister Francis Maude has told parliament. The notable achievements of the past two years are highlighted in an official report published today, which also sets out the government’s cyber security plans for the coming year.

These include the introduction of an industry kitemark that will allow businesses to state publicly to prospective clients that they supply government with cyber security products and services. 2014 will also see the introduction of an industry-led organisational standard, based on the ISO 27000 series, to give industry a clear baseline to aim for.

Mark Brown, director of information security at Ernst & Young, said: “It definitely feels like the UK is getting to grips with cyber security and finally moving towards a pro-active stance on this growing international threat.

“From a business perspective, the government is demonstrating another step in the right direction by agreeing an organisational standard on cyber security which will raise the bar not only in central government but more widely in UK plc.

“Specifically, this standard will tackle the threats occurring in the supply chain, where the benefits realised by companies in raising their internal bar on cyber security postures are being undermined by failures throughout their supply chain, and will therefore provide a mechanism for businesses to ensure they address delivery risks throughout their extended enterprise.

“However, the government runs the risk of being accused of back-door legislation. Ideally, we would expect government to be offering UK plc tangible incentives to put in place standards on cyber security. Only then will the UK truly become one of the safest places to do business in the world,” said Brown.

While welcoming the government’s efforts, Richard Archdeacon, head of security strategy at HP Enterprise Security Services, also urged caution. “It should however be noted that while the introduction of an industry-led organisational Standard for Cyber Security is laudable, businesses should only regard this as the bare minimum.

“Furthermore, as these measures are well documented and indeed known by our adversaries, companies need to go above and beyond in order to truly secure their critical data,” he said.

Ross Brewer, vice-president and managing director of international markets at LogRhythm, said the government’s plans for 2014 clearly show how big a priority cyber security is becoming. “These initiatives will undoubtedly better prepare UK businesses and raise awareness of cyber crime, which is key when faced with today’s sophisticated threats.

“By building skill sets and tightening standards, it will hopefully stimulate the much-needed adoption of even basic threat-detection steps,” he said.

Brewer said all organisations should follow the government’s example of taking measures to protect themselves from financial and reputational damage. “Essentially, more businesses need to make the most of the resources available to them – after all, they are the ones who will ultimately suffer should they fall victim to an attack because of inadequate defences,” he said.

With breaches and attacks being reported on an almost daily basis, Brewer added that organisations must ensure they are actively addressing their existing security strategies so that they are fully aware of what is happening on their networks at all times.
The UK government plans to concentrate on expanding partnerships around cyber security with the private sector in 2014 as part of the National Cyber Security Strategy (NCSS). This includes introducing a cyber security kitemark for firms that do business with the government, to help boost UK cyber exports, and a cyber security baseline standard.

The announcements coincide with the publication of the government’s progress report on the NCSS, two years after it was launched in November 2011. The NCSS is supported by £860m funding from the National Cyber Security Programme for delivering projects as part of the government’s response to growing threats in cyberspace.

Francis Maude, minister with oversight of the Cyber Security Strategy, said two years of “solid work” by government – in partnership with the private sector and academia – had ensured the UK’s cyber resilience, awareness, skills and capability grew across the board. “Our initiatives are ensuring the UK is one of the safest places to do business in cyberspace as well as providing a solid platform for economic growth,” he said.

Cyber attack remains serious threat

Looking to the future, Maude said although the government is already working closely in partnership with the private sector, he wants to see that relationship grow even stronger to “mainstream cyber security” and raise awareness. “We know this is important now, but this is also vital for our economic growth in the coming years. It will remain an absolute priority as we move to year three of our strategy,” he said.

Maude said cyber attack will remain a serious threat to UK national security. “That is why our work with other sectors, such as academia and R&D, will continue to benefit strongly from secure government funding.

“As a result of the 2013 spending review we have directed an additional £210m investment to this area, making £860m of sustained government investment on cyber to 2016,” he said.

Cyber security exports

Maude said there remained work to be done, but investment, partnerships, skills, resilience and awareness are in a far stronger position today than before the National Cyber Security Programme was launched.

In 2014, the government plans to establish a Cyber Security Suppliers’ scheme, developed through the Cyber Growth Partnership. This will allow businesses to state publicly to prospective clients that they supply government with cyber security products and services. The government’s aim is to more than double annual cyber exports from the UK to £2bn a year by 2016.

Security standard sets baseline

2014 will also see the introduction of an industry-led organisational standard, based on the ISO 27000 series, to give industry a clear baseline to aim for. This is aimed at ensuring a focus on basic cyber hygiene and protection from low-level cyber threats, according to a senior government official. “This standard will be adopted by government in its procurement where proportionate and relevant to encourage uptake and give companies a demonstrable competitive edge,” he said.

To further raise awareness of cyber security, the government believes internet service providers (ISPs) have an important role to play. ISPs and the government have co-developed a series of Guiding Principles to improve the online security of customers and limit the rise in cyber attacks.

Cyber security research and training

By summer 2014, the government plans the introduction of a “Massive Open Online Course” in cyber security for the Open University. “The course will potentially reach 200,000 students both domestically and overseas. The course will be available free of charge to anyone who has access to the internet,” said a senior government official.

In 2014, the government plans to set up a third research institute to focus on trustworthy industrial control systems for critical national infrastructure. “This directly supports national infrastructure, building capability, finding new innovative ways to protect the industrial technologies that support our key services,” said a senior government official. “As more vital infrastructure goes online, the cyber threats are likely to increase unless we take steps to ensure we can manage them,” he said.

The first research institute, for the science of cyber security, was set up in 2012, and the second, to find new ways of analysing software to combat cyber threats, was set up in 2013.

The government plans to increase funding for the UK Cyber Security Challenge to expand the pilot schools competition regionally and nationally. Since its launch, 562 schools nationally have become involved. This programme gives school children the opportunity to develop their cyber skills and to demonstrate them in a competitive environment.

Finally, the government plans to increase its partnership with Chevening, Commonwealth and Marshall Scholars from Africa, Asia, and America. “These scholars will take their knowledge and expertise back to their home countries, where strengthened cyber security will help tackle cyber threats to the UK at source, and where they will reinforce the UK’s reputation as a world leader in cyber,” said a senior government official.

Responding to the government’s plans for a cyber security kitemark, cyber security firm Check Point welcomed the move. “Our 2013 security report found that 63% of large organisations were infected with bots – stealthy agents which quietly siphon data from networks – so raising awareness of these issues and setting security benchmarks is an important step,” said Keith Bird, Check Point’s UK managing director. “However, threats are continually evolving, so the benchmarks will need to be regularly reviewed and updated in order to keep pace and ensure they deliver a real foundation for protection,” he said.
Since 2005, ISO 27001 has provided a framework for the secure retention of data with a six-part process based around generating policies, identifying risks and developing control objectives.  But this year the standard was updated, with ISO 27001: 2013 recognising changes in security threat vectors and changes to how we interact with devices, such as the onset of bring your own device (BYOD) as a mainstream phenomenon. Overall, the emphasis for ISO 27001 compliance has shifted to one focused on risk and mapping risk with regard to your IT assets.

Also, in practical terms the structure of the standard has been altered. In this podcast, Computer Weekly storage editor Antony Adshead talks with Vigitrust CEO Mathieu Gorge about the key changes in ISO 27001 and the implications for storage and backup.

Antony Adshead: What is ISO27001: 2013 and how does it differ from previous iterations?

Mathieu Gorge: ISO27001 and the 27000 series altogether is a suite of standards that allow people to manage information security to ensure that any type of sensitive information is protected from a confidentiality, integrity and availability perspective. ISO has its origins in terms of security in British Standard 7799, which was then adopted by ISO as ISO 17799.

And then in 2005, the latest series of ISO 27000 series of standards was produced. It is important to note that while a lot of people only talk about 27001, there are a number of standards in the ISO 27000 series. ISO 27001 is really the management structure for managing information security. ISO 27002 is a suite of suggested controls and how to implement controls. ISO 27005 is about risk management.

And there are other standards within the suite. In 2013, ISO 27001: 2013 was enacted, and I think it’s important to understand the changes between the 2005 version and the 2013 version.

The key drivers for the change, I suppose, came from the fact the attack vectors have changed, the way we use computing has changed, with the advent of cloud computing and big data and the implications this has for data security and data storage. In terms of the major changes, there is a lot more focus on leadership and how you manage the information security management system.

There’s more focus on commitment, performance evaluation, which really is all about continuous compliance.

And you find it in other standards in the industry, such as PCI-DSS version 3.0 which came out this year talking about making security business-as-usual, and this is the same idea. There are also changes around managing risk and managing assets; for example, in changes in terminology in ISO 27001: 2013, an asset owner in the 2005 version is now the risk owner, so we’re looking at risk. It’s also important to understand the changes in structure. ISO used to have 15 sections; it now has 18 sections.

The first four sections remain sections that deal with the actual infrastructure or structure of the standard and how you manage the documentation set that you produce and the associated controls. So, in the 2005 version you had all the controls in annexe A – 15 sections with 133 controls and 39 control objectives.

In the 2013 version we have moved to 18 sections instead of 15, but with fewer controls – 114 – and only 35 control objectives.

The overall size of the document has gone down from 34 pages to 23 pages. So, there’s going to be the issue of mapping the old version to the new version.

There are already some good mappings in the public domain. Some of them have been published by BSI and they clearly map sections 5 to 15 in 2005 to sections 5 to 18 in 2013. There’s also a transition period and some advice on how to prepare for the transition, bearing in mind that some controls have been updated, some have been deleted, some requirements have been deleted, but all of it is mapped. If you use those mappings you’ll be able to protect your data, especially with regards to confidential data and data in storage.

Adshead: What implications for data storage and backup result from the changes in ISO 27001: 2013?

Mathieu Gorge: The new version, not unlike the previous version, puts emphasis on mapping risk and mapping assets.

The assets, obviously, would be any type of systems or processes that you use, but also any type of data you have to protect. So, it’s all about performing a risk management process/discovery process that allows you to map where the data is, where it’s going and where it might actually be stored.

What’s interesting is that ISO 27001: 2013 continues to use the four-tier structures of ISO, which essentially starts with a policy setting up high-level objectives, procedures setting up guidance about how to achieve the objectives, work instructions that are essentially user manuals for the assets that you use to manage the information and the security of that information, and finally reference documents that allow you to trace the lifecycle of the document and mostly to trace any kind of change management.

So, you find in the new version that it’s especially interesting with regard to data storage because there are a lot of hints about how to comply in a cloud computing environment, whether infrastructure as a service, software as a service or platform as a service, and there are also references to big data with regard to the fact you end up with a mix of structured and unstructured data, some of which you need to keep from a compliance perspective and some of which you need to protect from a security perspective. The major change we are looking to see in the industry is really a version of ISO for storage security.

The good news is that ISO 27014 is in draft at the moment and it’s [being framed] around information technology and security techniques for storage security. The purpose of that version of the ISO 27000 standard is to draw attention to common information security risks that might be associated with protecting the integrity, confidentiality and availability of the information on various data storage technologies. So, it looks at best practice with regards to storage security design principles; data reliability, availability and resilience on storage systems; data retention, data confidentiality and integrity for the systems; and looking into virtualisation and virtualisation security, then applying this to traditional storage networking, storage management, the NAS, the SAN, file-based storage and cloud-based storage.

A draft version is likely to be approved at some stage in 2014. It was expected in 2013, but that version that really deals with storage security will be integrated into the 27000 suite and so therefore the advice is to familiarise yourself now with the structure of ISO 27000 and be ready to be provided with some good controls to implement, to manage your storage security at some stage in 2014, with that latest version of ISO on storage security.

This was first published in December 2013
The Government Digital Service (GDS) has begun testing a system that will allow citizens to securely prove their identity when accessing online public services.

The new system, called “the hub”, is part of the identity assurance programme, which will set up competing companies that citizens can register with to access digital services. The concept is similar to web users using their Facebook or Google accounts to sign in to third-party services.

According to a post on the GDS identity assurance (IDA) blog, the hub has now entered the beta test phase of its development. “The hub will manage communications between users, identity providers and government service providers. It will allow users to select and register with an identity provider, and then use their assured identity to access digital services,” wrote Steve Wreyford, the head of communications and marketing for the IDA programme.

Eight companies were selected last year to provide IDA services - The Post Office, Cassidian, Digidentity, Experian, Ingeus, Mydex, Paypal and Verizon.

“Initially we will be connecting the first of our identity providers and testing that users can prove their identity to a mock-up of a government service. Once we’ve done that we will connect our first ‘exemplar’ government services and run further small-scale tests before rolling out the full service,” wrote Wreyford.

The “exemplar” services are 25 of the most frequently used government transactions, ranging from visa applications to benefit claims to booking prison visits. GDS is working on a 400-day programme that started earlier this year to make all 25 services “digital by default”.

Citizens wishing to use the online services will first register with an IDA provider, then use that identity to securely log into the relevant government website. Longer term, IDA identities could be used to access local government services and even commercial websites.

Wreyford stressed the importance of security in the development of the hub.
“The identity providers will also need to be international standards (ISO 27000) compliant and certified by an independent certification organisation (tScheme) as meeting the identity proofing and credential management requirements set out in our Good Practice Guides.

If the providers fail to pass the gates or do not achieve certification, they will not be able to offer a fully live service,” he wrote on the GDS blog.

Universal Credit, the government’s flagship welfare reform programme, was originally expected to be the first service to use IDA, but major problems with the IT development underpinning the scheme led to it being dropped from the initial roll-out.