
  • Understanding ISO 27001


    Is my fear true?

    Answer: ISO 27001 is a management standard, so most of its requirements are about roles and responsibilities, and about how processes should be planned, implemented, controlled and improved, with only minimal requirements regarding technical issues like networking and penetration testing (basically what someone in a management position should require from his technical staff). So a non-technical education wouldn't be a problem for learning ISO 27001.

    This material will also help you regarding ISO 27001:
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Incident vs. Service Request


    Answer:
    If an Incident was submitted as a Service Request (or vice versa), it should be re-routed right at the beginning, i.e. before further activities take place. This means that, usually, the Service Desk staff or the technician who took over the ticket should change the Incident into a Service Request (or vice versa) and "send" it to the right process.

    Here are a few articles that can help you:
    "Managing Service Requests in ITIL/ISO 20000 using the Service Request record" https://advisera.com/20000academy/blog/2017/02/28/managing-service-requests-in-itiliso-20000-using-the-service-request-record/
    "Incident Management in ITIL – solid foundations of operational processes" https://advisera.com/20000academy/blog/2013/05/21/incident-management-itil-solid-foundations-operational-processes/
    "Incident Record – you can’t live without it" https://advisera.com/20000academy/blog/2014/07/01/incident-record-cant-live-without/
    "All about Incident Classification" https://advisera.com/20000academy/knowledgebase/incident-classification/
  • Capacity Plan, Availability Plan


    Answer:
    Yes, both plans are stand-alone documents in our toolkit:
    - Capacity Plan https://advisera.com//wp-content/uploads//sites/6/2015/06/App_1_Capacity_Plan_Premium_EN.pdf
    - Availability Plan https://advisera.com//wp-content/uploads//sites/6/2015/06/App_1_Availability_Plan_Premium_EN.pdf

    Also, these articles can help you further:
    - "ITIL Capacity Plan – A document you need, but probably don’t have" https://advisera.com/20000academy/knowledgebase/itil-capacity-plan-a-document-you-need-but-probably-dont-have/
    - "ITIL Availability Plan – A document you need, but probably don’t have" https://advisera.com/20000academy/blog/2015/05/19/itil-availability-plan-a-document-you-need-but-probably-dont-have/
  • Protecting a network


    As I understood, having a separate switch/network is not an option right now. Do you have any suggestions on what we can do to minimize or eliminate this risk?

    Answer: If you do not have access to the switch and having a separate switch/network is not an option at the moment, your options are very limited.

    If you want to treat the risk, you could try to:
    - Implement cryptography to protect communication between the computers in your network and to protect your files.
    - Implement access control on the shared folders in your network.
    - Make an agreement with the company that controls the switch, specifying the security controls they need to implement.

    Other alternatives in terms of risk management are to accept the risk (and do nothing), and to avoid the risk (e.g., by stopping using the switch).

    This article will provide you further explanation about handling suppliers:
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
  • Management representative in ISMS


    Answer: The Management Representative is not a required role in the ISMS by ISO 27001, but an organization can assign one if it understands it can make its ISMS work better (for some scenarios, a person dedicated to the specific activities of the management system can better ensure and improve its results).

    A CISO can assume the role of MR in an ISMS in case of need (if you have only ISO 27001, our recommendation would be to have only a CISO), but in organizations with multiple ISO management systems it may be better to have the CISO and MR as separate roles, because while the MR must be competent in the requirements of all the management systems the organization has, the CISO is specialized in information security and may be overwhelmed by activities regarding other management systems.

    These articles will provide you further explanation about the Management Representative and the CISO:
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
    - Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
    - What will be the destiny of the management representative in the new ISO 9001:2015? https://advisera.com/9001academy/knowledgebase/what-will-be-the-destiny-of-the-management-representative-in-the-new-iso-90012015/
  • Maximum Allowable Outage


    Answer: When dealing with business continuity planning, you always must consider the worst-case scenario to make a decision, taking into account not only technical and financial issues, but any other issue considered relevant to the organization. So in your scenario, the Maximum Allowable Outage (MAO) should be based on the time it would take for the financial impact to become so great that it would compromise business survival.

    This article will provide you further explanation about Maximum Allowable Outage:
    - How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

    This material will also help you regarding Maximum Allowable Outage:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Context, risks and preventive actions


    Answer:

    1. ISO 9001:2015 requires that an organization determines the internal and external issues that can affect its intended results. The other word for the external issues is: context. ISO 9001:2015 does not prescribe any method to determine context. You can use, for example, opportunities and threats taken from a SWOT analysis, and/or you can brainstorm external issues using the PESTEL framework.
    2. If you check the ISO definition of risk, “effect of uncertainty on an expected result”, you can start by determining what the expected results are from your management system, from your products and services and from your processes. Then, for each determined expected result, you can start listing the positive (opportunities) and negative (risks) deviations that can occur because of the uncertainty that exists in the world.
    3. Here, I can just give you my guess. In my experience, organizations had some difficulties in developing preventive actions. I believe that the risk-based approach makes it easier:
    - to look forward and think about what can happen and whether we should do anything about it;
    - to apply preventive actions at a more strategic level of the organization.

    The following material will provide you information about the risk-based approach and the context of an organization:

    - ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
    - ISO 9001:2015 Case study: Context of the organization as a success factor in manufacturing company - https://advisera.com/9001academy/blog/2016/10/11/iso-90012015-case-study-context-of-the-organization-as-a-success-factor-in-manufacturing-company/
    - How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
    - ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
    - Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • The Information Security Policy

    Thank you for your answer, Antonio. The doubt was indeed clarified: it is better to define a single high-level policy and several specific or detailed policies. Regarding the document, it seems very complete to me, but it does not address the part about sanctions in case of non-compliance with the Policy. How do we ensure that it is complied with if we do not establish fines and sanctions so that employees become aware of good practices?
  • Security Framework


    Answer:

    The EU GDPR does not require you to hold any certification in terms of security. Article 32 of the EU GDPR, however, requires you to implement “appropriate” technical and organizational measures to ensure: “ongoing confidentiality, integrity, availability and resilience of processing systems and services”, “ability to restore the availability and access to personal data in a timely manner” (https://advisera.com/eugdpracademy/gdpr/security-of-processing/).

    You can use ISO 27001 as a suitable framework to protect your personal data. If you require more information on ISO 27001 and EU GDPR you can check out our article Does ISO 27001 implementation satisfy EU GDPR requirements? (https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/) .
  • Pseudonymization


    Answer:

    First of all, the pseudonymization “strength” depends on the data you want to protect, so it is a risk-based approach: the higher the risk to the data subject, the stronger the pseudonymization technique.

    The Article 29 Working Party refers to the following pseudonymization techniques as being the most popular:
    · Encryption with secret key: in this case, the holder of the key can trivially re-identify each data subject through decryption of the dataset because the personal data are still contained in the dataset, albeit in an encrypted form. Assuming that a state-of-the-art encryption scheme was applied, decryption can only be possible with the knowledge of the key;
    · Hash function: this corresponds to a function which returns a fixed-size output from an input of any size (the input may be a single attribute or a set of attributes) and cannot be reversed; this means that the reversal risk seen with encryption no longer exists. However, if the range of input values to the hash function is known, they can be replayed through the hash function in order to derive the correct value for a particular record. For instance, if a dataset was pseudonymised by hashing the national identification number, then this can be derived simply by hashing all possible input values and comparing the result with those values in the dataset. Hash functions are usually designed to be relatively fast to compute, and are subject to brute force attacks. Pre-computed tables can also be created to allow for the bulk reversal of a large set of hash values. The use of a salted-hash function (where a random value, known as the “salt”, is added to the attribute being hashed) can reduce the likelihood of deriving the input value but nevertheless, calculating the original attribute value hidden behind the result of a salted hash function may still be feasible with reasonable means;
    · Keyed-hash function with stored key: this corresponds to a particular hash function which uses a secret key as an additional input (this differs from a salted hash function as the salt is commonly not secret). A data controller can replay the function on the attribute using the secret key, but it is much more difficult for an attacker to replay the function without knowing the key, as the number of possibilities to be tested is sufficiently large as to be impractical;
    · Deterministic encryption or keyed-hash function with deletion of the key: this technique may be equated to selecting a random number as a pseudonym for each attribute in the database and then deleting the correspondence table. This solution allows diminishing the risk of linkability between the personal data in the dataset and those relating to the same individual in another dataset where a different pseudonym is used. Considering a state-of-the-art algorithm, it will be computationally hard for an attacker to decrypt or replay the function, as it would imply testing every possible key, given that the key is not available;
    · Tokenization: this technique is typically applied in (even if it is not limited to) the financial sector to replace card ID numbers by values that have reduced usefulness for an attacker. It is derived from the previous ones, being typically based on the application of one-way encryption mechanisms or the assignment, through an index function, of a sequence number or a randomly generated number that is not mathematically derived from the original data.

    You can check out Article 29 Working Party opinion here : https://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf.
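    The answer above describes why an unkeyed hash of a low-entropy identifier such as a national ID number is not a strong pseudonym, why a public salt only defeats precomputed tables, and why a keyed hash or tokenization does better. The following Python script is an added example written for this page; it is not code from Advisera or from the Article 29 Working Party opinion. It uses a constructed identifier format (NID-00000 to NID-99999, an assumption chosen so the whole input space is cheap to enumerate) and plays the attacker's move, replaying every candidate through the pseudonymization function, against each technique in turn. Deleting the HMAC key after use corresponds to the "keyed-hash function with deletion of the key" case: the result is what the attacker-without-key run shows, for everyone including the controller.

```python
"""Added example (not from the original page): replaying candidate inputs
against hash, salted-hash, keyed-hash (HMAC) and tokenized pseudonyms.
All identifiers and salts below are constructed for the demonstration."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional

# Constructed identifier space: an assumed national ID format with 10**5 values.
# Any real scheme whose format is public and enumerable has the same weakness.
ID_SPACE = [f"NID-{i:05d}" for i in range(100_000)]


def hash_pseudonym(value: str) -> str:
    """Plain SHA-256. Deterministic and unkeyed, so anyone can replay it."""
    return hashlib.sha256(value.encode()).hexdigest()


def salted_hash_pseudonym(value: str, salt: bytes) -> str:
    """Salted SHA-256. The salt defeats precomputed tables, but it is not
    secret, so an attacker who has it still enumerates the input space."""
    return hashlib.sha256(salt + value.encode()).hexdigest()


def keyed_hash_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key. The controller can replay it; an
    attacker without the key must guess a 256-bit key, not a 5-digit ID."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def reverse_by_enumeration(pseudonym: str,
                           fn: Callable[[str], str]) -> Optional[str]:
    """Attacker's move: run every candidate ID through fn and compare."""
    for candidate in ID_SPACE:
        if hmac.compare_digest(fn(candidate), pseudonym):
            return candidate
    return None


class TokenVault:
    """Tokenization through an index function: the token is random and has no
    mathematical relation to the ID. Re-identification needs the vault itself."""

    def __init__(self) -> None:
        self._to_token: Dict[str, str] = {}
        self._to_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value not in self._to_token:
            token = secrets.token_hex(8)          # random, not derived from value
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]              # same ID -> same token (linkable)

    def detokenize(self, token: str) -> Optional[str]:
        return self._to_value.get(token)


def demo(target: str = "NID-04217") -> Dict[str, object]:
    """Run the attacker's replay against each technique; return what it recovers."""
    results: Dict[str, object] = {}

    # 1. Plain hash: recovered by hashing all 100k candidates.
    results["plain"] = reverse_by_enumeration(hash_pseudonym(target), hash_pseudonym)

    # 2. Salted hash with a salt the attacker has (e.g. stored beside the data).
    salt = b"constructed-public-salt"
    results["salted"] = reverse_by_enumeration(
        salted_hash_pseudonym(target, salt),
        lambda v: salted_hash_pseudonym(v, salt))

    # 3a. Keyed hash: attacker does not hold the key, so a guessed key fails.
    key = secrets.token_bytes(32)
    guessed_key = b"\x00" * 32
    results["keyed_without_key"] = reverse_by_enumeration(
        keyed_hash_pseudonym(target, key),
        lambda v: keyed_hash_pseudonym(v, guessed_key))

    # 3b. The controller holding the key replays it deterministically.
    results["keyed_with_key"] = reverse_by_enumeration(
        keyed_hash_pseudonym(target, key),
        lambda v: keyed_hash_pseudonym(v, key))

    # 4. Tokenization: nothing to enumerate; only the vault maps back.
    vault = TokenVault()
    token = vault.tokenize(target)
    results["token_via_vault"] = vault.detokenize(token)
    results["token_is_stable"] = vault.tokenize(target) == token
    results["token_reversible_without_vault"] = reverse_by_enumeration(
        token, lambda v: TokenVault().tokenize(v))
    return results


if __name__ == "__main__":
    for name, recovered in demo().items():
        print(f"{name:32s} {recovered}")
```

    Running it shows the plain and salted pseudonyms of NID-04217 recovered in well under a second, the keyed pseudonym recovered only by the party holding the key, and the token recoverable only through the vault. Note that the keyed hash and the token are still deterministic per identifier, so records of the same person remain linkable inside the dataset; that is a property of pseudonymization, not anonymization.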