The following is a list of articles written by both Lateral Security staff and our clients:
Changes to ISO 27001/2 2013
ISO 27001:2013 is an information security standard that was published on the 25 September 2013. It cancels and replaces ISO 27001:2005. It is a specification for an information security management system (ISMS).
The major points of change to note are:
- Annex A changes include:
- 2005 version had 133 controls in 11 sections;
- 2013 version has 114 controls in 14 sections;
- The new Annex A is a simplified set on controls that are more easily understood.
- Internal auditors are now allowed to audit their own work as long as they remain objective and impartial;
- The ISMS policy becomes Information Security Policy;
- Risk Management aligns to ISO 31000 instead of ISO 27005;
- Risk assessment procedure no longer uses the asset-threat-vulnerability approach;
- Some controls have been removed completely, new controls have been added and others have been merged:
- Combined example: malicious and mobile code are now considered Malware (new A.12.2.1);
- Communications and Operations Management (A.10) split into two;
- A.12 Operations security;
- A.13 Communications security;
- A separate section on Cryptography has been made (A.10);
- Business Continuity has undergone significant change;
- Annex B no longer references OECD and no longer prefers the PDCA (plan, do, check, act) model;
- Annex C dropped entirely;
- New certifications can choose to certify to the 2005 version until September 2014;
- Currently certified organisations have until September 2015 to transition.
The specific new controls are:
- A.6.1.5 Information security in project management
- A.12.6.2 Restrictions on software installation
- A.14.2.1 Secure development policy
- A.14.2.5 Secure system engineering principles
- A.14.2.6 Secure development environment
- A.14.2.8 System security testing
- A.15.1.1 Information security policy for supplier relationships
- A.15.1.3 Information and communication technology supply chain
- A.16.1.4 Assessment of and decision on information security events
- A.16.1.5 Response to information security incidents
- A.17.2.1 Availability of information processing facilities
Lateral Security works in both the advisory and technical testing space. As such we are in a position to help organisations to align with and be certified to ISO 27001. In particular we offer the following services that can help:
- ISO 27001/2 Gap Analysis;
- Risk assessments;
- Transition planning from 2005 to 2013 standard;
- Development of a Statement of Applicability (SoA);
- Documentation review and development;
- ISMS framework development;
- Policy and procedure creation and review;
- Annual staff security awareness training;
- Incident response planning;
- Technical penetration testing as needed.
PCI DSS V3 Changes
The PCI Council recently released an update to the PCI Data Security Standard. Version 3 of PCI DSS and PA-DSS 3.0 was published on 7 November 2013. All businesses that store, process or transmit cardholder data have a compliance requirement to ensure the protection of cardholder data. The following are highlights of the changes to come and should be noted by all businesses with a PCI compliance requirement:
- The core 12 security areas of the DSS will remain the same, but several new sub requirements that did not exist previously will be in place;
- To allow for gradual change some of these sub requirements will be best practices only until 1 July 2015;
- Version 2.0 will remain active until 31 December 2014;
- Security policy and operational procedures to built into each requirement;
- There will be increased flexibility and education around password strength and complexity;
- New requirements for point-of-sale terminal security;
- More robust requirements for penetration testing and validating segmentation;
- Considerations for cardholder data in memory;
- Enhanced testing procedures to clarify the level of validation expected for each requirement;
- Expanded software development lifecycle security requirements for PA-DSS application vendors, including threat modelling.
Lateral Security works in both the advisory and technical testing space. As such we are in a position to help merchants and service providers to achieve and maintain PCI compliance. In particular we offer the following services that can help and in some cases are directly required by the standard:
- Wireless access point penetration testing (11.1);
- Quarterly ASV scanning of your external IT perimeter. Lateral Security partner with Qualys the world’s largest ASV to offer compliant scans for clients (11.2);
- Annual internal and external network penetration testing (11.3);
- Annual application penetration testing (11.3);
- Policy and procedure creation and review (12.1);
- Annual staff security awareness training (12.6);
- Incident response planning (12.9)
- PCI DSS Gap Analysis (not required but a good idea to do in preparation for an audit).
A complete run through of the changes can be found on the PCI Council website here:https://www.pcisecuritystandards.org/documents/DSS_and_PA-DSS_Change_Highlights.pdf.
Chief Executives & IT Security
Article One - Peter Baynes is a former Chief Economist of the National Bank and CEO of Tower Trust Services Ltd, Jacques Martin (NZ) Ltd and Perpetual Trust Limited. He is now a senior business consultant working with CEOs in restructuring and capital raising.
CEOs tend to have a very varied life. Indeed, apart from the high salary, it’s the range and variety of challenges that attract a lot of high-flyers. With that variety come choices and challenges, and with them the need to manage priorities to achieve the objectives set by the company’s Board.
In my 25+ years’ experience as a CEO in the financial sector the ‘red light’ priorities for me on joining a company have been as follows;
- Profitability. No matter how much time new CEOs are told that they have to ‘fix things’, unless deficient profitability is addressed immediately they will find it hard to obtain the Board support that they will need to implement their strategies.
- Ensuring the company is structured for success. In my experience most companies are poorly structured, often because of misguided attempts by previous CEOs to retain senior people by structuring the organisation around them. Structure is too important to be shaped around individuals.
- Ensuring the senior management are the right people and that they are in tune with what they need to achieve. In the right structure, good operational leaders who are well-motivated and well-led can achieve anything. The right people have to be hired and the wrong ones removed – quickly, before the paint dries.
- The general ‘atmosphere’. The employees of any company have to believe that the new CEO will make a difference – and they won’t believe that just because the new CEO tells them that he/she will! Early changes that demonstrate the CEO’s commitment can achieve miracles in motivation and company performance.
None of these ‘red light’ priorities is concerned with information systems generally or data security specifically. Like most incoming CEOs I have always expected the Information Systems Manager to tell me that there are imminent risks of hardware and software failure and, like most incoming CEOs, I have generally taken the view that these should be addressed in a medium term context after due consideration.
There will always be more pressing priorities for an incoming CEO than information systems and data security. The risk is that things stay that way with data security in particular being left entirely to the IS Division of the company and with limited resources applied to what, for some, will be seen as just another growing compliance cost. That seems unlikely to change until we see one or more spectacular company failures that directly result from poor data security. At that point CEOs will, no-doubt, experience a rapid re-ordering of their priorities.