In today's high technology environment, organizations are becoming increasingly dependent upon their information systems. Information is widely regarded as the life blood of the modern enterprise and, consequently, the security controls surrounding these systems are becoming the differentiating factor in customer choice. With data being held on many of the most sensitive aspects of the business, including key third party stakeholders, information security integrity has become a focal point of all business initiatives. The protection of information assets - information security - is therefore overtaking physical asset protection as a fundamental corporate governance responsibility.

Organizations are facing a flood of threats to their information, with new challenges emerging almost daily. Any breach of security can have a severe effect on the operational running, reputation, or legal compliance of the organization. Damage to any one of these areas can be measured by its impact on the bottom line, in both the short and long term. It is self-evident that organizations should, therefore, take appropriate steps to secure and protect their information assets. This is now particularly relevant with the web of legislation and regulation to conform to, making firms criminally liable, and in some instances making directors personally accountable for implementing and maintaining appropriate risk control and information security measures. No longer is it enough to find and fix vulnerabilities on an ad-hoc basis. Only a comprehensive, systematic approach will deliver the level of security that any organization really needs.

Today, security processes need to be well documented and substantiated. So it is no longer good enough to be secure; organizations have to be able to prove they are secure. If done correctly, this additional layer of regulatory scrutiny and reporting can help enterprises combine their security and compliance programs to streamline efforts, control costs and keep networks secure and compliant.

With the key corporate governance objective being to ensure that the organization has an appropriate balance of risk and reward in its business operations, information security requirements should be identified by a methodical assessment of security risks, with expenditure on risk controls balanced against the business harm likely to result from security failures.

The most practical and effective way for policy makers to handle their information security risks and obligations is to adopt and implement an information security policy and an information security management system (ISMS) that is capable of being independently certified as complying with ISO/IEC 27001:2005. The standard provides the only independently developed framework for the management of information security. While compliance with the standard does not of itself confer immunity from legal obligations, it does point clearly to management's implementation of best practice and of effective IT governance. Security risks managed in this systematic and comprehensive manner help to garner competitive advantage for the organization through adherence to an international best practice standard. Certification to ISO27001 can also form part of any potential legal defense required after a security breach.

ISO27001 compliance helps a company meet regulatory guidelines and standards such as the following:

o Sarbanes Oxley (SOX) requires companies to disclose information regarding finances and accounting. SOX helps prevent financial malpractice and improper accounting disclosures. All US-listed companies must adhere to SOX regulations.

o Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect customer data and provide privacy notices. Banks and financial institutions must follow GLBA.

o Health Insurance Portability and Accountability Act (HIPAA) requires health care organizations to ensure the privacy of personal health information. Hospitals, medical centers and any business dealing with patient medical records must comply with HIPAA.

o Payment Card Industry (PCI) specifies how to secure information systems and media containing cardholder account information to prevent access by, or disclosure to, any unauthorized party. PCI also covers effective deletion of unnecessary data. Companies that store, process or transmit credit card holder data must follow PCI.

o COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.

ISO27001 provides a single coherent and over-arching framework for compliance with all the regulations and standards laid out above, while also providing a risk assessment-based approach to information security. Nonetheless, in order to achieve a risk assessment that is completed methodically, systematically and comprehensively, an appropriate software tool is a must. It is practically impossible to carry out and maintain a useful risk assessment for an organization that has more than about four workstations without using such a tool containing fit-for-purpose databases of threats and vulnerabilities. This is because the risk assessment is a complex and data-rich process. For an organization of any size, the only practical way to undertake the project effectively is to create a database that contains details of all assets within the scope of the ISMS, and then to link to each asset the details of its (multiple) threats and (multiple) vulnerabilities, their likelihood and resulting impacts, together with details of the asset's ownership and its confidentiality classification.

The risk assessment process is made enormously simpler if ready-made databases of threats and vulnerabilities are used. The database should also contain details of the control decisions made as a result of the risk assessment, so that at a glance it is easy to see what controls are in place for each asset within the ISMS. To one extent or another, the software tool chosen to support the ISMS should automate the risk assessment process and generate a Statement of Applicability. It should also encourage the user to perform a thorough and comprehensive security audit of the organization's information system, while not generating too much paperwork. The chosen software should produce risk assessment results that are easily comparable and reproducible.

One such tool on the market, developed to help organizations quickly and easily carry out an ISO27001-compliant risk assessment, is the ISMS tool vsRisk(TM) - the Definitive ISO27001:2005-Compliant Information Security Risk Assessment Tool. It is equipped with a wizard-based approach to simplify and accelerate the process of undertaking risk assessments; asset-by-asset identification of threats and vulnerabilities; easy import of additional controls to deal with risks; and integrated threat and vulnerability databases, which are continually updated to ensure that they are the most up-to-date available. In terms of functionality, ease of use, value for money and alignment with the requirements of ISO27001, vsRisk(TM) is the most complete ISMS software tool on the market.

Effective risk management is a continuous Plan-Do-Check-Act cycle, which means that the risk assessment must be regularly revisited at planned intervals and take into account changes in the business environment and in regulatory requirements, together with a review of the residual risks. However, following the initial resource-intensive phase of the ISMS implementation, the organization should find subsequent reviews of the ISMS much less labour intensive and relatively easy to maintain with the aid of the right software tool.

* vsRisk(TM) can also be found as part of the No 3 Comprehensive ISO 27001 ISMS Toolkit, a necessity for organizations looking to accelerate their ISO27001 project and develop an ISO27001-compliant Information Security Management System (ISMS).
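The text above describes the data model an ISMS risk assessment tool keeps: assets in scope, each linked to its threats and vulnerabilities with their likelihood and impact, the asset's owner and confidentiality classification, the control decisions taken, a Statement of Applicability generated from those decisions, and a periodic review of residual risks. The following is an added example that is not code from the page or from vsRisk(TM); it shows the shape of such a register in plain Python. The three-point likelihood and impact scales, the risk tolerance threshold, the control names (CTRL-...) and the sample assets are all constructed assumptions, not anything the page specifies.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed three-point scales; the page does not give scales, so these are an assumption.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}
RISK_TOLERANCE = 3  # assumption: a residual score above this still needs treatment or acceptance


@dataclass
class Risk:
    """One threat/vulnerability pair linked to an asset, plus the control decision for it."""
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    controls: List[str] = field(default_factory=list)  # control decisions recorded for this risk
    residual_likelihood: Optional[str] = None          # likelihood once the controls are in place


@dataclass
class Asset:
    name: str
    owner: str
    classification: str
    risks: List[Risk] = field(default_factory=list)


def score(likelihood: str, impact: str) -> int:
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def assess(register: List[Asset]) -> List[dict]:
    """One row per asset/threat/vulnerability link, with inherent and residual scores."""
    rows = []
    for asset in register:
        for r in asset.risks:
            inherent = score(r.likelihood, r.impact)
            residual = score(r.residual_likelihood or r.likelihood, r.impact)
            rows.append({
                "asset": asset.name, "owner": asset.owner,
                "classification": asset.classification,
                "threat": r.threat, "vulnerability": r.vulnerability,
                "inherent": inherent, "residual": residual,
                "controls": list(r.controls),
                "above_tolerance": residual > RISK_TOLERANCE,
            })
    # A fixed ordering makes two runs over the same register directly comparable.
    rows.sort(key=lambda row: (-row["residual"], row["asset"], row["threat"]))
    return rows


def controls_for_asset(register: List[Asset], name: str) -> List[str]:
    """At-a-glance view: every control applied to any risk of the named asset."""
    for asset in register:
        if asset.name == name:
            return sorted({c for r in asset.risks for c in r.controls})
    raise KeyError(name)


def statement_of_applicability(register: List[Asset], catalogue: List[str]) -> Dict[str, dict]:
    """Map each catalogue control to the assets it was selected for; a control selected for
    no asset is recorded as not applicable so the reviewer can attach a justification."""
    soa = {c: {"applicable": False, "assets": []} for c in catalogue}
    for asset in register:
        for r in asset.risks:
            for c in r.controls:
                entry = soa.setdefault(c, {"applicable": False, "assets": []})
                entry["applicable"] = True
                if asset.name not in entry["assets"]:
                    entry["assets"].append(asset.name)
    return soa


def residual_review(register: List[Asset]) -> List[dict]:
    """The 'Check' step of the Plan-Do-Check-Act cycle: residual risks still above tolerance."""
    return [row for row in assess(register) if row["above_tolerance"]]


# Constructed sample register: the assets, owners and control names are placeholders.
CONTROL_CATALOGUE = ["CTRL-offsite-backup", "CTRL-access-review",
                     "CTRL-disk-encryption", "CTRL-patch-cycle"]
REGISTER = [
    Asset("customer-db", "Head of Operations", "confidential", [
        Risk("ransomware", "unpatched database host", "high", "high",
             ["CTRL-patch-cycle", "CTRL-offsite-backup"], residual_likelihood="low"),
        Risk("insider misuse", "stale privileged accounts", "medium", "high",
             ["CTRL-access-review"], residual_likelihood="low"),
    ]),
    Asset("sales-laptops", "Sales Director", "internal", [
        # No control decision recorded yet, so the residual score equals the inherent score.
        Risk("device theft", "no full-disk encryption", "medium", "medium"),
    ]),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(row)
    print(statement_of_applicability(REGISTER, CONTROL_CATALOGUE))
    print(residual_review(REGISTER))
```

Running the block lists the sales laptops first, because their untreated risk (score 4) is the only residual risk above the constructed tolerance, and the Statement of Applicability marks CTRL-disk-encryption as not applicable since no risk has selected it; that gap is exactly what a residual-risk review at the next planned interval is meant to surface.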