Information security management

INFORMATION SECURITY MANAGEMENT

Information security management (ISM) deals with maintaining the integrity and availability of organisational information and knowledge. Much ISM information focuses upon digital data, however the subject also covers records and knowledge management.

Although in many companies ISM and business continuity management are treated as separate disciplines, information threats are crucial risks that need to be understood by the business continuity manager.

• Click here for a listing of the latest news on this topic.

• Know of a link we should add? Let us know

3G dream could become a security nightmare
Emerging risks presented by 3G technology exploits need to be assessed and monitored. By Dr Hamid Jahankhani, University of East London.
Read article
•Type: Article •Region: UK/Worldwide •Level: Basic
•Rate this article or make a comment - click here

Achieving NERC CIP compliance utilizing ISO 17799:2005
By Dr. Jim Kennedy, MRP, MBCI, CHS-III, CBRM.
Read article
•Type: Article •Region: US •Level: Advanced
•Rate this article or make a comment - click here

Action list for developing a computer security incident response team
CERT has published a checklist style document which provides a high-level overview of actions to take and topics to address when planning and implementing a computer security incident response team (CSIRT).
Read article
•Type: Article •Region: Worldwide •Level: Advanced
•Rate this article or make a comment - click here

A layered approach to IP SANs…
Zophar Santé discusses the security issues that companies must consider as they migrate to IP SANs for data backup and storage.
Read article
•Type: Article •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

Addressing the risks of removable media
Magnus Ahlberg explores the data protection threats posed by technological developments in the field of removable media.
Read article
•Type: Article •Region: World •Level: Basic
•Rate this article or make a comment - click here

Advanced Information Assurance Handbook
Aimed at technical staff members charged with administering and securing information systems and networks.
Read article
•Type: Article •Region: Worldwide •Level: Advanced
•Rate this article or make a comment - click here

Are you indulging in unprotected wireless?
Ian Kilpatrick highlights the business continuity risks associated with wireless networking.
Read article
•Type: Article •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

Asking the right question: penetration testing vs. vulnerability analysis tools, which is best?
By Dennis Hurst, developer security evangelist, SPI Dynamics.
Read article
•Type: Article •Region: US/World •Level: Basic
•Rate this article or make a comment - click here

Beyond stored procedures: ‘defense-in-depth’ against SQL injection
Many people have heard of SQL Injection attacks and are aware of the potential danger these attacks present, but most developers’ knowledge of how to prevent SQL Injection is still inadequate. Bryan Sullivan explains why a ‘defense-in-depth’ strategy is required.
Read article
•Type: Article •Region: World •Level: Advanced
•Rate this article or make a comment - click here

CERT Coordination Center publishes guide to spyware
New document provides an overview of spyware, provides examples of some common threats, and outlines policies and practices to defend against spyware and architect the value out of the spyware market. Read the document.
•Type: Link •Region: World •Level: Advanced
•Rate this article or make a comment - click here

CERT issues updated CSIRT handbook
The 2nd edition of CERT's Handbook for Computer Security Incident Response Teams has just been published.
Read article
•Type: Article •Region: Worldwide •Level: Advanced
•Rate this article or make a comment - click here

Complying with regulatory and business security needs
A pragmatic primer for protecting your most critical assets by David Johnson.
Read article
•Type: Article •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

Coping with a major security breach? What’s your contingency plan?
Legal pressures, not to mention your moral obligation to assist unwitting victims, means that you should never delay when disclosing IT security incidents.
Read article
•Type: Article •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

Creating a computer security incident response team: a process for getting started
Provides guidelines for establishing a computer security incident response team. Covering best practices, the article considers how to:
* Obtain management support and buy-in
* Determine the CSIRT strategic plan
* Gather relevant information
* Design the CSIRT vision
* Communicate the CSIRT vision and operational plan
* Begin CSIRT implementation
* Announce the operational CSIRT
* Evaluate CSIRT effectiveness.
Read article
•Type: Link •Region: Worldwide •Level: Advanced
•Rate this article or make a comment - click here

Critical infrastructure protection: challenges and efforts to
secure
United States General Accounting Office report to Congressional requesters.
Read article
•Type: Link •Region: Worldwide •Level: Advanced
•Rate this article or make a comment - click here

Cyber crime threatens the core infrastructure supporting critical business activities
Tapping into fibre optic cables is easier than you think!
Read article
•Type: Article •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

Cyber extortion is now a very real threat – is your business at risk?
The threat of being blackmailed by organised criminals using DDoS attacks is very real and businesses cannot afford to be complacent.
Read article
•Type: Article •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

Data breaches: turn back the tide
An information security best practices primer to help minimise the risks posed to business and customer information.
Read article
•Type: Article •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

Dead data poses risks
Steve Hill explores an often forgotten risk area – confidential data left on redundant PCs.
Read article
•Type: Article •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

Data leakage: a real business continuity issue
Are reports of data loss and theft just the tip of an iceberg that at best compromises growth and at worst can result in the demise of businesses? Dr. Jim Kennedy gives his views.
Read article
•Type: Article •Region: US/Worldwide •Level: Basic
•Rate this article or make a comment - click here

Disaster preparedness and response
A primer on disaster preparedness, management and response for paper-based records.
Read article
•Type: Link •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

Facing up to the threat of cyber-crime
Cyber-crime is constantly evolving : to protect your company your methods and attitudes must evolve too.
Read article
•Type: Article •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

From disappearing boundaries to security governance
Boundaries between the internal and external network are becoming blurred, providing a substantial challenge for IT continuity and security. Philippe Langlois explains.
Read article
•Type: Article •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

Governing for enterprise security
The CERT Coordination Center has published a comprehensive guide to ways of directing and controlling an organisation to establish and sustain a culture of security.
Read article
•Type: Article •Region: Worldwide •Level: Advanced
•Rate this article or make a comment - click here

Guide to network security for UK businesses
Covers common threats and risks, legal requirements, viruses, virtual private networks (VPNs) and public key infrastructures (PKIs). It was written by a panel of network security experts from Synstar Networking, Cisco and Sphinx Security.
Read article
•Type: Link •Region: UK•Level: Basic
•Rate this article or make a comment - click here

Houdini’s three easy lessons on breaking corporate data security
Steve Bale gives his view of the threat of insider hacking.
Read article
•Type: Article •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

How much security is enough?
The CERT Coordination Centre has published a new article which aims to help organisations determine what level of information protection is sufficient and appropriate.
Read article
•Type: Link •Region: US/Worldwide •Level: Basic
•Rate this article or make a comment - click here

How to buy security
Iain Franklin explores the practical side of planning for and buying security.
Read article
•Type: Article •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

How to select a password management system
‘Envelope technology’ and the story about the ‘never changing password’: by Oded Valin.
Read article
•Type: Article •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

How unified encryption management (UEM) is changing the threat landscape
Increasing challenges to corporate networks and data requires a new risk management approach.
Read article
•Type: Article •Region: UK •Level: Basic
•Rate this article or make a comment - click here

Identity theft in the corporate world
Much has been written about personal identity threat, but the issue is as important in the corporate sector and the consequences can be a real threat to business survival.
Read article
•Type: Article •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

Illicit Cyber Activity in the Banking and Finance Sector
CERT and the United States Secret Service have published a new research report which analyses technical and behavioural indicators for the early detection of illicit cyber activity by organisational insiders.
Read article
•Type: Link •Region: Worldwide •Level: Advanced
•Rate this article or make a comment - click here

Information security under the Basel II Accord
‘Think Y2K information availability challenge with added confidentiality and integrity requirements.’
Read article
•Type: Article •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

Interpreting the results of a vulnerability assessment: how to focus on what’s important in your Web application security testing
By Kevin Beaver, CISSP, and Caleb Sima.
Read article
•Type: Article •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

Is IT security missing the mark?
Data loss and theft continues to create business continuity problems – is this partly due to companies focusing resources on the wrong areas of IT security? By Dr. Jim Kennedy.
Read article
•Type: Article •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

Is machine-to-machine the gap in your security?
Asks Ian Kilpatrick, chairman Wick Hill Group.
Read article
•Type: Article •Region: UK/Worldwide •Level: Basic
•Rate this article or make a comment - click here

Information management: dealing with your business records
The dream of the paperless office is unrealistic for most businesses. Tony Croft overviews options for critical records management.
Read article
•Type: Article •Region:UK/ Worldwide •Level: Basic
•Rate this article or make a comment - click here

Information security governance: toward a framework for action
BSA Information Security Task Force white paper.
Read article
•Type: Link •Region: N.America •Type: Article •Level: Advanced
Rate this article or make a comment - click here

Introduction to business security patterns
This IBM white paper explores in detail business security patterns and ways to maximise the value of security and protection investments.
Read article
•Type: Article •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

ISO 17799 security standard: compliance and positioning
ISO 17799 is the most widely recognised security standard. It is based upon BS7799, which was last published in May 1999, an edition which itself included many enhancements and improvements on previous versions. The first version of ISO 17799 was published in December 2000. This article provides an overview of the standard and its uses.
Read article
•Type: Link •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

Is your company site being hacked without your knowledge?
Hackers manage to successfully break into systems much more often than you might realise.
Read article
•Type: Article •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

IT security – the challenges and opportunities of cultural diversity and dispersed teams
Security policies must address changing modes of communications and business practises.
Read article
•Type: Article •Region: UK/Worldwide •Level: Basic
•Rate this article or make a comment - click here

Keeping the VoIP house in order
The emergence of Voice over IP as an affordable alternative to traditional telephony has ushered in a new wave of network security considerations. Jonathan Zar outlines the key issues.
Read article
•Type: Article •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

Malicious Code Injection: it’s not just for SQL anymore
Bryan Sullivan discusses the growing threat posed by code injection attacks.
Read article
•Type: Article •Region: Worldwide •Level: Advanced
•Rate this article or make a comment - click here

MP3 players : the security risk and how to manage it
The goal is not to exhaust resources trying to ban devices, but to find a way to encompass their existence within the corporate data security policy.
Read article
•Type: Article •Region: UK/Worldwide •Level: Basic
•Rate this article or make a comment - click here

Preventing a brute force / dictionary attack
The brute force attack is about as uncomplicated and low-tech as web application hacking gets, but it is still an important threat.
Read article
•Type: Article •Region: Worldwide •Level: Advanced
•Rate this article or make a comment - click here

Principles of survivability and information assurance
A new document has been published by CERT/CC which provides a organisations with an overview of the ‘ten principles of survivability and information assurance’ .
Read article
•Type: Article •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

Protecting information assets from terrorism
A CERT report.
Read article
•Type: Link •Region: Worldwide •Level: Advanced
•Rate this article or make a comment - click here

Securing software
Information security attacks are one of the prime causes of IT downtime, and many of these are related to software vulnerabilities. Kevin Beaver and Caleb Sima highlight six common weaknesses in the software development life cycle that lead to vulnerable code and explain what can be done to avoid this problem.
Read article
•Type: Article •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

Security risk assessment and management in Web application security
Caleb Sima highlights the primary areas to consider in a Web security risk management plan.
Read article
•Type: Article •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

Security policy resources
Two comprehensive libraries of information security policies:
The SANS Security Policy Project
email-security-secure-email.co.uk
•Type: Link •Region: Worldwide •Level: Various
•Rate this article or make a comment - click here

SSL VPN gateways: a new approach to secure remote access
Secure Sockets Layer Virtual Private Networks are quickly gaining popularity as serious contenders in the remote-access marketplace. Ken Araujo overviews.
Read article
•Type: Article •Region: Worldwide •Level: Advanced
•Rate this article or make a comment - click here

The challenges of security management
CERT has published a white paper that explores the huge challenge currently presented by information security.
Read article
•Type: Article •Region: Worldwide •Level: Advanced
•Rate this article or make a comment - click here

The do’s and don’ts of dealing with privileged user accounts
One of the biggest issues facing organisations is the elimination of bad practices related to the use of privileged accounts, says Calum Macleod.
Read article
•Type: Article •Region: UK/Worldwide •Level: Advanced
•Rate this article or make a comment - click here

The fight against computer viruses
Dr. Jim Kennedy explores this increasingly important business continuity threat.
Read article
•Type: Article •Region: N.America / Worldwide •Level: Basic
•Rate this article or make a comment - click here

The impact of the consumerization of IT on IT security management
Alexei Lesnykh highlights new threats and solutions.
Read article
•Type: Article •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

The rise of SSL VPNs
The growth of Secure Sockets Layer virtual private networks (SSL VPNs) has accelerated in the last 12 months. Ian Kilpatrick explains why this is happening…
Read article
•Date: 24th April 2007• Region: World •Type: Article •Topic: IT continuity
Rate this article or make a comment - click here

The threat within - why businesses need to manage and monitor employee e-mail usage
What are the main risks of allowing staff uncontrolled access to e-mail services? Jamie Cowper explores.
Read article
•Type: Article •Region: UK/World •Level: Basic
•Rate this article or make a comment - click here

‘The security-privacy paradox: strategies to address issues and misconceptions’
The Canadian Information and Privacy Commissioner Ann Cavoukian and Deloitte & Touche LLP have published a paper that provides companies with suggestions for developing strategies for information security and privacy protection.
Read article
•Type: Article •Region: N.America •Level: Various
•Rate this article or make a comment - click here

The top 10 Internet security bloopers
Tom Salkield highlights the most common areas where Internet security falls down.
Read article
•Type: Article •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

The US-CCU Cyber-Security Check List 2007
This checklist provides a useful document to assess current information security measures, to highlight potential gaps and to provide ideas for mitigation and protective measures.
Read article
•Type: Article •Region: US/ World •Level: Advanced
•Rate this article or make a comment - click here

Tribal thinking in today’s IT environments
Tribal thinking is human nature at its most basic - and may explain one of the more puzzling aspects of IT security. By David M Lynch.
Read article
•Type: Article •Region: World •Level: Basic
•Rate this article or make a comment - click here

Vital records and records disaster mitigation and recovery
An Instructional Guide from the US National Archives and Records Administration Office of Records Administration.
Read article
•Type: Link •Region: Worldwide •Level: Advanced
•Rate this article or make a comment - click here

Vulnerability assessment guide
Explains the importance of the vulnerability assessment in information security management.
Read article
•Type: Link •Region: Worldwide •Level: Basic
•Rate this article or make a comment - click here

Why information security and business continuity management must dovetail
By Brian Davey, senior consultant, Teed Business Continuity.
Read article
•Type: Article •Region: UK/Worldwide •Level: Basic
•Rate this article or make a comment - click here