04:00 PM
Connect Directly

ISO: Going Beyond Manufacturing

Information security standard provides a new option for financial institutions' security troubles.

Typically, ISO (International Standards Organization) brings to mind the manufacturing sector and quality control requirements. But there is another ISO standard -- ISO 27001: 2005 -- that spans all industries, and banks would do well to pay it mind, according to Barry Kouns, VP with risk mitigation consultancy Churchill & Harriman (Princeton, N.J.).

ISO 27001 is an information security standard designed to give organizations a means for providing clients, partners and regulators with proof that they adhere to an internationally recognized set of information security controls. Its sister document, ISO 17799: 2005, describes 133 best practices for information security, along with implementation advice. Together, the two standards create a certifiable framework for protecting information assets.

Kouns says becoming ISO-compliant is a culture-changing process that necessitates the involvement of the entire enterprise. "The standard requires a specific approach to risk assessment, treatment, identification of assets, monitoring and continuous improvement. It can't be something the IT department does on its own," he relates. "You need senior management buy in [to ISO 27001]."

The financial services industry is primed for adoption of such a standard, claims Kouns. In March, the Federal Reserve Bank of New York became the first U.S. organization to be certified to the ISO 27001 standard. And with all the negative publicity around data breaches at many of the nation's top financial institutions, Kouns stresses that banks can only benefit from 27001.

In the '90s, Kouns explains, ISO 9000 addressed quality in manufacturing and certification that is now required in order to do business in certain countries. The same trend will occur with 27001, he says. "The [European Commission] is putting more pressure on U.S. companies to demonstrate the capabilities of their information security systems."

Standard Customization

Kouns says companies should not be discouraged by the more than 100 best practices dictated by 27001 since the standard is scalable. It is not necessary to implement the standard for the entire enterprise, he says; a business can certify one application, process or department.

Once the scope of the rollout is determined, then organizations must act to be compliant with a set of predetermined best practices and requirements in management, Kouns adds. However, "A company can provide legitimate rationale explaining why [a best practice] doesn't apply to them," he notes.

Kouns asserts that 27001 -- which now is voluntary -- complements existing regulations such as Sarbanes-Oxley and Gramm-Leach-Bliley. "[27001] forces organizations to pull their silos together to gain efficiencies and provide a common framework for addressing compliance," he explains.

Kouns warns that companies should not be blinded by the technology piece of the compliance puzzle. Instead, he says, it is vital to think about the management system required by the standard to "safeguard your assets and empower the organization with a risk assessment methodology that provides treatment for the risks as they evolve. The technology part comes after all this."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This is a secure windows pc.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.