Posts Tagged ‘BS 25999’

IT Governance Training Passports

Sunday, March 16th, 2008

To help Human Resources and Training Managers get the most from their budgets we have introduced our new IT Governance Training Passports. In a single purchase, these allow organisations to acquire any combination of IT training, tools and support services from the most comprehensive one-stop shop on the Web. Discounts are offered on all chosen items, whether used immediately or at a future date, making them ideal for public and private sector organisations needing to purchase training ahead of their annual budget deadlines.

Training Passports are offered in three grades: Bronze (£5,000 + VAT), Silver (£10,000 + VAT) and Gold (£15,000 + VAT). Through IT Governance’s Training Gateway, Training Passport holders can access the Web’s widest range of accredited, professional IT training, which is available across the UK, and receive discounts of up to 30 percent:

* On every classroom course, including Basel II, BCM & BS25999, CISA, Cisco, CISM, CISSP, EC Ethical Hacking, HDI, ISO20000, ISO27001, ITILv2, ITILv3, ITIL bridging, Microsoft, MoR, MSP, Prince2 and Sarbanes Oxley.
* On every distance or e-learning course.
* On every exam guide, subject manual or other training material.

All bookings are made through IT Governance’s friendly and efficient team of training consultants, who can advise on how to get the maximum benefit from a Training Passport. Furthermore, these consultants can advise of additional late-booking discounts that IT Governance is often able to negotiate with training suppliers.

These discounts and the variety of options available allow HR and Training Managers to get the maximum value from their existing budgets. As purchasers receive just a single invoice for multiple courses and products, rather than needing internal expenditure approvals for each, this also saves significant administrative time and effort.

Although Training Passports enable courses to be purchased in advance, they offer flexibility, since delegates’ details need only be finalised at a later stage once the ideal course and location have been chosen. They also assure organisations of the most up-to-date training, as each Passport remains valid for all courses and products offered by IT Governance until it has been fully used.

Business Continuity Planning and BS25999

Thursday, February 28th, 2008

I came across an interesting post on Ireland’s Security Watch blog making the topical connection between bird flu scares and business continuity planning. It rightly points out that a disaster can strike from unlikely sources when you least expect it.

BCP is a very topical subject generally, given the recent introduction of the BS25999 standard. This finally provides a way for organisations to PROVE that they have a robust plan in place to ensure that their business can withstand adverse events. With our increasingly global and interdependent supply chains, more and more organisations are coming under pressure to reassure their major customers and business partners that they are a safe bet.

To help organisations get to grips with the new Standard and the competitive advantage that being certificated represents, we have just published several new books:

* We have brought out a second edition of Disaster Recovery & Business Continuity, a quick guide for small organisations and busy executives. This is based on last year’s successful book but updated to reflect the particular requirements of the new BS25999 Standard.
* For people needing a quick introductory overview of business continuity management, we have launched a new BS25999 Pocket Guide. This sets out all the key facts and is a great tool for organisations that are implementing, or set to implement, a business continuity plan and management system. If you need to share practical knowledge between many project team members, this is also a very cost-effective way of doing it.
* Lastly, to support the take-up of the new Standard we have launched Business Continuity and BS25999: A Combined Glossary. No previous glossary has adequately addressed the full range of terms likely to be useful to a business continuity practitioner. In this book, we have drawn not only from BS25999 but also a wide range of related standards and frameworks, including ITIL and ISO27001, to create a standardised set of terms that should enable professionals to conduct global conversations based on a shared understanding.

BS25999 and ISO27001

Tuesday, October 16th, 2007

Once upon a time, there was only BS7799 for information security – now there are three parts to it, two of which have become internationalised (ISO27001) and are part of a series which has something like 20 numbers reserved for future use – and we also have the PCI DSS to provide a more prescriptive approach to protecting commercially important card holder data. You would have thought that, with all these standards, business would have become more secure.

Perhaps – but clearly, continuity needs have not been adequately recognized. The first part of BS25999 (already published) was just a code of practice – but the arrival of part 2, the management system specification, will make it possible for organizations to get a BS25999 certificate – to go alongside their ISO27001 and ISO20000 certificates, no doubt.

Or will the proliferation of certificates simply lead to confusion in the minds of stakeholders as well as managers and customers?

Attack of the Chinese zombies

Tuesday, October 2nd, 2007

The following is possibly the most arresting opening paragraph I have yet read in a security article:

‘The wave of cyberprobes or cyberattacks against Pentagon networks and government computer systems in France, Germany, New Zealand and the United Kingdom this summer appears to emanate from China, but no one in authority in the Defense Department or any of the other countries that have been victimized seems willing to finger the Chinese government or military as the culprit.’

While this sounds like a Tom Clancy thriller, it is a serious account of a new front in the online battle, something that both governments and businesses need to be aware of. Military and industrial espionage are alive and well, and it is entirely plausible that businesses and even sovereign states will use the Internet both to gather intelligence and weaken their opposition.

This is a realization that would be worth spreading in the workplace. It can be hard to get all your colleagues to do their bit in safeguarding information assets. If more of them realized the nature of the foe, they might feel more motivated to help out – we’re not just facing a threat from bored teenagers, but also from deadly serious criminals and even state agencies. If that sounds a little far-fetched, this article is worth a read, and BS25999 as a core component of an information security strategy makes real sense!