NGFW-Tech Half Battle In Orgs

I agree with the Governance people at ITgovernance:

http://www.itgovernanceusa.com/blog/technological-cybersecurity-solutions-address-only-half-the-threats/

Technology only addresses some of the potential Cybersecurity hurdles that a company may have.

The poster child of massive data breaches (Sony) was due to an internal breakdown; that, plus previously documented failures, shows a lack of concern for IT Governance.

In my mind I have a basic question: what is IT governance anyway? Neil Ford says that there are basic programs in the ISO 27001 Governance framework. Of course this is the promotion of their website, to have IT governance solutions.


But I want to go over why we would need any kind of "Governance" at all, as I have experienced it through a company going to ISO 27001 a long time ago. It is a process of processes. Going to ISO 27001 means you will have a framework of processes and paperwork. The idea is that there are rules and implementations of processes; just in case you do not have them in place already, there is a path for you to create this methodology.

Actually iso.org has the document for ISO 27001, titled Information technology — Security techniques — Information security management systems — Requirements:

http://www.iso.org/iso/home/standards/management-standards/iso27001.htm

What is an ISMS?

"An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.

It can help small, medium and large businesses in any sector keep information assets secure."

This framework is a method to get your company secure not just through a Next gen firewall, but through internal controls as well. The firewall protects at a purely network level.


Here is the primary reason for doing this: Internal controls in case an internal resource does something that goes against the company.

The criminal hacker is attempting to use your IT resources, and against that you use a Next gen firewall among other defenses:

http://oversitesentry.com/2-steps-stops-all-cyberattacks/

http://oversitesentry.com/more-sophisticated-attacks-we-must-up-cybersecurity/

But what about an internal employee doing something bad? Then you must have Governance, which could mean ISO 27001.


You can view parts of ISO 27001:2013(en) on their online browsing platform:

https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:en

ISO: International Organization for Standardization (HQ in Geneva, Switzerland)

ISMS: Information Security Management System

IEC: The International Electrotechnical Commission


In my research I found this interesting mind map by Peta Konsep Anak Bangsa:

https://pkab.wordpress.com/2009/03/13/peta-konsep-isoiec-27002/


This is a very good representation of what is needed in managing the processes of IT governance (the map covers the ISO/IEC 27002 controls).


Hopefully this article has given you food for thought as to why you need to #testforsecurity (in this case, test your internal processes).


You can also read the following: http://oversitesentry.com/why-cybersecurity-breaches-insanity-is-cause/

Contact Us, as we can help.
