I agree with the Governance people at ITgovernance:
Technology only addresses some of the potential Cybersecurity hurdles that a company may have.
The poster child of massive data breaches (Sony) was due to an internal breakdown; that, plus previously documented failures, shows a lack of concern for IT Governance.
In my mind I have a basic question: what is IT governance anyway? Neil Ford says that there are basic programs in the ISO 27001 governance framework. Of course this is promotion for their website, which sells IT governance solutions.
But I want to go over why we would need any kind of “Governance” at all, as I experienced it when a company I was at went through ISO 27001 a long time ago. It is a process of processes. Going to ISO 27001 means you will have a framework of processes and paperwork. The idea is that there are rules and implementations of processes, and if you do not have them in place already, there is a path for you to create this methodology.
Actually, iso.org has the documents for ISO/IEC 27001, titled Information technology — Security techniques — Information security management systems — Requirements:
http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
What is an ISMS? From iso.org:
“An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.
It can help small, medium and large businesses in any sector keep information assets secure.”
This framework is a method to secure your company not just with a next-gen firewall, but with internal controls as well. The firewall protects at the network level only.
Here is the primary reason for doing this: internal controls, in case an internal resource does something that goes against the company.
The criminal hacker is attempting to use your IT resources, and against that you use a next-gen firewall among other defenses:
http://oversitesentry.com/2-steps-stops-all-cyberattacks/
http://oversitesentry.com/more-sophisticated-attacks-we-must-up-cybersecurity/
But what about an internal employee doing something bad? Then you need governance, which could mean ISO 27001. Its Annex A contains controls aimed at exactly that risk: human resource security, access control, and logging and monitoring.
You can view parts of ISO/IEC 27001:2013 (en) on the ISO Online Browsing Platform:
https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:en
ISO: International Organization for Standardization (HQ in Geneva, Switzerland)
ISMS: Information Security Management System
IEC: International Electrotechnical Commission
In my research I found this interesting mind map by Peta Konsep Anak Bangsa:
https://pkab.wordpress.com/2009/03/13/peta-konsep-isoiec-27002/
This is a very good representation of what is needed in managing the processes of IT governance.
Hopefully this article has given you food for thought as to why you need #testforsecurity (in this case, test your internal processes).
You can also read the following: http://oversitesentry.com/why-cybersecurity-breaches-insanity-is-cause/
2 thoughts on “NGFW-Tech Half Battle In Orgs”