Who owns risk?

Sarbanes-Oxley, HIPAA, the USA Patriot Act, Gramm-Leach-Bliley, FISMA, OMB circulars and Executive Directives (various), the Paperwork Reduction Act, Basel I and II, European Union privacy laws and the Safe Harbor Principles, the California Security Breach Notice Law and the emerging bills with similar guidelines, SEC Rule 17a-4 in areas of NARA-aligned records management, SEC 17 CFR Rule 16900 in areas affecting clearing corporations, the National Strategy to Secure Cyberspace and the many associated Public Laws and Government guidelines (especially those affecting security programs and the implementation of appropriate standards such as the various FIPS) are all part of our audit universe.

The PB&SP toolbox is a list of applications and industry tools, with special attention to the better companies and materials, as found most successfully implemented among our clients.

Risk Management in Industry, Technology and Government Contexts

Assessment Methods and Procedures: NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems (Initial public draft, July 2005) [As found on February 11 at <http://csrc.nist.gov/sec-cert/ca-verification.html>]

The purpose of NIST Special Publication 800-53A is to establish methods and procedures to assess the security controls in federal information systems, specifically those controls listed in NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, to determine whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the agency. In practice, agencies would use the suggested assessment methods and procedures from NIST Special Publication 800-53A as the starting point for developing more specific test and evaluation procedures, which may, in certain cases, be needed because of platform dependencies or other implementation-related considerations.

The assessment procedures in Special Publication 800-53A can be supplemented by the agency if needed. Assessment methods and procedures may need to be created for those security controls employed by the agency that are not contained in NIST Special Publication 800-53. The use of standardized assessment methods and procedures promotes more consistent, comparable, and repeatable security assessments of federal information systems.

NIST Special Publication 800-26, Rev. 1, Assessment Guide for Information Systems and Security Programs (Initial public draft, August 2005)

NIST Special Publication 800-26 is being revised to be consistent with NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems. The revision will consist of adding information about FIPS 199, compensating controls, common controls, Special Publications 800-53 and 800-53A, and agency security program-level assessments (including a program-level questionnaire). The system-level questionnaire will be used solely as a reporting form. The reporting form will have the seventeen families that are in Special Publication 800-53, and each control title and number that is in 800-53 will be listed. The security controls and their enhancements will not be repeated in 800-26; rather, the document will direct the reader to Special Publication 800-53A. 800-53A will contain each control along with its enhancements and the assessment procedures that should be conducted before annotating in Special Publication 800-26 whether the control is: (i) documented in policy (level 1); (ii) documented in procedures (level 2); (iii) implemented (level 3); and (iv) tested (level 4). To assist organizations in completing the FY05 system self-assessments, NIST is providing a modified 800-26 System Questionnaire which contains references and associated mappings to the 800-53 controls.
RA2 art of risk is the new risk assessment tool which replaces the previously successful RA Software Tool. This latest tool is more than just a risk assessment tool, as it covers a number of security processes that direct businesses towards designing and implementing an information security management system (ISMS). RA2 art of risk is a risk approach with a difference: it is a management tool designed to help businesses develop an ISMS in compliance with the ISMS specification BS 7799-2 and the code of practice for information security management BS ISO/IEC 17799. RA2 art of risk provides software support to design and implement an ISMS in accordance with the requirements of BS 7799-2, which includes:
NEW key features and benefits include:
RA2 art of risk provides a user-friendly, easy-to-understand, step-by-step process approach. It also includes a comprehensive "What's this?" help assistant facility, and various built-in checklists and questions to ensure that nothing has been forgotten. A fully worked-through example has been integrated that can be called up at any time in the risk assessment and treatment process to illustrate how the tool can be used to support the ISMS development and implementation. RA2 art of risk can be completely customised to meet the requirements of your organization. This includes the assessment of assets, threats and vulnerabilities applicable to your organization, and the possibility to include in the assessment controls additional to the ones in BS ISO/IEC 17799. It also includes a set of editable questions that can be used to assess compliance with BS ISO/IEC 17799. Successful risk assessment and management needs to collect information from different sources within the organization. RA2 art of risk includes the RA2 Information Collection Device, which can be installed anywhere in your organization as necessary to collect information and feed it back into the risk assessment process. Information assessed in the risk assessment can be exported to this Information Collection Device, and the information collected with the help of this device can be automatically imported back into the risk assessment. When the process of designing and implementing the ISMS has been finalised, RA2 art of risk allows you to create an archive that stores the results of this activity separately, while these results can at the same time be used as the basis for the next assessment in the ongoing risk management activities. It is also possible to import results from the previous RA Software Tool into RA2 art of risk so that those results can be used in the new tool. Your organisation needs to protect its information against a range of risks.
Experience has shown the importance of effective risk management in today's business arena. It is important for management to understand what information security risks and impacts the business is likely to face. This helps to facilitate informed decision-making in order to identify and implement an appropriate system of controls and processes to manage these risks. Risks caused by a lack of information security can severely damage a business. Knowing the "art of risk" enables a business to protect itself and to minimize any damage. Let RA2 art of risk help you in this quest.

Products to think about when evaluating risk are reviewed in Risk Management.
Alfresco is the first open source enterprise-scale content management system with a modern content repository, an out-of-the-box portal framework for managing and using content that is designed to work with standard portals, and a groundbreaking Common Internet File System (CIFS) interface that provides Microsoft Windows file system compatibility. Built by the founder of Documentum using a modern architecture, it is easier to use, more scalable and more adaptable. Alfresco is well suited to providing enterprise and departmental portals and compliance applications, or to replacing uncontrolled shared file drives. Its standards-based design allows you to use only the functionality you want, or to add new functionality with standard tools as requirements grow.
Special thanks to Bruce Winters for his article on compliance, "Choose the Right Tools for Internal Control Reporting" (Bruce I. Winters): New federal regulations require public companies to assess the effectiveness of their internal control structure and financial reporting procedures. Complex software is essential to such analysis. Here's how to determine what kind is needed and how it should link to—or replace—a company's existing systems. Thanks also to Dan Swanson, ISACA List Serve Community. Special Thanks to