BS 7799/ISO 17799
Re: Certifications a magic bullet for e-security! May 25 2007 03:01PM
vijay upadhyaya (vijay upadhyaya gmail com) (1 replies)
RE: Certifications a magic bullet for e-security! May 26 2007 04:54AM
Jose Varghese (jose varghese paladion net)

Taking an optimistic stance -

After going through an ISO 27001 exercise, are you more secure than you were
when you started? If yes, then the objective is fairly met.

As part of ISO 27001 implementation - my staff became more aware of security
practices, my system admins have now started hardening servers, we have an
incident reporting mechanism. Many [if not most] of the ISO 27001 exercises
result in these positive improvements.

Security does not improve overnight. ISO 27001 is a good start. It shows the
company is serious about achieving security.

Once you have got ISO 9001 certified, the quality of your products has
improved. But it does not mean that there shall be no more bad quality
products.

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On
Behalf Of vijay upadhyaya
Sent: Friday, May 25, 2007 8:32 PM
To: Vijay Mukhi
Cc: bs7799 (at) securityfocus (dot) com [email concealed]
Subject: Re: Certifications a magic bullet for e-security!

Hi Vijay,
Absolutely agreed, however there are 2 main issues about the company who
got certified and got hacked. 1. Certification standards are merely a framework;
people and their expertise will make or break IT security especially.
Standards like BS cover a lot of other things including IT-SEC. But the framework
complements the expertise, it is not a substitute for expertise. 2. If
certifications are treated as just a few check boxes which need to be checked
without having a risk-based approach, it will give you the certification but not the
desired security level.
All depends upon who the 3rd party auditor is, what their credentials are and
how well-informed and skilled people they have who can guide the
organization to the right path.
There is a lack of a standard threat, vulnerability and risk modelling
approach, and moreover finding the right balance between the business and
security is becoming more and more challenging in this fierce competition.

To conclude, I will not blame the certification but would definitely look
forward to some kind of a benchmark against which an organization can be tested
for its readiness to different kinds of threats and risk.
Regards,
Vijay Upadhyaya

> On 5/25/07, Vijay Mukhi <vmukhi (at) vsnl (dot) com [email concealed]> wrote:
> > Dear All
> >
> > I know of companies that have received the ISO 27001
> > certificate and the next day been hacked or their security
> > compromised. For some reason there is the belief that if you are
> > certified then you are more secure. At least in India this is what
> > senior management think. I believe that over time this will give
> > certifications a bad name. How do we delink the fact that just
> > because you are certified does not make you more secure. There is
> > and can be no magic bullet for e-security that companies can bite.
> > Any responses.
> >
> > Vijay Mukhi
> > CEO
> > Counter Espionage Officer

Copyright 2007, SecurityFocus