Posts

Best Practices for secure Software Development

Image
image : OpenSense Labs Are you aware of the  Solarwinds attack in 2020? The hackers exploited software vulnerabilities of Orion IT monitoring and management software used by thousands of enterprises and government agencies. This hack triggered a larger scale supply chain incident which affected thousands of organizations, including the U.S. government. The attackers infliltrated the Solarwinds network, and infected the software used for Network monitoring before it shipped to customers.This insident and many more warn us on the importance of building secure software.  Secure software development is a methodology used for creating robust software by incorporating security practices into every stage of the software development life cycle (SDLC). It begins at planning stage before a single line of code is written, and continue through the life cycle. A bug fixing at implementation stage cost six times than fixing it during design stage. Every new feature added, may carry series of vulnera

ISMS and ISO 27001 Questions and Answers

Image
1. What is ISO 27001? ISO 27001 is a comprehensive information security standard, which provides the requirements for an information security management system (ISMS) for certification. It is a framework of policies and procedures that consists of all technical, physical, and legal controls of an Information Risk Management process. 2. What does ISO 27001 certification signify in terms of risk assessment? ISO 27001 certification guides organizations to identify, analyze, assess and evaluate the  information security risks faced by organization information assests. 3. What is the purpose of ISO 27001? ISO 27001 purpose is to provide the framework to develop an information security management system to control the risks associated with data and systems to minimize  information security risks to ensure Confidentiality, Integrity and Availability of data and systems critical to business continuity. 4. What is meant by ISMS? The Information Security Management System (ISMS) is a systematic

Internal Audit Process : Ensuring compliances and Finding Non-conformities

Image
Image: TechTarget The sole purpose of the internal audit is to check compliance with the documented organization ISMS requirements. Internal auditing is a key component and essential for ISO 27001 compliance. Therefore internal audits need to be carried out regularly, and effectively at planned intervals. Internal audits help identify and rectify any issues of the ISMS before an external certification audit is carried out for ISO 27001 certification. It also identifies non-conformities and opportunities for improvement. Conducting internal audits reassure the organization and external auditor that a continuous review of the ISMS is done. It also reminds the employees of their responsibilities to comply with ISMS requirements for the protection of organizational information assets. An internal audit is a systematic and planned process that reviews the 114 controls in Annex A. They are identified in a statement of applicability for compliance with ISO 27001 standards.  Internal auditing

ISMS Best Practices : Survival in Cyber Security Landscape

Image
Image : anitechconsulting An Information Security Management System (ISMS) helps establish policies, standards, procedures, and security controls to minimize security risks to organizations' sensitive data and systems to ensure business continuity. An ISMS systematically address employee behavior and business processes centered around data, applications, networks, and systems minimizing risks to acceptable levels. ISO/IEC 27001 international standard provides comprehensive guidelines to establish an ISMS for an organization of any size. This standard provides requirements for documentation of ISMS scope, organization security policies, security objectives, conducting risk assessments, application of security controls, user training, supplier compliance, internal auditing, management review, corrective and preventive actions, and continual improvement to gain 27001 certifications.  An ISMS provides a holistic approach to managing the security of information systems within an organiz

Threat modeling : Being ready for the attackers

Image
Threat modeling is an essauntial component of your Information security management system (ISMS). It aims to identify, analyse, plan, communicate, potential threats to protect assets in your network. It is basically,  getting into the attackers' head, and deploying effective defences against their Tactics, Tools, and Procedures (TTPs) . Threat modelling requires effective threat intelligence process to protect your organization from emerging cyber security threats.  There are several threat modeling approaches such as PASTA, OCTAVE,  VAST, and STRIDE. The particular model applicable for your organization depends on the type of business, assets and threats. Threat modelling is based on your organization's infirmation security objectives and risk assesment outcomes as well as monitoring of indicators of compromises (IOCs). It also need to consider future and potential threats identified by your threat intelligence activities. The generic steps of threat modelling recommended by a

ISO 27001 ISMS in a Nutshell

Image
Image : ISO The ISO 27001 certification is the most comprehensive  information security standard recognized globally. It ensures standardizing of your organisation's information security strategies to ensure confidentiality, integrity and availability of your systems and data to conduct your business effectively.  Gaining the certification is a journey with several milestones. It is a carefully planned systematic activity that transforms an organisation to a secure entity,  where everyone becomes a stakeholder in information security. Follow this processes to get to your goal successfully. Step 1. Obtain Management Support . This is the most critical requirement to achieve ISO 27001 status. Your ISMS project will definitely fail if it does not receive to management support. The management should provide, people, money and strategic direction for your ISMS to be a success story. In the sections below you’ll find some tips on how to convince your management, and how much the implemen

Zero Trust Model : A Security Strategy to Protect Critical Systems

Image
Image :logrhythm Zero Trust model is a comprehensive security model that aims to protect critical systems and sensitive data. The foundation of Zero Trust model is that it does not trust anyone including internal users behind a firewall. It does not allow access or perform a transaction by any user, without due authorization. Zero trust assumes that every attempt to access the network, applications or data as a threat until due authentication and authorization is confirmed. The prime purpose of Zero Trust archetecture is to prevent data breaches. It provides organisations higher visibility of their data and user activities related to data, and gives the ability to detect suspicious behaviors that may cause a potential data leak. Zero Trust framework requires all users to be identified, authenticated, authorized and continuesly validated to access applications and data on the network. It follows strict user and device identity verification process  when attempting to access network reso