Characteristically, Kerberus demonstrates a relentless focus on controls and delivery. In fact, we work in line with best-practice methodologies that provide unique assurances to clients.
This approach enables us to cover all the bases in terms of program effectiveness, cost and timescales, so that solutions are fit for purpose. And it guarantees that we can deliver solutions in a consistent, repeatable way.
NIST Contingency Planning Guide for Information Technology Systems
Information technology (IT) and automated information systems are vital elements in most business processes. Because these IT resources are so essential to an organization’s success, it is critical that the services provided by these systems are able to operate effectively without excessive interruption. Contingency planning supports this requirement by establishing thorough plans, procedures, and technical measures that can enable a system to be recovered quickly and effectively following a service disruption or disaster. Interim measures may include the relocation of IT systems and operations to an alternate site, the recovery of IT functions using alternate equipment, or the performance of IT functions using manual methods.
Sarbanes-Oxley Act of 2002
The Sarbanes-Oxley Act of 2002 was signed into law by President Bush on 30th of July 2002. This Act introduces many reforms which impact on corporate governance.
The Sarbanes-Oxley Act of 2002 requires that SEC-registered annual reports contain an "Internal Control Report".
The Internal Control Report needs to include both an assessment of the effectiveness of internal controls and the procedures of the issuer for financial reporting:
- Internal controls have to be established and maintained. These must ensure that material information regarding the company (including consolidated subsidiaries) is known by the certifying officer, as well as others in the company;
- The effectiveness of the company's internal controls must be evaluated by the certifying officer. The report should include their conclusions with respect to the effectiveness of the internal controls;
- Disclosure to the company's auditors and audit committee of all significant deficiencies in the company's internal controls;
- Disclosure to the company's auditors and audit committee of any fraud (whether or not material) involving management or other company employees who play a significant role in the company's internal control system;
- The report should disclose any changes that could significantly affect the company's internal controls since the date when such controls were last evaluated.
The penalty for a certifying officer who "knowingly" makes a false certification is a fine of up to US$1,000,000 and up to 10 years imprisonment, while a "willful" violation can result in a fine of up to US$5,000,000 and a jail term of up to 20 years.
For an organization that wants to understand its information security needs, OCTAVE® (Operationally Critical Threat, Asset, and Vulnerability EvaluationSM) is a risk-based strategic assessment and planning technique for security.
OCTAVE is self-directed. A small team of people from the operational (or business) units and the IT department work together to address the security needs of the organization. The team draws on the knowledge of many employees to define the current state of security, identify risks to critical assets, and set a security strategy.
OCTAVE is flexible. It can be tailored for most organizations.
OCTAVE is different from typical technology-focused assessments. It focuses on organizational risk and strategic, practice-related issues, balancing operational risk, security practices, and technology.
The overall objective for the CORAS project is to develop a practical framework for model-based security risk assessment by exploiting the synthesis of risk analysis methods with semiformal specification methods supported by an adaptable tool-integration platform. As illustrated by the following figure, the CORAS framework has four main anchor-points.
The CORAS risk assessment methodology integrates aspects of HazOp analysis, Fault Tree Analysis (FTA), Failure Mode and Effect Criticality Analysis (FMECA) and Markov Analysis, as well as CRAMM. It is model-based in the sense that it gives detailed recommendations for the use of UML-oriented modelling in conjunction with assessment. It employs modelling technology for three main purposes:
- To describe the target of assessment at the right level of abstraction.
- As a medium for communication and interaction between the different groups of stakeholders involved in risk assessment.
- To document risk assessment results and the assumptions on which these results depend.
The core risk analysis segment of the CORAS risk management process consists of three sub-processes ('identify risks', 'analyse risks', 'risk evaluation'), grouped together at the top layer of the figure. The CORAS risk management process consists of instantiations of abstract patterns given by the CORAS framework, using different risk analysis methods in order to analyse different parts of the system. The choice of risk analysis method upon which an abstract pattern is instantiated depends on the viewpoint in which the part to be analysed appears, and the level of detail incorporated in the context of the analysis depends on the phase in the development lifecycle. The specific instances of the CORAS risk management process that are used throughout the system lifecycle depend on the target (sub)system and the context of the analysis.
As the system description becomes more elaborate, any combination of refinement and decomposition results in a propagation of the risk analysis from the composite object to its components, guided by the system architecture.

OSSTMM (The Open Source Security Testing Methodology Manual) is a peer-reviewed methodology for performing security tests and metrics. The OSSTMM test cases are divided into five channels (sections) which collectively test: information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations such as buildings, perimeters, and military bases.
The OSSTMM focuses on the technical details of exactly which items need to be tested, what to do before, during, and after a security test, and how to measure the results. New tests for international best practices, laws, regulations, and ethical concerns are regularly added and updated.

Successful organizations understand the benefits of information technology and use this knowledge to drive their shareholders’ value. They recognize the critical dependence of many business processes on IT, the need to comply with increasing regulatory compliance demands and the benefits of managing risk effectively. To aid organizations in successfully meeting today’s business challenges, the IT Governance Institute® (ITGI) has published COBIT®.
COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.
ITIL is the most widely accepted approach to IT service management in the world. Providing a cohesive set of best practice guidance drawn from the public and private sectors across the world, it has recently undergone a major and important refresh project.
IT Service Management (ITSM) derives enormous benefits from a best practice approach. Because ITSM is driven both by technology and the huge range of organisational environments in which it operates, it is in a state of constant evolution. Best practice, based on expert advice and input from ITIL users is both current and practical, combining the latest thinking with sound, common sense guidance.
ISO/IEC 17799 (ISO 27002)
ISO 17799 (in full: ISO/IEC 17799:2005) is a risk management code of practice framework for Information Systems security developed by the International Organization for Standardization.
The excerpt below is taken from the International Organization for Standardization's website:
ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas of information security management:
- security policy;
- organization of information security;
- asset management;
- human resources security;
- physical and environmental security;
- communications and operations management;
- access control;
- information systems acquisition, development and maintenance;
- information security incident management;
- business continuity management;
- compliance.
The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 17799:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.
ISO/IEC 27001
ISO/IEC 27001 is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization and the International Electrotechnical Commission. Its full name is "ISO/IEC 27001:2005 - Information technology -- Security techniques -- Information security management systems -- Requirements", but it is commonly known as "ISO 27001".
It is intended to be used in conjunction with ISO/IEC 27002, the Code of Practice for Information Security Management, which lists security control objectives and recommends a range of specific security controls. Organizations that implement an ISMS in accordance with the best practice advice in ISO 27002 are likely simultaneously to meet the requirements of ISO 27001, but certification is entirely optional.
This standard is the first in a family of information security related ISO standards which are expected to be assigned numbers within the 27000 series. Others are anticipated to include:
- ISO/IEC 27000 - a vocabulary or glossary of terms used in the ISO 27000-series standards;
- ISO/IEC 27003 - a new ISMS implementation guide;
- ISO/IEC 27004 - a new standard for information security measurement and metrics;
- ISO/IEC 27005 - a proposed standard for risk management, potentially related to the current British Standard BS 7799 part 3;
- ISO/IEC 27006 - a guide to the certification/registration process;
- ISO/IEC 27799 - a guide to ISO 27001 for health sector organizations.
ISO/IEC 27002 has already been published, and was formerly called ISO/IEC 17799.
ISO 27001 was based upon and replaced BS 7799 part 2 which was withdrawn.
Several ISO affiliated national standards bodies have published localized versions of the standard. Generally speaking, these are simply language translations which retain the information content of ISO 27001.
AS/NZS 4360:2004 (Australian/New Zealand Standard)
The AS/NZS 4360 is the only internationally accepted risk management standard. The Standard provides a generic guide for establishing and implementing the risk management process involving identification, analysis, assessment, treatment and continuous risk monitoring.