ISO 27001 Compliance — Security is Standard with Cyber-Hunt
ISO 27001 (which grew out of BS 7799-2) is a structured set of requirements and specifications that help organizations build their own information security framework. The standard applies to all information assets in an organization, regardless of the media on which they are stored or where they are located. Cyber-Hunt is one of the leading consultants for ISO 27001 certification, having worked with over 50 successfully certified clients. What's more, we are ourselves certified to the Standard, and so are in an excellent position to 'walk the talk'.
Annex A of ISO/IEC 27001:2005 has 11 domain areas, 39 control objectives and 133 controls in all. The controls represent information security best practice; the standard does not require every control to be implemented, but requires that controls be selected and justified on the basis of the organization's risk assessment and business requirements, with the selection recorded in the Statement of Applicability.
ISO 27001 requires the development and implementation of a structured Information Security Management System (ISMS), which governs how security is implemented and monitored across the enterprise. The standard is designed to serve as a single 'reference point for identifying the range of controls needed for most situations where information systems are used'.
ISO 27001 is recognized internationally as a structured methodology for information security and is widely used as a benchmark for protecting sensitive and private information; its companion code of practice, ISO/IEC 27002 (formerly ISO 17799), supplies the implementation guidance for the Annex A controls. A widely held opinion is that ISO 27001 acts as an umbrella over other requirements of law or regulation (such as JSOX, SOX and the Data Protection Directive) and contractual standards (such as PCI DSS), because it requires companies to review such obligations when assessing risk. Organizations that choose to adopt ISO 27001 also demonstrate their commitment to high levels of information security.
ISO 27001 is the auditable specification for information security management, and so offers a means by which certification against the standard can be achieved. Organizations certified to ISO 27001 have demonstrated that their ISMS is at a level currently considered globally to represent best practice. Other organizations use the code of practice in their compliance programs to satisfy their own internal requirement to achieve best practice.
The route to certification comprises a number of stages, typically:
- Identification of Scope
- Gap Analysis
- Risk Assessment
- Security Improvement Plan
- Statement of Applicability
- Training and Awareness
- Mock Assessment
Cyber-Hunt has undertaken a large number of compliance and certification projects and is able to assist organizations in the pursuit of certification in a simple and effective manner.
The 11 control domains of ISO/IEC 27001:2005 (Annex A.5 to A.15), which together comprise best practice in information security, are:
- Security Policy
- Organization of Information Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance
Benefits of Implementing ISO 27001
Some of the benefits of implementing the ISO 27001 standard are as follows:
- Brings your organization into compliance with legal, regulatory and statutory requirements.
- Market differentiation through the positive influence on company prestige.
- Raises your organization's standing as a vendor.
- Increases overall organizational efficiency and operational performance.
- Minimizes internal and external risks to business continuity.
- ISO 27001 certification is recognized worldwide.
- Significantly limits security and privacy breaches.
- Provides a process for information security and corporate governance.
- Reduces operational risk as threats are assessed and vulnerabilities are mitigated.
- Provides your organization with continuous protection that allows for a flexible, effective and defensible approach to security and privacy.
Cyber-Hunt's Commitment to Secure Library Services
Cyber-Hunt understands that the confidentiality, integrity and availability of our members' information are vital to their business operations and to our own success. We use a multi-layered approach to protect key information, constantly monitoring and improving our applications, systems and processes to meet the growing demands and challenges of a dynamic threat environment. In recognition of these efforts, Cyber-Hunt has met the requirements of ISO 27001 and has received registration to the standard.
Information Security and Enterprise Risk Management
- Implemented an Information Security Management System in accordance with ISO/IEC 27001:2005
- Professional staff of certified information security and information technology audit professionals, and a full-time dedicated specialist in Business Continuity Planning and Disaster Recovery
Physical and Environmental Controls
- 24-hour staffed security
- Restricted access via proximity cards
- Computing equipment in access-controlled areas
- Video surveillance throughout the facility and perimeter
- Humidity and temperature control
- Raised flooring to facilitate continuous air circulation
- Underground utility power feed
- Uninterruptible power systems (UPS)
- Redundant power distribution units (PDUs)
- Diesel generators with on-site diesel fuel storage
- Smoke and fire detection sensors throughout the data centers
- The Dublin Service Delivery Center (DSDC) is protected by a Halon system with sufficient reserves for multiple discharges
- The Columbus Service Delivery Center (CSDC) is protected by a DuPont FM-200 fire suppression system
- The data centers are also protected by wet-pipe sprinkler systems
- Fire extinguishers are maintained throughout the DSDC and CSDC
- User identification and access management
- Connections to patron data use SSL 3.0/TLS 1.0 with global step-up certificates from Thawte, giving users an encrypted connection from their browsers to our service (note that SSL 3.0 and TLS 1.0 have since been deprecated; current deployments should require TLS 1.2 or later)
- Individual user sessions are identified and re-verified on each transaction, using XML-encrypted security assertions via SAML 2.0
- Depending on the specific services utilized
- Connected to the Internet via redundant, diversely routed links from multiple Internet Service Providers, served from multiple telecommunication provider Points of Presence
- Perimeter firewalls and edge routers block unused protocols
- Internal firewalls segregate traffic between the application and database tiers
- Load balancers provide proxies for internal traffic
- Cyber-Hunt uses a variety of methods to prevent, detect and eradicate malware
- Third-party independent security assessments are also conducted periodically
- All data are backed up to tape at each data center
- The backups are cloned over secure links to a secure tape archive
- Tapes are transported offsite and are securely destroyed when retired
- Cyber-Hunt's Information Security staff monitor notifications from various sources and alerts from internal systems to identify and manage threats
- Cyber-Hunt tests all code for security vulnerabilities before release, and regularly scans its network and systems for vulnerabilities:
  - Network vulnerability assessments
  - Selected penetration testing and code review
  - Security control framework review and testing
- The Cyber-Hunt service performs real-time replication to disk at each data center, and near-real-time data replication between the production data center and the disaster recovery site
- Sensitive data are transmitted across dedicated links
- Disaster recovery tests verify our projected recovery times and the integrity of customer data
- An incident management process covers security events that may affect the confidentiality, integrity or availability of Cyber-Hunt's systems or data
- The Information Security Team is trained in forensics and evidence handling in preparation for an event, including the use of third-party and proprietary tools
- Information can be obtained by third parties only through legal processes such as search warrants, court orders or subpoenas, through a statutory exemption, or with user consent