POPULARITY
9 episodes with information security management
4 episodes with information security management
2 episodes with information security management
2 episodes with information security management
Service Management Leadership Podcast with Jeffrey Tefertiller
In this episode, Jeffrey discusses ITIL's Information Security Management Practice Each week, Jeffrey will be sharing his knowledge on Service Delivery (Mondays) and Service Management (Thursdays). Jeffrey is the founder of Service Management Leadership, an IT consulting firm specializing in Service Management, Asset Management, CIO Advisory, and Business Continuity services. The firm's website is www.servicemanagement.us. Jeffrey has been in the industry for 30 years and brings a practical perspective to the discussions. He is an accomplished author with seven acclaimed books in the subject area and a popular YouTube channel with approximately 1,500 videos on various topics. Also, please follow the Service Management Leadership LinkedIn page.
In dieser Folge des #ITundTECH Podcasts spricht Holger Winkler mit Florian Bieselt, CO-Founder bei SecTepe , über die Implementierung eines Informationssicherheitsmanagementsystems (ISMS) in Unternehmen. An einer aktuellen Fallstudie wird die Relevanz von IT-Sicherheit, die Motivationen hinter Cyberangriffen und die Schritte bei der Einführung eines ISMS (Information Security Management System) beleuchtet.Das sind die Themen des Interviews im Detail:Die Motivationen hinter Cyberangriffen verstehenWorst-Case-Szenarien: Was passiert, wenn es zu spät ist?Informationssicherheitsmanagementsystem (ISMS) das steckt dahinter: Struktur und MethodikFallstudie: Herausforderungen bei der Implementierung eines ISMSDie Rolle des externen Informationssicherheitsbeauftragten bei der Implementierung eines ISMSReifegrad und Zertifizierung eines ISMSDas Angebot von SecTepe im DetailAbonnieren Sie unseren Kanal, um auf dem neuesten Stand zu bleiben!Weiterführende Informationen zur Firma Eckel SecTepe UG:► Internet: https://www.sectepe.de/ ► LinkedIn-Firmenseite: https://www.linkedin.com/company/sectepe/ ► Florian Bieselt auf LinkedIn: https://www.linkedin.com/in/florian-bieselt-29457b147/ —Der Werbepartner dieser Sendung: „Mitarbeiter werben Mitarbeiter auf LinkedIn" - 3 x effizienter als Facebook- oder LinkedIn-Ads ► Internet inkl. kostenlosem Quick-Check: https://www.itundtechjobs.com/ —Über den #ITundTECH für Deutschland Podcast:Der Podcast mit CEOs innovativer Softwarehersteller, IT-Dienstleister oder TECH-Unternehmen aus Deutschland!► Abonniere unseren Youtube-Kanal: https://www.youtube.com/@itundtech ► Abonniere unseren Podcast: https://www.itundtech.de/podcast ► Besuche uns auf unserer Webseite: https://www.itundtech.de/ ► Vernetze dich mit Holger Winkler auf LinkedIn: https://www.linkedin.com/in/holger-winkler/—Sie sind CEO eines innovativen Unternehmens aus dem IT- und TECH-Umfeld und hätten Lust, als Gast in den ITundTECH für Deutschland Podcast eingeladen zu werden?Dann melden Sie sich hier: https://www.itundtech.de
AI has been integrated into almost every aspect of our lives, from everyday software we use at work, to the algorithms that determine what content is recommended to us at home. While extraordinary in its capabilities, it isn't infallible and will open up everyone to new and emerging risks. Legislation and regulations are finally catching up to the rapid adoption of this technology, such as the EU AI Act and new Best Practice Standards such as ISO 42001. For those looking to integrate AI in a safe and ethical manner, ISO 42001 may be the answer. Today Rachel Churchman, Technical Director at Blackmores, explains what ISO 42001 is, why you should conduct an ISO 42001 Gap analysis and what's involved with taking the first step towards ISO 42001 Implementation. You'll learn · What is ISO 42001? · What are the key principles of ISO 42001? · Why is ISO 42001 Important for companies either using or developing AI? · Why conduct an ISO 42001 Gap Analysis? · What should you be looking at in an ISO 42001 Gap Analysis? Resources · Register for our ISO 42001 Workshop · Isologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: Rachel Churchman joins Steph to discuss what ISO 42001 is, it's key principles and the importance of implementing ISO 42001 regardless of if you're developing AI or simply just utilising it. Rachel will also explain the first step towards implementation – an ISO 42001 Gap Analysis. [02:45] Upcoming ISO 42001 Workshop– We have an upcoming ISO 42001 workshop where you can learn how to complete an AI System Impact Assessment, which is a key tool to help you effectively assess the potential risks and benefits of utilising AI. Rachel Churchman, our Technical Director, will be hosting that workshop on the 5th December at 2pm GMT, but places are limited so make sure you register your place sooner rather than later! [03:20] The impact of AI – AI is everywhere, and has largely outpaced any sort of regulation or legislation up until very recently. These are both needed as AI is like any other technology, and will bring it's own risks, which is why a best practice Standard for AI Management has been created. If you'd like a more in-depth breakdown of ISO 42001, check out our previous episodes: 166 & 173 [04:30] A brief summary of ISO 42001 – ISO 42001 is an Internationally recognised Standard for developing an Artificial Intelligence Management System. It provides a comprehensive framework for organisations to establish, implement, maintain, and continually improve how they implement and develop or consume AI in their business. It aims to ensure that AI risks are understood and mitigated and that AI systems are developed or deployed in an ethical, secure, and transparent manner, taking a fully risk-based approach to responsible use of AI. Much like other ISO Standards, it follows the High-Level Structure and therefore can be integrated with existing ISO Management systems as many of the core requirements are very similar in nature. [05:45] Why is ISO 42001 important for companies both developing and using AI? – AI is now becoming commonplace in our world, and has been for some time. A good example is the use or Alexa or Siri - both of these are Large Language AI Models that we all use routinely in our lives. But AI is now being introduced in many technologies that we consume in our working lives - all designed to help make us more efficient and effective. Some examples being: · Microsoft 365 Copilot · GitHub Copilot · Google Workspace · Adobe Photoshop · Search Engines i.e. Google Organisations need to be aware of where they're consuming AI in their business as it may have crept in without them being fully aware. Awareness and governance of AI is crucial for several reasons: For companies using AI they need to ensure they have assessed the potential risks of the AI such as unintended consequences and negative societal impacts, or potential commercial data leakage. They also need to ensure that if they are using AI to support decision making, that they have ensured that decisions made or supported by AI systems are fair and unbiased. It's not all about risk - organisations can also use AI to streamlining processes helping to become more efficient and effective, or it could support innovation in ways previously not considered. For companies developing AI, the standard promotes the ethical development and deployment of AI systems, ensuring they are fair, transparent, and accountable. It provides a structured approach to risk assessment and governance associated with AI, such as bias, data privacy breaches, and security vulnerabilities. And for all, using ISO 42001 as the best practice framework, organisations can ensure that their AI initiatives are aligned with ethical principles, legal requirements, and industry best practices. This will ultimately lead to more trustworthy, reliable, and beneficial AI systems for all. [10:00] Clause 7.4 Communication – The organisation shall determine the internal and external communications relevant to the system, and that includes what should be communicated when and to who. [09:00] What are the key principles outlined in ISO 42001? – · Fairness and Non-Discrimination - ensuring AI systems treat all individuals and groups fairly and without bias. · Transparency and Explainability - Making AI systems understandable and accountable by providing clear explanations of their decision-making processes. · Privacy and Security - Protecting personal data and privacy while ensuring the security of AI systems. · Safety and Security - Prioritising the safety and well-being of individuals and the environment by mitigating potential risks associated with AI systems. · Environmental & Social - Considering the impact of AI on the environment and society, promoting sustainable and responsible practices. · Accountability and Human Oversight - Maintaining human control and responsibility for AI systems, ensuring they operate within ethical and legal boundaries. You'll often hear the term 'Human in the loop'. This is vital to ensure that AI is sanity checked by a human to ensure it hasn't hallucinated or result ‘drifted' in any way. [11:10] Why conduct an ISO 42001 Gap Analysis? What is the main aim? – Any gap analysis is a strategic planning activity to help you understand where you are, where you want to be and how you're going to get there. The ISO 42001 gap analysis will identify gaps and pinpoint areas where your AI practices need to meet the ISO 42001 requirements. It aims to conduct a systematic review of how your organisation uses or develops AI to then assess your current AI management practices against the requirements of the ISO 42001 standard. This analysis will then help you to identify any "gaps" where your current practices do not fully meet the standard's requirements. It also helps organisations to understand 'what good looks like' in terms of responsible use of AI. It will help you to prioritise improvement areas that may require immediate attention, and those that can be addressed in a phased approach. It will help you to understand and mitigate the risks associated with AI. It will also help you to develop a roadmap for compliance to include plans with clear actions identified that can then be project managed through to completion, and as with all ISO standards it will support and enhance AI Governance. [13:15] Does an ISO 42001 gap analysis differ from gap analysis for other standards? – Ultimately, no. The ISO 42001 gap analysis doesn't differ massively from other ISO standard gap analysis, so anyone who already has an ISO Standard and has been through the gap analysis process will be familiar with it. In terms of likeness, ISO 42001 is similar in nature to ISO 27001 in as much as there is a supporting 'Annex' of controls and objectives that need to be considered by the organisation. Therefore the questions being asked will extend beyond the standard High Level Structure format. Now is probably a good time to note that the Standard itself is very informative and includes additional annex guidance information to include · implementation guidance for the specific AI controls, · an Annex for potential AI-related organisational objectives and risk sources, · and an Annex that provides guidance on use of the AI management system across domains and sectors and integration with other management system standards. [14:55] What should people be looking at in an ISO 42001 gap analysis? – The Gap Analysis will include areas such as looking at the 'Context' of your organisation to better understand what it is that you do, or the issues you are facing internally and externally in relation to AI - both now and in the reasonably foreseeable future, and also how you currently engage with AI in your business. This will help to identify your role in terms of AI. It will also look at all the main areas typically captured within any ISO standard to include leadership and governance, policy, roles and responsibilities, AI Risks and your approach to risk assessment and treatment and AI system impact assessments. It also looks at AI objectives, the support resources you have in place to manage requirements, awareness within your business for AI best practice and use, through to KPI's, internal audit, management review and how you manage and track issues through to completion in your business. The AI specific controls look more in-depth at Policies related to AI, your internal organisation in relation to key roles & responsibilities and reporting of concerns, The resources for AI Systems, how you assess the impacts of AI Systems, The AI system lifecycle (AI Development), Data for AI Systems, Information provided to interested parties of AI Systems, and the use of AI Systems and 3rd party and customer relationships. [18:10] Who should be involved in an ISO 42001 Gap analysis? – An ISO 42001 gap analysis looks at AI from a number of different angles to include organisational governance that includes strategic plans, policies and risk management, through to training and awareness of AI for all staff, through to technical knowledge of how and where AI is either used or potentially developed within the organisation. This means that it is likely that there will need to be multiple roles involved over the duration of a gap Analysis. At Blackmores we always provide a Gap Analysis 'Agenda' that clearly defines what will be covered over the duration of the gap analysis, and who typically could be involved in the different sessions. We find this is the best way to help organisations plan the support needed to answer all the questions required. It's also important to treat the gap analysis as a 'drains up' review, to help get the most benefit out of the gap analysis. This will ensure that all gaps are identified so that a plan can then be devised to support the organisation to bridge these gaps, putting them on the path to AI best practice for their business. If you'd find out more about ISO 42001 implementation, register for our upcoming Workshop on the 5th December 2024. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
There have been a reported 9,478 publicly disclosed data incidents in 2024 alone, with that amounting to over 35 million known records breached. It has become clear in recent years that information security isn't just a ‘nice to have', it's a necessity to ensure you and your client's data are protected. Which is especially the case for those processing personal and financial data, such as today's guest, Mintago. In this episode, Tom Catnach, Head of Product and Information Security Officer for Mintago, explains their journey towards ISO 27001, the challenges faced and benefits felt from certification to the leading Information Security Standard. You'll learn · Who are Mintago? · Who is Tom Catnach? · What was the main driver behind achieving ISO 27001? · What was the biggest ‘gap' identified in the Gap Analysis? · What have they learned from the experience? · What are the benefits of certification to ISO 27001? · What does the threat horizon for information security look like? Resources · Mintago · Isologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:15] Episode summary: Today we welcome guest Tom Catnach from Mintago to discuss their journey towards ISO 27001 certification. [02:20] Who are Mintago? – Mintago are an employee benefits company, who work with companies to help their employees be financially better off. They do this in a number of ways, including: · Finding lost pension pots · Help to save money through finding discounts · Retirement planning · Offering various salary sacrifice products · Helping companies to be more financially efficient with pension salary sacrifice or other national insurance savings · Helping people to be more financially literate [05:10] Who is Tom Catnach?: Tom has a split role at Mintago, his primary role being Head of Product and secondary being Information Security Officer. Through both roles he looks after all the products and offerings as well as the information security across the business, he was also the driving force behind achieving ISO 27001. Outside of work, Tom likes to travel via motorbike, preferring to stay away from the screens and enjoying the sights. [06:30] What was Mintago's main driver to Implement ISO 27001?: Mintago, and most other businesses by their nature, are required to hold a lot of sensitive data and so have a responsibility to their clients and employees to ensure it's security. Mintago were looking for a robust framework to base their Information Security around, and what better option that the leading Information Security Standard, ISO 27001. ISO 27001 also offers the assessment of general business practice, and allows for growth and scaling. As a start-up, they wanted to have a solid base for policies, training ect to roll out to new hires as they expand. [08:30] Aligning Standards with core values: Trust is one of Mintago's core values and they want to give their clients the assurance that they can be trusted to protect their data. ISO 27001 can be compared to the likes of Bcorp as it's an on-going process. It doesn't just stop at getting the certificate, you have annual surveillance to ensure you are still compliant year on year. [10:15] What was the scope of Mintago's certification?: For the initial implementation, Mintago opted to just scope in Product and Customer Service. This was because all of the sensitive data is handled in those departments and they don't allow access to any other teams, so it made sense to start there with a view to expand the scope after certification. That being said, they still rolled out Information Security training to all staff, and everything has been set-up to allow for an easy business wide roll-out when they're ready. [11:50] How long was Mintago's certification journey?: They started their journey in September 2023, in fact it was Tom's first project with Mintago! Mintago enlisted Blackmores help to implement ISO 27001, and after nine months they have been successfully certified. Tom attributes their ease of implementation to the fact that they are currently a small business, citing that it's an advantage to implement ISO Standards early while your agile so that your management system grows with you. [14:25] What was the biggest ‘gap' identified at the Gap Analysis? Mintago are lucky in the fact that they are a new business so are using modern tech, and don't have the burden a larger site or other physical elements such as rack mounted servers. However, policy, procedure and evidence to ensure they were doing the right thing were lacking at the start of their journey. They did have a good 70% in place and that last 30% was mostly down to having the ability to evidence their compliance. There was also some additional work to do to improve existing policies and procedures. One example of this was having a solid Business Continuity Plan in place. [16:35] Did Mintago experience any significant barriers in addressing identified gaps? Being a smaller business, they were able to adapt a lot quicker than a larger organisation may have been able to. One of the biggest struggles for Tom was getting the necessary technology to aid with Information Security. They needed to show that they had a competent Mobile Device Management Solution (MDM), antivirus and anti-phishing in place. When trying to buy some software solutions, Tom encountered a lot of companies simply not replying to his requests due to Mintago's size. Many organisations sadly prioritize bigger potential clients, and so it took a while to finally get all the required software. [18:45] Engagement is key - Getting everyone involved with the management system is critically important. Especially with information security as the people most often targeted are frontline workers, so they need to be actively engaged in security. Mintago also has the advantage of being a smaller business, so getting communication out isn't a hardship and resulted in high engagement. This was benefitted from a top-down initiative via their ‘C-Suite'. Tom also states that you can make any necessary training more lighthearted, team based or interactive, as that's something that people would want to engage in. It's also important to stress that any information security training can be beneficial for personal use too to avoid being a victim of fraud or a scam. It can be something people take away to their family members to ensure they stay safe online. [23:10] Did the adoption of ISO 27001 highlight any issues not already considered by Mintago? - The biggest thing was how their internal process could be improved. For example, looking at the scenario of ‘what if our back-ups don't work?', ISO 27001 drilled down to ask specifics such as: · How do we recover from that scenario? · Are we 100% confident in our back-ups? · Will they work near instantaneously? · What's Mintago's availability like in that scenario? · How do we prevent disruption to our clients during that scenario? So, while they did have back-ups they weren't necessarily considering the whole scenario, especially if those back-ups were to fail. ISO 27001 ultimately helped to flesh out existing plans to make a much more robust system. In regards to threat horizons, Mintago do practice OWASP and keep the team informed via e-mail, newsletters and GitHub repositories. [25:00] Internal Auditing – A beneficial tool - Tom found the internal auditing process to be very beneficial for Mintago, currently they do a few monthly on average. Blackmores assisted with the audits during implementation to ensure they were in the right place for assessment. Of course, the Certification Body audits were a bit more nerve wracking for Stage 1 and 2 as they would determine if they would be certified. Mintago passed their Stage 1 (documentary review) with flying colours, their Stage 2 (evidence checking) highlighted a few non-conformities that were quickly addressed. Following the Stage 2, they were recommended for ISO 27001 certification. [27:20] Minor Non-conformities aren't the end of the line – There's a common misconception that getting a certain number of minor non-conformities during a Stage 2 assessment means you can't be certified, but that's simply not true! If an Assessor is comfortable that you are in a good position for certification, they will recommend you. ISO Standards are all about continual Improvement, which is something Mintago are embracing as they continue to address issues raised at audits. [29:00] Benefits of ISO 27001 certification – Benefits Mintago are already experiencing include: Internal Stakeholders – The Team worked hard to achieve the Standard and have embraced it's core qualities to the benefit of their own Information Security practices. Positive Market Response – Much larger clients who are also ISO 27001 certified now have a mutual understanding of each other's commitment to information security. Gaining certification early – As a start-up, Mintago are agile and will be able to develop and mature their ISMS (Information Security Management System) as they grow. [31:10] Any concerns on the threat horizon?: As the Information Security Officer, Tom is concerned about new emerging trends in AI led scams. They're going to be a lot more sophisticated and harder to spot and deal with. Thankfully, even if they are impacted, it will be rather isolated. Tom raises concerns for vital services such as Air Traffic Control which could have dire consequences if they were to be affected by a data incident. However, with ISO 27001 Mintago are in a good place to keep on-top of their threat horizon and have the processes in place to mitigate potential incidents and continually improve their own security. [34:30] In Summary: Mintago are a shining example of gaining certification for the right reasons. It's not just about getting a badge, they have truly embraced a culture of continual improvement and are utilising ISO 27001 to ensure they have a robust information security management system in place. If you would like to learn more about Mintago and their financial services, check out their website. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
ISMS.online has released its ‘State of Information Security' report which surveyed 502 people in the UK (over 1500 globally) who work in information security across 10 sectors including technology, manufacturing, education, energy and utilities and healthcare. The main findings that it exposed are: 79% of businesses have been impacted due to an information security incident caused by a third-party vendor or supply chain partner. Over 99% of UK businesses received hefty fines for data breaches or violation of data protection rules over the last year Deepfakes now rank as the second most common information security incident for UK businesses and have been experienced by over a third of organisations.What does all of this mean? As data breaches continue to surge, government entities and trade bodies are in turn, trying to meet these challenges with updates and implementation of regulations and compliance mandates. Listen in as Luke speaks to IT managers about the need to build robust and effective information security foundations, invest in securing their supply chains and increasing employee awareness and training.Learn more about ISMS.online: https://itspm.ag/ismsonline08ab81Note: This story contains promotional content. Learn more.Guest: Luke Dash, CEO, ISMS.onlineOn LinkedIn | https://www.linkedin.com/in/luke-dash-33867b25/ResourcesThe State of Information Security Report 2024: https://itspm.ag/ismsonlinef56b77Learn more and catch more stories from ISMS.online: https://www.itspmagazine.com/directory/isms-onlineView all of our OWASP AppSec Global Lisbon 2024 coverage: https://www.itspmagazine.com/owasp-global-2024-lisbon-application-security-event-coverage-in-portugalAre you interested in telling your story?https://www.itspmagazine.com/telling-your-story
ISMS.online has released its ‘State of Information Security' report which surveyed 502 people in the UK (over 1500 globally) who work in information security across 10 sectors including technology, manufacturing, education, energy and utilities and healthcare. The main findings that it exposed are: 79% of businesses have been impacted due to an information security incident caused by a third-party vendor or supply chain partner. Over 99% of UK businesses received hefty fines for data breaches or violation of data protection rules over the last year Deepfakes now rank as the second most common information security incident for UK businesses and have been experienced by over a third of organisations.What does all of this mean? As data breaches continue to surge, government entities and trade bodies are in turn, trying to meet these challenges with updates and implementation of regulations and compliance mandates. Listen in as Luke speaks to IT managers about the need to build robust and effective information security foundations, invest in securing their supply chains and increasing employee awareness and training.Learn more about ISMS.online: https://itspm.ag/ismsonline08ab81Note: This story contains promotional content. Learn more.Guest: Luke Dash, CEO, ISMS.onlineOn LinkedIn | https://www.linkedin.com/in/luke-dash-33867b25/ResourcesThe State of Information Security Report 2024: https://itspm.ag/ismsonlinef56b77Learn more and catch more stories from ISMS.online: https://www.itspmagazine.com/directory/isms-onlineView all of our OWASP AppSec Global Lisbon 2024 coverage: https://www.itspmagazine.com/owasp-global-2024-lisbon-application-security-event-coverage-in-portugalAre you interested in telling your story?https://www.itspmagazine.com/telling-your-story
ISO 42001 was published in December of 2023, and is the first International Standard for Artificial Intelligence Management Systems. It was introduced following growing calls for a common framework for organisations who develop or use AI, to help implement, maintain and improve AI management practices. However, its benefits extends past simply establishing an effective AI Management System. Join Steph Churchman, Communications Manager at Blackmores, on this episode as she discusses the top 10 reasons to adopt ISO 42001. You'll learn · What is ISO 42001? · What are the top 10 reasons to use ISO 42001? · What risks can ISO 42001 help to mitigate? · How can ISO 42001 benefit both users and developers of AI? Resources · Isologyhub · ISO 42001 training waitlist In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:30] What is ISO 42001?: Go back and listen to episode 166, where we discuss what ISO 42001 is, why it was introduced and how it can help businesses mitigate AI risks. [02:45] Episode summary: We take a look at the top 10 reasons why you should consider implementing ISO 42001. [02:55] #1: ISO 42001 helps to demonstrate responsible use of AI. – , ISO 42001 helps ensure fairness, non-discrimination, and respect for human rights in AI development and use. Remember, AI can still be bias based on the fact that AI models are typically trained on existing data, so any existing bias will carry over into those AI models – an example of this is the existing lack of representation for minority groups. We also need to take care in the use of AI over people, as staff being replaced by AI is a very real concern and should not be treated lightly. We've already seen a few cases where this has happened, especially across the tech support field where some companies mistakenly think that a chatbot can replace all human staff. We also need to consider the ethics of AI content. It's predicted that 90% of online content will be AI generated by 2026! A lot of this generated content includes things like images, which poses a real concern over the values we're translating to people. The content we consume shapes the way we think and if all we have is artificial, then what message is that conveying? An example of this is Dove's recent advert, which showed an example of AI generating images of very unobtainable ideals of a beautiful face. Which were predictably absolutely flawless, almost inhuman and something that can only be achieved through photo editing. If the internet was flooded with this sort of imagery, then that starts to become the expectation to live up to, which can be tremendously damaging to people's self-esteem. They then went on to show actual unedited people, in all their varied and wonderful glory and stated that they will never use AI imagery in any of their future marketing or promotional material. Which sends a very strong message – AI definitely has its place, but we need to fully consider the implications and consequences of it's use and possible oversaturation. [05:20] #2: Traceability, transparency and reliability - Information sourced via AI is not always correct – It collates information published online, and as many of us are aware, not everything on the internet is correct or accurate. Data sets carelessly scrapped from online sources may also contain sensitive or unsavoury content. We've had cases where people have managed to ‘break' Chat GPT, causing it to spew out nonsense answers which also contained sensitive information such as health data and personal phone numbers. While not usually accessible when requested, it does not stop the risk of this data being dug up through exploits. AI is like any other technology, and is not infallible. So, it's up to developers to ensure that the data used to train models is safe and appropriate for use. It should be expected that data sets will be scrutinised from a legal standpoint – either as a result misuse of AI or a mandatory exercise as a part of future legislation. There's also research that suggests data sets can be potentially poisoned to produce inaccurate results – which is another consideration for developers using live data sets, who will need to stay on top of these risks to ensure the integrity of their tools. ISO 42001 provides specific guidance that covers how developers can ensure transparency and explainability within sample training data. [06:45] #3: It's a framework for managing risks and opportunities – AI, like any other new technology, is going to create new risks and opportunities. Risks include the likes of inaccurate data being used, existing bias in data training sets, plagiarism, information security risks and data poisoning. If you're simply using AI to gather information, it's also a good exercise to ensure that the information is coming from a reputable source. One easy way to so this is to simply ask for the source to be cited when pluging in a prompt into tools like Chat GPT and Gemini. You can then verify how legitimate that source is. For web developers and SEO specialists, Google has recently updated it's algorithm to punish those with a lot of AI generated content on their websites. So those within the SEO space may see some interesting trends over the course of 2024. Another unfortunate risk is that of more complex scams being implemented through the use of AI. An example of this involves those who may use an AI assistant in their systems, which can be affected by malicious emails that contain prompt injections which could be used to send data from a victims machine to outside sources. This is only touching on a few risks, but as you can see, there's a lot to consider and I've no doubt that more complex risks will make themselves known as the technology evolves. However, there are a lot of opportunities to be found with AI use. There's a huge potential for AI to be utilised to tackle mundane and routine tasks which could be automated. AI also has the capability to scan masses of data and provide suggestions based on it's findings. Obviously, humans can't possibly compete with the sheer volume of data that AI can process, and so we can utilise it to help us make better more informed decisions. A lot of commonly used software has already integrated various AI tools which offer great quality of life updates and help make a lot of tasks quicker. Which in turn means our time is better spent elsewhere on tackling the more complex issues that require a more human touch. ISO 42001 can help you balance out these risks and opportunities by helping you build a robust management system to manage and mitigate risks, and drive forward opportunities through continual improvement. [10:35] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo. [12:50] #4: Demonstrate that introducing AI is a strategic decision with clear objectives - Businesses looking to integrate AI should not make this decision lightly. I know it's tempting to play with the newest toy, but we should take care to look at any possible risks, and that it aligns with both your company objectives and ethics before rushing to utilise something. For example, allowing your staff to use ChatGPT for content creation. You need to consider a few things: You need to make sure Staff aren't putting in any confidential or sensitive information into publicly available AI tools. Also, ensuring that Staff understand that content provided by the likes of ChatGPT and Gemini could be plagiarised if used as is. You need to build, adapt and change the content so it's something unique. It's all well and good introducing AI technology if it truly is going to be beneficial to your employees and to the business as a whole, however if you're just introducing it because everyone else seems to be, then you really have to question if it's worth it. If it's not actively making your work lives easier and helping you to achieve your objectives, then is it really worth the potential cost and effort to implement? It may also be worth looking into how the AI tool you're using was created. There is sadly still a lot of exploitation involved in the development of new technology, so it's up to you to ensure that the tools you're using were created in an ethical way. Ultimately, ensure that you are using AI safely, ethically and that it aligns with your businesses established objectives. This will need to be communicated clearly to everyone in the business. ISO 42001 is, at its heart, a Management system standard. Like many other ISO Standards, it includes guidance on setting objectives and communicating these to your wider business. [15:24] #5: ISO 42001 helps to implement safeguards – Certain features of AI may require safeguards to help protect businesses against the extra risks they pose, such as the increased potential of more sophisticated cyber attacks or compromised training data. This can be applied within a particular process or an entire system. Examples of features that may require these safeguards include: · Automatic decision making · Data analysis, insight and machine learning · Continuous learning Something you need to consider: Cyber scams are going to become a lot more complex with the help of AI, so you need to ensure you're staff are both aware of this and how they can avoid falling prey to them. Safeguards may simply involve more training on these new risks, or updating to a more robust security software that is able to detect possible AI cyber scams. Developers are also going to need to keep on top of any data being fed into their tools. Public live data tools especially will be more susceptible to being poisoned and tampered with, so it's up to them to monitor and ensure the integrity of their data. ISO 42001 provides guidance in it's annexes for users and developers to implement these necessary safeguards. [16:30] #6: ISO 42001 Supports compliance with legal and regulatory Standards – More AI focused legislation is an inevitability, with the new EU AI Act being a perfect example. It's important to ensure that you are prepared to comply with legislation as it's released, or you may be held liable and be subject to fines. Currently, the UK has no plans to introduce a new regulator for AI, instead relying on existing technology based regulators like the Information Commissioners Office (ICO), Ofcom and FCA. ISO 42001 includes specific considerations for any potential applicable legislation. [17:06] #7: ISO 42001 Can enhance your reputation – ISO Standards are internationally recognised and ensure you are complying with best practice. Gaining certification to ISO 42001 will show you are confident in your AI related claims, and are happy to have this verified by a third party. [17:30] #8: ISO 42001 Encourages innovation within your business – For as much as we've stressed the potential risks AI could expose your business to, ultimately AI is here to help make our lives easier. We just need to ensure we're responsible when applying it. ISO 42001 ensures you can safety integrate AI tools and systems within your business. It's there to help guide the adoption of this new technology, and drive continual improvement as your management system matures. [17:55] #9: ISO 42001 Can be easily integrated with existing systems – ISO 42001, like many ISO Standards, is based on the Annex SL format and can be easily integrated with existing ISO Management Systems such as an ISO 9001 (Quality management) or ISO 27001 (Information Security management) system. Risks addressed in ISO 42001 include security, privacy and quality among others, and can help to enhance the effectiveness of your Management system in those areas. [18:25] #10: ISO 42001 Does not require an existing Management System to implement – While ISO 42001 would make a great addition to any ISO Management System, it's important to note that this can be implemented independently. It is also not intended to replace or supersede any existing quality, safety or privacy Standards / existing management systems. We'll be releasing a suite of ISO 42001 related training content on the isologyhub, if you'd like to get notified as soon as this becomes available, please register your interest on our waitlist. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
Cyber incidents are on the rise as data shows there was a 20% increase in data breaches from 2022 to 2023. Technology has become an integral part of most businesses, especially post pandemic where many who may have avoided this reliance on tech had no choice but to adapt to survive. As a result, the question of businesses being affected by a cyber incident has become ‘when' rather than ‘if'. However, there are a number of steps you can take to mitigate risks ahead of any potential incidents. We invited Jack Morris, Account Director at Epiq, to discuss cyber incidents, the importance of being proactive in reducing cyber incident risk and the steps you can take to mitigate these risks. You'll learn · Who are Epiq? · What is a cyber incident? · The importance of being proactive in reducing the risk of an incident · What can organisations do to be proactive in mitigating cyber incident risk? · What are forensic tabletop exercises, and how do they enhance preparedness? · Why might an organisation need to get an incident response retainer? · What role do Information Governance consultants play in reducing cyber risk? Resources · Epiq · Isologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: Today Mel is joined by guest Jack Morris, Accoutn Director at Epiq, to discuss how to mitigate cyber incident risk. [02:40] Who are Epiq? – Epic is a global leader in technology enabled legal services. In fact, it supports 90% of the top law firms globally! With over 8000 employees spread over 19 countries, it helps to support corporations, law firms and government agencies across the globe. [04:31] Who is Jack Morris? – Jack joined the industry relatively fresh out of university, starting at an organisation called Kroll where he was focused on data management – including overcoming ransomware infected devices and essentially allowing organisations to get access to data that was previously taken away from them. Kroll was later acquired by Duff and Phelps and went through a turbulent time of many name changes before settling on Kale Discovery. He ended up leaving a year ago and joined Epiq as an Account Director. Jack's role at Epiq includes being a facilitator, introducing law firms, corporations and cyber insurers to best in class people and technology. [06:40] What is a cyber incident?: A Cyber Incident is any unauthorised or unexpected event that compromises the confidentiality, integrity or availability of an organisation's information systems, data or network. Incidents can range from data breaches and malware infections to single mailbox compromises and insider threats. Organisations looking to combat information security risks should consider ISO 27001, as it's key principles include the confidentiality, integrity or availability of your businesses information. [08:29] Why is it important for organisations to be proactive in reducing their risk of an incident, no matter the size of your business? – Let's look at some startling statistics: In 2022, 39% of businesses in the UK identified a cyber attack in the previous 12 months. Of this 39%, 31% of those businesses experienced attacks at least once a week. 48% of Small to Medium Businesses, globally, experienced a cyber incident in the last 12 months, with 61% of all cyber-attacks specifically targeting small business. This is the most shocking of the statistics, and why it's so important for us to be having these kinds of conversations around how business, no matter the size, need to be proactive in mitigating the impact of a cyber incident. 70% of small to medium businesses in the UK believe that they are unprepared to deal with a cyber attack (which excludes those who think they have proper processes in place but ultimately don't). Nearly 60% of businesses that are impacted by a cyber incident go out of business within 6 months following! [12:10] Are there any particular industries that are most at risk from a cyber incident? – Cyber Incidents are not siloed to particular industries, but there are some trends that we see in the market. Looking at Q1 2024: January saw a rise in cyber incidents predominantly affecting retail, education and local government. In February we saw a significant number of breaches, impacting organisations across the full spectrum of markets. All of this to say that regardless of the size of your business and the industry you operate in, the number of cyber incidents are increasing as well as the severity of said incident. [13:35] ISO Standard trends – At Blackmores, we've seen an increase in demand for ISO 27001 and related data privacy standards across the board for all sectors. A stark difference to 10 years ago where it would mostly only be adopted by those in the managed services or tech based industries. [15:30] What can organisations do to be proactive in mitigating cyber incident risk? – Things such as implementing a proactive incident response plan, engaging with law firms and consultancy organisations to become aware of the organisation's requirements and compliance issues arising from a cyber incident. If you were hit with an incident today, you must report any personal data breaches to the relevant regulators within 72 hours of becoming aware of an incident or there can be fines that are implicated. To deal with these types of situations, it's imperative that your organisation has established, sound relationships with law firms and consultants. [17:25] What is the importance of an incident response plan? – Implementing an incident response plan is crucial because it allows organisations to prepare for potential cyber incidents before they occur. By identifying risks, implementing preventive measures, and conducting exercises, organisations can significantly reduce the impact of incidents. Organisations should be aware of both the legal and operational issues that arise from a cyber incident – from regulatory compliance and liability concerns right the way through to loss of systems/data and brand reputation are all key considerations that have an effect on the whole of a business. [18:35] What are forensic tabletop exercises, and how do they enhance preparedness? – Forensic tabletop exercises simulate cyber incidents in a controlled environment. They involve key stakeholders discussing and practicing their roles during an incident. These exercises improve coordination, communication, and decision-making, ensuring a more effective response when a real incident occurs. The workflow here is clearly defined; implement an incident response plan, and then test that plan for robustness – engaging with external providers, like Epiq, to further add to the existing plan and to test how the organisation will manage an active incident. [19:35] Join the isologyhub – Don't miss out on a suite of over 200+ ISO tools, templates and training, sign-up to become a member of the isologyhub [21:45] Links with Business Continuity – Response readiness plans and forensic tabletop exercises both tie into aspects of ISO 22301 – business continuity. In Blackmores' experience, a lot of organisations don't actually test their plans, so when going through the process of implementing ISO 22301, where testing these response plans are a requirement, it's a bit of an eye opener when they realise they're not as resilient as initially thought. It's always better to test these plans in a simulated environment vs a live one, so you can be assured that your plans are up to the task. [23:40] Why might an organisation need to get an incident response retainer? – We're starting to see a number of industries, particularly in regulated verticals, requiring businesses in their supply chain to meet a number of different cyber security requirements. One, which keeps popping up, is to have a plan in place for responding to security incidents. Having a retainer can help meet these compliance requirements. [26:05] What role does Managed Detection and Response (MDR) software play in proactive incident response? – MDR solutions continuously monitor networks, detect threats, and provide real-time alerts. They enhance proactive response by identifying suspicious activities early, allowing organisations to take preventive action before incidents escalate. [27:50] What role do Information Governance consultants play in reducing cyber risk? – : Information Governance (IG) consultants specialise in helping organisation define their Information Governance Strategy encompassing data security and defining compliance policies.. They support organisations in defining: · Data Classification: Identifying Sensitive and PII data and categorising based on their confidentiality or regulatory requirements. · Retention Policies: Defining policies on retention period of records and method of disposition aligned with compliance requirements. · Legal Holds: Ensuring necessary data is preserved for potential litigation, internal investigation or as part of audit process. · Privacy Compliance: Aligning with regulations such as GDPR, DP, DPA, CCPA. [33:30] What are Jack's top tips that the listeners can take away from this podcast session and implement today to begin mitigating their risk? – : Unfortunately mitigating cyber risk isn't a one-size-fits-all response, however I like seeing cyber risk as 3 buckets, that businesses should be aware of and measure their organisation against: Technology & Infrastructure – outdated systems, unpatched software and not fit for purpose IT infrastructure pose risks. These types of vulnerabilities are exploited by attackers, leading to data breaches, malware infections and system disruptions. So, making sure that your technology and infrastructure is fit for purpose, and up to date is a key takeaway. We spoke about Managed Detection and Response solutions earlier in the session, which is a great, cost effective way of adding an additional layer of technology security. Human Factor – for me, this is the number 1 frailty to a business. Business Email Compromise incidents increased by 67% in 2023, with Multi-Factor Authentication (MFA) being bypassed in 29% of these cases. Over recent years, cybersecurity awareness has been the aim of the game. However it is crucial that, as our understanding progresses, we switch our focus to fostering a culture of cybersecurity responsibility among colleagues and employees. Ensuring that your people are aware of cyber incident (perhaps listening to this podcast), and their role in mitigating the risks associated to a cyber incident are crucial in ensuring that your business is secure. Preparation – in just about all walks of life, preparation is key for preventing almost anything. We have spoken today about some of the key preparation themes I'm seeing in the industry, from Response Readiness plans, to MDR, to Incident Response Retainers. Getting sufficient Cyber Insurance coverage is of paramount importance to ensure that your business can respond effectively to an incident, should one occur. If you'd like to learn more about Epiq and how they can help you, visit their website. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
According to the ISO Survey, there's been a 82.9% increase in worldwide ISO 22301 certificates issued following 2020. Business Continuity is a must have for businesses who want to ensure long-term survivability following a disruptive event. Many turn to ISO 22301 to help put a framework in place, including today's guest – Lifelong Learner. However, what usually takes businesses a minimum of 6 months, Lifelong Learner managed to accomplish in just 4 months across an international organisation! That is no small part due to the tremendous effort of Lifelong Learner's Manager of Information Security, Governance, Risk and Compliance, Lauren Taylor. Lauren joins Mel on this weeks' episode to share her journey and explains the challenges associated with implementing a Business Continuity Management System in just 4 months. You'll learn · Who are Lifelong Learner? · Why did they decide to Implement ISO 22301? · What did they learn from implementing ISO 22301? · What was the biggest challenge with Implementation? · What are the benefits of implementing ISO 22301? Resources · Isologyhub · Lifelong Learner · PSI Testing Excellence · Talogy In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: Today Mel is joined by guest Lauren Taylor who is the Manager of Information Security, Governance, Risk and Compliance at Lifelong Learner Holdings LLC. Lifelong Learner and it's brands represent a fusion of comprehensive workforce solutions, with a human-first focus of changing lives through assessment. This includes helping people advance in educational and career aspirations, earning or maintaining licensing or certifications, or providing the tools to develop future leaders. Lauren has helped Lifelong Learner accomplish a massive milestone, and that's the implementation of the Business Continuity Standard ISO 22301 across an international organisation, which she managed to do in just 4 months! She's here to share her journey and lessons learned from implementing ISO 22301. [03:30] Not many people know this about Lauren – She had previously trained to be a mental health counsellor. [04:05] Who are Lifelong Learner LLC? – Lifelong Learner is the parent company of two subsidiaries: PSI Testing Excellence: a leading provider of assessment solutions for the licensing and certification markets, to Educational Testing Services. Talogy: A market leader in the talent management space whose core purpose is helping organizations achieve their potential. They manage the talent management side of the business. So what they'll do is they'll put together psychometric tests that help companies find the right person for the right job, and will assist with skills development. [05:00] Adding to Lifelong Learner's ISO Collection: Lifelong Learner already have an impressive ISO Library, being certified to: · ISO 9001 – Quality Management · ISO 14001 – Environmental Management · ISO 27001 – Information Security Management [05:20] What was the main driver behind obtaining ISO 22301? – The main driver, as with most companies, is usually a client contractor requirement, but business continuity has been something that we've wanted to look further into for a while, just because there's elements of ISO 27001 that cover the business continuity. While we were able to get through the audits with what we had, we just felt that it just needed a little bit more building out. Business Continuity is a requirement in part of ISO 27001, but for Stakeholders that want assurance that a business has robust business continuity plans in place, ISO 22301 is the next step. [06:10] The Implementation Timeline – In October 2023, we began with the context workshop where we could kind of get a better idea of the scope of the management system. This was followed by a number of SWOT and PESTLE workshops to help identify what the perceived risks would be. Next came the Business Impact Analysis (BIA) - So essentially what you're needing to find out from these workshops is, the core activities that each of the teams perform on the day-to-day basis. You also need to understand what their systems are that they use, if they have any dependencies, and essentially it all comes down to understanding that if the business cannot perform those activities, what would be the impact overtime if those activities were to stop. Once you have all that information, the next step was to map it across into a risk assessment, which really helps you to understand the granular risks to your business when it comes to business continuity planning. This risk assessment helped to highlight some weaknesses that we hadn't considered before, and gave us a point in the right direction as to what we needed to work on to bridge those gaps. Next was the creation and revamping of documentation inline with ISO 22301 requirements. Thankfully, due to the other ISO's we hold, we already had a lot in place. Same goes for Internal Audits, so this was more a case of integrating ISO 22301 into our existing Management System. Once we had all the documentation, we conducted a ransomware test exercise, which we also documented all the findings from. Then we were we were ready for stage 1! [09:15] What were the biggest gaps Lifelong Leaner needed to address?: Following the BIA and Risk Assessment, we were able to see where we needed response plans because business continuity is always your Plan B. So in our minds, we had an idea of what kind of response plans we would need in terms of i.e. a malware response plan, a ransomware response plan, those sorts of things. But until we actually looked at the BIA we released we needed a few more. [10:25] What difference did addressing those gaps make? – For us it was understanding the real risks to our business. We already had ISO 27001 in place, and we figured if there were to be another pandemic for example, that we'd be covered. However, it wasn't until we did those exercises did we realise that there was a lot we could improve on. [13:25] What did Lauren learn from Implementing ISO 22301? – How much people underestimate the importance of a good business impact analysis. After going through this in a very, very short space of time, I realised that it is actually the driving force behind a good business continuity management system. Also, it highlighted just how many people believe business continuity is just all about IT and physical security, they completely loft out the human element. An example of this is having a single point of failure, which is where if somebody left there would be a gap. [14:40] What benefits have Lifelong Learner experienced since implementing ISO 22301? – Lauren has noticed that more clients are requesting to see their Business Continuity Plans. It's helped with the introduction of the latest ISO 27001:2022 controls – as these too also focus on elements of business continuity. [15:50] Lauren's top tips for implementing ISO 22301 – Definitely give yourself longer than 4 months! Logically think about how everything links together, the clauses all have purpose and flow in a logical pattern to help create a Management System. Your Management Review can be your best friend. It's your opportunity to really engage with senior management and help them understand what your risks are to the business, how your internal audit is coming along, how you manage your nonconformities and it can be all neatly wrapped up in that nice management review bow. [18:00] Lauren's book recommendation – The Matthew Perry Autobiography, Friends, Lovers and the Big Terrible Thing. [19:30] Lauren's favorite quote – “You catch more flies with honey than vinegar.” If You'd like to learn more about Lifelong Learner, check out their website. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
The deadline is looming over the horizon as October 2025 marks end of the validity of ISO 27001:2013 certificates. Have you made a start on your transition journey? If not, you really should make a start in 2024 to ensure you're all set well before that final deadline. The first step is to decide if you want to do it yourself or enlist the help of a professional consultant. For those that want to tackle it yourselves, you're in luck! As we have just the tool to help: The ISO 27001:2022 Transition Gameplan. In this weeks' episode, Steph Churchman, Communications Manager at Blackmores, explains why you need to transition to the 2022 version of the Standard and outlines the 7-step ISO 27001:2022 Transition Gameplan available on the isologyhub. You'll learn · Why do you need to transition to ISO 27001:2022? · What happens if you don't transition? · What is the ISO 27001:2022 Transition Gameplan? · An overview of the 7-step Gameplan Resources · Isologyhub · ISO 27001 Transition Gameplan In this episode, we talk about: [00:25] A different host – Steph Churchman, Communications Manager at Blackmores, steps in to cover today's episode. She's heavily involved with the development and updating of the isologyhub, and will be explaining one of the latest Gameplan's: The ISO 27001:2022 Transition Gameplan [01:15] Why do you need to transition to ISO 27001:2022? The October 2025 deadline is fast approaching, so you really should be making a start in 2024 if you've not already. [01:45] Who needs to transition to ISO 27001:2022? – Basically, anyone who is currently certified under ISO 27001:2013 will have to transition to the updated Standard. One of the main reasons why we recommend getting a head start on this is , Certification Bodies will undoubtedly have a large demand for transition audits in 2025, when everyone's rushing to get it done last minute. This results in a shortage of resources from the CB's, and you may end up struggling to get booked in time. [02:35] What happens if you don't transition in time? – The harsh truth is you will lose your ISO 27001 certification. This then means you'll be required to go through another Stage 1 and 2 Assessment against the latest version of ISO 27001, which can be costly. Another key reason is the latest version of ISO 27001 also considers a lot of new technologies that weren't around back when the last version was published. You can imagine now that there are a lot more cybersecurity risks to consider with all the latest technology that has been released in that time. Put simply, it's for the benefit of your Information Security to ensure you are adhering to the most recent best practice Standards. [03:40] What is the ISO 27001:2022 Transition Gameplan? This Gameplan will walk you through the stages of transition, which align to our proven isology® approach. Isology being our methodology for implementing any ISO Standard, based on our 18+ years of experience. In this Gameplan we provide training videos on the changes to ISO 27001, along with specific training videos covering each of the new Annex A controls that you will need to be familiar with, along with templates and workbooks to take you through the process from beginning to end. [04:20] Step 1: Plan – Before you begin on your journey, it's advised to understand the main changes to the standard. We've summarised the high-level changes in a previous podcast, and included a quick summary in the first step of the Gameplan. In this first step, you'll also find guidance on how to prepare for your Certification Body visit. You really do need to do this early on to help establish a realistic timeline to complete your transition work. [04:55] Step 2: Discover – At this stage, you need to get to grips with the changes to the Standard. There have been a number of controls changed, and 11 completely new ones added. We did cover a select few of these new controls in a few previous podcasts: #111, #112, #113, #114 In this Discover step we provide a number of awareness videos to explore these new controls and changes in detail, including how they may apply to your business. We've also included a downloadable PDF guide to these changes, in case you'd like to share this information internally. [05:40] Step 3: Expose - In this step we've included an ISO 27001:2022 transition workbook, which will act as a guide for all your transition activities. The first being the conducting of a Gap Analysis against the latest version of the Standard. After completing this, you will have a much better idea of where your main gaps and vulnerabilities are, so you can start putting the necessary controls in place to ensure compliance with ISO 27001:2022. We've also included a summary of the main Management System documentation that will need to be updated ahead of your transition visit. [06:20] Step 4: Create - This is the step where you will be implementing those changes as a result of your Gap Analysis. This will also be guided by that workbook, and we have provided some additional templates and resources to aid you. These include: · A Statement of Applicability Template · Annex A Control Mapping · ISO 27001 Management Review Template [07:15] Step 5: Launch – It's not just about updating your documentation, you will obviously need to communicate these changes to the wider business. In this step we go over a few options for your launch plan – including guidance for both a soft launch and an all-in launch. To help you decide which one would be the best fit for you, we've included a full summary of each method in addition to a pro's and con's list for each. [08:30] Step 6: Engage – The last stages are all about gathering evidence of compliance against new and updated clauses and controls. In this step we provide some insight into what's required from your Internal Audits and Management Review ahead of your transition visit. If you wanted to get some more tips on carrying out internal Audits within your business – we also offer a full Internal Auditor course on the hub that covers the core skills needed to complete those. If you become a member of the hub, you'll get access to our whole library of resources – which includes a wealth of ISO related tools, templates and training videos. [09:20] Step 7: Review – This last step will help you prepare for the transition visit with your certification body. We touch on what you should expect from your Certification Body ahead of the transition visit, and include guidance on carrying out a final Document and evidence check to make sure you're all good to go. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
This week Ryan and Shannon are on a well-deserved break. Please tune in all week to listen to our Top 5 downloaded episodes. Here is our fifth-most downloaded show: On this week's episode of Ask A CISSP, we have an interview with Daryl Brooks! Please LISTEN
With a growing number of threats and risks facing businesses every day, it's never been more crucial to have a proper system in place to mitigate and manage issues when they crop up. A variety of ISO Standards can help businesses to do just that! And we're seeing an ever-increasing trend of requests for Integrated Management Systems, which combine multiple ISO certifications to cover every aspect of their business. Such is the case with today's guest, Todd Research. Todd Research have been in the business of designing, manufacturing and supplying X-ray scanners for 70 years. They have since expanded their product range to include other solutions, all designed to detect suspect devices. We're joined by Caroline Banks, Support Manager at Todd Research, to learn about why they decided to implement ISO 9001 (Quality Management) and ISO 27001 (Information Security), including an insight into their experience with our ISO 14001 coaching programme, hosted on the isologyhub. You'll learn ● Who are Todd Research? ● Why did they choose to Implement ISO 9001 and ISO 27001? ● What challenges did they face? ● The benefits of ISO 9001 and ISO 27001 ● Their experience with our ISO 14001 coaching Programme Resources ● Todd Research ● isologyhub ● ISO 9001 ● ISO 27001 In this episode, we talk about: [00:37] An introduction to Todd Research and Caroline Banks' role as Support Manager there. [01:20] What is something not many people know about Caroline? She's taken up running and started with the couch to 5K. She later completed a half-marathon in the same year, and has since gone on to finish 21 more half-marathons and 2 full ones! [02:27] Who are Todd Research? They were founded in 1950, designing, manufacturing and supplying X-ray scanning equipment. They also provide service and maintenance for their devices worldwide. [03:11] What Standards are they certified to? ISO 9001 (Quality Management, inherited from a previous company) and ISO 27001 (Information Security Management) [03:48] What was the main driver for achieving ISO 9001 and ISO 27001? – For ISO 9001 – As a manufacturing company, they want to ensure that they can provide the best quality in terms of product and service. For ISO 27001 – This was more sales driven and was being requested in a lot of tenders, particularly Government tenders. [04:35] How did Caroline manage an inherited Quality Management System? – Caroline completely revamped the inherited Management System, making it their own and adapting it to suit how they currently run their business. It involved a lot of review and removal of unnecessary documentation, with the end result of streamlining the whole system. They also appreciated a 3rd party coming into review and assist with the process. After moving to a new premises, they are still continually Improving system year on year. [06:25] How long did it take to achieve certification to ISO 27001? – They started in April 2021 with a Gap Analysis and gained certification in September 2021 (6 months in total). As they already held ISO 9001, they made the decision early on to integrate the two Standards into a Business Management System. [07:50] What was the biggest gap found after the initial ISO 27001 Gap Analysis? – The biggest challenge for Todd Research was carrying out the Risks Assessments. Getting Directors involved in the review of Standards and agreeing what risks applied to them took the most time in the early stages. [09:00] Caroline's experience with ISO 27001 – While she had experience with ISO 9001, ISO 27001 was a whole new ball game. There are a lot of risks associated with Information Security including, phishing, malware, risks to hardware ect. This was all new territory for Caroline, but she adapted and learned a lot along the way. [09:50] What difference has the Management System made to the business? – It's unique to them and their way of working, especially as a result of integrating the two Standards into a single Management System. The whole process gave them a chance to look at the business with a new perspective, which in turn helped them to streamline a lot of processes. [10:20] What lessons have they learned from Implementing ISO 9001 and ISO 27001? – Caroline now has a better understanding of how the business works from all angles, from manufacturing to finance. Her experience with having Blackmore assist with Internal Audits highlighted the need and importance of impartiality. [11:20] What are the main benefits? – For them, it's having an Integrated Management System, as a lot of aspects of various ISO Standards share similarities, and it just makes sense to combine them to save on doubling up on documented information. Caroline also highlights the Corrective Actions Log as her key tool for managing actions following on from Internal Audits, allowing for a proactive approach for business improvement on a weekly basis. [12:50] What is the ENE / ISO 14001 Coaching programme? – Blackmores secured some European funding to support 7 businesses in the East of England to raise awareness of environmental issues and implement some practical tools for Environmental Management. We opted for an ISO 14001 focus and utilized our online membership portal, the isologyhub, as the host with additional coaching from one of our experienced consultants. [13:25] What was Caroline's experience with the isologyhub and the ISO 14001 coaching programme – Todd Research made the decision early on not to go for ISO 14001 certification. The experience gave Caroline a good insight into what the requirements are for the Environmental Management Standard in preparation for potentially certifying in future. Caroline highlights the wealth of information available in the hub, including documentation which supplemented the coaching sessions. Her 1-2-1 coaching sessions resulted in deeper analysis of what their business can act on to improve their impact, for example putting in place a scrap metal policy for X-ray scanners and equipment that needs to be disposed of. They have also streamlined their Engineer's service visits, by making the most of them while in any given area to reduce the carbon impact of travel. [17:00] What was the most useful resource in the isologyhub? – The training provided for carrying out Risk Assessments, with a focus on their environmental risks. [18:05] What was the main benefit of achieving certification to ISO 9001 and ISO 27001? – Having both standards sets them aside from their competitors, as many have ISO 9001 but not many have ISO 27001. It also brings a sense of continuity to the business. [18:55] Caroline's top tips – Use an independent company (such as Blackmores) to assist with Implementation. Having a helping experienced hand will make the journey run a lot more smoothly and will give you piece of mind, especially as you have your own day job to worry about! [19:30] A reminder that the ISO 27001 Transition Gameplan is available on the isologyhub – ISO 27001 recently updated, and those certified with need to update to the latest 2022 version of the Standard. Our Transition Gameplan will guide you through the changes and what needs to be done to update your Management System. [21:17] Caroline's book recommendation – ‘Menopausing' by Davina McCall [22:17] Caroline's favorite quote – ‘It's not so much that I began to run, it's that I continued' You can find out more about Todd Research via their website! We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
On this week's episode of Ask A CISSP, we have an interview with Daryl Brooks! Please LISTEN
In this episode of CHATTINN CYBER, Marc Schein interviews Nadav Aharon-Nov, VP of Cybersecurity at R-MOR, Israel. He is experienced in Organizational and Regulatory Compliance, Information Security Management, Auditing and Governance, among many other areas of cyber risk management. During the conversation, Nadav shares getting into cybersecurity, leading a cybersecurity firm in Israel, the differences and similarities of the threats observed in Israel and America, the importance of investing in internal systems for any company, and how to mitigate cyber risks by thinking from the point of view of the attacker. Nadav explains that due to the constant cyber-attacks faced by Israel, the country has learned to be creative on the cybersecurity front. They're always thinking outside the box to figure out ways to keep their civilian life safe. The majority of the threats faced by the companies in Israel is due to ransomware attacks. Cybersecurity firms like his' continually level up their attempts to study the attacking group's moves and intelligence and try to get them from the inside without them knowing. He also talks about the importance of assessing a business' infrastructure from the outside – from the viewpoint of the attackers or hackers. While internal assessments are fairly common, external assessments could give a firm a competitive edge. Another critical piece of information shared is about automation. Attacking groups tend to use more manpower and less automation to analyze issues and make decisions quickly. The present times have highlighted the importance of cybersecurity more than ever. Working from home, with not more than a VPN connection as security, the security offered by office spaces is quashed. Nadav explains that his company offers two unique departments – web analytics and cybersecurity to create a strategic platform that collects information from all three layers of the web to understand the hacker's perspective, security gaps in the existing technologies and products, and to assess a company's internal infrastructure thoroughly. A company must invest in their internal systems more than anything else, especially in today's times. Tune in to the episode now! Highlights: “There's a big blind spot when it comes to businesses, seeing their infrastructure from the outside in. So they're usually looking from the inside out, doing internal assessments, (...) they're forgetting about the other point of view. And that is the external point of view – how a criminal or a hacker or someone with malicious intent looks from the outside-in.” “The problem is you have nothing to secure yourself at home other than a VPN connection. And most of the infrastructure at your house is either a simple modem, no firewalls, no true security on your endpoints, and everything is very exposed. So the comfort that you had in your infrastructure back at the office is literally smashed and you have nothing to get home.” “(Every company) needs to invest in internal systems, because the criminal could be either from the outside (or) from the inside. Everyone could have criminal intentions when it comes to manipulating data, stealing data.” Time-Stamps: [02:19] - The threats faced by Israel vs. America in cybersecurity [03:23] - How Nadav got into cybersecurity [05:24] - How COVID has caused a rise in the need for cybersecurity [10:19] - Where should a company invest more to mitigate cyber risks (other than cybersecurity teams)? Connect with Nadav Website: https://www.linkedin.com/in/nadav-aharon-nov-62a8b5a/?originalSubdomain=il
InfosecTrain hosts a live event entitled “Cybersecurity Foundation Course” with certified experts Mr. Sanyam. Thank you for watching this video, For more details or free demo with our expert write into us at sales@infosectrain.com ➡️ Agenda for the Webinar ✑ Day 28 – Basic Cloud Computing
Anyone with a current ISO 27001:2013 certificate will be required to update and add certain elements in their existing Information Security Management System to ensure compliance to ISO 27001:2022 ahead of the October 2025 deadline. Over the past few weeks, our mini-series has covered the fundamental changes to the Standard, along with tips on how to plan and Implement the required updates. Join Mel this week as she explains the final few stages of an ISO 27001 transition, including the Internal Auditing and final preparation ahead of a Certification Body visit. You'll learn ● What needs to be audited? ● What do I need to do to prepare for the Certification Body visit? ● How can you get a free copy of ISO 27001:2022? Resources ● Isologyhub ● ISO 27001 Transition Programme ● What you need to know to transition to ISO 27001:2022 In this episode, we talk about: [00:44] Catch up on the last two episodes before listening to this one: What you need to know to transition to ISO 27001:2022 / What changes need to be Implemented to transition to ISO 27001:2022 [01:00] The last stages are all about gathering evidence of compliance against new and updated clauses and controls [01:28] Make sure you plan your transition visit well in advance – If you leave it too late you may incur additional fees for more days or possibly even for a full certification if you miss the deadline. [02:15] This process for transition is fairly consistent among Certification Bodies. It typically includes a Readiness Review and a transition visit where they will review evidence of compliance against the new controls. [02:45] You can get a free copy if you sign up to our Transition Programme by April 1st 2023) [02:55] The last stage ahead of the transition visit is Internal Auditing. For those still planning their 2023 Internal Audits, you may wish to Implement the changes earlier in the year with a view to audit the changes in the later half of 2023. Ensure that you allow time to build evidence of compliance ahead of a transition visit. [03:45] If you need a bit of extra help, we include Internal Auditing within our transition programme – this will typically take 1 day. [04:30] We can also support you during your transition visit – this could be on-line or on-site, which would depend on your Certification Bodies preference. [05:20] Currently many Certification Bodies are suggesting a half day for the Readiness Review and another day for the transition. Some may choose to include this transition as a part of their annual Surveillance visit to help save on costs. If you have a Surveillance coming up, it's worth getting in contact with them to see what they would recommend regarding your transition. [05:43] We advise that you also ask your Certification Body, when they will be UKAS accredited for ISO 27001:2022 – they may not be ready complete a transition visit until the later half of 2023. [06:35] For our global listeners, your Certification Body will have an Accreditation Body that needs to verify their ability to conduct transition visits. For the UK this is UKAS, but it may differ for other countries. [07:15] Don't leave this until last minute! Based on previous experience with transitions, we've found companies that leave it until a few months before the deadline often can't transition in time, and end up having to pay up for a full Stage 1 and 2 Assessment in order to keep their certification. Grab a copy of our ISO 27001:2022 Guideline to the changes here We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
In this edition of the podcast, Benjamin Corll, Chief Information Security Officer at Coats joins Matthew Davies, VP of Product at SureCloud to discuss his approach to cybersecurity and to running an information security team. He explains his approach to handling the many challenges that his busy and demanding role involves.
APMG International presents our popular weekly panel Q&A show. Level Up your Cyber Resilience with the host: Nick Houlton and Question Master: Charlotte Miller. Answering your questions are panellists: Gary Hibberd, Sarbojit Bose, Nigel Mercer, Darren Conway and Lynnette Kelly. An opportunity to have your real-life questions answered, driving the panel discussion before moving on to the focus topic on Data Protection and Data Privacy by Darren Conway.
During this episode, LTC Erica Mitchell discusses the Army Cyber Institute’s Jack Voltaic (JV) project, which studies response gaps alongside assembled partners to identify interdependencies among critical infrastructure sectors, provide recommendations, and prevent strategic surprise. JV provides an innovative, bottom‐up approach to critical infrastructure resilience in two unique ways. Whereas most federal efforts to improve resiliency focus on regional or multistate emergency response, JV focuses on cities and municipalities where critical infrastructure and populations are most heavily populated. Furthermore, JV deviates from other cybersecurity and national preparedness exercises in that it builds around areas of interest nominated by the participants. Although JV events include national-level capabilities and resources, they are conceptually driven by the concerns of the cities and their infrastructure partners. Through this approach, the Department of Defense is able to harvest insights about potential roles, dependencies, partners, and support requests, while cities are able to discover potential capability gaps and expand their critical infrastructure information-sharing networks before a potential disaster strikes. The flexible JV platform is capable of including information operations scenarios, as well. Link to full show notes and resources Bio: Lieutenant Colonel Erica Mitchell is the Critical Infrastructure and Key Resources (CIKR) Research Group Chief for the Army Cyber Institute and Assistant Professor in the Electrical Engineering and Computer Science Department at the United States Military Academy (USMA) at West Point. She graduated from West Point with a B.S. in American Legal Systems, was commissioned as a Signal Corps officer, and later transitioned to an Information Systems Management Officer (FA26B). She attended Syracuse University, where she earned an M.S. in Information Systems Management, C.A.S. in Information Security Management, and PhD in Information Science and Technology. Her military service includes serving at increasing levels of responsibility starting at the tactical level as a platoon leader, up to and including project management on DoD-level enterprise technology programs. She has authored and co-authored several conference papers and a journal article. Her main research focus at ACI is critical infrastructure resilience. She is a member of ACM and ISC2 and maintains the CISSP certification. IPA is a non-profit organization dedicated to exploring the role of information activities, such as influence and cognitive security, within the national security sector and helping to bridge the divide between operations and research. Its goal is to increase interdisciplinary collaboration between scholars and practitioners and policymakers with an interest in this domain. For more information, please contact us at communications@information-professionals.org. Or, connect directly with The Cognitive Crucible podcast host, John Bicknell, on LinkedIn.
This episode is sponsored by CORE. How do you ensure emotional agility with your team? Click hereScott Augenbaum - Connect with Scott on LinkedIn!After joining the Federal Bureau of Investigation (FBI) in the New York Field Office in 1988 as a support employee, Scott Augenbaum became a Special Agent in 1994 and was assigned to the Syracuse, New York Office, where he worked domestic terrorism, white collar and hate crimes, and all computer crime investigations. In October 2003, Agent Augenbaum was promoted to Supervisory Special Agent at FBI Headquarters, Washington D.C in the Cyber Division, Cyber Crime Fraud Unit and was responsible for managing the FBI's Cyber Task Force Program and Intellectual Property Rights Program. In 2006, Mr. Augenbaum transferred to Nashville, TN and managed the FBI Memphis Division Computer Intrusion/Counterintelligence Squad in Nashville, TN.Over the past ten years, Retired Special Agent Scott Augenbaum has had the opportunity to provide hundreds of computer intrusion threat briefings with the goal of educating the community on emerging computer intrusion threats and how to not to be the victim of a data breach.Scott earned an MBA at American Sentinel University in Information Technology and a Masters Certificate in Information Security Management from Villanova University in addition to holding numerous General Information Assurance Certifications.Website: https://www.scotteaugenbaum.com/ This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit debcrowe.substack.com
Today, we're joined by the Director of Corporate Assurance at Totally PLC, Falu Bharmal. Falu plays a key role in working with NHS England and has in-depth knowledge and understanding of ISO implementation, Legal Policy relating to corporate governance, health and safety, and integrated Risk Management. He has extensive experience in establishing new corporate governance structures, systems, and processes to ensure organizations are fit for purpose. Today, Falu is here to discuss ISO 27001 (Information Security Management), and why it's so important to have consistent practices throughout a company. Falu explains how he's able to implement new ISO's so effectively and some of the biggest improvements ISO 27001 has allowed him to make. We talk about how best you can prepare before implementing a new standard, and how ISO's can help systemise your way of working across a company. Website: Mobile phone: Email: You'll learn The benefits of working as a group with consistent practices throughout a company. How to effectively prepare for and implement new standards. How ISO 27001 is used as a best practice mechanism. How implementing standards can help to systemise the ways of working across a company. How many people you need to be involved with the implementation of new standards. Resources Blackmores Totally PLC In this episode, we talk about: [00:29] The services Totally PLC supplies and how they support the NHS and reduce A&E waiting times. [03:30] The different divisions that makeup Totally PLC. [05:36] The ways Falu as Director of Corporate Assurance is involved with ISO implementations. [06:34] How Falu implements ISO standards effectively. [07:21] How ISO 27001 is used as a best practice mechanism for Totally PLC. [08:20] Some of the biggest improvements Falu's made through using ISO 27001. [09:25] How ISO standards help to systemise ways of working across a company. [10:14] The different roles Totally PLC has dedicated to ISO implementation. [12:18] The best things you can do before implementing a new standard. [13:46] The extra pressures Totally PLC has faced due to the pandemic, and the new opportunities this has brought. If you need assistance with implementing ISO 27001 – Contact us! We'd love to hear your views and comments about the ISO Show, here's how: Share the ISO Show on Twitter or Linkedin Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud
Beskrivelse:I episode 1 introduserer jeg og Karim vårt minimum baseline security program og forklarer hvorfor vi har etablert denne serien. Vi tar også for oss første domene i programmet, Information Security Management. I episoden dekker vi blant annet Information Security Management System, ansvar og roller, policyer, standarder, rutiner, risikovurdering, risikoapetitt, med mer. Level: 100 Overordnet
Six years ago Scott Augenbaum discovered the medium of podcasts. The first show he ever downloaded was "Cool Things Entrepreneurs Do" (now "Making Waves at C-Level") and he was hooked. He later reached out to the host, Thom Singer, to talk more about what he was learning. Thom invited Scott on the show to talk about Cyber Security, and they became friends. Over the years Scott has retired from the FBI and has become a professional speaker and author. He reinvented himself at age 50 and is now living a new life educating people about how to stay safe online. He gives credit to this podcast and Thom for inspiring his journey. For episode 606 Thom has invited Scott Augenbaum back on the show to share his journey (and to talk a little bit about cyber security). About Scott Augenbaum After joining the Federal Bureau of Investigation (FBI) in the New York Field Office in 1988 as a support employee, Scott Augenbaum became a Special Agent in 1994 and was assigned to the Syracuse, New York Office, where he worked domestic terrorism, white collar and hate crimes, and all computer crime investigations. In October 2003, Agent Augenbaum was promoted to Supervisory Special Agent at FBI Headquarters, Washington D.C in the Cyber Division, Cyber Crime Fraud Unit and was responsible for managing the FBI’s Cyber Task Force Program and Intellectual Property Rights Program. In 2006, Mr. Augenbaum transferred to Nashville, TN and managed the FBI Memphis Division Computer Intrusion/Counterintelligence Squad in Nashville, TN. Over the past ten years, Retired Special Agent Scott Augenbaum has had the opportunity to provide hundreds of computer intrusion threat briefings with the goal of educating the community on emerging computer intrusion threats and how to not to be the victim of a data breach. Scott earned an MBA at American Sentinel University in Information Technology and a Masters Certificate in Information Security Management from Villanova University in addition to holding numerous General Information Assurance Certifications. Email Scott at saugenbaum@gmail.com to get his free chapters and other handouts about cyber security. https://www.thomsinger.com/podcast/scott-augenbaum2
What are the controls in ISO 27001 Infomation Security Management System? Further your learning: E-Learning Workshops Playlist - https://www.youtube.com/playlist?list... Free ISO 27001 Checklist - https://bit.ly/2EIFAHf ISO 27001 Course - https://www.bestpracticeeducation.com... Best Practice Training Academy - https://www.bestpracticeeducation.com... What this video helpful? Let us know in the comments below if you have any other questions and we will help you! Kobi's Linkedin - https://www.linkedin.com/in/kobisimmat/ Kobi's Instagram - https://www.instagram.com/kobisimmat/ ISO IEC 27001:2013 is an internationally recognized Information Security Management System (ISMS) standard. ISO 27001 is the framework for the requirements to manage your organization's information security risks. ISO IEC 27001:2013 Information Security Management standard, when implemented, is a strategic activity that preserves the confidentiality, integrity and availability of information by applying risk management processes to adequately manage threats. It is the most recognized information security standard in the world. It is applicable to organizations of all sizes and industries, regardless of the products and services it offers. We are JAS-ANZ accredited to provide certification to this standard.
Today I will discuss: 1. What is the requirement of FISMA? 2. How FISMA is helping different Federal departments? 3. What are the main features of FISMA? Watch
Kobi Simmat, CEO of Bestpractice.Biz talks about ISO27001, Information Security Management System Follow and subscribe to: Best Practice Website: https://goo.gl/uJTioQ Facebook: https://goo.gl/VOJfKZ LinkedIn: https://goo.gl/dZmlTr Youtube: https://goo.gl/8SVD9E Instagram: @bestpractice.biz TikTok: bestpracticebiz
The latest Federal Information Security Management Act report Suzette Kent, U.S. Chief Information Officer, and Grant Schneider, U.S. Chief Information Security Officer, discuss the latest FISMA report showing improvement in agency risk management Updates from the Federal Acquisition Service Julie Dunne, Commissioner of the Federal Acquisition Service at GSA, outlines how the Federal Acquisition Service is helping its customer agencies reopen USAID’s new digital strategy Bonnie Glick, Deputy Administrator of the United States Agency for International Development, describes USAID’s new strategy for making digital technology central to its humanitarian assistance
I have known Mark Carbrey for over 20 years, from my first job in the software development industry. One fateful day I asked to audit a class he was teaching and our paths have been intertwined ever since. We have worked together, helped one another with projects, and both learned a lot along the way. Mark has worked leading software development teams and organizations up to the CTO/CIO level, has helped companies improve quality, figuring out how to pass audits, and facilitate acquisitions. Topics include "What is it like having hundreds of people trying to sell to you?" and "Why are security audits becoming harder and more commonplace?" ISO 27001: Information Security Management https://www.iso.org/isoiec-27001-information-security.html Cyber Hygiene: https://digitalguardian.com/blog/what-cyber-hygiene-definition-cyber-hygiene-benefits-best-practices-and-more Yes, it's all about the PowerPoint: https://business.tutsplus.com/tutorials/how-to-learn-powerpoint--cms-29884 Mark on LinkedIn: https://www.linkedin.com/in/mark-carbrey-6a7672/ Tasty Bytes BBQ: http://tastybytesbbq.com
After a series of recent high profile information security breach incidents, the role of Chief Information Officers, particularly their role in information security risk management, has been in a heated debate among practitioners. However, little is known in academic literature about how a CIOs' risk aversion level affects the effectiveness of information security management. Using reported information security breach incidents during 2003-2015, this study examines how a CIO's risk aversion level is associated to the possibility of information security incidents. In addition, we investigate the moderating effect of CEOs' risk aversion level and whether the CIO is on the board on the aforementioned effect. Our preliminary results show that a CIO's risk aversion level is significantly associated with a lower likelihood of information security breaches. We further document that such association varies depending on types of security breaches. About the speaker: Tawei (David) Wang is currently an Assistant Professor at DePaul University. He received his Ph.D. from Krannert Graduate School of Management, Purdue University. Before joining DePaul University, he was a faculty member at the University of Hawaii at Manoa and National Taiwan University. His research interests are IT management and information security management. His papers have appeared in several leading journals, including Information Systems Research, Decision Support Systems, European Journal of Information Systems, Information and Management, Information Systems Journal, Journal of Accounting and Public Policy, Journal of Banking and Finance, Journal of Information Systems, Journal of Organizational Computing and Electronic Commerce, among others.
After a series of recent high profile information security breach incidents, the role of Chief Information Officers, particularly their role in information security risk management, has been in a heated debate among practitioners. However, little is known in academic literature about how a CIOs’ risk aversion level affects the effectiveness of information security management. Using reported information security breach incidents during 2003-2015, this study examines how a CIO’s risk aversion level is associated to the possibility of information security incidents. In addition, we investigate the moderating effect of CEOs’ risk aversion level and whether the CIO is on the board on the aforementioned effect. Our preliminary results show that a CIO’s risk aversion level is significantly associated with a lower likelihood of information security breaches. We further document that such association varies depending on types of security breaches.
In a video release, an anonymous voice says it will destroy Facebook on November 5 of this year. Bennet talks about that with Information Security Management expert Stan Stahl, PhD. Stan Stahl, PhD. Bennet welcomes returning guest Berin Szoka, the President and founder of TechFreedom.
As information assets have become a critical factor for enterprises to stay competitive, there is an increasing awareness of information security management. However, they are easily overlooked by those who focus only on the IT side, failing to see that human resources and policies are the most likely cause of information risks, which need to become real enterprise-wide and strategic issues. This paper examines the impacts of an IT executive's structural status in Top Management Teams (TMTs) on information security risk management. E-Business has made it imperative for IT executives to adopt cross-functional roles due to the increased importance of securing and managing risks to information assets across the enterprise. Therefore, IT executive representation and status in a TMT is necessary to strategically and operationally conduct liaison activities between IT groups and other business units. However, there is little empirical research examining the effects of IT executives' structural status on managing information security risks. We employ logistical regression to examine the data from 2003 to 2008 with information security breach reports and executive compensation data. We augment this data with IT internal controls information provided by external auditors. Our results demonstrate high IT executive engagement and fair compensation are associated with reduced levels of both IT internal controls weaknesses and reported information security breaches. Second, we find that pay dispersion in a TMT increases the probability of information security breaches, while IT executive turnover is not significantly associated with breaches. As a comprehensive analysis across the accounting, human resources, and information systems literature, this study gives firms new insights into how they set IT executive compensation strategies as well as delegate authority and responsibility for ensuring confidentiality, integrity, and availability of information assets. About the speaker: Juhee Kwon is currently a Ph.D. candidate of Management Information Systems at Krannert School of Management, Purdue University. Her primary research interests cover Information Security and Privacy. Although the primary interest is in information security, her research interest spans e-Commerce, Accounting Information Systems, and Telecommunication with cross-selling.
As information assets have become a critical factor for enterprises to stay competitive, there is an increasing awareness of information security management. However, they are easily overlooked by those who focus only on the IT side, failing to see that human resources and policies are the most likely cause of information risks, which need to become real enterprise-wide and strategic issues. This paper examines the impacts of an IT executive’s structural status in Top Management Teams (TMTs) on information security risk management. E-Business has made it imperative for IT executives to adopt cross-functional roles due to the increased importance of securing and managing risks to information assets across the enterprise. Therefore, IT executive representation and status in a TMT is necessary to strategically and operationally conduct liaison activities between IT groups and other business units. However, there is little empirical research examining the effects of IT executives’ structural status on managing information security risks. We employ logistical regression to examine the data from 2003 to 2008 with information security breach reports and executive compensation data. We augment this data with IT internal controls information provided by external auditors. Our results demonstrate high IT executive engagement and fair compensation are associated with reduced levels of both IT internal controls weaknesses and reported information security breaches. Second, we find that pay dispersion in a TMT increases the probability of information security breaches, while IT executive turnover is not significantly associated with breaches. As a comprehensive analysis across the accounting, human resources, and information systems literature, this study gives firms new insights into how they set IT executive compensation strategies as well as delegate authority and responsibility for ensuring confidentiality, integrity, and availability of information assets.
![Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.](https://ivyfm.s3.amazonaws.com/i320/593911.jpg)
Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.
2007 held numerous watershed events for the security industry. Innovation is needed and the money is there. Come to this session and meet the VCs actively investing in security, web, and mobile applications. Learn how VCs see the future, what they are looking for, and how best to utilize them to further your innovations. This session will conclude with a announcement about the Black Hat/DEFCON Open, a business plan competition focused on innovations in security; winners will be announced at Black Hat 2008 and DEFCON 16. Brad Stone, New York Times technology correspondent Brad Stone joined the New York Times in December 2006. He covers Internet trends from the newspapers San Francisco bureau. In addition to writing for the paper, he contributes to the Times technology blog, Bits. >From 1998 to November 2006, Stone served as the Silicon Valley Correspondent for Newsweek magazine, writing for the technology and business sections of the magazine and authoring a regular column, Plain Text, on our evolving digital lifestyles. He joined the Newsweek writing staff in 1996 as a general assignment reporter and covered a wide range of subjects. He wrote about Mark McGwire's home run chase during the summer of 1998, the jury deliberations in the Timothy McVeigh trial, and profiled authors such as Kurt Vonnegut. He is also a frequent contributor to Wired magazine, and has written for publications such as More magazine and the Sunday Telegraph in London. Brad graduated from Columbia University in 1993 and is originally from Cleveland, Ohio. Patrick Chung, Partner, NEA Patrick joined NEA as an Associate in 2004 and became Partner in 2007. Patrick focuses on venture growth equity, consumer, Internet, and mobile investments. He is a director of Loopt and Realtime Worlds, and is actively involved with 23andMe, Xoom and the firm's venture growth activities. Prior to joining NEA, Patrick helped to grow ZEFER, an Internet services firm (acquired by NEC) to more than $100 million in annual revenues and more than 700 people across six global offices. The company attracted over $100 million in venture capital financing. Prior to ZEFER, Patrick was with McKinsey & Company, where he specialized in hardware, software, and services companies. Patrick received a joint JD-MBA degree from Harvard Law School and Harvard Business School, where he was the only candidate in his year to earn honors at both. He also served as an Editor of the Harvard Law Review. Patrick was one of only nine Canadian citizens to be elected a Commonwealth Scholar to study at Oxford University, where he earned a Master of Science degree and won both class prizes for Best Dissertation and Best Overall Performance. Patrick earned his A.B. degree at Harvard University in Environmental Science. He is a member of the New York and Massachusettsbars. Maria Cirino, Co-Founder and Managing Director, .406 Ventures Maria is co-founder and managing director of .406 Ventures, a new VC firm focused on early stage investments in security, IT, and services. She serves as an active investor, director and/or chairman in one public company and four venture-backed companies including Verecode and Bit9. Maria brings 21 years of entrepreneurial, operating and senior management experience in venture-backed technology companies. Most recently, she served as an SVP of Verisign following its 2005 $142 million acquisition of Guardenta Sequoia, Charles River Ventures and NEA-backed IT security company that she co-founded and led as CEO and Chairman. In this role, Maria received several industry honors and awards, including "Ernst & Young Entrepreneur of the Year in 2003." Prior to Guardent, Maria was Senior Vice President responsible for sales and marketing at i-Cube, an IT services company, which was acquired in 1999 by Razorfish for $1.8 billion. Prior to Razorfish, she was responsible for North American sales at Shiva, the category creating network infrastructure company from 1993 to 1997. Mark McGovern, Tech Lead, In-Q-Tel Mark McGovern leads the communications and infrastructure practice for In-Q-Tel, the strategic investment firm that supports the U.S. Intelligence Community. He has extensive experience developing, securing and deploying data systems. Prior to joining In-Q-Tel, Mr. McGovern was Director of Technology for Cigital Inc. He led Cigital's software security group and supported a Fortune 100 clientele that included Microsoft, MasterCard International, CitiBank, Symantec, CheckFree, the UK National Lottery and the Federal Reserve Banks of Richmond, New York and Boston. Earlier in his career, Mr. McGovern worked for the Central Intelligence Agency. Mr. McGovern holds a B.S. in Electrical Engineering from Worcester Polytechnic Institute and an M.S. in Systems Engineering from Virginia Polytechnic Institute. Dov Yoran is a Partner at Security Growth Partners (SGP). Prior to joining SGP, Mr. Yoran was Vice President for Strategic Alliances at Solutionary, Inc. a leading Managed Security Services Provider. He was responsible for all partnerships, global channel revenue and marketing efforts. Previously, at Symantec Corporation, Mr. Yoran managed the Services Partner Program, having global responsibility for creating, launching and managing the partner re-seller program. This program generated over 50% of Symantec Services revenue, with a partner base expanding across six continents. Mr. Yoran came to Symantec as part of the Riptech, Inc. acquisition, in a $145 Million transaction that ranked in the top 2% of all technology mergers in 2002. Riptech was the leading managed security services firm that monitored and protected its client base on a 24x7 basis. At Riptech, he spearheaded the channel strategy, marketing and sales operations, growing the reseller program to over 50% of the company's revenue. Prior to that, Mr. Yoran has worked in several technology start-ups as well as Accenture (formerly Anderson Consulting) where he focused on technolog and strategy engagements in the Financial Services Industry. Mr. Yoran has also written and lectured on several Information Security topics. He holds a Masters of Science in Engineering Management and System Engineering with a concentration in Information Security Management from the George Washington University and is a cum laude Bachelor of Science in Chemistry graduate from Tufts University.
![Black Hat Briefings, USA 2007 [Audio] Presentations from the security conference.](https://ivyfm.s3.amazonaws.com/i320/593910.jpg)
Black Hat Briefings, USA 2007 [Audio] Presentations from the security conference.
2007 held numerous watershed events for the security industry. Innovation is needed and the money is there. Come to this session and meet the VCs actively investing in security, web, and mobile applications. Learn how VCs see the future, what they are looking for, and how best to utilize them to further your innovations. This session will conclude with a announcement about the Black Hat/DEFCON Open, a business plan competition focused on innovations in security; winners will be announced at Black Hat 2008 and DEFCON 16. Brad Stone, New York Times technology correspondent Brad Stone joined the New York Times in December 2006. He covers Internet trends from the newspapers San Francisco bureau. In addition to writing for the paper, he contributes to the Times technology blog, Bits. >From 1998 to November 2006, Stone served as the Silicon Valley Correspondent for Newsweek magazine, writing for the technology and business sections of the magazine and authoring a regular column, Plain Text, on our evolving digital lifestyles. He joined the Newsweek writing staff in 1996 as a general assignment reporter and covered a wide range of subjects. He wrote about Mark McGwire's home run chase during the summer of 1998, the jury deliberations in the Timothy McVeigh trial, and profiled authors such as Kurt Vonnegut. He is also a frequent contributor to Wired magazine, and has written for publications such as More magazine and the Sunday Telegraph in London. Brad graduated from Columbia University in 1993 and is originally from Cleveland, Ohio. Patrick Chung, Partner, NEA Patrick joined NEA as an Associate in 2004 and became Partner in 2007. Patrick focuses on venture growth equity, consumer, Internet, and mobile investments. He is a director of Loopt and Realtime Worlds, and is actively involved with 23andMe, Xoom and the firm's venture growth activities. Prior to joining NEA, Patrick helped to grow ZEFER, an Internet services firm (acquired by NEC) to more than $100 million in annual revenues and more than 700 people across six global offices. The company attracted over $100 million in venture capital financing. Prior to ZEFER, Patrick was with McKinsey & Company, where he specialized in hardware, software, and services companies. Patrick received a joint JD-MBA degree from Harvard Law School and Harvard Business School, where he was the only candidate in his year to earn honors at both. He also served as an Editor of the Harvard Law Review. Patrick was one of only nine Canadian citizens to be elected a Commonwealth Scholar to study at Oxford University, where he earned a Master of Science degree and won both class prizes for Best Dissertation and Best Overall Performance. Patrick earned his A.B. degree at Harvard University in Environmental Science. He is a member of the New York and Massachusettsbars. Maria Cirino, Co-Founder and Managing Director, .406 Ventures Maria is co-founder and managing director of .406 Ventures, a new VC firm focused on early stage investments in security, IT, and services. She serves as an active investor, director and/or chairman in one public company and four venture-backed companies including Verecode and Bit9. Maria brings 21 years of entrepreneurial, operating and senior management experience in venture-backed technology companies. Most recently, she served as an SVP of Verisign following its 2005 $142 million acquisition of Guardenta Sequoia, Charles River Ventures and NEA-backed IT security company that she co-founded and led as CEO and Chairman. In this role, Maria received several industry honors and awards, including "Ernst & Young Entrepreneur of the Year in 2003." Prior to Guardent, Maria was Senior Vice President responsible for sales and marketing at i-Cube, an IT services company, which was acquired in 1999 by Razorfish for $1.8 billion. Prior to Razorfish, she was responsible for North American sales at Shiva, the category creating network infrastructure company from 1993 to 1997. Mark McGovern, Tech Lead, In-Q-Tel Mark McGovern leads the communications and infrastructure practice for In-Q-Tel, the strategic investment firm that supports the U.S. Intelligence Community. He has extensive experience developing, securing and deploying data systems. Prior to joining In-Q-Tel, Mr. McGovern was Director of Technology for Cigital Inc. He led Cigital's software security group and supported a Fortune 100 clientele that included Microsoft, MasterCard International, CitiBank, Symantec, CheckFree, the UK National Lottery and the Federal Reserve Banks of Richmond, New York and Boston. Earlier in his career, Mr. McGovern worked for the Central Intelligence Agency. Mr. McGovern holds a B.S. in Electrical Engineering from Worcester Polytechnic Institute and an M.S. in Systems Engineering from Virginia Polytechnic Institute. Dov Yoran is a Partner at Security Growth Partners (SGP). Prior to joining SGP, Mr. Yoran was Vice President for Strategic Alliances at Solutionary, Inc. a leading Managed Security Services Provider. He was responsible for all partnerships, global channel revenue and marketing efforts. Previously, at Symantec Corporation, Mr. Yoran managed the Services Partner Program, having global responsibility for creating, launching and managing the partner re-seller program. This program generated over 50% of Symantec Services revenue, with a partner base expanding across six continents. Mr. Yoran came to Symantec as part of the Riptech, Inc. acquisition, in a $145 Million transaction that ranked in the top 2% of all technology mergers in 2002. Riptech was the leading managed security services firm that monitored and protected its client base on a 24x7 basis. At Riptech, he spearheaded the channel strategy, marketing and sales operations, growing the reseller program to over 50% of the company's revenue. Prior to that, Mr. Yoran has worked in several technology start-ups as well as Accenture (formerly Anderson Consulting) where he focused on technolog and strategy engagements in the Financial Services Industry. Mr. Yoran has also written and lectured on several Information Security topics. He holds a Masters of Science in Engineering Management and System Engineering with a concentration in Information Security Management from the George Washington University and is a cum laude Bachelor of Science in Chemistry graduate from Tufts University.
© 2020-2025 Ivy Podcast Discovery LLC
