Category Archives: ISO

NAFTA Cyber Security Framework

As part of the NAFTA discussions it looks like the US is looking to add a cyber security component to the mix. Finally, a great idea in a trade agreement! The basis for this is quite clear given the interconnected world we live in and the fact that all Canadian Internet traffic is routed to the US. We have to ensure that one country is not in a position to bring about the downfall of another due to weak security practices.

Given the current state of cyber security practices in Canada at most SMBs, this will serve as a good wake-up call to get your security house in order if you want to sell to the US. Based on the current wording, companies would have to demonstrate the implementation of an accepted cyber security framework within the organization.

What does this mean? From the top down, executives are responsible for having implemented the security management system necessary to measure and mitigate cyber risk within their respective organizations. I am not going to provide all the nuts and bolts of how to do this, but I would “highly” recommend you get a copy of ISO/IEC 27001/27002 and build your plan to implement an Information Security Management System (ISMS). Don’t let the “information” part of the name fool you: this standard has been written to fully consider the cyber elements of any organization, regardless of sector.

The best place to buy this is from our friends at CSA Group in Canada. They actually offer a Security bundle that contains all the base standards to get you started at a very reasonable price.

When you initiate your cyber program, focus on conducting your risk assessments, building your action/mitigation plan and getting those policies and processes nailed down; most of all, education and awareness will be a key element of your success.

Keep in mind that this will not be easy, but the benefits will help you sell your solutions to the US and will help protect your digital assets. What else could you ask for?


Data Breach – Get Prepared if you collect customer data

Today, I was a panellist at a Data Breach Seminar held in Toronto. It was a full room of attendees at the Davis LLP office in First Canadian Place. Our panelists included the following:

Kelly Friedman – Moderator

Kelly is an experienced litigator with unique expertise in electronic information matters, including e-discovery, privacy and data breach risk mitigation and response. She is an expert advisor to the Standards Council of Canada with respect to the development of international (ISO) standards regarding information technology security.

Kelly is known for her efficient, no-nonsense approach to problem solving and dispute resolution and her ability to bring calm and clarity to bear in crisis situations.

Anna MacMillan

Anna MacMillan has extensive experience in mergers and acquisitions, and has been involved in a broad range of transactions involving international and Canadian clients. Anna has specialized expertise in dealing with financial institutions and payment card industry participants, both in the M&A setting and in respect of ongoing compliance considerations. 

She has advised clients on a wide range of issues relating to privacy, data protection, actions to be taken on a data breach incident and allocation of risks relating to data breach.

Carol Levine

Carol Levine is a professional communicator with expertise in image, issues and reputation management, as well as crisis communications. Her experience spans many industry sectors, including health and pharmaceuticals, consumer packaged goods, retail, technology and manufacturing. 

Carol is co-founder and owner of energi PR, the Canadian affiliate of the Public Relations Global Network (PRGN), which is among the four largest networks of independently-owned PR firms in the world.

Patrick Malcolm

Patrick Malcolm is the President of NetRunner Inc. – A Canadian Cyber Defence Company. 

Patrick is a trusted advisor to the Department of National Defence and the Royal Canadian Mounted Police Integrated Technology Crime Unit. He has extensive experience dealing with both criminal and nation-state cyber threats. He is a technical trainer and professional speaker. Patrick combines subject matter expertise with a mature assessment process to provide a complete solution that helps his customers enhance their security posture, reduce risk, facilitate compliance and improve operational efficiency.

Garth Heustis

Garth is responsible for leading and managing the Information Risk (cyber) book of business for CNA in Canada and is very active in conducting seminars across the country for their brokers. CNA as a corporation has been writing Information Risk since 2001 and is one of the top 5 carriers for this line of business.

We provided attendees with details on both pre-breach and post-breach issues and considerations. The key here is being prepared and ensuring you create a playbook to be used in the event of a breach.

As this is a growing issue with our customers, I am attaching a document that includes some considerations and questions you should be asking within your organization to determine your level of preparedness.

As always, should you have any questions on data breach, please reach out to us. We would be more than willing to provide support and help you build your data breach playbook.

Data Sheet on Breach Services


You’re never too small to implement an ISMS

So what is an ISMS? An Information Security Management System is typically used by larger organizations which, due to their process maturity, have developed many systems and processes to show proof that IT risk is being managed. However, we are seeing a trend where start-ups need to quickly develop these capabilities. Why? Big customers are demanding alignment with, or evidence of, an ISMS.

We are fortunate enough to be working with some start-ups to help secure their product and service solutions. During these engagements we are being asked more and more to provide guidance around building an ISMS. This can range from security policies and procedures to designing a secure coding practice which aligns with an ISMS. While many don’t have policies and procedures, these can be quickly developed, updated and instilled into the corporate culture to ensure security is being considered at all stages of product development and business operations.

While not a requirement for everyone, CEOs need to consider that requirements for an ISMS will come quickly as you grow a start-up.

Things to consider:

1. You will need a security policy that covers your plan to secure your product/service. It might be small at the beginning, and that is okay, but make sure you document how you determined your risk, the controls you have implemented, how you monitor the systems, and how you determine whether the process or the product/service may have been compromised.

2. Make sure you understand threats to your organization, not just to your products and services.

3. Make it part of your culture now, not just when a security compromise happens, because if you put it off you will lose customer confidence down the road.

4. Purchase ISO 27001/27002 and read them.

5. Conduct a quick assessment of your company against the guidelines of ISO 27000 to determine how far you are from having this capability.

6. You don’t have to get certified “right now”, but you will have the foundation prepared so that when you are large enough and mature enough in your processes you can quickly obtain this certification.

7. You will increase customer confidence because you have seriously considered the security implications to your business.

There, does that sound too difficult? You need to start off small and let this grow with your business. It becomes a much smaller obstacle down the road with this approach.


Canada we need more cyber security leadership

One of the good things about practicing security consulting globally and participating in ISO work is that I get to talk to security experts around the globe. One thing I am seeing more and more every year is how many countries are pulling away from Canada when it comes to cyber security leadership.

When I look at our government, I am not aware of any one security leader who is driving requirements for things like cloud, mobile and IoT. Nor do I see the same thing when it comes to critical infrastructure. Not to say they don’t exist, but when I have people in the government reaching out to me to ask that same question, that’s a problem. A big problem.

Canadians are completely oblivious to the fact that we do not have a national plan to help protect us against cyber security attacks from another nation. Really, if you are aware of something, please send me details, because I have asked over and over and never received a single response. I am also aware of security companies that have stopped practising in Canada due to lack of business. Instead, many are relocating or opening offices south of the border, where they are more bullish on this topic and business is brisk.

Also of concern is the lack of support for and development of ISO standards in Canada while the rest of the world is doing exactly that. This topic has been discussed on many forums in Canada but no action has taken place; business and government leaders are very well aware of this issue. I was recently attending a three-day symposium on software assurance in the US, where this is a hot topic and the government takes this and supply chain security very seriously. I was very surprised to discover that they stated on several occasions that everyone should be looking to ISO as the basis for standards. This is definitely a tone change from when NIST and ANSI were the go-to organizations. It shows a shifting tide, which is refreshing. However, we are not seeing the same thing in Canada, nor is our government even considering the security risk of software. Again, should we be concerned?

Canada is going to have to change its old ways or we are going to become an easy target for cyber attacks. Take for example that our carriers send Internet routers to all customers in an insecure configuration. When someone’s device gets compromised and they experience a theft of service, they are responsible for paying the bill. This is very disturbing. This is not a case where our carriers don’t know any better; they do, they are just too stuck in their ways to change how they operate. Yet they insist they don’t need more regulation. I think they do, at least for security, or they will never change.

Canadians need to start asking our political and corporate leaders if we are doing enough to protect our organizations and citizens. Right now it is a resounding NO!
