Comments on TaoSecurity Blog: Thoughts from Several Conferences
Feed author: Richard Bejtlich (feed last updated 2023-10-16)

---

RayK (Anonymous), 2008-06-03 11:19

Re: 27001

The various standards organizations have little to sell to pay for their activities, so they sell standards.

Yes, I know that there is an argument for them to be open source, but that is not the reality of all of the standards world, or the publishing industry in general.

As with any justifiable library purchase decision, standards are a good investment.

You'll want a bunch of other ISO standards to go with your copy of ISO 27001, as 27001 only has a very short definitions section. As with all standards, at this point in the 27000 family's life, terminology is borrowed from other standards. 27001 lists some of these. Also, there will eventually be a 27000 family standard devoted to vocabulary. I suggest you watch Gary Hinson's http://www.iso27001security.com. He tracks changes in the 27000 family closely. He also maintains a Google Group that you can sign up for.

Right quick, you'll find out that you really want to look at some of the other standards families that surround the 27000 family, e.g., ISO 14000, which is environmental management, and ISO 9001, which is quality management...

The ISO 27000 family deals with Information Security Management Systems (ISMS), but draws heavily on other standards and best practices documents in the industry.

Alas, it is expensive to maintain a library of any kind. Consider this 27001 business to be like any other speciality. You need much specialized, and expensive, stuff on the shelf and on disk.

One set of resources that is not commonly discussed is the various Best Practices documents that BSI publishes. On the BSI site, you can find documents like BIP 0071:2005 - Guidelines on Requirements and Preparations for ISMS Certification based on ISO/IEC 27001. Yes, they cost money, though not much. As with other standards, most of the problem is finding them and ordering them. And, yes, some of these documents are only available in hard copy.

Buying the standards directly from ISO works great. You get them as PDFs and there is a strict license attached to each (e.g., limited distribution, no distribution...).

As soon as I get the E-Mail thing figured out, I'll post a presentation on the 27000 family that I did.

Meantime, consider 27001 as the barest entry point to the wonderful world of international standards for infosec.

RayK

---

Richard Bejtlich, 2008-03-24 14:31

Rocky, glad to see you blogging! I just added your feed to my watch list.

---

Rocky (Anonymous), 2008-03-24 14:24

Richard,

You always add value to these conferences. It was a pleasure having you interact with the rest of the folks during the SIEM Best Practices discussion at the Institute's recent forum.

On my new blog http://blog.decurity.com/ I just added some more context around SIEM Best Practices and will be adding more content over the coming days/weeks as I have time to get my thoughts out.

Rocky

---

Anonymous, 2008-03-17 21:41

ISO 17799 (ISO 27001 and 27002) - http://www.17799central.com/glossary.htm

---

Richard Bejtlich, 2008-03-17 12:02

Anonymous,

That's a really good point about middle management!

---

Anonymous, 2008-03-17 11:56

Richard,

The copy I have of ISO 27001 is licensed to an individual, which leads me to believe it's not free to download.

"Middle management who exist to manage techies are losing their jobs. In the end only executives and the techies themselves will be left."

This is a disturbing trend. I consider middle managers to be executives in training. There are too many "executives" without formal education and experience in the business world as it is.

---

Richard Bejtlich, 2008-03-17 06:09

Lance, good comment -- but where can I download ISO 27001? I found definitions at this other site (http://www.praxiom.com/iso-27001-definitions.htm) but the lack of general availability makes me less inclined to use them.

---

Unknown, 2008-03-16 23:13

"I liked John Schlichting's case study. It made me wonder why we bother blocking anything but specific IPs outbound. All we've done by restricting outbound protocols is force everything to be SSL-encrypted HTTPS traffic. Wonderful!"

How true!

---

Lance Spitzner, 2008-03-16 22:34

Richard, great stuff. One question: why focus on the NIST definitions? My concern here is that with the NIST we are becoming US focused. The rest of the world is migrating to using the ISO 27001 definitions, which I find in many ways simpler to understand. This will only make it hard for the US security folks to communicate with everyone else. :(

lance