Bright Stove

Reflecting information risk journey

Archive for March 2010

8th RAISE Forum Meeting (cont.)

leave a comment »

Continuing from the morning break in Day one, we have Dr Perry Liu from Chinese Taipei, and Prof Youm Hueng Youl from South Korea, which provided updates on their areas of focus and the recent information security development in the Cyberspace of their respective economies. Dr Liu’s presentation covered how the Chinese Taipei government is enhancing the ISO/IEC 27001 (Information Security Management System, ISMS) with a Cyber Healthcheck system to measure the information security performance (risk profile) of organizations, and provides metrics to drive relevant aspects of training and implementation forward. The session also discussed about the Information Sharing Framework established by the Government Information Sharing and Analysis Center (G-ISAC), and the formation of two new ISACS, namely Telecom-ISAC and Academic-ISAC as part of the efforts.

Prof Youm’s session covered the information security standardization efforts and related activities in South Korea, the ISMS Certification scheme that has been mandated by the Ministry of Public Administration and Security (MOPAS) for implementation in all government agencies, and the lessons learnt for the massive Distributed Denial of Service (DDoS) attack in July 2009.

After lunch, further updates were delivered by delegates from Malaysia, P.R. China, and Singapore. Malaysia’s representative shared two aspects of information security work in their economy. One relates to the SC 27 standardization efforts, in particular, their editorial work on ISO/IEC 27037 – Guidelines for the Collection, Acquisition, and Preservation of Digital Evidence. The other relates to the implementation of the National Cyber Security Policy for critical information infrastructure protection (CIIP). including a products security certification scheme (using the Common Criteria approach) for CIIP needs.

Dr LianQiang Wang spoke about the regulatory framework, recent policy changes relating to Cybercrime and Cybersecurity, the compulsory certification scheme, security standardization, and the ISMS implementation drive in China. On ISMS, there are currently 251 organizations that have been ISO/IEC 27001 certified through International accredited certification bodies, and another approximately 200+ organizations certified through China government accredited certification bodies.

Mr Kin-Chong Chan shared the standards development activities in Singapore, including some of the recent projects, and an effort to propose a new standard (SS) to enable certification of organizations against the practices recommended in ISO/IEC 27031 – ICT Readiness for Business Continuity.

Following the updates, members of the Forum reviewed the terms of reference, and the meeting was adjourned.

image

In Day Two, the Forum continued with more focused discussions on local/regional information security challenges and learning experience. Dr Liu discussed the Cyber Healthcheck methodology, and the strategy behind its use and development. Interestingly, the strategy was based on the “Strategy Map” and “Balanced Scorecard” approach, which was highly insightful and inspiring. Mr Thomas Kok of ISS/NUS also shared his findings from a recent empirical study he has completed on information security tertiary education. Interestingly, but ironically, Mr Kok found that there is a disconnect between what most Universities are offering in terms of information security courses for undergraduates, are not aligned to the needs of the industry. In majority cases, information security courses are elective, and focused on “interesting” areas such as network security and cryptography, rather than operation security, business continuity, and disaster recovery and related management. The Japanese delegates lead by Mr Koji Nakao discussed about the work of the Japan National Institute of Communication Technology (NICT) in Darknet Monitoring, to visualize the global trend of malware attacks on the Internet. The team also discussed about an incident detection and alert system build on the Darknet monitoring system. In Prof Youm’s session, he shared about South Korea’s efforts on IPTV Security and its standardization work. This was followed by Prof Pauline Reich (Waseda University) discussion on the current challenges in Cyber Law and related legislative approaches.

In the deep dive session, we discussed about the challenges involved for Small and Medium enterprises (SME) in the implementation of ISMS, and a proposal based on the SS 493:2001 – Security Framework Standard to benchmark SME more consistently. Mr Sivanathan Subramaniam, the co-editor for ISO/IEC 27037, provided details on the standard, which is currently under development and discussed some of the challenging issues involved in terminology and procedure agreement amongst the participating National Bodies (NB). Mr Darren Cerasi of SPSTC also discussed about his work on digital forensic and how e-discovery tool may be used for digital forensic purposes.

The Day Two meetings ended at about 6pm. The 9th meeting is tentatively targeted for around Nov 2010 period, to be held at Taipei. Until then, the group has resolved to continue discussions offline and also online at the LinkedIn RAISE Discussion Group platform. 

Written by mengchow

March 10, 2010 at 5:37 am

Posted in Security Standards

8th RAISE Forum meeting

leave a comment »

The 8th RAISE Forum meeting convened today at the Institute of System Science (ISS), National University of Singapore (NUS). We have 20+ delegates from Japan, Malaysia, P.R. China, Chinese Taipei, Singapore, and South Korea, participating and lined up to also speak at the two-day meeting. The morning session started with a review of some of the international development in security standards, in ISO/IEC JTC 1/SC 27, and also ITU-T Study Group 17. There are a number of new Working and Study Groups that have also been created at JTC 1 level to look into newer ICT standardization needs, in area such as Clouding Computing, Green ICT, Smart Grid, and Energy Efficiency Data Center. Some of these topics are also being looked into at ITU-T, in which there are now new recommendations relating to secure application services, and Service Oriented Architecture (SOA) security being developed. The two groups, SC 27 and ITU-T SG17 have some overlapping works as well, but liaison coordination between the two groups have been ongoing. The Working Party Chairs and Rapporteurs at ITU-T SG17 are also participating actively at SC 27, which helps in these coordination efforts.

We just completed our morning break. What’s next, and this afternoon, will be updates from the various participating economies’ security standards experts on their respective information security landscape.

Written by mengchow

March 8, 2010 at 3:23 am

Posted in Security Standards

%d bloggers like this: