Bright Stove

Reflecting information risk journey

8th RAISE Forum Meeting (cont.)


Continuing after the morning break on Day One, Dr Perry Liu from Chinese Taipei and Prof Youm Hueng Youl from South Korea provided updates on their areas of focus and on recent information security developments in the cyberspace of their respective economies. Dr Liu’s presentation covered how the Chinese Taipei government is enhancing ISO/IEC 27001 (Information Security Management System, ISMS) with a Cyber Healthcheck system that measures the information security performance (risk profile) of organizations and provides metrics to drive the relevant aspects of training and implementation forward. The session also discussed the Information Sharing Framework established by the Government Information Sharing and Analysis Center (G-ISAC), and the formation of two new ISACs, namely Telecom-ISAC and Academic-ISAC, as part of these efforts.

Prof Youm’s session covered the information security standardization efforts and related activities in South Korea, the ISMS Certification scheme that the Ministry of Public Administration and Security (MOPAS) has mandated for implementation in all government agencies, and the lessons learnt from the massive Distributed Denial of Service (DDoS) attack in July 2009.

After lunch, further updates were delivered by delegates from Malaysia, P.R. China, and Singapore. Malaysia’s representative shared two aspects of information security work in their economy. One relates to the SC 27 standardization efforts, in particular their editorial work on ISO/IEC 27037 – Guidelines for the Collection, Acquisition, and Preservation of Digital Evidence. The other relates to the implementation of the National Cyber Security Policy for critical information infrastructure protection (CIIP), including a product security certification scheme (using the Common Criteria approach) for CIIP needs.

Dr LianQiang Wang spoke about the regulatory framework, recent policy changes relating to cybercrime and cybersecurity, the compulsory certification scheme, security standardization, and the ISMS implementation drive in China. On ISMS, there are currently 251 organizations that have been ISO/IEC 27001 certified through internationally accredited certification bodies, and another 200 or more organizations certified through certification bodies accredited by the Chinese government.

Mr Kin-Chong Chan shared the standards development activities in Singapore, including some of the recent projects and an effort to propose a new Singapore Standard (SS) to enable certification of organizations against the practices recommended in ISO/IEC 27031 – ICT Readiness for Business Continuity.

Following the updates, members of the Forum reviewed the terms of reference, and the meeting was adjourned.


On Day Two, the Forum continued with more focused discussions on local and regional information security challenges and learning experiences. Dr Liu discussed the Cyber Healthcheck methodology and the strategy behind its use and development. Interestingly, the strategy was based on the “Strategy Map” and “Balanced Scorecard” approach, which was highly insightful and inspiring.

Mr Thomas Kok of ISS/NUS also shared his findings from a recent empirical study he completed on information security tertiary education. Interestingly, but ironically, Mr Kok found a disconnect: the information security courses that most universities offer to undergraduates are not aligned with the needs of industry. In the majority of cases, information security courses are electives and focus on “interesting” areas such as network security and cryptography, rather than operational security, business continuity, disaster recovery and related management.

The Japanese delegates, led by Mr Koji Nakao, discussed the work of the Japan National Institute of Information and Communications Technology (NICT) in Darknet Monitoring, which visualizes the global trend of malware attacks on the Internet. The team also discussed an incident detection and alert system built on the Darknet monitoring system. In Prof Youm’s session, he shared South Korea’s efforts on IPTV Security and its standardization work. This was followed by a discussion by Prof Pauline Reich (Waseda University) of the current challenges in Cyber Law and related legislative approaches.

In the deep dive session, we discussed the challenges that Small and Medium Enterprises (SMEs) face in implementing ISMS, and a proposal based on SS 493:2001 – Security Framework Standard to benchmark SMEs more consistently. Mr Sivanathan Subramaniam, the co-editor of ISO/IEC 27037, provided details on the standard, which is currently under development, and discussed some of the challenging issues involved in reaching agreement on terminology and procedures amongst the participating National Bodies (NBs). Mr Darren Cerasi of SPSTC also discussed his work on digital forensics and how e-discovery tools may be used for digital forensic purposes.

The Day Two meetings ended at about 6pm. The 9th meeting is tentatively targeted for around November 2010, to be held in Taipei. Until then, the group has resolved to continue discussions offline and also online on the LinkedIn RAISE Discussion Group platform.


Written by mengchow

March 10, 2010 at 5:37 am

Posted in Security Standards
