Tuesday, December 14, 2010

How to have all partitions mounted on startup in Ubuntu

Follow trongbang86 on Twitter

I'm using Ubuntu now, and it's really impressive. However, every time I open my laptop it's quite annoying to double-click on each partition to have it mounted before use. After doing some research, here is a tip to overcome that.

Go ahead and install ntfs-config. If you don't know how to install software in Ubuntu.

Once ntfs-config is installed, go to System > Administration > NTFS Configuration Tool to launch it.

Where it says , type what directory you want the drive to appear in. /media/Windows is a good choice if you can't think of anything else.

The window hiding behind that one allows you to enable write support for the device, too.
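What ntfs-config does behind the scenes is write a line into /etc/fstab. The following is an added example, not code from the original post, that builds that line by hand so each field is visible, and appends it only once. The UUID and mount point in the demo are placeholders; the mount options (nofail, uid, gid, umask, windows_names) are standard ntfs-3g options, chosen here so a missing disk does not hang the boot and files on the partition are not world-writable.

```python
# Added example (not from the original post): the /etc/fstab line that a tool
# such as ntfs-config writes for you, built by hand so each field is visible.
# The UUID and mount point used in the demo are placeholders.
from pathlib import Path

# Mount options assumed here (all standard ntfs-3g options):
#  nofail        - do not hang the boot if the partition is missing
#  uid/gid       - files appear owned by the first desktop user (uid 1000)
#  umask=022     - files are readable by everyone but writable only by that user
#  windows_names - refuse file names that Windows itself could not read
RO_OPTS = "ro,nofail,uid=1000,gid=1000,umask=022"
RW_OPTS = "defaults,nofail,windows_names,uid=1000,gid=1000,umask=022"


def ntfs_fstab_line(uuid: str, mountpoint: str, writable: bool = False) -> str:
    """Return one fstab line: device  mountpoint  type  options  dump  pass.

    The partition is addressed by UUID (as printed by `blkid`), not by
    /dev/sdX, so the entry survives the device order changing between boots.
    """
    if not mountpoint.startswith("/"):
        raise ValueError("mount point must be an absolute path")
    opts = RW_OPTS if writable else RO_OPTS
    return f"UUID={uuid} {mountpoint} ntfs-3g {opts} 0 0"


def add_fstab_entry(fstab: Path, uuid: str, mountpoint: str,
                    writable: bool = False) -> bool:
    """Append the entry unless a line for this UUID already exists.

    Returns True when a line was added. Idempotent, so running it twice
    (or after the GUI tool) does not leave duplicate mounts in fstab.
    """
    existing = fstab.read_text().splitlines() if fstab.exists() else []
    if any(line.split()[:1] == [f"UUID={uuid}"] for line in existing):
        return False
    Path(mountpoint).mkdir(parents=True, exist_ok=True)
    with fstab.open("a") as fh:
        fh.write(ntfs_fstab_line(uuid, mountpoint, writable) + "\n")
    return True


def demo_idempotent() -> tuple:
    """Run the append twice against a throwaway fstab in a temp directory."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        fstab = Path(d) / "fstab"
        first = add_fstab_entry(fstab, "0123ABCD0123ABCD", f"{d}/Windows")
        second = add_fstab_entry(fstab, "0123ABCD0123ABCD", f"{d}/Windows")
        return first, second, len(fstab.read_text().splitlines())


if __name__ == "__main__":
    # Real use needs root, e.g.:
    #   add_fstab_entry(Path("/etc/fstab"), "<uuid from blkid>", "/media/Windows")
    print(ntfs_fstab_line("0123ABCD0123ABCD", "/media/Windows", writable=True))
    print(demo_idempotent())
```

After adding the line, `sudo mount -a` mounts everything in fstab without a reboot and reports any mistake in the entry, which is the check worth doing before trusting the next boot to it. The read-only variant is the default on purpose: enable write support only for partitions you actually need to change from Ubuntu.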


Sunday, December 5, 2010

Processes required to ensure that Information Assets are suitably protected

Level: Intermediate
Prerequisite: Experience in Risk Management Process

1. Identification and Analysis
>establish the context
*understand the business and its processes
*identify competitors
From that, we can tell which information becomes useful to competitors, and how, if they get hold of it
>establish the security goals or success criteria (depending on each company)
*what the critical aspects of the business are
Companies working in different fields have different critical information, so they require different approaches to ensure the protection of their information assets
*to what extent they need to be protected
>identify possible threats
*what can happen that makes information leak
*what if questions
*brainstorming and so on
>determine the causes
*what leads to the threat
*is there only one reason or a combination of many things
>analyse the threats:
*based on the causes, establish the relationship between the threats and the current context, i.e. how each threat is linked to the customers, outside competitors and other entities in the current context
*specify the likelihood of the threats: how likely are they to come true, and how frequently can they happen?
*determine the possible impacts in terms of 1) time, political and financial cost and 2) CIA: confidentiality, integrity and availability
*determine how the possible impact changes over certain durations, such as 1 hour, 1 day or 1 week
*determine the triggers for the threats: what are the events or actions that can set them off?

>prioritize the threats
Which one is most likely to happen? Which one is less likely to happen but has a severe impact on the business?
>write up user stories that record the course of actions performed by users.
It is a good idea to write down the possible steps that can happen, since this eases discussion among people and is a good starting point for estimating the impacts
>write up a document for tracking and to assist others in understanding what has been done

2. Control/Reducing the impact
>understand users' capability
Different users have different levels of capability, so we can't expect too much from them.
>determine appropriate controls
*Depending on users' level of understanding and capability, we have to choose appropriate controls.
*Balance the costs of the controls against the impacts of the threats. If the controls don't offer anything better than the threats in terms of cost, we have to think about whether to go for them or not.
*Take the complexity of the controls into consideration, because if their complexity exceeds the capability of users, users might try to get around the controls.
>if the cost of the controls is not worth it considering the impacts, we might put the corresponding threats in a queue, setting appropriate indicators and contingency plans for them. If events occur that push the impacts beyond those indicators, we have to take action.
>keep all the protection consistent and appropriate. Don't pile up a lot of different controls, which can lead to confusion
>collaborate with users and help them understand
Organize training classes to educate users, make them understand the importance of the security in place and how to operate it

3. Tracking
>assign accountability
*Who is responsible for tracking the threats
*How often to carry out the tracking process
*How to collect the information
*Who needs to be reported to
For example, 2 people have to reassess the threats once a month. After that, they need to write up a report and give it to the CEO for review.

>determine the warning level, or when immediate action is required
*Different threats have different levels and types of impact, so it's better to set out an indicator for each threat. When a threat's indicator goes over its threshold, we have to take action immediately.
*It's not appropriate to set a single level of impact, say from 1 to 5, and then say that when the level is higher than 3 we have to take action. The reason is that different threats have different types of impact, and we cannot always make them comparable.
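The points above about prioritising threats (section 1) and giving each threat its own indicator instead of one shared 1-to-5 scale (section 3) can be shown in a small threat register. The following is an added example, not part of the original post; the threats, dollar figures, likelihoods, indicators and thresholds are all constructed for illustration, and the scoring rule (likelihood times worst-case CIA loss, then raw impact as a tiebreaker for the rare-but-severe cases) is one assumed choice among many.

```python
# Added example (not from the original post): a small threat register that
# prioritises threats and checks each one against its own indicator threshold.
# All threats, numbers and units below are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    likelihood: float                # probability per year, 0..1
    impact: dict                     # CIA dimension -> loss in dollars if it happens
    impact_by_duration: dict = field(default_factory=dict)  # hours -> loss so far
    indicator: str = ""              # what is measured for this threat
    threshold: float = 0.0           # reading of that indicator that demands action

    def expected_loss(self) -> float:
        """Annualised loss: likelihood times the worst-case CIA impact."""
        return self.likelihood * max(self.impact.values())

    def loss_after(self, hours: float) -> float:
        """Impact grows with time: use the largest duration bucket already reached."""
        reached = [h for h in self.impact_by_duration if h <= hours]
        return self.impact_by_duration[max(reached)] if reached else 0.0


def prioritise(threats):
    """Most urgent first: expected loss, then raw impact for rare-but-severe threats."""
    return sorted(threats,
                  key=lambda t: (t.expected_loss(), max(t.impact.values())),
                  reverse=True)


def needs_action(threat: Threat, observed: float) -> bool:
    """Compare a reading with that threat's own threshold, in that threat's own unit."""
    return observed >= threat.threshold


def watchlist(threats, observations: dict) -> list:
    """Names of threats whose current indicator reading is at or over its threshold."""
    return [t.name for t in threats
            if t.name in observations and needs_action(t, observations[t.name])]


# Constructed register: note that each threat's indicator has a different unit,
# so a single shared scale could not express all three thresholds.
REGISTER = [
    Threat("laptop with customer list stolen", likelihood=0.2,
           impact={"C": 500_000, "I": 0, "A": 5_000},
           indicator="unencrypted laptops in inventory", threshold=1),
    Threat("web shop outage", likelihood=0.6,
           impact={"C": 0, "I": 0, "A": 80_000},
           impact_by_duration={1: 2_000, 24: 30_000, 168: 80_000},
           indicator="hours of downtime this month", threshold=4),
    Threat("payroll data tampered", likelihood=0.05,
           impact={"C": 50_000, "I": 900_000, "A": 10_000},
           indicator="failed change-approval checks", threshold=1),
]

if __name__ == "__main__":
    for t in prioritise(REGISTER):
        print(f"{t.expected_loss():>10,.0f}  {t.name}")
    print(watchlist(REGISTER, {"web shop outage": 3,
                               "laptop with customer list stolen": 2}))
```

The `loss_after` method is the "impact after 1 hour, 1 day, 1 week" idea from section 1 as data rather than prose, and `watchlist` is the monthly reassessment from section 3: feed it the current readings and it returns only the threats that have crossed their own threshold.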

4. Report, review and improvement
>continual review and improvement
>determine the format for the reports
It's better to have reports written in different ways, because different people, such as managers and the CTO, will have different views.
>involve appropriate people in the review process
>recheck the level of impacts for the threats
>check for new threats
*check the business processes to see whether there are any changes that can lead to new threats

The Barriers to creating a detailed Threat Risk Assessment

Level: Intermediate
Prerequisite: what is the BSI Handbook, what is Risk Assessment, Template for Threat Risk Assessment (TRA)

+difficult to understand the business processes. For example,
>how many departments are needed and what they are
>how they cooperate with each other
>what the input and output of each department are
>how information is transferred between departments (manually or electronically)

+difficult to capture and represent information in a logical way. For example,
>what means are used to carry information: is it kept electronically in the information system, or manually?
>how to describe the information assets so we can make sense of them when we come back later. The reason this is a problem is that we have multiple assets with the same or nearly identical names but different meanings. Therefore it's sometimes a challenge when we want to go back to them or refer to them
>information assets have a many-to-many relationship with threats → how to store the relationship so that we can query it on the fly. If, for example, we have an information asset, we want to know how many threats can apply to it, and vice versa.
>should we relate a threat to an information asset by using the asset's ID number or its descriptive name? Which one is more helpful for understanding?
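One way to answer the last two questions, as an added example that is not part of the original post: keep assets and threats in two tables with a link table between them, so the relationship can be queried in either direction, and key the link on the asset's numeric id rather than its name, since the post notes that several assets can share a name. The code uses Python's built-in sqlite3 module; the assets, threats and pairings are constructed for illustration.

```python
# Added example (not from the original post): storing the many-to-many
# relationship between information assets and threats so it can be queried
# both ways. Link rows use numeric ids; names are for display only. All rows
# below are constructed for illustration.
import sqlite3

SCHEMA = """
CREATE TABLE asset  (id INTEGER PRIMARY KEY, name TEXT NOT NULL, owner TEXT);
CREATE TABLE threat (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
-- link table: one row per (asset, threat) pair, duplicates rejected by the key
CREATE TABLE asset_threat (
    asset_id  INTEGER NOT NULL REFERENCES asset(id),
    threat_id INTEGER NOT NULL REFERENCES threat(id),
    PRIMARY KEY (asset_id, threat_id)
);
"""


def open_register() -> sqlite3.Connection:
    """Create an in-memory register with a few constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")   # reject links to unknown ids
    db.executescript(SCHEMA)
    # Two assets with the same descriptive name but different owners:
    # only the id tells them apart, which is why the link table uses ids.
    db.executemany("INSERT INTO asset VALUES (?, ?, ?)", [
        (1, "customer list", "sales"),
        (2, "customer list", "support"),
        (3, "payroll database", "finance"),
    ])
    db.executemany("INSERT INTO threat VALUES (?, ?)", [
        (10, "laptop theft"),
        (11, "insider disclosure"),
        (12, "ransomware"),
    ])
    db.executemany("INSERT INTO asset_threat VALUES (?, ?)", [
        (1, 10), (1, 11), (2, 11), (3, 11), (3, 12),
    ])
    return db


def threats_for_asset(db: sqlite3.Connection, asset_id: int) -> list:
    """Asset -> threats: which threats apply to this one asset."""
    rows = db.execute("""
        SELECT t.name FROM threat t
        JOIN asset_threat lk ON lk.threat_id = t.id
        WHERE lk.asset_id = ?
        ORDER BY t.name""", (asset_id,))
    return [r[0] for r in rows]


def assets_for_threat(db: sqlite3.Connection, threat_id: int) -> list:
    """Threat -> assets, returning (id, name, owner) so same-name assets stay distinct."""
    rows = db.execute("""
        SELECT a.id, a.name, a.owner FROM asset a
        JOIN asset_threat lk ON lk.asset_id = a.id
        WHERE lk.threat_id = ?
        ORDER BY a.id""", (threat_id,))
    return list(rows)


def link(db: sqlite3.Connection, asset_id: int, threat_id: int) -> bool:
    """Record a pairing; False if it already exists or either id is unknown."""
    try:
        db.execute("INSERT INTO asset_threat VALUES (?, ?)", (asset_id, threat_id))
        return True
    except sqlite3.IntegrityError:
        return False


if __name__ == "__main__":
    db = open_register()
    print(threats_for_asset(db, 1))
    print(assets_for_threat(db, 11))
```

Because `asset_threat` references both parent tables and `PRAGMA foreign_keys` is on, a typo in an id is rejected instead of silently creating a dangling link, which is the kind of error that makes a register hard to trust when you come back to it months later.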

>we don't know exactly what can happen, along with the possible impacts. Even though we put much effort into creating a detailed threat risk assessment, it will change with the growth of our company. So when the threats come true, the impact we measure at that time can be far different from what we recorded. The reasons can be 1) our analysis was wrong 2) the context has changed, and therefore the possible impacts have also changed
>we don't have all the information in place: 1) the company culture was not so well organised that all useful information was appropriately saved for future use 2) processes are not well established, so there is no definite scheme for the use of data or information → hidden information

+lack of context
>is an information asset useful and critical if it were exposed to competitors? → requires knowledge of that specific industry
>is an information asset useful to customers? To what extent should we expose it? Can the customer have full access to it? → we need to research what other companies are doing and how they are doing it.

+how important and critical the information assets are
>we have to brainstorm and analyse with “what-if” questions
>which ones need to be introduced to clients
>and which ones need to be hidden or secured for internal use

+how to cope with the expansion of information assets when identifying them
>how to keep track of all of them
>which ones are really information assets
>some information assets don't exist physically but only logically, in the employees' understanding. What are they? And how do we get them? → need to understand the business and its scope

+what approach to use in order to fully address all the possible threats
>what if questions
>BSI handbook and so on
>where they can occur and how
>what triggers them
>which vulnerability

>how to measure the impact in dollar terms
The reason is that after we finish, we need to submit a report about this to the CFO. In other words, we need to give a report to business people, and what they understand is money.

>what can happen
>how to know the political impact → market analysis to see other competitors
>how to measure the frequency
>what is the maximum loss that can happen

>what kind of controls are needed? Preventive or corrective?
>how much it costs to carry out the control
>whether the benefits really outweigh the impacts of the threats
>whether it's suitable for the users or not
*considering the users’ physical ability
*considering the complexity of the controls


Benefits of ISO 27001, COBIT, ITIL, ISO 9001 and ISO 14001

Level: Intermediate
Prerequisite: Basic Understanding of ISO 27001, COBIT, ITIL, ISO 9001 and ISO 14001

+Benefits from ISO 27001
>security risks are managed in a cost effective way.
>customer confidence when interacting with these companies.
>business confidence for companies in the knowledge that their security is assured.
>achieve international standards.
>avoid ad hoc information security management.
>guidelines on the establishment and implementation of information security management systems.
>improvement in companies' information security management systems, such as better monitoring, review and maintenance of them.

+ Benefits from COBIT:
>better alignment between business and IT.
>set directions, improve monitoring and take timely corrective actions, based on giving management a better view of IT.
>an internationally recognised control framework.
>provides an environment which is responsive to business needs.
>mapping of IT goals to business goals and vice versa.
>clear process ownership → process-oriented → fewer incidents.
>clear performance indicators → better control.

+ Benefits from ITIL:
>consistency and standardised processes.
>suitable for mergers and acquisitions, bringing coherence to the management structure.
>save time and money by not having to reinvent the wheel (with checklists and procedures).
>better governance of IT.
>integrate IT across the enterprise.

+Benefits from ISO 9001:
>more efficient and effective operations
>disciplined business because of a common understanding of repeatable and consistent processes.
>fewer failures in quality of products and services.
>quicker response when things are going wrong.
>discovery of inherent errors/failures in existing processes when implementing the standard.
>clear understanding of what to do and how it is to be done, which is especially important for newcomers.
>improved employee morale.

+Benefits from ISO 14001:
>provides a guideline on committing to the purposes of environmental management systems.
>shows that companies are environmentally responsible.
>increases profits due to better resource management, such as energy conservation.
>lower insurance rates when compliant with this standard.
>improved relationships with customers and employees.
>better awareness → safety benefits in the workplace.
>a ticket to some European markets.

+Benefits in common:
>it is less expensive to prevent problems or do things right from the beginning than to clean everything up afterwards.
>cost reduction due to better management.
>standards compliance is a way to attract customers.
>some business domains require compliance with these standards.
>gain business alignment: when implementing these standards, all the sectors including finance, business management and technical management have to work together. Hence, business alignment comes naturally when the implementation has been successful.
>instil the feeling of being the best of the best among the company's employees.
>shared understanding because of having a common language
*everybody has to get on board when implementing the standards. Employees will be trained, and they can get a better understanding of their company.
>improved marketing
*some companies use the certification as a means of marketing, to expand their market.
>encourage the organisation's capability of learning, as well as individuals'

A comparison of the business and technical drivers for ISO 9001 and ISO 14001

Related Article: A comparison of the business and technical drivers for ISO 27001, ISO 27002, COBIT and ITIL
Level: Intermediate
Prerequisite: Basic Understanding of ISO 9001, ISO 14001, and ISO 27001

ISO 9001 is about Quality Management Systems – Requirements. This is an international standard that companies can claim compliance with if audited and certified. It originated in manufacturing but is now applied in various disciplines.

So ISO 9001 is completely different from ISO 27001, COBIT and ITIL in terms of business drivers and technical drivers. This standard deals with the quality of executing processes, not with measuring and assessing IT controls (COBIT), not with improving IT services (ITIL) and not with governance (ISO 27001).

ISO 9001 is about ensuring the quality of processes and improving them continually. It provides a systematic approach to managing a company's processes so that it can consistently produce products of a quality that satisfies customers. The end result of ISO 9001 is a quality management system in which all processes of a company are standardised: the processes are well documented and each participant in a process has a clear role and knows what he/she is responsible for.

ISO 9001 states all the requirements companies must meet in order to have a better quality management system, but it doesn't specify in detail how to reach that. It's similar to ISO 27001, which also consists only of a set of requirements to be fulfilled. On the contrary, COBIT and ITIL provide details such as performance indicators and checklists, because they are frameworks.

From the business perspective, ISO 9001 is applicable not only in IT but in many different fields, and its purpose is to assist companies in improving their quality management systems, thereby gaining customer satisfaction. In contrast, ISO 27001 is there to give customers confidence in interacting with companies. COBIT provides managers with an in-depth view of the performance of the system, and ITIL improves the internal IT service level.

Another quality standard to be analysed is ISO 14001. ISO 14001 is part of the ISO 14000 family, which is about Environmental Management Systems (EMS), and it is the core of ISO 14000. ISO 14001 helps companies reduce their negative effects on the environment. Balancing building an effective EMS against maintaining profitability is very difficult but crucial, and that is what ISO 14001 is all about. Moreover, environmental impacts have never been a hotter topic, so companies are trying to implement this standard with three purposes, in the writer's understanding: 1) to reduce the impacts 2) to comply with government policy 3) to appeal to customers.

ISO 14001 offers guidance on introducing and adopting an EMS. It also offers certification for companies who want to be compliant. Like ISO 27001 and ISO 9000, it is guidance on implementing a systematic approach to setting objectives and targets, to demonstrating they have been achieved, and to improving the EMS continually. Like them, it also doesn't dictate clearly how to reach the objectives.

Even though identifying the environmental impacts of a business's activities is part of ISO 14001, it does not specify levels for the impacts. The reason is that each industry has different types of impacts at different levels, so the standard would have to be tailored for each industry, which is not the intention. That is why ISO 14001 is a set of generic requirements, like ISO 27001 and ISO 9000.

Considering the business drivers for ISO 14001, it can be seen that companies implementing this standard are aiming to comply with government standards or to be eco-friendly. There's nothing related to information systems (IS). Moreover, it can keep customers and even employees happy by assuring the ethical aspects, because they know they are buying products from, or working for, an environmentally responsible company. According to Rockstad, ISO 14001 is an open opportunity to enter the European market due to Europe's environmental concerns. Besides that, he also states that implementing ISO 14001 can actually reduce costs, due to recycling programs for waste and better usage of raw materials.

As for technical drivers, ISO 14001 doesn't assist companies in building a more robust IS; rather, it makes them change their business activities and existing infrastructure so that they can be more eco-friendly while maintaining profitability. However, it does give insight into the existing processes during implementation, so that managers can recognise flaws in the processes and improve them. Specifically, when implementing ISO 14001, companies have to do a gap analysis comparing the current overall performance of their processes with the requirements in ISO 14001. In order to do that, they have to analyse and reengineer their processes. Then they have to understand the standard's requirements so they can make the comparison. After that, they can see what is going wrong or not being done efficiently in their companies.
