
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2013-12-05



Updated Standards Part 2 - PCI DSS/PA DSS

Published: 2013-12-05
Last Updated: 2013-12-05 11:20:48 UTC
by Mark Hofman (Version: 1)
3 comment(s)
Last week the PCI Security Standards Council released the next versions of the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA DSS), version 3.0.  The standards are updated on a three-year cycle and are valid from the date of release.  The previous version can still be used for certification until 31 December 2014, giving companies plenty of time to adjust to the new requirements.  
 
The changes are mostly clarifications of the current requirements. A few have been combined and moved, but there really are no earth-shattering changes.  
 
Unlike ISO 27001, there is a document of changes for each of the standards. These are available on the council's web site (www.pcisecuritystandards.org).  One of the more visible changes is that the standard now provides, for each requirement, a guidance statement that explains why the requirement is important.  In early 2014 the reporting requirements should be available, which will provide insight into what documentation and evidence needs to be available when facing an assessment. 
 
Mark H - Shearwater

Updated Standards Part 1 - ISO 27001

Published: 2013-12-05
Last Updated: 2013-12-05 10:44:00 UTC
by Mark Hofman (Version: 1)
0 comment(s)
ISO 27001:2013 - Information Security Management Systems was released in September and slipped into use relatively quietly. The standard replaces ISO 27001:2005.  The overall intent of the standard remains the same, and when you peel back the changes most of the old standard remains. There are, however, enough changes that some effort may be required to address them.  
 
One of the main changes is the format: instead of the 8 sections in the previous standard plus the annex, there are now 10 sections and the Annex.  This new format is the Annex SL format, which is what will be used in all ISO management system standards going forward.  Yes, standards have been standardised.  One of the cheeky changes is that the Normative references and Terms and definitions have been removed from the standard and are published separately (so yes, you have to buy those).  The new sections are: 
  • 0 Introduction - exactly what it says
  • 1 Scope - states what the standard is about
  • 2 Normative references - no longer included in the standard but a separate purchase :-(
  • 3 Terms and definitions - ditto
  • 4 Context of the organisation - The old section 4 risk assessment component, now more aligned with ISO 31000  
  • 5 Leadership - This refers to the old standard's management responsibility requirement
  • 6 Planning - More risk management and preventative and corrective processes
  • 7 Support - Management support
  • 8 Operation - the implement and operate section of the old standard
  • 9 Performance evaluation - Monitoring, audit and management review
  • 10 Improvement - Continuous Improvement
So still the same elements, but moved about a bit, so you will end up having to make changes to your documentation.  The main thing that has gone from the standard is the plan-do-check-act cycle, but when you read between the lines it is still there.  You are still expected to plan the controls to be implemented, implement them, then measure and update as needed, just like the old one.  
 
The Annex still links through to the ISO 27002 document and reduces the number of controls from 133 down to 114. A few have been removed and some have been combined.  The number of domains has been increased to 14:
  • 5 Information security policies
  • 6 Organisation of information security 
  • 7 Human resource security
  • 8 Asset management
  • 9 Access control
  • 10 Cryptography
  • 11 Physical and environmental security 
  • 12 Operations security
  • 13 Communications security
  • 14 System acquisition, development and maintenance
  • 15 Supplier relationships
  • 16 Information security incident management 
  • 17 Information security aspects of business continuity management 
  • 18 Compliance
These are all pretty self-explanatory.  
 
With regard to the documentation and evidence you need to keep in order to be compliant, there are no significant changes. The main addition for most organisations will be the documentation requirements for Performance evaluation. The organisation will need to determine what needs to be measured and what evidence needs to be kept. As many organisations are weak in this area, that will be the biggest change for many.
 
You will have to check with your certifying body, but most of you will have between 12 and 24 months to implement the changes and certify to the new standard.  
 
Happy updating
Mark H - Shearwater
Keywords: ISO 27001 standards