Information Security Blog

Why ISO-27001 Certifying A Private Cloud Makes Sense

One of our clients is a large New Jersey county that embarked on a shared services initiative several years ago at the direction of the County Freeholders, in an attempt to curb spiraling property taxes. In addition to centralizing services like snow removal, health services, and senior programs, the initiative included a number of implicit and explicit shared services with notable information technology and security ramifications, including shared IT services, web hosting, law enforcement data sharing, and medical insurance sharing. The County CIO took his charge very seriously and set about building out the infrastructure needed to support the programs. Over lunch I asked him whether this was a “Field of Dreams” situation: if he built it, would they want to come, or would they have to be forced to come? Between laughs, I think I heard the phrase “herding cats” and something about thirsty horses… and he finished with, “But, I have a plan.”


That lunch took place about a year ago, and the CIO’s plan is approaching fruition. His idea was to ISO-27001 certify his Private Cloud offering (we were tickled that he chose us and our ISO-27001 Roadmap to guide his journey). In doing so, he felt he could use the certificate to validate, to the Board of Freeholders and the County Administrator, the security of the significant investment the County was making. Being able to demonstrate that critical information security risks pertaining to public safety systems, financial systems, and constituent/employee Personally Identifiable Information and health information were effectively managed, in a manner consistent with the Board’s direction, was critical to the success of the initiative. Equally important was gaining buy-in from the various potential consumers of the cloud services, including township police departments, CFOs, fire departments, and clinics. He is using the 27001 certification effort (and the eventual certificate) to provide assurance to these third parties that their data will be secured in a manner consistent with an internationally recognized information security standard and in accordance with all relevant laws and regulations.

Interestingly, over the last month or so I have had very similar conversations (i.e., about using ISO 27001 to prove that Private Cloud/Shared Service initiatives are secure and compliant) with a global entertainment/media company and a global pharmaceutical company. The decentralized nature of both companies allows the various business units to select the best “vendor” for the IT services they are looking to “outsource”. That vendor may be a traditional vendor (e.g., Telehouse for hosting) or it may be their internal Private Cloud hosting service. Having to compete for business means the internal service may be held to the same vendor risk management processes as a traditional third party. Accordingly, being able to prove that they are secure and compliant is integral to their success, and ISO 27001 is the best mechanism for doing so, especially given the global nature of their businesses.

It seems like the time frame between “thought leadership” and “prevailing good practice” is shortening… sort of a get-on-board-or-get-left-behind situation. To put it succinctly, ISO 27001 may just be the “Field of Dreams” for future IT security!

About the Author:

John Verry, CISA, 27001 Certified Lead Auditor, CCSE, CRISC - "Security Sherpa" - Information Security Auditor