The nonprofit Information Security Forum (ISF), widely recognized as a leading authority on cybersecurity and information risk management, just published a major update to its Standard of Good Practice for Information Security for IT security professionals. Dubbed “the industry’s most business-focused, all-in-one guide to information security assurance,” the annually updated reference encompasses four main ISMS categories: governance, security requirements, control frameworks and security monitoring and improvement.
Organizations worldwide use “The Standard” and related tools and services from ISF to manage the risk associated with new technology adoption, improve resilience and competitiveness, build confidence in their ability to meet legal/regulatory challenges, and prepare for and manage cybersecurity incidents. The document is available at no cost to ISF members and can be purchased by non-members.
The National Institute of Standards and Technology (NIST) announced on October 2 that it has chosen a winner in its five-year competition to select a new cryptographic hash algorithm – one of today’s fundamental information security tools.
According to the NIST press release: “The winning algorithm, Keccak (pronounced “catch-ack”), was created by Guido Bertoni, Joan Daemen and Gilles Van Assche of STMicroelectronics and Michaël Peeters of NXP Semiconductors. The team’s entry beat out 63 other submissions that NIST received after its open call for candidate algorithms in 2007, when it was thought that SHA-2, the standard secure hash algorithm, might be threatened. Keccak will now become NIST’s SHA-3 hash algorithm.
Hash algorithms are widely used for digital signatures, message authentication and other cryptographic applications that verify the authenticity of digital documents. They create a “digital fingerprint” (called a digest) of the hashed content. Any change to the content, however small, causes a change in the digest. Likewise, the hash algorithm makes it extremely difficult for a cyber forger to create a different file with the same digest.
NIST chose the Keccak algorithm for its elegant design and ability to run well on many different computing devices, including the growing number of sensors, home appliances and other embedded devices that now connect to computer networks but are not full-fledged computers. Keccak had higher performance in hardware implementations than SHA-2 or any of the other finalists in the competition. Further, its design is entirely different from SHA-2, so it is less likely to be vulnerable to attacks that might compromise the SHA-2 algorithm.
Among its many other potential uses, SHA-3 “provides an essential insurance policy” in the event SHA-2 is ever cracked. Officially, NIST considers SHA-2 to be “secure and suitable for general use” despite attacks that compromised similar but simpler hash algorithms (SHA-1 and MD5) in 2005 and 2006.
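The three properties the announcement relies on (a digest is a fixed-size fingerprint, any edit to the content changes it unpredictably, and a keyed digest authenticates a message) can be seen directly with Python's standard library, which ships SHA-256 from the SHA-2 family and SHA3-256 from the Keccak-based SHA-3 family. The block below is an added example, not code from NIST or from the page; the invoice strings, the key and the function names are constructed for the demonstration. It also shows that SHA-2 and SHA-3 produce unrelated digests for the same input, which is the practical meaning of "entirely different design".

```python
"""Added example: cryptographic hash digests, the avalanche effect, and
message authentication, using hashlib (SHA-256 and SHA3-256) and hmac.
All inputs are constructed sample data, not material from the announcement."""
import hashlib
import hmac

# Constructed sample: the two documents differ by a single character.
ORIGINAL = b"Invoice 1042: pay 100.00 USD to account 7781"
MODIFIED = b"Invoice 1042: pay 900.00 USD to account 7781"


def hex_digest(algorithm: str, data: bytes) -> str:
    """Fingerprint (digest) of data under a named hashlib algorithm,
    e.g. 'sha256' (SHA-2 family) or 'sha3_256' (SHA-3 family)."""
    return hashlib.new(algorithm, data).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of bit positions at which two equal-length hex digests differ."""
    if len(hex_a) != len(hex_b):
        raise ValueError("digests must be the same length")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche(algorithm: str, a: bytes, b: bytes) -> int:
    """How many digest bits change between inputs a and b. For a sound hash
    this is close to half the digest length however small the edit is, so a
    forger gets no foothold by making a 'similar' file."""
    return differing_bits(hex_digest(algorithm, a), hex_digest(algorithm, b))


def make_tag(key: bytes, message: bytes, algorithm: str = "sha256") -> bytes:
    """Message authentication code (HMAC): a keyed digest that only a holder
    of the key can produce, so it binds both integrity and origin."""
    return hmac.new(key, message, algorithm).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes,
               algorithm: str = "sha256") -> bool:
    """Constant-time check that tag was computed over message with key.
    compare_digest avoids leaking where the comparison first fails."""
    return hmac.compare_digest(make_tag(key, message, algorithm), tag)


if __name__ == "__main__":
    for alg in ("sha256", "sha3_256"):
        print(f"{alg}: {hex_digest(alg, ORIGINAL)}")
        print(f"  bits changed by the one-character edit: "
              f"{avalanche(alg, ORIGINAL, MODIFIED)} of 256")
    # Same input, two unrelated designs: the digests share nothing.
    print("sha256 digest equals sha3_256 digest?",
          hex_digest("sha256", ORIGINAL) == hex_digest("sha3_256", ORIGINAL))
    key = b"constructed-demo-key-do-not-reuse"   # constructed sample key
    tag = make_tag(key, ORIGINAL)
    print("tag verifies on original document:", verify_tag(key, ORIGINAL, tag))
    print("tag verifies on modified document:", verify_tag(key, MODIFIED, tag))
```

Note that hashlib's `sha3_256` implements the SHA-3 as finally standardized by NIST (FIPS 202), whose padding differs slightly from the competition-era Keccak submission the announcement refers to, so digests from older Keccak reference code will not match it. Switching a system from the SHA-2 family to SHA-3 is, in this code, a one-string change to `algorithm`, which is the kind of agility the "insurance policy" remark is about.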
Authentication and encryption of key information assets, in transit and in storage, are not only essential to securing transactions but also a vital part of Payment Card Industry (PCI) compliance and of a robust Information Security Management System (ISMS) framework in general.
According to a recent study by Forrester Consulting, which was commissioned by IBM, 63% of companies have understaffed IT departments, and more than 50% are unable to find experienced cybercrime-fighters to help them maintain IT security.
With threats rapidly morphing and new attacks emerging literally daily, and cloud computing, social media, mobile devices and other vulnerabilities compounding the challenges, IT departments are looking to be proactive rather than reactive. And that takes experience and expertise, as well as the bandwidth to get off the treadmill of daily responsibilities. Yet according to the Forrester survey, “many organizations are struggling to find the skills to take this [a proactive IT security posture] on.”
Likewise, skilled security professionals are in heavy demand and expensive to hire and keep, especially with today’s tight IT budgets. In another recent study by Deloitte, many banks and other financial institutions are challenged to be more proactive around information security due to cost constraints.
Against this backdrop, the use of third-party security experts and “Security-as-a-Service” offerings are increasingly seen as a viable and reasonable response to the situation.
ISO 27001 Consulting
It is the ability to certify the operation of an Information Security Management System (ISMS) that makes ISO 27001 unique and makes it ideal to be used as a form of independent attestation to the design and operation of an information security program. Pivot Point Security can help your business achieve ISO 27001 certification. See how we can help.