
There is no castle so strong that it cannot be overthrown by money.
- Cicero
One Point has extensive experience in the drafting, implementing and running of Information Security Management Systems (ISMS), especially in the context of ISO 27001 compliance and accreditation and other compliance standards.
Our starting position is that security is a process, and that looking to a technology quick fix is looking in the wrong place. Even so, there remains a compelling argument for using biometric-related technology here.
As a starting point to any compliance exercise, most enterprises are obliged to assess the risk to their information assets (the threats to them and the vulnerabilities they carry) and to state explicitly how applying controls (both process and the use of technology) keeps the overall risk measure down. In the ISO 27001 context, this reliance on Controls is detailed in the Statement of Applicability (SoA); the operation of the Information Security Management System, and its accreditation, is against a particular version of that SoA.
Any senior manager looking at the first results of a company-wide risk assessment or audit would be glad to find certain Controls already in use. At that level trends are usually quite visible, and there is room to balance the cost of introducing one type of Control against another. It is harder to reason about cost and benefit at the programme level, because a point solution that reduces the local risk to the information assets of one programme is often not the most effective choice for the enterprise as a whole. Reconciling the two is part of the value that the senior manager responsible for compliance can add.
Specifically for requirements such as Sarbanes-Oxley sections 302 (Internal Controls) and 404 (Assessment of Internal Controls), there is a good case for introducing strong verification and non-repudiation into the chain of trust that compliance demands. Relying on the shared-secret factor, the password, for personal authentication is difficult to argue for. It is harder still to ensure that the inevitable password policy, with all its rules, is actually being adhered to.
There is no need to rehearse the arguments about how damaging the loss of personal data is, whether that data belongs to staff or to customers. Good practice demands that large aggregates of such data be handled with the utmost care. One way of doing so is to introduce strong personal verification, including non-repudiation, into the access controls for the staff authorised to do this work.
If you feel we could help you here, please contact us at contact@one.consultinglimited.com or use the Web Form.