Sunday, January 9, 2011

12 Global Business Practices for Information Security Professionals

I am very happy to announce that 12 tenets have been developed by the premier global information security professional organizations to advance the profession of information security. This is huge! Collaboration on this scale requires egos to be left at the door; we have some huge egos in IT security, and this demonstrates that they can all get along and work together to practice, globally, the tenets of IT security: confidentiality, integrity and availability.


These 12 principles were developed as a framework to influence and guide IT security professionals in their careers; they are a welcome sight for individuals new to the field. The principles are intended to shape behaviours, objectives, approaches and activities, which in turn should lead to more success in safeguarding privacy and technology infrastructure in organizations across the globe.

Target audience

The principles for information security practitioners are aimed at all individuals working in the information security community, including those who:
  • are employed as part of a security function
  • provide security services in local environments (eg local security co-ordinators)
  • are responsible for developing systems securely
  • supply security products and services (eg vendors and consultants)
  • influence legal / regulatory requirements for information security
  • are aspiring to become security practitioners (eg students).

Benefits to Business

Organizations that have not had a real security framework for their IT security professionals to follow will see an immediate benefit; the framework itself can add value and become a marketable asset. The principles are grouped under three headings:
  • A - Support the Business
  • B - Defend the Business
  • C - Promote Responsible Security Behavior


Information security practitioners need to respond to the changing requirements of organisations in today’s complex, interconnected world.
For example,
  • corporate, IT and information security governance have promoted information security higher up on the board’s agenda
  • the information security profession is not fully mature, traditionally has a bias towards technology and needs to be more risk focused
  • rapidly evolving threats require information security practitioners to stay ahead of the game
  • co-ordinated efforts are needed to maintain the adaptability of information security practitioners, particularly in changing business environments.
Over the years there have been a number of offerings related to individual information security practitioners that cover behaviour, actions or ethics. However, there is a requirement for an independent, non-proprietary set of principles, which are:
  • more generic and complete, with less focus on professional qualifications
  • relevant to the business world – and kept up to date
  • agreed throughout the security profession, rather than being proprietary to one organization
  • able to map easily to different security standards and guidelines.
The principles for information security practitioners have been designed to meet these needs. They have been jointly developed by three of the world's leading global security organizations: the ISF, ISACA and (ISC)².

A. Support the business
  • A1. Focus on the business: The business is the reason you have your job! Your goal is to help your organization make money or meet its mission or vision statement.
  • A2. Deliver quality and value to stakeholders: The solutions you implement as an IT security professional, in the form of technology, process and people, can add value and become a marketable asset for your organization.
  • A3. Comply with relevant legal and regulatory requirements: The law and information security go hand in hand. The IT security professional must comply with all applicable laws and help the organization meet or exceed its required compliance objectives.
  • A4. Provide timely and accurate information on security performance: You won't know whether your IT security objectives are being met if you have no way to measure the outcome of your IT security implementations; define what the desired result is, measure against it, and report the result to the people who need it.
  • A5. Evaluate current and future information threats: Information security threats are forever changing, and attackers often have the initiative, so the IT security professional must be proactive: study trends and defend the business against threats before they become a problem.
  • A6. Promote continuous improvement in information security: Once you have implemented your security solutions, go back and review them to see whether there are opportunities to improve the solutions currently in production.
B. Defend the business
  • B1. Adopt a risk-based approach: Prioritize protection according to risk, so that the most critical business applications and information receive the strongest controls.
  • B2. Protect classified information: Always limit access on a need-to-know basis to information such as social security numbers, customer account information, health records, credit card numbers and proprietary business information, and don't let unauthorized individuals access your network.
  • B3. Concentrate on critical business applications: Information and systems that are VITAL for the business to stay up and running need the most security; think defense in layers (defense in depth) and Confidentiality, Integrity and Availability (CIA).
  • B4. Develop systems securely: Build security in at the beginning of your information technology projects. It is much easier and more cost-effective to do so than to try to retrofit security after a system or database has been implemented.
C. Promote responsible security behaviour
  • C1. Act in a professional and ethical manner: You are held to a high standard as someone appointed to safeguard an organization's systems and data assets. Read the ethics / code of conduct of the premier IT security organizations: ISF, (ISC)² and ISACA.
  • C2. Foster a security-positive culture.
Download the 12 Principles Poster

I applaud the premier IT Security organizations for working together to create the 12 principles, which will be of great value to new IT Security professionals entering the field.


Julius Clark, MBA, CISSP, CISA


ISF, (ISC)2 and ISACA Release Information Security Principles



Friday, January 7, 2011

Google Releases a Preview of its Honeycomb Android 3.0 Tablet Operating System

Yesterday Google released a preview of Honeycomb, Android 3.0, a version of its operating system designed specifically for tablets.

I love tablets that run on the Android platform! I bought a very cheap generic one from China just to play with over the holidays; the potential of Android tablets is amazing. The biggest reason I prefer Android tablets over Apple iPads is the cost. Tablets running the Android OS will be in the $100 - $400 price range, compared to iPads in the $500 - $650 range.

Additionally, Android tablets allow the owner to configure them more to their liking, so you won't have to worry about being locked into the default options as with the iPad. The Android counterpart to Apple's App Store is the Android Market, which has thousands of applications and which developers say is more developer friendly than Apple's.

The future is here with Android tablets, and I predict that these devices will be the hottest item on many people's Christmas lists this year.
