Tag Archives: information security

What Are the Issues Around Cloud Computing?

commissum explains the issues around cloud computing and the benefits it can bring to small companies.

When we mention cloud computing to our SME clients as a possible solution for the cost-effective management of their services, we often get asked “but what are the risks of trusting our information to someone else?” At commissum we believe that many of the issues relating to cloud computing are not new and should be considered for all relationships with service providers, although there are a few specific considerations to be made.

Using cloud computing, organisations can contract service providers to provide infrastructure, platforms and, presently more commonly, software. These services enable convenient, on-demand network access to a shared pool of configurable resources such as networks, servers, storage, applications and other services, provided and released with minimal management effort or service provider interaction. The advantages of scalability, lower overhead costs and flexibility are clear and allow organisations to focus on core competencies instead of devoting resources to IT operations.

Most companies have policies and processes in place to deal with commercial relationships with IT service providers. Although these policies and processes will work equally well with cloud services, many still do not sufficiently cover the risks related to the security of information.

Applications which are to be provided by a cloud service require the same risk assessment considerations as those provided by a traditional service provider.
What if the solution:
· fails to deliver the required business value;
· does not perform to the levels agreed;
· is not integrated with the existing in-house services;
· is unavailable and causes delays and reputational damage;
· suffers breaches in the integrity and confidentiality of information?

But commissum’s Principal Assurance Consultant André Coner suggests that the following considerations specific to cloud computing should be added:
· Maturity of the cloud service provider and service provider on-going concern issues;
· Complexity of compliance with laws and regulations;
· Legal issues around liability and ownership relating to different hosting countries;
· Storage of personally identifiable information in other countries;
· Much greater dependency on third parties and reliance on external interfaces;
· Greater reliance on Internet connectivity;
· Security issues of public, community and hybrid cloud environments.

With 20 years of experience, commissum is adept at offering practical advice and recommending cost-effective solutions, to deliver a joined-up, coherent approach to protecting an organisation’s information assets.

Via EPR Network

The new PCI DSS version 2 is effective. What now?

The PCI Security Standards Council (PCI SSC) is a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS). The PCI SSC has released the new version 2 of its PCI Data Security Standard (PCI DSS), which became effective on 1st January 2011.

The new standard begins the three-year lifecycle that allows for validation against the previous version of the standard (1.2.1) until 31st December 2011. This provides stakeholders time to understand and implement the new version of the standard as well as provide feedback. The PCI SSC encourages organizations to transition to the updated version as soon as possible.

The changes in version 2.0 introduce no new major requirements. The majority of changes are modifications to the language to clarify the meaning of the requirements and make understanding and adoption easier. Many of the revisions reinforce the need for a thorough scoping exercise prior to assessment in order to: understand where cardholder data resides; reduce the infrastructure and applications subject to the standard; allow organizations to adopt a risk-based approach when assessing; and prioritize vulnerabilities based on specific business circumstances.

commissum’s Principal Assurance Consultant André Coner commented that many organisations fail to adequately segment the cardholder data environment from the remainder of their network and are therefore significantly increasing the complexity and cost of their PCI DSS compliance. This is because, without adequate network segmentation, the entire network is in scope of the PCI DSS assessment. Segmentation is therefore strongly recommended as it will reduce the scope and cost of the PCI DSS assessment. It also reduces the cost and difficulty of implementing and maintaining the PCI DSS controls.


Information Security Experts commissum Welcomes the Cyber Crime Classification But Warns Businesses May Not Be Able to Improve

The National Security Council has released its security strategy that classifies cyber crime as one of the four highest priority risks.

Titled ‘A strong Britain in an age of uncertainty’, the 39-page document looks at and evaluates all levels of national defences. It claims that the four highest priority risks for the next five years include: ‘international terrorism, cyber attack by other states and by organised crime and terrorists, international military crises and major accidents or natural hazards’.

commissum’s Managing Director Martin Finch made the following comment:

“Attacks on the national infrastructure are now becoming more sophisticated. These are not just being initiated by teenagers looking for a challenge but by groups of state-sponsored professionals in a number of countries that are using the complex connectivity of modern systems to access information or systems for economic advantage or hostile aims.

“Therefore more needs to be done to protect us from the increasing cyber attacks, but the current economic climate, or even the perception of this, may make it difficult for many organisations to increase or even maintain expenditure for information and IT security.”

This has also been recognised by the Centre for the Protection of National Infrastructure (CPNI) which is providing organisations and companies with protective security advice to reduce risks. Their top ten security guidelines provide protective security points which have not changed for some time, but are still valid and are becoming much more important with the increasing sophistication of attacks.

The CPNI have established a unique partnership program with expert security consultancy companies such as commissum to work with businesses to help find innovative and holistic ways to address vulnerabilities and increase security with minimum investment or, in some cases, decreasing operational costs.

The commissum information security advisory services, which include risk assessments, audits and security health checks, will help organisations to prioritise the selection and deployment of defensive measures in the context of the risk attitude and culture of the organisation.
