Wednesday, February 11, 2009

Excellent flow chart on the ISO 27002 certification process.

I would warmly recommend a tool for ISO 27001 automation that uses PTA - Practical Threat Analysis. What these folks have done is write a generic library for performing an ISO 27001 assessment using the PTA Professional freeware. The framework is all there, and you can build a real-life threat model in about 15 minutes by adding your own threats and assets. The part I like about PTA is the optimized risk mitigation plan that recommends the most effective controls.
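To show the kind of calculation behind a quantitative threat model and an "optimized mitigation plan", here is an added Python illustration (not PTA's own library, data or algorithm): assets carry a value, threats carry an annual probability and a damage fraction per asset, controls carry a cost and a mitigation fraction per threat, and a greedy selection picks the controls with the best risk reduction per unit cost within a budget. All figures are constructed sample values.

```python
# Added illustration of a calculative threat model (constructed data; not PTA's own
# library or algorithm). Risk = probability x damage; controls reduce a threat's risk.
ASSETS = {"cardholder-db": 2_000_000.0, "web-portal": 300_000.0}
THREATS = [
    {"name": "sql-injection", "p": 0.3,
     "damage": {"cardholder-db": 0.5, "web-portal": 0.2}},
    {"name": "lost-backup-tape", "p": 0.1, "damage": {"cardholder-db": 1.0}},
]
CONTROLS = [
    {"name": "waf", "cost": 40_000.0, "mit": {"sql-injection": 0.6}},
    {"name": "code-review", "cost": 60_000.0, "mit": {"sql-injection": 0.7}},
    {"name": "tape-encryption", "cost": 15_000.0, "mit": {"lost-backup-tape": 0.95}},
]


def threat_risk(threat, assets):
    """Expected annual loss from one threat: p x sum(asset value x damage fraction)."""
    return threat["p"] * sum(assets[a] * f for a, f in threat["damage"].items())


def total_risk(threats, assets, applied=()):
    """Residual expected loss; mitigations from several controls combine multiplicatively."""
    total = 0.0
    for t in threats:
        residual = 1.0
        for c in applied:
            residual *= 1.0 - c["mit"].get(t["name"], 0.0)
        total += threat_risk(t, assets) * residual
    return total


def plan(threats, assets, controls, budget):
    """Greedy plan: repeatedly add the affordable control with the best reduction per cost."""
    chosen, remaining = [], list(controls)
    while True:
        current = total_risk(threats, assets, chosen)
        best, best_ratio = None, 0.0
        for c in remaining:
            if c["cost"] > budget:
                continue  # cannot afford this control with the remaining budget
            ratio = (current - total_risk(threats, assets, chosen + [c])) / c["cost"]
            if ratio > best_ratio:
                best, best_ratio = c, ratio
        if best is None:
            return chosen  # nothing affordable still reduces risk
        chosen.append(best)
        remaining.remove(best)
        budget -= best["cost"]


def recommend(budget):
    """Return (chosen control names, residual expected loss) for the sample model."""
    chosen = plan(THREATS, ASSETS, CONTROLS, budget)
    return [c["name"] for c in chosen], total_risk(THREATS, ASSETS, chosen)
```

With the sample data, `recommend(100_000.0)` picks tape encryption first (cheap, large reduction) and then the WAF, and reports the residual expected loss; code review no longer fits the remaining budget.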

3 comments:

  1. I concur - I've been using PTA - http://www.ptatechnologies.com for about 3 years in a wide variety of threat modeling missions from SOX IT audit to software security assessment like this -

    http://www.software.co.il/case-studies/66-risk-assessment-of-software-as-a-service.html

    Also - I would comment that quantitative analysis is the only way for us to start speaking the same lingo as the CEO
    A major data loss event like Hannaford Supermarkets (4M credit card records leaked…) is a black swan as described by Nassim Nicholas Taleb - it has three characteristics:

    1. Appears as a complete surprise to the company
    2. Has a major impact to the point of maiming or destroying the institution (note the case of Card Systems or Hannaford whipping out a check for $10M to IBM for a get out of jail free card)
    3. Event, after it has appeared, is ‘explained’ by human hindsight.

    Danny Lieberman
    http://www.software.co.il Buggy software, risky software

    ReplyDelete
  2. Dear colleagues,

    I would like to inform you that in February 2009 we released an updated version of PTA Professional Edition (1.60 - build 1208) with major usability improvements.

    PTA – Practical Threat Analysis – is a calculative threat modeling methodology and a risk assessment tool that assists security consultants and analysts in assessing the risks in their systems and building an appropriate risk mitigation policy. The role of a practical threat analysis process is to identify system vulnerabilities, map system assets, assess the risk of the threats and define an effective risk mitigation plan for a specific system architecture, functionality and configuration.

    PTA is free-of-charge for students, researchers, software developers and independent security consultants. You are invited to review the latest version's new features and download a free copy of the software from the following link:

    http://www.ptatechnologies.com

    PTA fully supports the PCI DSS 1.1 and ISO 27001 standards as well as many useful security standards libraries, which are available for free download from the following URL:

    http://www.ptatechnologies.com/?action=documents

    Feel free to introduce PTA to your professional colleagues - it is our contribution to the security community. I'll be happy to have your comments and answer your questions on any issue.

    Regards,

    Zeev Solomonik
    R&D - PTA Technologies
    http://www.ptatechnologies.com
    zeev_at_ptatechnologies_dot_com

    ReplyDelete
  3. Nice blog!! Thanks for sharing the information about ISO consultants. This blog is nice and interesting to read.

    ReplyDelete