Eurogiro Newsletter - August 2014 - page 11

ISO27001:2013
The ISO27001 security standard had to be updated because of emerging technology, notably the rapid adoption of mobile devices, and a changed threat pattern. Urs Fischer, Fischer IT GRC, presented the move from the 2005 to the 2013 edition. The new edition is written in a new structure (the common high-level structure, Annex SL) to align with other management system standards.
The real changes to the information security content itself are small.
Urs Fischer concluded that implementing the new standard should be easier. The focus should be on the scope of the Management System and on the Information Security Objectives. Start the transition by restructuring your documentation to reflect the new structure, and then implement the new requirements.
Mobile devices and security
Within a few years the use of mobile devices has evolved from a first generation used for browsing for information, through a second generation with corporate e-mail and consumer self-service, to the current usage, where both internal and external data and business processes live on the device.
A high percentage of workers use their personal devices to access business applications and resources. They believe it is their right, and will do so in contravention of policy if the policy is too strict. When devices are used for both private and business purposes it is essential to manage both the security and the legal aspects.
Lars Syberg from FortConsult in Denmark presented the resulting threats and counter-measures. First of all, a clear and well communicated policy is needed on how mobile devices are managed and how the user should react in various situations (for example, a lost device).
Modern mobile operating systems have a robust architecture with a number of built-in functions to protect data; often it is just a matter of turning these features on.
The most obvious and major threat today is the lost or stolen device. Enabling storage encryption and remote management protects the data: if the device is lost it can be wiped over the network. Encryption is the part that does not depend on the network; a wipe command only reaches a device that still comes online, whereas an encrypted device that never checks in again still keeps its data unreadable.
Malware and viruses are things you either get or you install. The threat here is the installation of apps from informal sources, or users tampering with the operating system (jail-breaking or rooting), which disables the platform's built-in protections. The policy must be very clear on this point.
Cloud storage can be a real threat to company data. The data is outside the company's control and protected only by a simple password owned by the employee. If the company does not provide workable solutions, the employees take their own decisions.
Lars Syberg concluded the presentation by giving examples of Mobile Device Management (MDM) providers and technologies. Mobile devices are still a very secure alternative to an uncontrolled Windows machine!
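The checks the talk lists (encryption on, no jail-break or root, no apps from informal sources, a reachable device so a remote wipe can land) are the kind of thing an MDM evaluates on every check-in. The script below is an added example, not code from the newsletter or from any presenter, showing how such a posture check turns a device record into a policy verdict. The device records are constructed sample data in the shape an MDM inventory export might have; every field name, store name and threshold is an assumption of this example.

```python
"""Mobile device posture check against a BYOD policy.

Added example, not code from the Eurogiro newsletter or from any of the
presenters. It encodes the checks Lars Syberg's talk lists as policy
points: storage encryption enabled, no jail-break/root, no apps from
informal sources, and a device that still checks in so a remote wipe
can reach it. Device records are constructed sample data in the shape an
MDM inventory export might have; every field name and threshold below is
an assumption of this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Policy parameters (assumed values, not taken from the page).
MAX_CHECKIN_AGE = timedelta(days=7)
APPROVED_APP_SOURCES = {"app-store", "play-store", "enterprise-store"}


@dataclass
class Device:
    """One row of a (hypothetical) MDM inventory export."""
    device_id: str
    owner: str
    encrypted: bool           # storage encryption enabled
    compromised: bool         # jailbroken or rooted
    app_sources: set          # origins of installed apps, as reported by the agent
    last_checkin: datetime    # last time the MDM agent reported in (UTC)
    reported_lost: bool = False


@dataclass
class Verdict:
    device_id: str
    action: str               # "allow", "block" or "wipe"
    findings: list = field(default_factory=list)


def evaluate(dev: Device, now: datetime) -> Verdict:
    """Map a device's reported state to policy findings and an action."""
    findings = []
    if dev.reported_lost:
        findings.append("reported lost/stolen")
    if not dev.encrypted:
        findings.append("storage encryption disabled")
    if dev.compromised:
        findings.append("device jailbroken/rooted: built-in protections cannot be trusted")
    informal = sorted(dev.app_sources - APPROVED_APP_SOURCES)
    if informal:
        findings.append(f"apps installed from informal sources: {informal}")
    if now - dev.last_checkin > MAX_CHECKIN_AGE:
        findings.append(f"no check-in for over {MAX_CHECKIN_AGE.days} days: "
                        "a remote wipe may not reach it")

    if dev.reported_lost:
        # Queue a wipe regardless of reachability. If the device was not
        # encrypted, the wipe cannot be relied on: treat the data as exposed.
        action = "wipe"
        if not dev.encrypted:
            findings.append("lost without encryption: treat company data as exposed")
    elif not dev.encrypted or dev.compromised or informal:
        # Keep the device away from company data until it is brought back
        # into line with the policy.
        action = "block"
    else:
        action = "allow"
    return Verdict(dev.device_id, action, findings)


# Constructed sample inventory (not real devices).
NOW = datetime(2014, 8, 1, tzinfo=timezone.utc)
SAMPLE_DEVICES = [
    Device("ios-001", "alice", True, False, {"app-store"}, NOW - timedelta(days=1)),
    Device("android-002", "bob", True, True, {"play-store", "sideload"}, NOW - timedelta(days=2)),
    Device("ios-003", "carol", False, False, {"app-store"}, NOW - timedelta(days=10),
           reported_lost=True),
]


def run_checks(devices=SAMPLE_DEVICES, now=NOW):
    """Evaluate every device; returns {device_id: Verdict}."""
    return {d.device_id: evaluate(d, now) for d in devices}


if __name__ == "__main__":
    for verdict in run_checks().values():
        print(f"{verdict.device_id}: {verdict.action}")
        for finding in verdict.findings:
            print(f"  - {finding}")
```

The verdict for the lost, unencrypted, long-silent device is the point of the exercise: the wipe is still queued, but the findings say plainly that it cannot be relied on, which is why the talk puts encryption before remote wipe.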
Member experience and presentations
There is a strong interest in learning how others are doing things, and we were happy to have presentations from 3 members on how they have integrated Eurogiro into their IT services.
Arvydas Bakanauskas, from AB Lietuvos Pastas, showed how the ELS was integrated in the “UPDV – universal postal work place”. It required minimal change to the Host system, and the operators do not need to use a separate application.
Matteo Anghileri, from Banca Popolare di Sondrio, presented the integration of the ESM and how it is connected to SWIFTNet using a service bureau. A very impressive transaction monitoring is in place, where he can monitor the traffic in detail.
Marin Junusic, from Croatian Post, completed the session by showing how they have developed since they joined Eurogiro 15 years ago. The ELS is connected to the domestic Host system, which pushes incoming messages directly to the post offices. He also showed how they are using Centreon in the monitoring.
ISO27001 main changes:
> New high level structure
> Terminology
> Risk assessment
> Management commitment
> Controls to reflect changing threats
> Emphasis on setting objectives
> Monitoring
Mobile devices - stay alert to:
> Lost / stolen devices
> Virus & malware
> Insecure apps
> Data transferred to cloud
> Open wi-fi networks
> Public hot-spots
> Insecure file transfer
> Missing usage policies
Data storage - key questions:
> Which company data can be accessed?
> Where can this data be stored?
> What are the legal aspects of company access to private data?
> Is it allowed for the IT team to wipe the device?
> What are the consequences for employees violating the policy?
> Who controls data in the cloud when an employee leaves?
> Is the policy clearly communicated and respected?