India: Privacy Law… Your personal details end up with raddiwalas (Scrap Dealers)!

Shocking news about how personal information provided to a mobile service provider ended up with a raddiwala (scrap dealer):
http://www.mid-day.com/news/2011/nov/281111-Your-personal-details-end-up-with-raddiwalas.htm

This despite the fact that the corporate involved claims to have a PRIVACY POLICY.

This is yet another glaring case of how policies are incapacitated by weak procedures and controls and a poor execution strategy.
Having a policy is one thing; having an apparatus to implement, enforce and comply with it is another…

I wonder if the corporates in India are aware of the recent data privacy legislation passed in India.

DATA PRIVACY LAW in INDIA
“The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, or ‘Privacy Rules’, were issued in April to implement India’s 2008 IT Security Act amendment.”

However, to my understanding, the law itself is not very clear on how it will be enforced: who is the controlling authority, and where can users whose personal information has been compromised seek redress?

It’s a long run… but at least we have made a start.

Posted in Data Breaches, Data Privacy, Government Legislations

Fortune 500 Gets “F” In Social Engineering Hacking Test

by Paul Roberts

It was another year, another “F” for the top U.S. firms targeted in the annual Social Engineering Capture the Flag (CTF) contest at the DEFCON hacking conference, according to a report released on Monday. Some of the U.S.’s top firms, including Apple Computer, IBM, AT&T, McDonald’s and retail giant Wal-Mart, proved easy marks for clever hackers using online reconnaissance and persuasion to extract valuable information. None of the 14 firms targeted was able to prevent clever attackers from using phone calls, e-mail and other soft approaches to wheedle sensitive information out of unwitting employees or leaky servers and IT infrastructure.

The report, from the firm Social-Engineer.org (free but only after registration), compiled the results of the second annual Social Engineering CTF, and found little evidence of improvement over the previous year’s report. Indeed, all 14 firms targeted by the contestants yielded information, with fewer than one in three companies offering any resistance to the appeals and entreaties of the attackers.

Of the firms tested, telecommunications giant AT&T received the highest overall score, while Oracle Corp. received the lowest. However, all the companies would have received a failing mark in a real social engineering penetration test, the report concluded.

“The scary part was that there wasn’t a single company that had a level of security that would make us feel confident that they were secure, no matter how many times we called,” said Chris Hadnagy of Social-Engineer.org.

In the case of AT&T, which received the best overall scores of the 14 firms tested, a contestant hit a brick wall when trying to extract information from an employee at one AT&T retail outlet, but found it easy to simply call another retail outlet and get the information from a different employee, Hadnagy said.

The contest, in its second year, is modeled after a long-standing DEFCON CTF event that tests raw hacking skills. In the Social Engineering CTF, contestants are assigned target companies and then allowed to conduct online reconnaissance on their target using tools like the Google search engine and social networking sites like LinkedIn and Facebook, as well as specialized tools like Maltego. Contestants are not permitted to call or e-mail their targets prior to an allotted 25-minute phone call, which is conducted live at the DEFCON conference in Las Vegas.

Contestants are graded on the number of “flags” they obtain through their online research and direct social engineering attacks. Flags are pieces of information based on non-sensitive data pertaining to the inner workings of the target company, Social-Engineer.org said. In this year’s contest, organizers made an effort to have two or more companies from each of the vertical industries represented.

Many firms were doomed before the contest formally began. Loosely configured IT systems, such as open FTP servers and verbose internal and external Web pages, yielded a treasure trove of information. Many contestants were able to claim “flags” merely through online research, while others were able to obtain enough information about the company’s operations and structure that crafting convincing social engineering scripts was trivial.

Once the actual social engineering attacks began, none of the 14 companies targeted was able to put up a solid front against the social engineers, and only three employees out of all of those contacted by the contestants offered any resistance at all to the attempts to get them to divulge information.

The firms, most of which have IT security budgets ranging from millions to hundreds of millions of dollars annually, did a poor job of readying their employees to spot and rebuff attempts to get them to divulge information or take other actions – such as clicking on a hyperlink supplied by the attacker – that could open their firm up to malware infection.

To the contrary, employees contacted by phone were inclined to bend over backward to facilitate the social engineer, especially when that person posed as a customer of the company.

Employers need to spend more time, and money, educating employees and talking about the danger that even innocuous information can pose to the company. They also need to more closely audit their Web and application infrastructure to make sure they are not leaking confidential information or too much information about company employees and internal policies or projects, the report concluded.

The conclusions are nearly identical to those of last year’s report, which also warned of the dangers of inadequate or inconsistent training of employees and the ability of motivated attackers to use Google and other tools to discover a wealth of data about the operations of potential targets.

Posted in Information Security, Social Media, Threats

Meridian 2011

Hi All,
Back after a gruelling grind hosting the 3-day Meridian Conference, an international conference for policy makers from around the world involved in CIP and CIIP activities.

As the host for this year’s conference, we have been humbled by the response to the conference and the immense appreciation showered on us by visiting delegates.

Thank you all for making this a success. A special thanks to our team that pulled off a successful event :-)

Posted in CIP, Distinguished Personalities, Government Legislations

Risk Appetite and Risk Tolerance

A guidance paper from the Institute of Risk Management

IRM has produced this paper to provide guidance to directors, risk professionals and others in relation to the part of the UK Corporate Governance Code that states that “the board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives”. However, we hope that the guidance will have far broader resonance with anyone interested in the subject of risk appetite and risk tolerance.

Download the executive summary (PDF 1 Mb)

Download the full guidance paper (PDF 2 Mb)

Posted in Risk Management

Smartphones and enterprise security

By Ian Kilpatrick.

Smartphones are spreading throughout the business world. Their use is growing across organizations and at all levels within them.

According to Gartner, sales of mobile devices in the second quarter of 2011 grew 16.5 percent year-on-year. Smartphone sales grew 74 percent year-on-year and accounted for 25 percent of overall sales in the second quarter of 2011, up from 17 percent in the second quarter of 2010.

Not only are the numbers of smartphones growing, their versatility is increasing. Where staff used to carry laptops when they went out of the office, to retrieve email and use other applications on the move, they can now carry just a smartphone.

This potentially allows them to send and receive emails, use a variety of applications, link to the company network to access data and use network-based applications, access social networking sites, and carry out online e-commerce and banking transactions.

Smartphones raise key security issues which many organizations have not yet fully realised or, if they have, may not have addressed with appropriate measures to ensure network safety.

The dangers

The biggest danger, of course, is that smartphones go missing. Many of us will have lost a mobile phone in the past or know someone who has. Research by getsafeonline shows that about one in five owners of smartphone devices can expect to lose or have them stolen at some point. Surveys show the level of phone loss in London taxis is at a world-leading, and fairly consistent, 10,000 per month. Yes, that’s right, 10,000 per month!

Smartphones are often used for both business and personal reasons and if they are lost, both sensitive company data and personal data stored on the phone may be exposed. Email exchanges could be seen. Personal data relating to online purchasing or banking might be viewed.

If the phone is connected via a VPN, company networks will be exposed to malware or could be hacked.

Smartphones are now at the stage that PCs were at around 1999. Many people didn’t think security was necessary then, hardly anyone had firewalls, but security concerns were beginning to be a focus. It’s a similar situation now with smartphones.

It doesn’t take long for criminals to think of ways of stealing and using information fraudulently. Some security experts have pointed out that targeting smartphones could potentially be more profitable for criminals than aiming at computers.

Security policies

With the rapid proliferation of smartphones and the very real security risks, organizations now need to factor smartphone use into their security policies and make sure they are managed centrally.

Smartphones have also extended the network boundary even further. Employees may use devices for both company and personal use, bringing dangers to the company network, in the same way that remote workers created new and different security issues for the IT department.

In addition, these devices cross the divide between voice and data, so that companies using them are taking a strategic direction into convergence, perhaps without realising it, and probably without planning for it. They are at the cutting edge of fixed and mobile convergence, yet users are only rarely required to connect over secure VPNs, and even less often required to use secure authentication to connect to the network.

Fixed/mobile convergence creates other security and financial threats. Unsecured access to PBX systems (traditional and IP) exposes organisations to an increased risk of toll fraud, as well as risks such as DoS attacks, backdoor attacks on the data network, and call recording.

Security tips

There are a number of basic security procedures which organizations and individuals can take to increase security.

- Use the PIN or passcode function to secure the phone. Don’t rely on the default factory settings.

- Install data wiping facilities so critical information can be destroyed if it’s thought the phone has fallen into the wrong hands. This might be triggered if, for example, a password is entered wrongly a certain number of times, or when a device has been off the network for a certain period of time.

- Employ time-out policies to prevent further use of the phone if it is inactive for a certain period of time. This should be initiated from a central management console.

- Install GPS tracking so the phone can be located if stolen.

- Install SIM watch. This reports the new number back to you if the SIM is removed and replaced.

- Take a note of your International Mobile Equipment Identity number. The IMEI number is used by the GSM network to identify valid devices and therefore can be used for stopping a stolen phone from accessing the network in that country. It’s easy to find on most phones by typing *#06# into the keypad.

- Take the same data leakage protection measures as with a PC:

* Treat the phone like it’s a PC. Beware of phishing emails, don’t follow links you’re not sure of, don’t download anything suspect, recognise the risks of unsecured WiFi connections, etc.
* Stipulate that sensitive, critical information should be made available to users of smartphones on a ‘need to know’ basis.
* Use two-factor authentication (with challenge response) to validate access to the smartphone.
* Encrypt sensitive data; many smartphones and security suppliers provide facilities to enforce this.
* Run anti-virus. The impact of a virus, both in terms of data loss and financial cost, is considerable.

Conclusion

Smartphones are an incredible tool for a whole range of people and their use will proliferate. However, smartphone security is lagging ten years behind the growth curve, especially as they are so easily lost or stolen.

Smartphones carry with them the risks of any computer on a network and at the same time cross the divide between voice and data, which brings security risks of its own. For an organization to remain secure, smartphones need to come within the sphere of the security policy, their use needs to be regulated and active steps should be taken to employ them securely.

Posted in Compliance, Data Breaches, Information Security, Mobile Threats, Threats, Tools

Control Systems Security Program (CSSP)

US-CERT (DHS) has published a Cyber Security Evaluation Tool for national critical infrastructure.
Overview
Critical infrastructures are dependent on information technology systems and computer networks for essential operations. Particular emphasis is placed on the reliability and resiliency of the systems that comprise and interconnect these infrastructures. NCSD collaborates with partners from across public, private, and international communities to advance this goal by developing and implementing coordinated security measures to protect against cyber threats.

The Cyber Security Evaluation Tool (CSET) is a Department of Homeland Security (DHS) product that assists organizations in protecting their key national cyber assets. It was developed under the direction of the DHS National Cyber Security Division (NCSD) by cybersecurity experts and with assistance from the National Institute of Standards and Technology. This tool provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems.

Purpose
CSET is a desktop software tool that guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards. The output from CSET is a prioritized list of recommendations for improving the cybersecurity posture of the organization’s enterprise and industrial control cyber systems. The tool derives the recommendations from a database of cybersecurity standards, guidelines, and practices. Each recommendation is linked to a set of actions that can be applied to enhance cybersecurity controls.

CSET has been designed for easy installation and use on a stand-alone laptop or workstation. It incorporates a variety of available standards from organizations such as National Institute of Standards and Technology (NIST), North American Electric Reliability Corporation (NERC), International Organization for Standardization (ISO), U.S. Department of Defense (DoD), and others. When the tool user selects one or more of the standards, CSET will open a set of questions to be answered. The answers to these questions will be compared against a selected security assurance level, and a detailed report will be generated to show areas for potential improvement. CSET provides an excellent means to perform a self-assessment of the security posture of your control system environment.

Key Benefits
• CSET contributes to an organization’s risk management and decision-making process
• Raises awareness and facilitates discussion on cybersecurity within the organization
• Highlights vulnerabilities in the organization’s systems and provides recommendations on ways to address them
• Identifies areas of strength and best practices being followed in the organization
• Provides a method to systematically compare and monitor improvement in the cyber systems
• Provides a common industry-wide tool for assessing cyber systems

How to Obtain it
CSET is available for download at the following link:
Download CSET here

As an alternative to the downloadable version, a CSET DVD is available from the DHS National Cyber Security Division. To request a copy, please send an email to CSET@dhs.gov. Please insert “CSET” in the title block of the email and include your name, organization name, complete street address (no P.O. boxes), and phone number in your email request.
Alternatively, the Control Systems Security Program also offers onsite training and guidance to asset owners in using CSET during onsite assessments. These assessments are conducted at no cost to the asset owners. To assist an organization in planning and organizing for an assessment using the CSET, the following actions and items are recommended:

• Identify the assessment team members and schedule a date.
• Become familiar with information about the organization’s system and network by reviewing policies and procedures, network topology diagrams, inventory lists of critical assets and components, risk assessments, IT and ICS network policies/practices, and organizational roles and responsibilities.
• Select a meeting location to accommodate the assessment team during the question and answer portion of the assessment.
• Work with CSSP for onsite or subject matter support.
To request onsite assistance, please send mail to cset@dhs.gov.

Posted in Audit, CIP, Compliance, Information Security

Waiting For The Gargantuan

The pressing together of tectonic plates along the Himalayas can result in a really big one
Pallava Bagla

“The most dangerous place in the world today, I think you could argue, is the Indian subcontinent,” former US president Bill Clinton is said to have remarked, speaking from a geopolitical perspective. That is an argument many would want to take up. But seismologists, alarmed by their assessments, and by the recent Richter 6.8 earthquake in Sikkim, say there could have been no arguing had Clinton been speaking from a geotectonic perspective. The Sikkim temblor, they say, is merely a nudge from the earth. A monster quake could be waiting to happen. When? Where exactly? There’s no predicting in seismology.

The Himalayan faultline, many geologists have concluded, is at places like a spring coiled tight, waiting to release that titanic potential energy as shock waves across the surface of the earth. It is more dangerous than nuclear bombs and lurks right under our feet, across several borders of South Asia. It can strike without warning and cause widespread devastation across all big cities of north India. But it is impossible to tell if it will strike within our lifetime or four or five, or many, generations hence.

“A time-bomb is ticking away,” says Prof C.P. Rajendran, a palaeoseismologist at the Centre for Earth Sciences, IISc-Bangalore. “It’s not a question of if but of when the big one of more than Richter 8 will strike northern India.” His concerns are echoed by Harsh Gupta, noted seismologist and former secretary in the Union ministry of earth sciences. “In a way, yes, there is a ticking bomb,” says Gupta, “because a great earthquake in the Himalayan region is overdue. It could occur any time.”

The basis for this prognosis is the unique geological history of India. Landmasses are but what is visible, above the sealine, of continental plates floating on an ocean of magma at the earth’s core. Some 71 million years ago, the Indian subcontinent started drifting from the African landmass, moved northwards and eventually, over the course of millions of years, collided with the huge Asian landmass. Since then, the Indian plate has been pushed under the Asian landmass at the rate of 5 centimetres per year. The extent across which this push-and-shove is taking place—from Afghanistan to Arunachal Pradesh, an arc of some 2,400 kilometres—leaves lakhs of square kilometres of the continent under threat of a monster quake. The young and restless Himalayas, rising every year by some 5 millimetres, are a looming testimony to the intensity of the subterranean wrestling of plates, the danger building up. “There’s a definite possibility of a great earthquake, of Richter 8 intensity or more, in the Himalayan region,” says Gupta. “There’s no doubt about it. The problem is, no one can guess when or where.”

This tectonic brawling has caused northern India to witness some really big earthquakes in the past. The 1897 Shillong quake (magnitude 8.7) packed maximum energy, but because the region was then sparsely populated, the casualty figure was some 1,500. But it left an indelible mark: the Shillong plateau rose 11 metres. In 1934, the Bihar-Nepal earthquake, of the same magnitude as the Shillong one, claimed 10,000 lives. Both quakes were the result of a big rupture in the crust of the earth, a shearing of plates as they rubbed against each other at the faultline, releasing pent-up stress in seismic waves of uncontainable energy.

According to an estimate published in the journal Science by Vinod K. Gaur of the Indian Institute of Astrophysics, Bangalore, a leading Indian seismologist, great earthquakes of the sort anticipated in the region have a revisit time of some 500 years. Roger Bilham, a seismologist at the University of Colorado, says, “What’s more important today is that the Himalayas are ruptured, along less than half of their extent.” This means tremendous strain is building up every day. Bilham says the stress along the Himalayan faultline, lying a little north of Delhi, hasn’t been relieved in nearly 600 years: the last monster struck in 1505. Based on historical data on earthquakes, and taking into account both magnitude and fatalities in big ones like the Richter 8 quake that hit Kangra in 1905, he estimates two lakh fatalities, should a monster strike.

Vineet Gahalaut, a seismologist at the National Geophysical Research Institute (NGRI), Hyderabad, says, “The reason we expect a great earthquake somewhere in the central seismic region, lying between Dehradun and Kathmandu, is because in so many years, no major earthquake has occurred here. No great earthquake has relieved the tension that has built up.”

Cities like New Delhi, Kanpur, Lucknow, Allahabad and Patna lie within striking distance. There are huge concerns about Delhi. “Almost 70 per cent of Delhi will be flattened,” says Gupta. “This is because the soil on which the city stands is of the soft, alluvial kind, and most of the new buildings are on the flood plains of the Yamuna. Huge earthquakes can lead to a phenomenon called liquefaction—due to vigorous shaking, the soft soil becomes like a gluey mass into which buildings simply sink.”

He says the March 11 Japan earthquake (magnitude 9) and the simultaneous tsunami was an eye-opener. Earthquakes of 9+ magnitude are extremely rare: only four or five such mega earthquakes are known. To put it in perspective, Gupta explains that, since the Richter and other scales are logarithmic (base 31.6), a magnitude 9 earthquake can be said to be 30,000 times bigger than one of magnitude 8: therefore, the Sikkim quake (magnitude 6.8) was thousands of times smaller than the Japan quake. “Imagine what would have happened,” says Gupta, “if an earthquake as big as the one in Japan struck in the Himalayan region.”

In a 2007 assessment, the National Disaster Management Authority (NDMA) found almost 59 per cent of India “vulnerable to moderate or severe seismic hazards”. Startlingly, it also found that most buildings in suburban areas are “non-engineered and built without adhering to earthquake-resistant construction principles…. Traditional houses are being replaced with modern reinforced cement concrete buildings, often without compliance to building codes”.

NDMA says that between 1990 and 2006 India has experienced six earthquakes, resulting in the death of over 23,000 people and causing huge loss to infrastructure. “Very severe earthquakes are likely to occur anytime in the Himalayan region, which could adversely affect the lives of several million people,” the organisation warns.

But a complacent government and civil society do not seem to care. Are we sitting on a time-bomb? S.S. Rai, a seismologist at NGRI, Hyderabad, gives an emphatic “yes”. And what can we do? “Deactivating this bomb is easy—if only we would make all our structures quake-resistant,” says Rajendran. After all, earthquakes don’t kill; the killers are the buildings that collapse.

Posted in CIP, Crisis Management, Disaster, Disaster Management, Natural Threats, Threats

PCI Council issues point-to-point encryption validation requirements

The PCI Security Standards Council issued point-to-point encryption validation requirements as part of a new program that aims to provide merchants with a list of certified products.

The PCI encryption requirements document, PCI Point-to-Point Encryption Solution Requirements, was released this week and provides vendors, assessors and merchants with guidelines for hardware-based point-to-point encryption implementations that support PCI DSS compliance. The Council said its requirements focus on ways to secure and monitor the hardware, develop and maintain secure applications, and use secure key management methodologies.

Point-to-point or end-to-end encryption providers have been touting the benefits of encrypting cardholder data from the time a credit card is swiped at a point-of-sale device to the time it reaches a card processor. But merchants have had no easy way of evaluating individual providers to determine whether the equipment, applications and capabilities meet PCI DSS requirements from the time credit card data is captured to its transmission to a processor and bank systems. The problem has resulted in some high-profile data security breaches that highlighted some holes in PCI assessments and so-called end-to-end encryption implementations.

Last year the Council called point-to-point encryption implementations too immature to properly evaluate. Bob Russo, general manager of the PCI SSC, said that many merchants have purchased and deployed hardware-based point-to-point encryption systems, prompting the PCI Council to create the validation program. Testing procedures will be released later this year followed by a new training program for qualified security assessors, Russo said. A certified list of systems will be produced in the spring of 2012.

“Merchants think that buying point-to-point encryption solutions will reduce the scope of what they’re doing and that’s not always the case,” Russo said. “We know people are buying this right now so we wanted to make sure we produced something meaningful as well as a program that certifies some of these things.”

The first phase of the point-to-point encryption program is to focus on requirements for implementations that combine hardware-based encryption PIN transaction security (PTS) devices, where the card is swiped, with hardware security modules, where the decryption takes place. In the second phase, validation requirements will address hybrid systems and pure software point-to-point encryption deployments, Russo said.

The validation document lays out six areas that will be assessed in a point-to-point encryption implementation. The Council will oversee evaluation of the security controls used on the hardware, the applications within the hardware, the environment where encryption hardware is present, the transmissions between the encryption and decryption environments, the decryption environment itself and the key management operations.

The document lays out the responsibilities of device manufacturers, application vendors and point-to-point encryption vendors. It combines validation programs run under the Payment Application Data Security Standards (PA-DSS) and the PCI PIN Transaction Security laboratory, which currently tests point of interaction devices.

A Qualified Security Assessor will evaluate the complete deployment to ensure the hardware, applications and key management processes fully protect card holder data by meeting the PCI DSS requirements, according to the document.

A fully validated point-to-point encryption implementation will reduce the scope of PCI DSS on a merchant’s systems, but the PCI Council cautions that merchants would still be required to be evaluated against PCI DSS to ensure the system is being secured and maintained.

“This scope reduction does not entirely remove or replace all of a merchant’s PCI DSS compliance or validation obligations,” according to the PCI point-to-point encryption validation document. “Applicable requirements covering the education of staff handling account data, security policies, third-party relationships, and physical security of media will still apply to merchants that have implemented a validated P2PE solution.”

Posted in Audit, Compliance, Cryptography, Data Privacy, PCI DSS, PKI, Tools

Critical infrastructure: time to begin anticipating and adapting to climate change

Despite the uncertainties surrounding climate change, it is time to start developing effective strategies that will keep critical infrastructure running in the face of the adverse impacts that seem increasingly likely to occur.

This consensus emerged from a two-day leadership summit that brought together major US stakeholders from the $1 trillion-plus freight transportation sector with climate change researchers to discuss the issue for the first time.

The meeting was held at Vanderbilt University and was sponsored by the Vanderbilt Center for Transportation Research (VECTOR), Vanderbilt Institute for Energy and Environment (VIEE) and the University of Memphis’ Intermodal Freight Transportation Institute.

“It is increasingly clear that climate change will have potentially large impacts on the nation’s highways, railroads, waterways, airports and pipelines. In all likelihood, these impacts will increase in the future, so we have to learn how to plan ahead,” said George Hornberger, director of VIEE and distinguished professor of civil and environmental engineering.

Weather-related damage to US infrastructure on the rise

According to the University Center for Atmospheric Research, more than 75 percent of natural disasters are triggered directly or indirectly by weather and climate. In the US, more than a quarter of the nation’s gross national product (over $2 trillion) is sensitive to weather and climate events, which affect health, safety, the economy, the environment, transportation systems and national security. Each year, the US sustains billions of dollars in weather-related damages caused by hurricanes, tornadoes, forest fires, flooding, heavy snows and drought. The threats associated with extreme weather and climate change are substantial, and adapting to climate change will be crucial to economic and social stability, for example by making future water, food and energy supplies reliable and sustainable. Contributing to these costs is the problem of the nation’s aging infrastructure, which needs $2.2 trillion in improvements to meet today’s demands, according to the 2009 National Infrastructure Report Card by the American Society of Civil Engineers.

Unless the nation begins taking appropriate measures, these costs are likely to increase: “It appears to us that more extreme weather events – like floods and hurricanes – are becoming more frequent and pronounced and we need to be prepared to adapt to the prospect that what have been episodic events in the past become chronic features of our operational landscape in the future,” observed Craig Philip, chief executive officer of the Ingram Barge Company and a member of the conference steering committee.

The Mississippi River floods in April and May, which were among the largest and most damaging recorded along the waterway in the past century, the flooding on the Missouri that began in June and the above-average wildfire season that burned 1.3 million acres in the month of June in the Southern Plains and Southwest, are dramatic examples of the kinds of natural disasters that experts predict will become increasingly severe and frequent.

“Right now people are waking up to the fact that they will have to adapt, but very few are walking the walk,” commented Mark Abkowitz, co-organizer of the meeting and professor of engineering management at Vanderbilt. “If we’re not careful and begin taking actions soon, we will fall so far behind that playing catch-up will be difficult.”

Reasons for current lack of action

The summit discussions identified several reasons for the current lack of action:

1) Uncertainty in the timing and magnitude of climate change;

2) Insufficient knowledge of how these changes will impact the performance of critical infrastructure systems;

3) The succession of short-term crises that deflect attention and resources; and,

4) Lack of political leadership in this area.

So far, the federal government has focused almost exclusively on mitigation: developing methods that reduce the amount of carbon dioxide released in various industrial processes or sequestering carbon deep underground.

“Regardless of the success of mitigation efforts, we will need to adapt. Even if we could completely stop injecting more carbon dioxide into the atmosphere, the concentration of carbon dioxide is already significantly higher than historic levels so we would still have to handle the consequences,” said Hornberger.

Key initiatives for next five years

Summit delegates identified several key initiatives that should be undertaken in the next five years:

* Identify the critical infrastructure that is most vulnerable to damage and disruption. Of particular importance are bridges, highways, rail lines, airports and other key transportation facilities for which there are no alternatives;
* Assess the cost of impacts to key infrastructure components. Putting a dollar sign on the potential damage for non-action helps determine the benefits of the proposed protective measures;
* Develop better tools and models for performing risk assessments. Right now the climate models are more accurate at the global and regional scale, but they are not capable of predicting the local effects that planners need;
* Define and communicate climate change problems in terms that decision makers can understand;
* Improve dialogue and collaboration among stakeholders.

“There is no reason why we should wait to get started down this path,” said Abkowitz. “As long as our approach remains flexible, we can adapt as better information becomes available.”

Posted in BCM, Biological Threats, CIP, Crisis Management, Disaster, Disaster Management, Natural Threats, Risk Management, Threats

ISO/IEC 27005:2011 standard now available

ISO has announced that ISO/IEC 27005:2011 is now available. The standard provides a framework for managing information security risks in support of an information security management system (ISMS).

Information security risks pose a considerable threat to businesses due to the possibility of financial loss or damage, loss of essential network services, or loss of reputation and customer confidence. Risk management is one of the key elements in preventing online fraud, identity theft, damage to websites, loss of personal data and many other information security incidents. Without a solid risk management framework, organizations expose themselves to many types of cyber threats.

ISO/IEC 27005:2011 ‘Information technology – Security techniques – Information security risk management’ describes the information security risk management process and associated actions, and supports the general concepts specified in ISO/IEC 27001:2005.

Edward Humphreys, Convener of the ISO/IEC working group that developed the standard comments: “ISO/IEC 27005:2011 is an essential standard for those that want to manage their risks effectively and, in particular, to comply with the popular information security management system standard ISO/IEC 27001. Risk management is critical to good business governance, and this standard helps organizations with advice on the why, what and how of managing information security risks in support of their governance objectives.”

In this second edition, the framework outlined in ISO/IEC 27005 has been reviewed and updated to reflect the content of the following risk management documents:

* ISO 31000:2009, Risk management – Principles and guidelines
* ISO/IEC 31010:2009, Risk management – Risk assessment techniques
* ISO Guide 73:2009, Risk management – Vocabulary.

The standard is intended to align closely with ISO 31000:2009 so that organizations can manage their information security risks in the same way they manage their other risks.

ISO/IEC 27005:2011 does not prescribe a specific methodology for information security risk management. It is up to the organization to define its own approach, depending, for example, on the scope of the information security management system, the context in which risk is managed, or the industry sector.
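Because the standard leaves the scoring method to the organization, the following is one possible organization-defined approach, written here as an added example; it is not code from ISO/IEC 27005 or from this page. It walks a small risk register through identification, analysis (likelihood and impact on 1-5 scales), evaluation against a risk acceptance threshold, and a treatment decision. The scales, the likelihood-times-impact product, the threshold of 6, the model of controls as likelihood reductions, and the sample register are all assumptions chosen for illustration; only the four treatment option names (modify, retain, avoid, share) follow the standard's terminology.

```python
"""Illustrative qualitative information security risk assessment.

Added example, not text from ISO/IEC 27005:2011. The 1-5 scales, the
likelihood x impact scoring, the acceptance threshold and the sample
register are assumptions; an organization would define its own.
"""
from dataclasses import dataclass, field

# Qualitative scales (assumed): the organization decides what each step means.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk acceptance criterion (assumed): a level strictly above this needs treatment.
ACCEPTANCE_THRESHOLD = 6


@dataclass
class Risk:
    """One register entry: a threat exploiting a vulnerability in an asset."""
    asset: str
    scenario: str
    likelihood: str
    impact: str
    # Planned controls as (name, likelihood reduction in scale steps); assumed model.
    controls: list = field(default_factory=list)


def risk_level(likelihood: str, impact: str) -> int:
    """Organization-defined scoring: likelihood x impact on the 1-5 scales."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def residual_level(risk: Risk) -> int:
    """Level after planned controls: each control lowers likelihood, floored at 'rare'."""
    steps = sum(reduction for _, reduction in risk.controls)
    likelihood_score = max(1, LIKELIHOOD[risk.likelihood] - steps)
    return likelihood_score * IMPACT[risk.impact]


def evaluate(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> dict:
    """Compare inherent and residual levels with the acceptance criterion and pick a treatment."""
    inherent = risk_level(risk.likelihood, risk.impact)
    residual = residual_level(risk)
    if inherent <= threshold:
        option = "retain"   # already within acceptance criteria: document and monitor
    elif residual <= threshold:
        option = "modify"   # planned controls bring it within criteria
    elif IMPACT[risk.impact] >= 5:
        option = "avoid"    # severe impact that controls cannot reduce enough: withdraw the activity
    else:
        option = "share"    # e.g. insurance or outsourcing; the remainder stays on the register
    return {"asset": risk.asset, "scenario": risk.scenario,
            "inherent": inherent, "residual": residual, "treatment": option}


def assess(register: list, threshold: int = ACCEPTANCE_THRESHOLD) -> list:
    """Evaluate every entry and return them ordered by inherent level, highest first."""
    return sorted((evaluate(r, threshold) for r in register), key=lambda e: -e["inherent"])


# Constructed sample register for illustration only.
REGISTER = [
    Risk("customer database", "SQL injection through the web front end", "likely", "major",
         [("parameterised queries", 2), ("web application firewall", 1)]),
    Risk("office laptops", "theft of an unencrypted device", "possible", "moderate",
         [("user awareness and cable locks", 1)]),
    Risk("public website", "defacement", "unlikely", "minor"),
    Risk("legacy SCADA gateway", "remote exploitation of unpatchable firmware", "likely", "severe",
         [("network segmentation", 1)]),
    Risk("payment processing", "cardholder data breach", "possible", "major",
         [("tokenisation", 1)]),
]

if __name__ == "__main__":
    for entry in assess(REGISTER):
        print(f"{entry['inherent']:>2} -> {entry['residual']:>2}  {entry['treatment']:<6} "
              f"{entry['asset']}: {entry['scenario']}")
```

Running the block prints the register ranked by inherent level, with the residual level and the chosen treatment beside each entry; changing the threshold or the scales changes the decisions, which is exactly the choice the standard leaves to the organization.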

Posted in Audit, Information Security, Risk Management