Now incorporating 112 Review, Community Safety Review & Military Review

The bad guys are out-running the good guys – Can compliance stop them?

Brian Chess, Founder and Chief Scientist, Fortify Software

Judging by the number of public breaches that we keep hearing about, it looks like the bad guys are far outrunning the good guys. We know it’s a big problem because as a company we get called in to sort out the problems most often once the horse has bolted.

In June of this year, section 6.6 of the PCI Data Security Standard (DSS) becomes mandatory in the US. Will things change? From a UK perspective it will be interesting to see whether it makes a change for the better. Online merchants that process credit card payments will either have to conduct a code review for their applications or install an application-layer firewall. The standard offers a choice, but there really isn’t any choice at all. If an organization is going to successfully protect its data, it needs to aim for preventing a breach, not passing an audit. This means, first, finding and fixing the vulnerabilities in your software; second, building security into the development process; and third, protecting your applications once they’re deployed.

Hannaford Bros, a supermarket chain based in New England, USA, passed a PCI audit and then got hacked. They lost 4.2 million credit and debit card numbers, which has led to 1,800 cases of fraud to date. Over the last two years, as the PCI standards have slowly been implemented, the number of data breaches has increased from 158 incidents in 2005 to 443 incidents in 2007, for a total of 212 million records. So judging by this, you’ll see the bad guys are still very much in the lead. And that’s why PCI keeps evolving. But, in order to win this battle, companies must invest in security, not just in compliance.

In the spring of 2005, someone broke into a Web application for the Assignment Management System of the United States Air Force. They stole 33,000 personal records. The USAF responded to their breach with a multi-million dollar effort to identify and eliminate their security holes. This initiative incorporated a heavy reliance on source code analysis, in order to fix the problems at the root cause, as well as targeted investments in application firewalls, web application scanning tools, and database firewalls. The key to their approach was having the right motivation. They didn’t launch this initiative to pass an audit. They did it to ensure their software was secure. The result has been a comprehensive and dedicated deployment. As software drives nearly every military activity today, we can all be a little more comfortable knowing they have the right approach to deal with the threat.

The PCI council knows that analyzing the code early is the right thing to do, as they stress the importance of building security into the development process. All of the following quotes come from the PCI council, and they all emphasize the importance of the code.
  • “…it is recommended that reviews and scans also be performed as early as possible in the development process.” (1)
  • “Tools should be made available to software developers and integrated into their development suite as much as practical.” (1)
  • “The reviews or assessments should be incorporated into the SDLC and performed prior to the application’s being deployed into the production environment.” (1)
  • “Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project guidelines.” (2)
  • “Review custom application code to identify coding vulnerabilities.” (2)
  • “Cover prevention of common coding vulnerabilities in software development processes.” (2)
(1) Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified. April 15th, 2008

(2) Payment Card Industry (PCI) Data Security Standard, Version 1.1. September, 2006

Bottom line – build security in. If you want to have the best chance of passing a PCI audit, AND preventing a breach, fix the code first, and then monitor it in real-time.

PCI Section 6.6 is a productive step forward and encourages companies to do just this, but as with many standards, companies can interpret the mandates in many ways. A bad interpretation and a weak implementation will mean a false sense of security. Passing a PCI compliance audit is necessary, but compliance alone does not protect your company from a breach. So be ahead of the bad guys and put your efforts into ensuring your applications are secure – that way you’ll be out there taking the lead.

www.fortify.com

New Online Community for Information Security Industry www.infosecurityadviser.com

NEWS RELEASE

Monday 30th June 2008 - The team behind the popular Infosecurity Europe show - held in London every spring - has launched an online interactive security forum for the Infosecurity industry with advice, forums, blogs, career path, ask the experts, Q&A and other resources for everyone involved in the challenges of information security. The key difference from other sites is that it is not about the latest news: it is a community where all the content is created by and for the benefit of the global infosecurity community.

"The Infosecurity Adviser portal contains a wide variety of resources, including top-quality blogs, all of which are designed to keep computer users up to date on current and future events in the IT security industry. Registered users of the site can get involved by posing questions to members of the “Ask the Expert” panel or on the forum, adding a product review on a technology they have used, or commenting on any of the content created by the community," said Claire Sellick, event director of Infosecurity Europe.

The most active bloggers at the moment are members of the Information Security Awareness Forum Board, including Dr David King, ISSA, chair of the ISAF; Peter Wenham, CISSP, from the Communications Management Association; Andy Jones, CISSP, from the Information Security Forum; also Jon Collins, Service Director with analyst firm Freeform Dynamics, and Chris Potter, a partner with PricewaterhouseCoopers. The two top-rated blogs at the moment are “Top down awareness” by ISAF Blog team member Peter Wenham and “Security awareness - the next generation” by Chris Potter from PricewaterhouseCoopers.

"We also have an exclusive "Ask the Experts" section of the site where users can get free advice from industry experts," Sellick added.

According to Sellick, thanks to the support of the Information Security Awareness Forum and a number of other IT security bodies, the Infosecurity Adviser portal can offer all types of computer users information and resources that will keep them informed on the many aspects of information security they need.

"The site's crisp and concise manner, together with regular updates from a flotilla of industry experts, means that we expect the portal to become a must-visit resource on the Web in a short space of time," she said.

Infosecurity Adviser is supported by the Information Security Awareness Forum (ISAF). Dr David King, ISSA UK and Chair of the Information Security Awareness Forum, said, "The new Infosecurity Adviser Portal will help to bring together expertise and advice to those who have questions around information security. This in turn will help to promote security awareness. The Information Security Awareness Forum supports this initiative and welcomes the bringing together of different elements of the industry through the portal mechanism. The awareness forum is also supporting the portal through its blog which is available on the portal website."

Raj Samani, ISSA-UK VP of Comms, said, “Sometimes you can be left with problems which Google simply cannot answer! It is therefore refreshing to see something out there which can provide practical help to problems which can sometimes seem impossible to deal with on your own.”

“The IT security industry is an industry in transition. For this reason as much as any, it’s great to have a place where industry experts and security professionals on the front line can have a clear and open exchange of views. It’s both useful in its own right, and it all helps move the debate forward,” said Jon Collins, Service Director with analyst firm Freeform Dynamics.

"In my experience, the information security community comes up with some really good questions. I'm looking forward to the online community being a great way for us all to share experience and get to the answers!" said Chris Potter, Partner, PwC.

For more on the Infosecurity Adviser portal:
http://www.infosecurityadviser.com/

Protecting Virtual Infrastructures with Data Replication

by Ian Masters, UK sales and marketing director at Double-Take Software

Many organisations are adopting virtualisation technologies in their data centre to secure the benefits of increased hardware utilisation, reduced power consumption and simplified management. The reliability of this new infrastructure is likely to be of critical importance but what is the best way to protect virtual servers and keep them highly available?

A virtual infrastructure has a single point of failure: shared disk space. An organisation that relies on tape to protect this environment will struggle to provide the infrastructure with the protection and availability it requires, as it can take days to restore virtual systems from tape, if it is possible at all. Some virtualisation products come equipped with a snapshot-based technology that sends data in periodic chunks. However, the flexibility of this technology is limited, and as a result it does not provide the protection, availability and disaster recovery that a business-critical virtual infrastructure warrants. No matter which virtualisation vendor’s solutions are deployed, independent data replication products provide availability of virtual infrastructures far more effectively than tape, greatly increase native protection and provide data centre managers with a very useful management tool.

If an organisation is already using an independent data replication solution within its business continuity plan, it may be flexible enough to be used within virtual infrastructures. Data centre managers are likely to maintain a variety of hardware on which they host virtual servers, so the high availability solution needs to have the flexibility to work in any hardware environment. Host-based replication is an asynchronous technology that replicates at the server level: it streams changes in real time, as they occur, and applies them on target servers in the order in which the operations occurred. Host-based replication is hardware agnostic and therefore ideal for heterogeneous environments, so it has the flexibility required to protect typical virtual infrastructures. Host-based replication has the additional benefit of providing data centre managers with a simple-to-use virtual infrastructure migration and management tool.

Many organisations already have a disaster recovery facility or satellite office where they send backup copies of data for disaster recovery. Having a live duplicate of the virtual infrastructure within those locations provides the ultimate level of protection and recovery in the event of a substantial site disaster. Host-based replication technologies are able to replicate over any distance, so they provide organisations managing virtual infrastructures with the best possible protection for business-critical physical and virtual environments.

Virtualising servers is only the first step in modernising a data centre to take advantage of the benefits on offer. Virtual infrastructures are business-critical, so organisations need to make sure they are highly available. Deploying an appropriate data replication technology is the only strategy that will provide the protection required. Host-based data replication products not only provide high availability but can also help data centre managers better maintain virtual systems through the ability to provision, convert and migrate systems both near and far.

Source: Eskenzi PR Ltd.

The real cost of a security breach

by David Hobson, Managing Director of Global Secure Systems (GSS)

In its 2006 annual report for the fiscal year ended 27 January 2007, T.J. Maxx recorded a pre-tax charge of approximately $5 million for costs incurred in connection with the computer intrusion it formally disclosed in January 2007. This charge covers actual costs incurred to investigate and contain the breach, strengthen its computer security and systems, and communicate with customers, as well as technical, legal, and other fees. $5 million may suggest that it got off lightly, but is this just the tip of the iceberg? What are the hidden costs of a security breach? What will be the final figure? This article aims to examine the hidden expense of a data breach, both the tangible and intangible costs. It concludes with ‘top ten tips’ to avoid being the next headline grabber.

IT security in the early 1990s was relatively simple. Data was stored on mainframes, access control was limited and the need to share data was very limited. Today the rules have changed. More data needs to be shared, access to data is required from almost anywhere, and the need to secure that data has grown through regulation and legislation. The user population is much more technical now, and the Internet boom has enabled an increasing number of people to cause more trouble than ever. Most organisations acknowledge that the impact of a security breach on the business will result in financial expense.

It’s going to cost how much!
Firstly, there are the direct and easily correlated costs such as replacing any lost or stolen devices; investing in, or strengthening existing, IT security; and if necessary strengthening the building’s physical security.

In August 2007, Monster had to take action when it discovered that con artists had mined contact information from the CVs of 1.3 million people, and possibly many more, as Monster has since confirmed that this was not an isolated incident. Files were stolen not only from Monster.com but from USAJobs.gov, the federal-government career-listing service operated by Monster. Monster has said it will have to spend at least $80 million on upgrades to its site, which will include security changes. Among them are closer monitoring of the site and limits on the way its data can be accessed.

It doesn’t stop there
Some costs are harder to pin down including contacting those whose records may have been exposed, credit monitoring for those affected, and even the possibility of subsequent legal action taken by people who have suffered a financial loss as a direct result of their records being exploited.

HMRC, which in December had two CDs containing 25 million child benefit records go astray in its internal post system, wrote to each person whose personal details were at risk. When tallying this up there is the physical cost of the paper and envelopes, printing the letter and addressing the envelopes, and postage, plus the harder-to-estimate employee time to draft the letter and physically perform the mail-out, to account for.

Customer lawsuits can cause serious headaches for businesses that go far beyond the reputation-slaying negative headlines. Aside from the actual monetary damages, lawsuits often leave companies on the hook for additional training, systems upgrades or -- in the case of a data breach -- credit monitoring for those affected.

In the case of TJ Maxx’s massive security breach, the company revealed that all affected customers were offered credit monitoring at its expense. Additionally, it disclosed that it has agreed to pay up to $24 million in a settlement with MasterCard, and it might not stop there. It also confirmed that it has had to budget for various litigation and claims that have been, or may be, asserted against it or its acquiring banks on behalf of customers, banks, and/or card companies seeking damages allegedly arising out of the Computer Intrusion.

In another instance, the Information Commissioner’s Office (ICO) found Marks & Spencer in breach of the Data Protection Act in January this year, following the theft in April last year of an unencrypted laptop containing the personal information of 26,000 M&S employees. As a result, the ICO ordered Marks & Spencer to ensure all hard drives on laptops that it uses were fully encrypted by April 2008, facing further prosecution if it failed to comply, although M&S has appealed against this decision and a final outcome is yet to be decided. Other tangible costs Marks & Spencer faced were writing to all 26,000 employees affected and the cost of its offer to them of free credit checks. But what is the hidden cost? How many employees’ loyalty will have been damaged by this incident? We all recognise the cost of recruitment and training.

In 2007, the UK's largest building society, Nationwide, received a fine of nearly £1m from the Financial Services Authority after the theft of an employee's laptop unearthed security flaws which could have put its 11 million customers at risk. In the first action taken by the City regulator over such systems and controls issues, Nationwide had faced a £1.4m penalty but was given a reduced fine of £980,000 because of its cooperation.

It runs deeper still
So what other concealed costs are there?

There is bound to be an impact on share price, even if only temporarily, as stakeholders react to the news.

There is the lost marketing investment when a brand is damaged, which is a key impact that UK Boardrooms should be concerned about. This is closely followed by the recovery costs in the form of future/increased marketing budgets to regain market position, rebuild reputation, etc. Imagine the continuing damage if the company’s communications can no longer be trusted. IKEA fell victim earlier this year when a hole in its website security allowed hackers and phishers access to its ‘contact IKEA’ function enabling them to send bulk outbound mail via its email servers. The potential damage to the company's reputation and possibility of email blacklisting could be significant.

There is the cost of customer erosion, especially where the breach has compromised credit card details as in the case of Cotton Traders. Apacs has called the recent hacking attack on its website a “serious” breach, saying the hackers could use the stolen card details for fraud. The clothing company has so far refused to say how many people have been affected, and has tried to alleviate continuing fears by confirming that its customer credit card data is now encrypted on its website, but could this prove too little too late?

There could even be the risk of employees jumping ship as internal morale dives: they may feel their loyalty is compromised if the company they work for makes headline news for the wrong reasons. Filling vacancies is a costly exercise.

There is even the reality that those unaffected and uninvolved will still end up footing the bill. Again the HMRC data loss can provide a perfect example of this. The Chancellor of the Exchequer at the time of the breach, Alistair Darling, confirmed that banks were having to monitor all 7.25 million bank accounts whose details were on the discs. Although the cost for this monitoring has not been revealed the banks will make sure that they recoup the expense from someone! So either the tax payer, or everyone with a bank account, is going to cover this charge.

This article shows that data loss is not an insignificant issue. Information assurance is business critical and, for many organisations, the data they own is their key asset, so why are so many failing to treat it as such? Failing to do so opens the corporate purse with no guarantee that it will ever be closed again. TJ Maxx itself summed it up when it said in its statement: “Beyond this charge [$5 million], we do not have enough information to reasonably estimate losses we may incur arising from the Computer Intrusion.”

Top Ten Tips to Preventing a Breach:
  1. Management set the tone for their organisations by their own behaviour. As such, good information practices are obligatory for all stakeholders, not just employees.
  2. Be proactive – management should deal with information assurance issues proactively, rather than reactively as information assurance is far more cost effective in a preventative rather than a remedial context.
  3. Information assurance is a business issue, not something extra for IT to handle. IT simply does not have the resources and/or authority to drive information assurance best practices through their organisations.
  4. Understand that information assurance is an ongoing process, not an annual event just before the auditors arrive.
  5. Information assurance is everyone’s job and as such investments in training and awareness programs for all employees are critical.
  6. Management should set out the company’s expectations with respect to information assurance in clear, accessible policies.
  7. The process for dealing with information security incidents should be defined in straightforward and unambiguous procedures.
  8. Investments need to be made in technology that will result in the secure transport and processing of information by the company’s information technology assets.
  9. Suitable best practices should be identified and implemented rather than ad hoc approaches implemented.
  10. Expert advice should be sought and used at all times to advise and oversee efforts in respect of information assurance from an experienced and objective third-party perspective.
www.gss.co.uk

Source: Eskenzi PR Ltd.

Farms need emergency plans before disasters strike

(Wisconsin) Farmers should have emergency plans before a tornado, fire, or other disaster hits their farm, according to the Wisconsin Farm Bureau Federation. The Farm Bureau posts a farm emergency plan template on its web site, www.wfbf.com, for farmers to make their own list of emergency contacts, family members and employees, a plan to meet away from the farm in an emergency, and a diagram of their farm.

“When an emergency responder pulls into a farm’s driveway, they may not always be prepared for what they are going to find,” said Casey Langan, Director of Public Relations for the Farm Bureau. “They might not know how grain bins operate, how livestock react under stress, how anhydrous ammonia tanks work and the danger involved with handling the product. Therefore a farm emergency plan should include a description and location of production facilities, livestock and equipment to help minimize the devastating effects of a farm disaster.”

The Farm Bureau said current operational procedures exist for local police, fire and emergency response teams, but many of them may have little knowledge of the workings of a farm. An emergency plan should provide the additional safety information that emergency responders will need.

Farms may have equipment, building structures, livestock bio-security measures, farm chemicals and fuels, power usage and generation, and other aspects of raising livestock and growing crops that require special attention by emergency officials or other important partners who respond to the special needs of farms.

The Farm Bureau is recommending that farm families review and update this emergency list with their family and employees, and to have copies posted near telephones and shared with neighbors and emergency responders.

Items to include in a farm emergency plan:
  • List of family members, employees or neighbors who are familiar with your farm business.
  • List of emergency contacts.
  • Description of medical history or medical information of family members and employees.
  • Description of location of the farm and directions from nearest major intersection.
  • A general diagram of the farm that includes the location of chemicals, fuels, livestock, equipment, overhead and buried utilities, etc.
  • Location of spare keys for vehicles or buildings.
  • Contact information of businesses providing services such as veterinarian, heavy equipment, electricity, livestock and milk hauling, insurance, financial, etc.
  • List of suppliers of chemicals, fertilizer, medications, etc.
  • Contact information of medical care provider.
  • Telephone grid of farmers to help provide livestock care, emergency feed and water, power, etc.
  • Safe storage of farm and personal financial information and computer records in fire-proof boxes or off-site safe deposit boxes.
  • Off-site meeting location and contacts for family and employees to gather following a disaster to assess the situation and coordinate response.

The template of an emergency plan can be found under the “Ag Resources” section of www.wfbf.com.

Source: Wisconsin Farm Bureau Federation (USA)

Special Needs Require Special Preparation

Do you or a family member have a disability? Will you be responsible for the care of an elderly adult in case of an emergency or disaster? Do you have small children that will need extra supplies and care in the event of a hurricane? If the answer to any of these questions is "yes," then you should consider now what extra steps to take in your disaster plan.

As the 2008 hurricane season begins, all levels of government, from city councils to the Federal Emergency Management Agency (FEMA) and the Mississippi Emergency Management Agency (MEMA), are working to prepare for potential storms that may strike Mississippi in the coming months.

"An aspect of preparedness that cannot be overstated as we continue to focus on recovery here in Mississippi is that of individual preparedness. We should all be prepared and alert as hurricane season is here once again," said Sid Melton, director of FEMA’s Mississippi Transitional Recovery Office (MS TRO).

Residents should be mindful that disaster preparedness is not a "one size fits all" concept. Those with special needs require special preparations.

"It is critical that Mississippi’s most vulnerable residents and their caregivers take the time now to get a plan," said MEMA Director Mike Womack. "They should consider such details as medication and special transportation when planning for the upcoming hurricane season."

General considerations for those with family members with disabilities:
  • Make prior arrangements with your physician or check with your oxygen supplier about emergency plans for those on respirators or other electric-powered medical equipment. Be sure to have electrical backup for any medical equipment.
  • Maintain a two-week supply of such items as dressings, nasal cannulas and suction catheters.
  • Maintain a two-week supply of medications, both prescription and non-prescription.
  • Keep copies of your medical records.
  • Keep copies of prescriptions for medical equipment, supplies and medications.
  • Keep extra contact lenses and supplies, extra eyeglasses and extra batteries for hearing aids.
  • Make plans now to have accessible transportation in case of evacuation.
  • Shelters may be limited in accommodations to meet some of the needs of those with disabilities. Prepare ahead of time to ensure that you will have what you need.
Considerations for those with small children:
  • Assemble extra items in your disaster supply kit such as diapers, baby formula, medications, favorite books, crayons and paper, puzzles, favorite toys, a favorite blanket or pillow, pictures of family and pets and any other items that will comfort your children.
  • Remember that children’s fears often can stem from their imagination – fears they may be separated from family, someone will be injured or killed, or that they will be left alone. Communication is very important in maintaining your children’s mental well-being in times of crisis.
  • Also, keep a copy of your children’s immunization records, including the date of their last tetanus-diphtheria shot.
Considerations for those who are responsible for the care of senior citizens:
  • Remember to help seniors who live alone. They may need help evacuating from their home, preparing for a storm and dealing with the aftermath of a disaster.
  • If an older adult lives in an assisted living facility or nursing home, you should contact the administrator to learn about the disaster plan for that facility.
Other considerations:
  • Hearing Impaired - make special arrangements to receive warnings.
  • Mobility Impaired - plan for special assistance to get to a shelter.
  • Single Working Parent - may need help to plan for disasters or emergencies.
  • Non-English Speaking - may need assistance planning for and responding to emergencies.
  • People without vehicles - make arrangements for accessible transportation.
  • Special Dietary Needs - take steps to ensure you maintain an adequate emergency food supply.
In case of evacuation due to an approaching storm, those who require transportation to a storm shelter should contact the Coast Transit Authority at 228-896-8080.

Additionally, people with special needs should create a network of neighbors, relatives, friends and coworkers to aid them in an emergency. Discuss needs and make sure everyone knows how to operate necessary equipment.

More information regarding disaster plans and planning for special needs can be found at www.msema.org, www.ready.gov and www.fema.gov.

FEMA coordinates the federal government’s role in preparing for, preventing, mitigating the effects of, responding to, and recovering from all domestic disasters, whether natural or man-made, including acts of terror.

Source: FEMA (USA)

The ISAF Web site opens with IT Security cross-industry support

London, UK, 9th June 2008 - The Information Security Awareness Forum (ISAF), the cross-industry initiative founded by the ISSA-UK to raise awareness of information security, has formally opened its Web site.

Located at www.theisaf.org, the site seeks to act as a resource that will over time develop into a focal point for IT security education, news and other relevant information from the Forum.

Launched in February of this year, the ISAF is backed by a number of key organisations, including the ISSA, ISACA, GetSafeOnline, (ISC)², ASIS International, the British Computer Society, Infosecurity Europe and the Institute of Information Security Professionals.

Announcing the opening of the site, the ISAF's chairperson, Dr David King, said that it will help members, as well as the industry generally, pool their expertise and help co-ordinate the Forum's development.

"The Information Security Awareness Forum has been formed to coordinate and build on existing work and initiatives, to improve their overall effectiveness, and ultimately to increase the level of security awareness that will help us all," he said.

"Our new Web site will act as the foundation stone to help us achieve these aims," he added.

Martin Smith MBE, BSc, FSyI, the chairman and founder of the Security Awareness Special Interest Group, supported the opening of the new site, saying that his group strongly recommends the use of the new Forum pages as a first port of call.

"It serves equally well those individuals seeking security awareness knowledge for themselves and their families, and managers of businesses of all sizes and all sectors looking for advice and guidance about how to protect their data from accidental or deliberate disclosure," he said.

Several other leading organisations have voiced their support for the opening of the new ISAF Web site, including the BCS, the Jericho Forum and the NCC:

“The National Computing Centre's members rely on its ability to quickly direct them to trusted best practice. www.theisaf.org provides a highly relevant link in the information chain.”

Danny Dresner, NCC

“Since its inception in 2005, GetSafeOnline.org has been working in partnership with the UK Government, law enforcement and the private sector to raise awareness of internet security issues amongst consumers and micro-businesses. We have always believed that a collaborative approach is the only way to effectively tackle online safety issues – an area that is not only complex, but also relevant to individuals and organizations in different ways. We applaud the initiative to extend this approach through the new Information Security Awareness Forum website."

Tony Neate, Managing Director, Get Safe Online, www.getsafeonline.org

“The new www.theisaf.org website is a great initiative to help improve awareness of infosecurity issues and by coordinating the activities and resources of all the member organisations enables individuals and organisations to quickly find succinct advice to help them. The Information Security Awareness Forum also has a blog on Infosecurity Adviser www.infosecurityadviser.com which is another example of how the forum's members are fulfilling their common aim of improving infosecurity awareness across the entire industry.”

Claire Sellick, Event Director, Infosecurity Europe 2008

“ISSA-UK is delighted with the progress that ISAF has made since its formation as an ISSA-UK Advisory Board initiative in September 07. ISSA-UK congratulates ISAF on the launch of its new website which we strongly believe will support the continued growth and development of Information Security awareness across organisations. It will also provide individuals with a central repository of knowledge and a first point of contact for those seeking help and guidance. This new portal will enable those seeking help to locate good, impartial advice from the leading security organisations, working together in the forum, to communicate awareness to a wider audience.”

Geoff Harris, President of ISSA-UK

“The National e-Crime Prevention Centre welcomes all efforts to protect the UK from electronic crime and the ISAF Web site is an additional and useful site for advice and guidance. Encouraging people and businesses to take action on the available advice is key to reducing the harm to individuals and the economy.”

Ken Rabey, Project Director, National e-Crime Prevention Centre

“Given ISACA’s long-held belief in the importance of educating both institutions and individuals on information security we are confident that the resources on the Information Security Awareness Forum website will help to improve awareness. Having a single website to locate the huge amount of valuable information available from all the member associations is an extremely useful feature.”

Lynn Lawton, CISA, FCA, FIIA, PIIA, International President of ISACA

"ASIS UK Chapter 208 is delighted to support the launch of the ISAF's Web site and encourages all those who want to work together with other security organisations to visit and contribute to the various activities located on the Web pages."

James Willison, Convergence Lead, ASIS UK, Chapter 208

"The IET is pleased to be a member of the Information Security Awareness Forum and believes that the new ISAF Web site will provide a valuable mine of information for both individuals and organisations. We support the development of a co-ordinated approach to the provision of advice and guidance on all matters to do with information security."

Margaret Smith, Member of the IT Sector Panel, The IET

“This coming together of ICT professional bodies, trade associations and interest groups to work together to promote awareness is most welcome and deserves every support from suppliers, users and the many government departments and agencies with responsibilities for the safety and security of those using their systems.”

Philip Virgo, Secretary General, EURIM

“EEMA welcomes the ISAF website initiative which will increase awareness of the online security issues. EEMA is also honoured to be a member and bring a European perspective to the ISAF; time and resources are a scarce commodity in this day and age and co-ordination in the security space is essential if we are to face up to the issues and challenges of online crime.”

Roger Dean, Executive Director, EEMA

"The BCS is pleased to be a member of the Information Security Awareness Forum and hopes that the endeavours through the new ISAF Web site will signpost both individuals and organisations to resources that they should be aware of both personally and professionally. This is certainly a resource that our 62,000+ members should find useful ongoing."

Andrea Simmons, CISSP, CISM, MBCS CITP, M.Inst.ISP, BCS Consultant Security Forum Manager

"The CMA, as an early supporter of the Information Security Awareness Forum, fully supports ISAF's pragmatic initiatives to promote industry wide collaboration and particularly welcomes the new ISAF web site (www.theisaf.org). This web site should become the destination (or portal) of choice for people, be they the man or woman in the street or a company Manager, seeking advice and guidance on how to secure information in this electronic and ever more inter-connected world."

Peter Wenham CISSP MICAF CLAS, Director, CMA

"The Jericho Forum welcomes the Information Security Awareness Forum's practical initiatives to promote collaboration between groups working in this crucial area. Collaboration is an essential part of our vision to allow seamless and secure communications between businesses, suppliers and customers across an open, Internet-driven, networked world."

Andrew Yeomans, member of Jericho Forum board of management

Additional Background Information about ISAF Members

A number of professional bodies and organisations involved in information security have come together to form the Information Security Awareness Forum to coordinate and build on existing work and initiatives, to improve their overall effectiveness, and ultimately to increase the level of security awareness in the UK that will help protect us all:

The Information Systems Security Association UK Chapter (ISSA-UK) provides educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members. ISSA-UK is a founding member and primary supporter of ISAF.

The British Computer Society (BCS) is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials.

The Communications Management Association (CMA) is the UK’s premier independent membership body for professionals and organisations focused on exploiting communications, networking and ICT for business advantage.

The Cybersecurity Knowledge Transfer Network provides a single focal point for UK cyber-security expertise, hosting special interest groups and running events.

EURIM brings together politicians, officials and industry to help improve the quality of policy formation, consultation and implementation.

Get Safe Online is sponsored by the British Government and leading businesses to give you free objective advice.

The Institute of Information Security Professionals (IISP) is setting the standard for professionalism in information security, speaking with an independent and authoritative voice.

The Information Technologists' Company is made up of senior IT professionals who have joined the Company in order to give something back to the IT sector and the wider community.

The aim of the Information Assurance Advisory Council (IAAC) is to work for the creation of a safe and secure Information Society. It is a unique, not-for-profit body with high-level support from government and industry, backed by world-class research expertise.

The Institution of Engineering and Technology (IET) provides a global knowledge network to facilitate the exchange of ideas and promote the positive role of science, engineering and technology in the world.

The Information Security Forum (ISF) delivers practical guidance and solutions to overcome wide-ranging security challenges impacting business information today.

The Information Systems Audit and Control Association (ISACA) is a recognised worldwide leader in information technology (IT) governance, control, security and assurance.

ASIS International is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials.

Infosecurity Europe addresses today’s strategic and technical issues in an unrivalled education programme and showcases the most diverse range of new and innovative products and services from over 300 of the top suppliers on the show floor.

(ISC)² is the globally recognised Gold Standard for certifying information security professionals throughout their careers.

The Jericho Forum is an international IT security thought-leadership group dedicated to defining ways to deliver effective IT security solutions.

The International Underwriting Association of London (IUA) is the world's largest representative organisation for international and wholesale insurance and reinsurance companies.

The Security Awareness Special Interest Group (SASIG) is a subscription-free quarterly networking forum open to those who have an interest in, or a responsibility for, raising awareness about security within their organisations.

The National Computing Centre (NCC) has pioneered a methodology for managing the 'human vulnerabilities' in information systems.

The National e-Crime Prevention Centre (NeCPC) is a multidisciplinary and multi-agency network and currently a virtual centre of excellence in e-Crime prevention and enterprise security.

The Police Central E-Crime Unit is a centre of excellence in regard to computer and cyber crime committed under the Computer Misuse Act 1990, notably hacking, maliciously creating and spreading viruses and counterfeit software.

EEMA, the European association for e-identity and security, brings together over 135 member organisations (and over 1,500 employees of member organisations) in a neutral environment for education and networking purposes.

For further information visit www.theisaf.org