These are some news about yesterday’s conference.

In this conference, I presented the definition of Information Security Governance and the importance of the roles and responsibilities of senior management. I talked about how Information Security Governance Architecture works and provided an overview of the positioning of Information Security Governance within the context of an organization through its Enterprise Architecture and through its Information Security Management System, hence applied to and monitored from its daily operations.

In the second session, I talked how to implement both ISO/IEC 27001 and ISO/IEC 20000-1 together and the benefits of implementing a management system based upon both standards.

I participated of the debate about frauds and digital certificates with Fábio Leto (CIO at SmartSEC), Rony Vainzof (Opice Blum) and Denise Comerlati Menoncello (Serasa Experian). The debate was very good.

See some photos of the IDC Brazil Information Security & Business Continuity Conference 2010:

Regards,

Denny Roger
denny@dennyroger.com.br

By Denny Roger

Last month, during a lunch with two friends specialists in internal audit, discussed the fact that companies outsource their processes and applications of information technology (IT), including information security. At the end of the conversation, one of my colleagues explained that some IT services are run by external collaborators. Thus, the “master key” is to be administered by service providers.

The dramatic tone of my colleague was not exceptional. Once I remembered that, in organizations, the “third party” or service providers have the administrator password of the computing environment. However, officials of the organization responsible for information security, auditing and internal controls, are kept away from the master key.

What are the threats?
In April 2009, developing activities related to risk analysis in an organization, I detected that there was a confidentiality clause in contracts for services. In other words, all countries would disclose information of the organization were made available for the development of their activities, including administration passwords.

The problem encountered, although it is common to many organizations, was not detected by the legal department. The main question were: a) there was a confidentiality clause between the organization and the supplier who was placing the service providers. But the professionals appointed to the service were not employees of the supplier. The truth is that these professionals have opened a company to issue invoices for the services rendered. The provider allocates its service to the development of activities on the client.

In this case, is no longer an outsourcing to be a “outsourcing delegation”, b) the service provider has not signed the confidentiality agreement between your company and the supplier c) some organizations request that the outside person hired for the job to sign a term responsibility, which, in turn, has no legal validity. The correct is the organization creating the “Statement of Confidentiality” for all service providers. The “Disclaimer” is valid only for employees.

Staff
By the time the supplier receives the approval of the proposed outsourcing of applications and IT processes, begins the process of hiring staff that will be reserved to the customer. The faster people are hired and assigned to the customer, the faster the supplier receives. But when it comes to hire professionals IT is a vast difference in the profile and knowledge of candidates.

The supplier does not have time to assess the skill levels of candidates and selects according to the basic profile and desired salary. Many customers are telling me that some contractors are learning to work managing the IT processes of the organization, bringing new threats to the company’s business.

The supplier does not offer training to professionals who will be allocated in a company. The first step, and perhaps most important, is the third to receive a copy of the information security policy and training about the guidelines and standards of the company, including the code of ethics and conduct.

Conclusion
Organizations should establish guidelines and standards to maintain the security of information applications and IT processes managed by third parties. Risk analysis should cover the agreements with third parties to avoid “outsourcing delegation” without a confidentiality clause.

It is the personal department and create legal terms for employees and service providers. Organizations should request a summary of the professional curriculum that will be allocated for the provision of service. It is recommended that all employees receive training on foreign policy and security standards before it began. Keep the “master key” of your company under the responsibility of officials.

Denny Roger (denny@dennyroger.com.br) is responsible for more than 100 projects about Information Security, including: risk management, maturity level, audits, penetration test, vulnerability management, security incident response, computer forensic investigations, information security policy and implementation of security technologies. As member of the ABNT / CB21 / CE 27, he participated in the development of ISO 27001, ISO 27002 and others ISO 27000 family standards.

Please visit http://idgnow.uol.com.br/seguranca/mente_hacker/idgcoluna.2009-09-30.9660851925/

This month I’ve attend 12 interviews (media printed, electronics and audiovisual). It’s a busy month.

More information about IDC Brazil Information Security & Business Continuity Conference 2010:
http://www.idclatin.com/email_mkt/bra/security10/emkt_bra_10_conf_isbc_2.html

For more information about CNASI, please visit:
http://www.cnasi.com.br/rj/

Regards,

Denny Roger
denny@dennyroger.com.br
www.twitter.com/dennyroger

Event details

The practice of information security in every organization, small and large, requires integrated management of all of the hardware and software solutions, security policies, regulations, personnel training, and other features that are unique to each organization. Thus, management of information security should be agile when making decisions and taking actions so that business decisions are not stifled, providing support in selecting solutions for all of the areas of the organizations so as to support and integrate all and any technologies into its management plan, including challenges to mobile technology.

Security is inserted and directly related to the continuity of business, in order to guarantee the continuity of critical processes, whether or not any occurrences are mapped. To do this, the development of proactive management has been proposed: minimizing threats, monitoring security services and understanding and attacking the consequences of downtime in critical systems. IDC believes that at its conferences it can gather suppliers with diverse solutions and market professionals, in order to provide assistance to companies to monitor and control information security and create an integral management model that ensures the continuity of the business, that meets regulations, and that produces a competitive advantage, without affecting the day-to-day experience of the end user.

Who Should Attend: “C” Level Businessmen and IT, Infrastructure and Security Directors, Managers a Analyst.

March 17, 2010
São Paulo, SP Brazil

Register now: http://www.idclatin.com/email_mkt/bra/security10/emkt_bra_10_conf_isbc_2.html

Regards,

Denny Roger
denny@dennyroger.com.br
www.twitter.com/dennyroger

On March 6, 2010, I participated of the VOL Day I. I talked about Cybercrime and Career Trends in Information Security.

The VOL CON (Viva o Linux Conference) are a series of highly technical Linux conferences that bring together thought leaders from all facets of the open source world – from the corporate and government sectors to academic and even researchers.

Viva o Linux is the biggest Linux community in Latin America.

Photos from the conference are now available and will be updated throughout the week. Be sure to continue checking back for the most current pictures.

View VOL DAY I photos here:
http://volcon.org/volday1/fotos/

Regards,

Denny Roger
denny@dennyroger.com.br
55 11 8136 8025

Follow me on Twitter: http://twitter.com/dennyroger
Professional profile on LinkedIn: http://www.linkedin.com/in/dennyroger
Member of International Association of Emergency Managers (IAEM)

The Kretcheu Vídeo Blog main focus is technology and everything built/based on it. You will find news, how to’s, funny things and everything else you could think of.

In this interview, I’m talking about my presentation in VOL DAY I. The aim of my presentation was to briefly outline the experience in the work carried (information security). Please visit http://www.myinfosecjob.com/2010/02/the-immortals-and-mortals-of-information-security/. Part of my presentation was cover the elements of Cybercrime.

This is a great blog. The topics on the blog are my kind of thing and I have been watching them with great interest.

Please visit the interview: http://www.kretcheu.com.br/?p=182

Regards,

Denny Roger
denny@dennyroger.com.br
55 11 8136 8025

Follow me on Twitter: http://twitter.com/dennyroger
Professional profile on LinkedIn: http://www.linkedin.com/in/dennyroger
Member of International Association of Emergency Managers (IAEM)

Depois do evento fiquei “preso” dentro do avião por causa da chuva. Consegui embarcar mas o avião não conseguiu decolar. Fiquei com alguns artistas da Globo no avião. Logo mais disponibilizo uma foto do que aconteceu no avião antes de decolar. Aguardem!

Abraços,

Denny Roger
denny@dennyroger.com.br

neste último sábado (06/03) estive ministrando uma palestra no VOL DAY I - Rio de Janeiro - organizado pela comunidade do Viva o Linux.

Em breve vou estar publicando as fotos do evento e comentários sobre a palestra e a reação do público presente. Aguardem!

Denny Roger
denny@dennyroger.com.br

Confira o que rolou neste debate quente sobre a liberdade na internet. Acesse:
http://mtv.uol.com.br/debate/naintegra/0203-internet-liberar-ou-controlar

Abraços,

Denny Roger
denny@dennyroger.com.br
55 11 8136 8025

Follow me on Twitter: http://twitter.com/dennyroger
Professional profile on LinkedIn: http://www.linkedin.com/in/dennyroger
Member of International Association of Emergency Managers (IAEM)

Ontem (02/03) tive a oportunidade de estar debatendo sobre a liberdade na internet, conjunto de normas, leis, métodos e procedimentos utilizados para combater o crime na internet.

Entre os participantes deste debate, ao vivo na MTV, estavam: Deputado Julio Semeghini, Deputado Paulo Teixeira, Sérgio Amadeu, Camilla do Vale, Delegado Carlos Sobral e eu.

Na minha opinião, apesar da forte participação do Sérgio Amadeu, todos falamos sobre Governança na internet. Ou seja, debatemos sobre o exercício de autoridade e controle que o governo pode ter sobre a internet. Fato semelhante ao que está acontecendo na França – inclusive estive na França em outubro de 2009 – em relação a uma lei chamada LOPPSI II (Lei de Orientação e Programação para a Segurança Interior, em tradução livre). Uma das propostas da lei francesa é a possibilidade do governo instalar trojans (programas espiões) em computadores para monitorar pessoas suspeitas. Acredito que irão utilizar alguma tecnologia deste tipo, acesse www.accessdata.com/ediscovery.html. No caso da França estão rotulando como um Trojan mas pela minha experiência o governo irá utilizar ferramentas forense para monitorar algumas pessoas.

No Brasil a coisa é um pouco diferente. Algumas pessoas estão preocupadas com invasão de privacidade no caso dos provedores forem obrigados a armazenarem os logs. Ou seja, será possível identificar em quais sites (pornôs ou não… estou brincando.. rs rs rs) você anda navegando, com quais pessoas você está conversando por e-mail, quantas vezes por dia você acessa seu internet banking, entre outras coisas. Tecnicamente falando é muito simples os provedores conseguirem essas informações sobre seus usuários. Inclusive é muito fácil monitorar todo o conteúdo dos e-mails. Agora a questão é quanto vai custar ($$$) para os provedores armazenarem todos esses logs e como será a gestão disso tudo.

O Delegado Sobral fez um excelente comentário: “Não há liberdade sem segurança”. Eu tenho uma outra frase que sempre uso no meio corporativo: “Tudo que a empresa não pode monitorar deve ser bloqueado”. Eu sempre falo isso porque as empresas possuem sistemas de segurança que monitoram todo o ambiente computacional. Eu não posso “desligar” os logs do firewall quando um funcionário está utilizando o recurso da empresa para fins pessoais (por exemplo, acessando o internet banking). Eu não posso desabilitar o filtro de conteúdo da empresa para que um funcionário envie seus e-mails particulares. E caso a empresa esteja monitorando o programa de mensagem instantânea pessoal do seu funcionário ou até mesmo o e-mail particular, pode sofrer uma ação judicial relacionada a invasão de privacidade. Por isso eu sempre falo que tudo que a empresa não pode monitorar deve ser bloqueado.

Bom, este não foi primeiro e nem será o último debate sobre o assunto. Tudo isso tem sido discutido há anos e está evoluindo aos poucos. Um fato positivo é a interação entre os especialistas em segurança da informação, polícia e governo.

Sobre o programa, acontece uma reprise hoje à 01h30 e quinta (04/03) às 15h00 na MTV.

Voce também pode acompanhar os comentários no Mural da MTV. Acesse:
http://mtv.uol.com.br/debate/mural.

Abraços,

Denny Roger
denny@dennyroger.com.br
55 11 8136 8025

Siga me no Twitter: http://twitter.com/dennyroger
Professional profile on LinkedIn: http://www.linkedin.com/in/dennyroger
Membro do International Association of Emergency Managers (IAEM)