Archive for the ‘Seguridad’ Category
ISO/IEC 27001 accreditation for certification bodies
Currently we are a small security company with the first Colombian ISO 27001 certificate for an ISMS. Two other companies have certified ISMSs, but against the old BS 7799-2. Our certification is a stone in the shoe of some companies in Colombia that do not have this certificate. The technique: FUD (Fear, Uncertainty and Doubt) on some security mailing lists in Colombia. The pattern: questioning the validity of our certificate, issued by our certification body. Our intentions: to be the best with facts, not with words, and to move fast using our small size.
To solve this issue I read a lot, and I think this summary is useful for everybody. First of all, some definitions:
1. Accreditation: procedure by which an authoritative body gives formal recognition that a body or person is competent to carry out specific tasks.
2. Certification: procedure by which a third party gives written assurance (a certificate of conformity) that a product, process or service conforms to specified requirements.
The main goal is confidence in the conformity (a problem similar to the one PKI addresses). To that end, there are government organizations in each country that run the accreditation function, for instance UKAS in England and SIC in Colombia. These organizations accredit the certification bodies, which in turn run the certification process.
To achieve accreditation, a certification body must comply with certain requirements. But what are these requirements? For now there are three alternatives for accreditation related to ISO/IEC 27001:
1. ISO/IEC 27006:2007: of course, this standard is very new, and I could not find references to certification bodies accredited against it.
2. EN 45012:1998, modified for information security management systems certification: the certification body BSI is currently accredited against this standard, but the scope does not cover any locations in Latin America (Brazil and Mexico, for instance).
3. EA 7/03.
Additionally, it is possible to achieve some level of confidence through Multi-Lateral Agreements (MLA). A multilateral agreement recognizes the validity of a certain kind of certification between accreditation bodies or between certification bodies. For example, Icontec is currently not accredited, even for ISO 9000, by the SIC or any other accreditation body, but it has an MLA with IQNet, which gives some degree of confidence to its certified customers.
Another important point is that every certification body needs at least one audit of an ISMS at a company in order to obtain its accreditation from the accreditation body.
In this sense, it is important to say that our certificate is valid only for the companies or people who trust the independence of our certification body, because for now it is neither accredited nor party to an MLA related to ISO/IEC 27001.
However, there are some very interesting discoveries, such as the fact that BSI Brasil and BSI Mexico are not accredited certification bodies, either by UKAS or by any other accreditation body.
7 myths about security metrics
http://www.noticebored.com/html/metrics.html
A Meaningful MD5 Hash Collision Attack
As Catalin pointed out today, and contrary to my beliefs, it is easy to generate meaningful files that have the same digest. The evidence is in this master's thesis.
From Security to Dependability
Thinking about how to make the work at Fluidsignal Group more exciting, I found this nice paper, which opened my eyes to a wider world: dependability (fiabilidad).
First Colombian company with ISO-27001:2005
Today I have very good news from Colombia: yesterday Fluidsignal Group obtained certification of its Information Security Management System (ISMS) according to the international standard ISO-27001:2005. The company is the first in Colombia to obtain this certificate. I am very glad about it. Thanks to all the people who helped achieve this goal.
Verifying package authenticity
# apt-get install debian-archive-keyring
Security vs Speed
Until yesterday I had the false belief that these two variables always have to be balanced when it comes to programming and encapsulation. However, I had forgotten one of those concepts that I knew about but was not clear on: inline functions.
These functions let you keep the security that encapsulation provides while maintaining an optimal level of speed.
In general terms this is a topic subject to much debate, because it is not a definitive solution for every case. For a detailed analysis of the matter, please see this page:
http://www.parashift.com/c++-faq-lite/inline-functions.html#faq-9.1
Running applications as root in an unprivileged user's X session
The procedure to follow to run applications as root in an unprivileged user's X session is the following:
$ xhost LOCAL:
$ su -
Password: **********
# export DISPLAY=:0.0
# xterm &
CISA certification
Today was the exam for the ISACA Certified Information Systems Auditor (CISA) certification. Infinitely harder than the ECAES. Nothing left but to wait 2 months for the results.
Recovering files on Unix
After 10 minutes of tension over the accidental deletion of an important document, the saving command appears as if fallen from the sky:
grep -a -B100 -A100 "Camus" /dev/hda1
I recover my lost file and shout out loud: “Long live Unix, grep and the fake deletion of files”
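The grep trick works because -a treats the raw partition as text and the deleted blocks are still on disk; on a block device, though, "lines" are arbitrary, so a byte window around the marker is a more reliable way to carve. The script below is an added example, not the post's own command: it scans a raw image in chunks (with overlap, so a hit split across two reads is still found), carves a window around every occurrence of the marker and trims it to the run of text bytes that contains it. It runs against a constructed in-memory image; the function names find_marker, carve and demo are mine. Reading the device needs root, and the sooner the filesystem stops being written to, the better the odds the blocks survive.

```python
import io
import re
from typing import BinaryIO, Iterator

# Bytes treated as "text" when trimming a carved window: tab/LF/CR, printable ASCII
# and high bytes (UTF-8 accents survive); NULs and other control bytes end a run.
TEXT_RUN = re.compile(rb"[\t\n\r\x20-\x7e\x80-\xff]+")

def find_marker(dev: BinaryIO, marker: bytes, chunk: int = 1 << 20) -> Iterator[int]:
    """Yield the absolute offset of every occurrence of marker in a raw stream."""
    if not marker:
        raise ValueError("marker must not be empty")
    overlap = len(marker) - 1   # carried between blocks so a straddling hit is found once
    tail, base = b"", 0         # leftover bytes and the absolute offset of tail[0]
    while block := dev.read(chunk):
        buf = tail + block
        start = 0
        while (i := buf.find(marker, start)) != -1:
            yield base + i
            start = i + 1
        keep = min(overlap, len(buf))
        base += len(buf) - keep
        tail = buf[len(buf) - keep:]

def carve(dev: BinaryIO, marker: bytes, before: int = 4096, after: int = 4096,
          chunk: int = 1 << 20) -> list[tuple[int, bytes]]:
    """Return (offset, text) per hit: the window around the marker, trimmed to
    the run of text bytes containing it (the raw window if no run does)."""
    results = []
    for off in list(find_marker(dev, marker, chunk)):   # collect, then seek back
        lo = max(0, off - before)
        dev.seek(lo)
        window = dev.read(off - lo + len(marker) + after)
        pos = off - lo                                   # marker index in window
        for run in TEXT_RUN.finditer(window):
            if run.start() <= pos < run.end():
                results.append((off, run.group()))
                break
        else:
            results.append((off, window))
    return results

# Constructed sample image: control-byte noise standing in for binary blocks,
# with two "deleted" text notes that mention the marker.
NOISE = b"\x00\x01\x02\x03" * 256
NOTE1 = b"Notes on Camus: the absurd hero, Sisyphus.\n"
NOTE2 = b"Reading list: Camus, Kafka.\n"
IMAGE = NOISE + NOTE1 + NOISE + NOTE2 + NOISE
def demo(chunk: int = 1 << 20) -> list[tuple[int, bytes]]:
    return carve(io.BytesIO(IMAGE), b"Camus", chunk=chunk)
```

Calling demo with a small chunk such as 1035 splits "Camus" across two reads and still returns the same two notes; for a real partition, pass open("/dev/hda1", "rb") to carve instead of the BytesIO.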