Posludio

"That which ends something, or serves to bring it to a close"

Archive for the ‘Seguridad’ Category

ISO/IEC 27001 accreditation for certification bodies



We are currently a small security company holding the first Colombian ISO/IEC 27001 certificate for an ISMS. Two other companies have certified ISMSs, but against the old BS 7799-2. Our certification is a stone in the shoe for some companies in Colombia that do not have this certificate. Their technique: FUD (Fear, Uncertainty and Doubt) on some Colombian security mailing lists. The pattern: questioning the validity of the certificate issued by our certification body. Our intention: be the best with facts, not with words, and move fast by using our small size.

To resolve this issue I read a great deal, and I think this summary is useful for everybody. First of all, some definitions:

1. Accreditation: Procedure by which an authoritative body gives formal recognition that a body or person is competent to carry out specific tasks.

2. Certification: Procedure by which a third party gives written assurance (a certificate of conformity) that a product, process or service conforms to specified requirements.

The main goal is confidence in that conformity (similar to the PKI problem). In this sense, each country has some government organization that runs the accreditation function, for instance UKAS in England and SIC in Colombia. These organizations accredit the certification bodies, which in turn run the certification process.


To achieve accreditation, the certification body must comply with some requirements, but which requirements are these? For now there are three alternatives for accreditation related to 27001.

1. ISO/IEC 27006:2007: Of course, this standard is very new, and I could not find references to certification bodies accredited against it.

2. EN 45012:1998, modified for information security management systems certification: the certification body BSI is currently accredited against this standard, but the scope does not cover any locations in Latin America (Brazil and Mexico, for instance).

3. EA 7/03.

Additionally, it is possible to achieve some level of confidence through Multi-Lateral Agreements (MLA). A multilateral agreement recognizes the validity of some kind of certification between accreditation bodies or between certification bodies. For example, Icontec is currently not accredited, even for ISO 9000, by SIC or any other accreditation body, but it has an MLA with IQNet, which gives some confidence to its certified customers.

Another important point is that every certification body needs at least one audit of an ISMS in a company in order to obtain its accreditation from the accreditation body.

In this sense it is important to say that our certificate is valid only for the companies or people who trust the independence of our certification body, because for now they are not accredited and do not have an MLA related to ISO/IEC 27001.

However, there are very interesting discoveries, such as BSI Brasil and BSI Mexico not being accredited certification bodies, neither by UKAS nor by any other accreditation body.


Written by jalvarez

2007/04/11 at 07:08

Posted in Seguridad

7 myths about security metrics



http://www.noticebored.com/html/metrics.html

Written by jalvarez

2007/03/06 at 20:25

Posted in Seguridad

A Meaningful MD5 Hash Collision Attack



As Catalin pointed out today, and contrary to my beliefs, it is easy to generate meaningful files that have the same digest. The evidence is in this master's thesis.
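As an added example (not from the post or the thesis it links), the two 128-byte blocks below are the collision pair published by Wang, Feng, Lai and Yu in 2004: they differ in six bytes yet share one MD5 digest, and because MD5 is a Merkle-Damgard construction the collision survives any common suffix, which is what lets the prefix be grown into two "meaningful" files. The `verify_integrity` helper and its manifest format are my own construction, showing the defender's consequence: an MD5-only integrity manifest cannot tell the two apart, while SHA-256 can.

```python
import hashlib

# Constants: the two 128-byte blocks published by Wang, Feng, Lai and Yu
# (2004). They differ in exactly six bytes yet share one MD5 digest.
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte positions where the two inputs disagree."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def is_md5_collision(a: bytes, b: bytes) -> bool:
    """True when two different inputs hash to the same MD5 digest."""
    return a != b and md5_hex(a) == md5_hex(b)

def collision_survives_suffix(suffix: bytes) -> bool:
    # The two prefixes are a whole number of 64-byte blocks and leave MD5 in
    # the same internal state, so appending the same suffix to both keeps the
    # digests equal. This is why a 128-byte collision can be grown into two
    # different files that differ only in the colliding prefix.
    return is_md5_collision(BLOCK_A + suffix, BLOCK_B + suffix)

def verify_integrity(data: bytes, expected: dict) -> bool:
    """Constructed defender-side check against a manifest of {algorithm: hex
    digest}; an MD5-only manifest is rejected as insufficient."""
    if "sha256" not in expected:
        return False  # MD5 alone proves nothing once collisions are cheap
    return all(hashlib.new(alg, data).hexdigest() == dig
               for alg, dig in expected.items())
```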

Written by jalvarez

2007/01/10 at 19:48

Posted in Seguridad

From Security to Dependability



Thinking about how to make the work at Fluidsignal Group more exciting, I found this nice paper that opened my eyes to a wider world: dependability (fiabilidad).

Written by jalvarez

2006/11/30 at 10:29

Posted in Seguridad

First Colombian company with ISO-27001:2005




Today I have very good news from Colombia: yesterday Fluidsignal Group obtained certification of its Information Security Management System (ISMS) according to the international standard ISO-27001:2005. The company is the first in Colombia to obtain this certificate. I am very glad about it. Thanks to all the people who helped achieve this goal.

Written by jalvarez

2006/11/21 at 13:07

Posted in Seguridad

Package authenticity verification



# apt-get install debian-archive-keyring
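An added example (not from the post) of what the keyring installed above anchors: apt, via gpgv, first verifies the signature on the archive's Release file with those keys, and only then trusts the SHA256 list in Release, which covers the Packages index, which in turn lists the digest of each .deb. The archive below is constructed inline, and the signature step is assumed to have already passed; the code checks the remaining hash chain and fails closed when a .deb or its index entry is swapped.

```python
import hashlib
import re

# Constructed sample archive: a .deb body, the Packages index listing it and
# the Release file listing that index. apt (via gpgv) verifies the signature
# on Release with the keys from debian-archive-keyring; that step is assumed
# to have passed, so Release is the trust anchor for the chain checked here.
DEB = b"constructed .deb contents"
DEB_SHA256 = hashlib.sha256(DEB).hexdigest()
PACKAGES = (
    b"Package: example-tool\nVersion: 1.0-1\n"
    b"Filename: pool/main/e/example-tool/example-tool_1.0-1_amd64.deb\n"
    b"SHA256: " + DEB_SHA256.encode() + b"\n"
)
INDEX_PATH = "main/binary-amd64/Packages"
RELEASE = (
    "Origin: Constructed\nSuite: stable\nSHA256:\n"
    f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} {INDEX_PATH}\n"
)

def release_sha256(release: str) -> dict:
    """Map each index path under the 'SHA256:' section to (digest, size)."""
    entries, in_section = {}, False
    for line in release.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False  # any other header ends the section
    return entries

def verify_index(release: str, path: str, data: bytes) -> bool:
    """Check an index file (e.g. Packages) against the signed Release."""
    digest, size = release_sha256(release).get(path, (None, -1))
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest

def packages_sha256(packages: bytes, name: str) -> str:
    """Return the SHA256 field from the stanza describing package `name`."""
    for stanza in packages.decode().split("\n\n"):
        fields = dict(re.findall(r"^([A-Za-z0-9-]+): (.*)$", stanza, re.M))
        if fields.get("Package") == name:
            return fields["SHA256"]
    raise KeyError(name)

def verify_deb(release: str, packages: bytes, name: str, deb: bytes) -> bool:
    # Full chain Release -> Packages -> .deb; any mismatch rejects the package.
    return (verify_index(release, INDEX_PATH, packages)
            and hashlib.sha256(deb).hexdigest() == packages_sha256(packages, name))
```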

Written by jalvarez

2006/05/22 at 12:00

Posted in Seguridad, Tecnología

Security vs Speed



Until yesterday I held the false belief that these two variables always had to be traded off against each other when it comes to programming and encapsulation. However, I had forgotten one of those concepts that I knew of but did not have clear: inline functions.

These functions make it possible to obtain the security that encapsulation provides while keeping an optimal level of speed.

In general terms it is a subject of much debate, because it is not a definitive solution for all cases. For a detailed analysis of the matter, please go to this page:

http://www.parashift.com/c++-faq-lite/inline-functions.html#faq-9.1

Written by jalvarez

2006/02/24 at 22:35

Posted in Seguridad, Tecnología