
IT KEE

IT bits and bytes

Monday, August 27, 2007

An Introduction to ISO 27001, ISO 27002....ISO 27008
The ISO 27000 series of standards has been specifically reserved by ISO for information security matters. This, of course, aligns with a number of other topics, including ISO 9000 (quality management) and ISO 14000 (environmental management).
As with the above topics, the 27000 series will be populated with a range of individual standards and documents. A number of these are already well known, and indeed, are scheduled for publication. For others, the final numbering and publication details have yet to be determined.

An Introduction To ISO 27001 (ISO27001)
The ISO 27001 standard was published in October 2005, essentially replacing the old BS7799-2 standard. It is the specification for an ISMS, an Information Security Management System. BS7799 itself was a long-standing standard, first published in the nineties as a code of practice. As this matured, a second part emerged to cover management systems. It is this second part against which certification is granted. Today in excess of a thousand certificates are in place across the world.
ISO 27001 enhanced the content of BS7799-2 and harmonized it with other standards. A scheme has been introduced by various certification bodies for conversion from BS7799 certification to ISO27001 certification.
The objective of the standard itself is to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System". Regarding its adoption, this should be a strategic decision. Further, "The design and implementation of an organization's ISMS is influenced by their needs and objectives, security requirements, the process employed and the size and structure of the organization".
The standard defines its 'process approach' as "The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management". It employs the PDCA (Plan-Do-Check-Act) model to structure the processes, and reflects the principles set out in the OECD guidelines (see oecd.org).

Introduction To ISO 27002 (ISO27002)
The ISO 27002 standard is the renamed version of the existing ISO 17799 standard, and is a code of practice for information security. It basically outlines hundreds of potential controls and control mechanisms, which may be implemented, in theory, subject to the guidance provided within ISO 27001.
The standard "establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization". The actual controls listed in the standard are intended to address the specific requirements identified via a formal risk assessment. The standard is also intended to provide a guide for the development of "organizational security standards and effective security management practices and to help build confidence in inter-organizational activities".
The basis of the standard was originally a document published by the UK government, which became a standard 'proper' in 1995, when it was re-published by BSI as BS7799. In 2000 it was again re-published, this time by ISO, as ISO 17799. A new version of this appeared in 2005, along with a new publication, ISO 27001. These two documents are intended to be used together, with one complementing the other.
ISO's future plans for this standard are focused largely around the development and publication of industry specific versions (for example: health sector, manufacturing, and so on). Note that this is a lengthy process, so the new standards will take some time to appear.
Introduction To ISO 27003 (ISO27003)
The purpose of this proposed development is to provide help and guidance in implementing an ISMS (Information Security Management System). This will include a focus upon the PDCA method, with respect to establishing, implementing, reviewing and improving the ISMS itself.

ADDITIONAL INFORMATION
ISO committee SC27 will oversee the development, as with other information security standards. However, this is a longer-term project, and publication is not expected until late in 2008 or early in 2009.
Its suggested title at the present time is: "Information technology - Security techniques. Information security management system implementation guidance".
The following is the originally mooted broad table of contents:
1. Introduction
2. Scope
3. Terms & Definitions
4. CSFs (Critical success factors)
5. Guidance on process approach
6. Guidance on using PDCA
7. Guidance on Plan Processes
8. Guidance on Do Processes
9. Guidance on Check Processes
10. Guidance on Act Processes
11. Inter-Organization Co-operation

Introduction To ISO 27004 (ISO27004)
ISO 27004 is the official number of the emerging standard covering information security management measurement and metrics. Again, it is not expected to be published in the immediate term. However, its development is well underway, being at stage 3, working draft level.
It is intended to help an organization establish the effectiveness of its ISMS implementation, embracing benchmarking and performance targeting within the PDCA cycle.

Introduction To ISO 27005 (ISO27005)
ISO 27005 will be the name of an emerging standard covering information security risk management. As with some of the other standards in the ISO 27000 series, no firm dates have been established for its release. However, it will define the ISMS risk management process, including identification of assets, threats and vulnerabilities.

Introduction To ISO 27006 (ISO27006)
This is the standard which offers guidelines for the accreditation of organizations which offer certification and registration with respect to an ISMS. Again it was overseen by ISO's committee SC 27. The previous standard related to this issue was EA 7/03. This has effectively been replaced by the new standard, to meet market demands to better support ISO 27001. It effectively documents the requirements additional to those specified within standard ISO 17021, which identified the more generic requirements.
Its formal title is "Information technology - Security techniques. Requirements for bodies providing audit and certification of information security management systems", and it consists of 10 chapters and four Annexes.
The chapters within the standard are as follows: Scope; References; Terms; Principles; General Requirements; Structural Requirements; Resource Requirements; Information Requirements; Process Requirements; Management System Requirements.

posted by OttoKee  # 8:03 AM

Sunday, August 26, 2007

Technology Shift Creates Offshore Opportunities For US Core Systems
Boston, MA (PRWEB) April 12, 2007 -- New research report by Mercator Advisory Group: Recent events indicate that the US market for core banking systems will experience increasing rates of technology change, primarily driven by offshore suppliers. Offshore suppliers have experienced tremendous uptake for their new core system technology in developing markets, but are now developing strategies to penetrate the US market -- and recent wins in the US market suggest the US market is warming up to the idea.
In 2003 Fidelity Information Systems bought Alltel and acquired the Corebank product. Corebank was rewritten in 2003 to implement a component-based development environment that utilizes web services and modeling as implementation and development methodologies. In August 2005 Oracle purchased a controlling interest in i-flex Solutions product, FLEXCUBE (that implements a component and model-based development and execution methodology), to replace its existing core system with an eye towards lowering the bank's operating costs while also speeding the introduction of new bank products and services. And just this March Metavante announced that it will implement the Temenos Core Banking product for large financial institutions in the US market. Tim Sloane, Director of the Debit Service for Mercator Advisory Group and the author of the report, indicates that these events likely indicate a strategic shift that will slowly ripple through the core system market:
"These moves by Metavante and People's Bank are clearly the most significant proof point that these new architectures will, at a minimum, be carefully evaluated by US financial institutions on a very broad scale. But it is important to recognize that these adopters have carefully investigated and then embraced these new architectures, so it appears extremely likely that more US financial institutions would come to the same conclusion -- that these new architectures and integration tools will simultaneously lower operating costs while increasing the speed of deploying new and enhanced products and business processes."
Highlights of this report include:
Despite financial institutions' resistance to foreign suppliers for core systems, foreign suppliers have made recent gains, as the i-flex win with People's Bank demonstrates.
These foreign-born interlopers have established beachheads through key US players including Oracle, Sun, IBM, Fidelity, and Metavante.
It is significant that these new core systems rely on component libraries and business process management (BPM) solutions to enable rapid development and deployment while keeping maintenance costs low.
It is also significant that many of these suppliers rely on modeling tools to manage the complexity that evolves as changes are made to applications that are interlinked to other applications through SOA. Modeling tools are proving to be a critical tool that prevents unintended consequences in a SOA environment.
These new solutions all embrace the Service Oriented Architecture. While any SOA implementation will lower the cost of integration as compared to a monolithic application, it is unclear if these SOA implementations share a common approach to core services, such as security, which is required to achieve the highest efficiencies.
Since the majority of core system activity takes place in FIs with assets less than $250 million, deployment of these products as a service will be critical to broad acceptance.
Members of Mercator Advisory Group have access to these reports as well as the upcoming research for the year ahead, presentations, analyst access and other membership benefits. Please visit us online at www.mercatoradvisorygroup.com.

posted by OttoKee  # 9:27 AM
IBM and Fidelity complete Corebank on Java and slot this into IBM's NEFSS strategy

The full conversion of Fidelity’s Corebank retail back office system from Cobol to Java has been completed, with the new version running in a test environment. This has been achieved using a transformation tool from a company called Relativity. Delivery of the version to IBM Japan is due by the end of 2004, where it will form the basis for the implementation at Suruga Bank (IBS, November 2004).
The conversion has been done in phases, says Fidelity’s chief technology officer, John Brady. Each iteration was reviewed by IBM, which was ‘diligent and demanding’. The work started in February and, with improvements to the Java code, the performance of the ported system has improved by 800 per cent. There have been two benchmark tests in IBM’s Montpellier labs, with a third under way. The last set of tests were more or less in line with the last set of tests for the Cobol version, he says.
Fidelity will maintain and enhance both versions. This is a market-driven decision, says Fidelity’s senior vice president, marketing and sales support, Michelle Bowen. The MVS/Cobol environment is still attractive to many banks, for reasons of trust. Some banks might be interested in running the Cobol version on the zSeries mainframe, perhaps with the Java version for outlying operations or for a subset of their central operations, such as internet banking.
Bowen confirms that Suruga Bank has signed solely for the Java version. However, the enhancements needed for the Japanese market were made in the Cobol version, prior to the conversion, following the Japan-centric tie-up between Fidelity and IBM a year or so back (IBS, November 2003). The bank is replacing most of its systems within the IBM-headed project; its general ledger and direct debits systems are exceptions. The project will start early 2005 and will include a number of enhancements to meet the bank’s requirements. There are intended to be phased roll-outs during 2006 and 2007; it has not yet been decided whether lending or deposits will be the first emphasis for Corebank.
In the wider context of Fidelity’s clutch of retail banking solutions, the intention is to continue selling and marketing the three main solutions - Corebank, Systematics and the Sanchez-derived Profile. However, the supplier is moving to a common front-end, comprising the Webtone-derived Touchpoint delivery channel platform, combined with the Hamilton & Sullivan-derived internet banking solution. Webtone was acquired by Sanchez in July 2003; Hamilton & Sullivan was acquired by Fidelity, not long after the March 2003 acquisition of Alltel. A conversion of Touchpoint from C++, Oracle and Tuxedo to J2EE is under way.
A loan origination component, a result of another earlier acquisition (of Corporate Solutions International by Alltel in 1999), will also be supplied to each back office system.
The first recruit of Touchpoint combined with one of the Fidelity back office systems, Systematics running on a service bureau basis, is New England-based Webster Bank. Functionality from the Sanchez teller system, Profile for Windows, is also being moved into Touchpoint, with the latter ultimately to be positioned as the upgrade path.
The three back office systems might end up sharing other components as well. ‘Each system is really focused on a different segment,’ says Bowen. Strengths from one system might be leveraged for others. A prime example is the Alltel-derived ALS commercial and consumer lending system, with the designs being used within the IBM Japan project to flesh out the lending functionality of Corebank.
The functionality being added to Corebank could be of interest to the Danish savings banks, which is where the system was originally developed. The other sole user of the system to date, BICS in France, is actually in the process of replacing its narrow version of Corebank; this is blamed by Bowen on a move to conform with the systems of its parent, Banques Populaire. BICS had not been using the system for core processing but had taken the customer information, product catalogue and product distribution portions.
Suruga Bank has effectively bought into IBM’s Next Evolution in Financial Services Systems (NEFSS), but what is this and how does it fit with the supplier’s overall banking systems strategy? In the words of IBM’s director and global core systems transformation executive, Pablo Suarez, NEFSS defines, ‘how to contain change, in an operational environment, while going to J2EE’. It is made up of a number of components, including a J2EE compliant back office system, external system adaptors, and domestic funds transfer solutions. In the case of Suruga, the back office system is Corebank but it could be any other offering.
IBM’s strategy is based on the belief that the large banks have done a ‘terrific job’ of optimising their silos. If banks are plotted on a chart showing their performance in 2003, based on cost income ratios and return on equity, then the UK banks look good, the Scandinavians do reasonably well, but the Germans lag considerably behind. However, Suarez thinks that cost cutting is no longer sufficient. A bank such as RBS looks extremely efficient, with a cost income ratio of slightly over 40 per cent and return on equity of almost 30 per cent, but its inability to reach double digit revenue growth means it is not looked upon as being successful at present.
However efficient the silos, those silos still exist. They cannot support complex, inter-dependent products and relationships, do not provide a consolidated customer view, nor multi-dimensional management information. Inflexibility and old technology hamper the development and support of new products. They do not support new and more complex risk management frameworks, nor efficient and effective delivery capabilities.
IBM’s rallying cry is this: ‘We believe that banks need to reconstruct their back office as a way to optimise cost, grow through differentiation, and enhance risk management’. This means moving from traditional ‘monolithic’ models based around business units or products, to a ‘component-based model’ focused on customer segments and competencies. The new world has three layers comprising distribution, manufacturing (component-based product construction) and operations (including shared facilities). A component is defined as a group of cohesive activities and business processes; sharing components across various lines of business can bring substantial savings and differentiation.
Suarez gives the example of collections and recovery, a set of activities which are replicated in every asset-based business. In a component-based operational model, collections and recovery is performed at an enterprise level, eliminating redundancy in people, processes, applications and infrastructure.

Bank of America
This sounds fine in theory, but hasn’t the industry been talking for years about breaking down the silos? IBM has a component business model which can be applied to a bank’s existing business model to highlight the main areas of focus, depending on the goals. The business transformation goes hand-in-hand with the application and technology transformation. The latter portions come back to NEFSS. Suarez says that not only could NEFSS include a different back office system, such as Temenos’ Globus or I-flex Solutions’ Flexcube, but it could, in the future, comprise different components from different J2EE-based systems.
Suruga Bank is one of the first to opt for the component-based transformation coupled with NEFSS (Suarez emphasises that NEFSS is not a Japan-specific initiative). He gives Bank of America and Deutsche Bank as examples of others that IBM has worked with in this sort of capacity. With BoA, the emphasis was on simplifying its IT environment to seek a faster response to customer needs and market changes, plus substantial cost savings. With Deutsche Bank, the aim has been for loan origination to become a single component across different areas of retail lending. At a ‘major UK bank’, IBM is helping to convert and reengineer an in-house developed, RPG and AS/400-based system which is used in 57 overseas subsidiary operations. The resultant solution will support the transformation of those operations and will also become applicable to larger, retail-oriented subsidiaries. Similarly, IBM is working with Bank of Tokyo-Mitsubishi to develop a shared regional bank system, with a focus on extending services such as deposits and loans, through a manufacturing approach, and reducing costs. The shared back-end will also allow the regional banks to focus on front-end activities.

posted by OttoKee  # 8:36 AM

Tuesday, August 21, 2007

SAS pushes BI back to mainframe
12th April 2007
By Madan Sheina
SAS Institute hasn't given up on the mainframe as a key platform for analysis after integrating its flagship business intelligence product with IBM's System z and introducing new sub-capacity pricing for customers.

The Cary, North Carolina-based company has revealed a new pricing structure for its Enterprise Intelligence BI platform, which it claims allows IBM's System z mainframe customers to scale up their application environments.
SAS said the move towards so-called sub-capacity pricing is reflective of an industry trend towards server consolidation.
SAS has partnered with IBM and its BI and analytic systems have run on mainframes for decades.
"It only makes sense to ensure the mainframe can support advances in BI," said Jim Davis, chief marketing officer of SAS.
SAS isn't the only BI vendor betting on the mainframe. IBM recently outlined a licensing strategy for its zSeries Integrated Information Processor (zIIP) that lets customers host data-heavy BI and data warehousing processing workloads on its zOS operating system at an affordable cost. Like SAS, IBM wants to recast the mainframe as a more affordable platform for BI.
"A lot of BI applications have moved off the mainframe because there was a perception that it was too costly to host them there," said Jim Stallings, general manager of IBM's System z mainframe division in a recent interview.
Our View
The mainframe is alive and kicking, especially in mission-critical, high-volume transactional environments like financial services. Research shows that mainframe revenues are rising and MIPS capacity is at an all-time high. These are points not lost on BI vendors. However, cost has always been the barrier for mainframe computing.
Vendors like SAS and IBM are now introducing new pricing strategies that make it a more affordable proposition. For vendors with a vested interest in keeping the mainframe alive, like IBM, the move is also an attempt to reverse the flow of mainframe data and workloads to distributed environments and pull big iron data warehousing applications back onto the mainframe.

posted by OttoKee  # 6:52 PM
