How did the ISO/IEC 27001 Standard come about?

After this standard appeared in 1990 as a safety standard, the International Standards Organization published it as ISO 17799 in the early 2000s. And, five years later, it changed its name to ISO 27001.

This is how this regulation has gone through three revisions to reach the current one, which was published in February 2022 and whose transition period for companies is expected to end in October 2025.

Each organization that has this standard or wants to implement it, should be aware of the changes that the new version implied:

1. a) Renaming the standard from “Code of Practice for Information Security Controls” to “Code of Practice for Information Security, Cybersecurity and Privacy Controls”.
2. b) New nomenclature and structure by changing from 14 domains to only 4 major domains (organizational, physical, technological and people).
3. c) Reduction from 114 to 93 controls (11 new):

1. Threat intelligence
2. Information security for the use of cloud services
3. ICT Readiness for Business Continuity
4. Physical Security Monitoring
5. Configuration management
6. Deleting Information
7. Data masking
8. Data Leak Prevention
9. Activity monitoring
10. Web Filtering
11. Secure Coding

1. d) The changes in the clauses are as follows:

• Clause 4. When identifying the internal context and environment of the organization, cyberspace should be considered. When identifying stakeholders, include groups that will be contributing to the control of privacy and cybersecurity.
• Clause 5. Include cybersecurity and privacy protection in the Information Security Policy.
• Clause 6. In risk management, consider personal and cyberspace assets. In addition to planning the changes that will be implemented.
• Clause 7. Consider resources to cover privacy and cybersecurity.
• Clause 8. No modification.
• Clause 9. Monitor new controls.
• Clause 10. Upgrading must consider technological changes in cyberspace.

The main reason for updating is to adapt to the new work reality of many companies around the world. And in this dynamic, remote work and the control of new cyberattacks occupy an important place.

Take into account the 4 actions for the 2022 version of the ISO/IEC 27001 Standard

In view of the changes, the main actions expected from companies are the following:

1. Update the risk treatment process considering the new controls.
2. Update the statement of applicability.
3. Modify existing policies and procedures.
4. Include safety metrics and indicators.

Do you have questions or would you like to learn more?

At Itera we can provide you with consulting services and solutions on cybersecurity, cloud and ISO/IEC 27001 standard matters.

Contact a specialist:

seguridad@iteraprocess.com

Eliminate inefficient and time-consuming administrative tasks on your databases, without the need to provision infrastructure or maintain software.

It is now possible to deploy and scale the relational database engines of your choice in the cloud or on-premises. Simply put: you can achieve high availability by implementing Amazon RDS by our Itera specialists.

What is Amazon RDS and how does it work?

Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it easy for you to configure, operate, and scale a database in the cloud.

How can Amazon RDS help you?

• Build web and mobile apps
• Support growing applications with high availability, performance, and storage scalability.
• Take advantage of pricing flexibility by paying only for what you use, allowing you to adapt to different app usage patterns.

Learn more about the benefits of Amazon RDS!

1.- Migrate to managed databases

Innovate and build new applications with Amazon RDS and stop worrying about self-managing your databases, which can be time-consuming, complex, and costly.

2.- Say goodbye to legacy databases

Leave behind costly and punitive commercial databases by migrating to Amazon Aurora. When you migrate to Aurora, you’ll get the scalability, performance, and availability of commercial databases at one-tenth the cost.

See you in the cloud!

Reap the benefits of more than a decade of proven operational experience, security best practices, and cloud-based database innovation.

In the face of technological advances, the change in the ways of interacting and the growing need for increasingly personalized customer experiences, the financial services industry faces the challenge of digitalization.

One of the key points in the digital transformation that will allow financial institutions to continue boosting their business lies in the proper management of the information they collect and this, of course, derived from a strategy designed according to their specific needs.

Adapting to change

Beyond the digitization of their processes and services, the financial institutions that will obtain the best results will be those that achieve a true business transformation that impacts the organizational culture, as well as their products and the way in which their services are more accessible and innovative.

That’s right: innovate to meet the needs of the market.

And, in that sense, legacy systems are not exactly the best option due to their monolithic and inflexible nature that makes them less and less efficient and more expensive.

Cloud Powers Innovation

Unlike traditional on-premise data centers, the cloud allows it to be scalable, have high availability and security, to which is added the ability to incorporate technologies such as Artificial Intelligence, Machine Learning or Internet of Things (IoT) in its digital offer.

This evolution leads financial institutions towards the visualization and predictive analysis of data, leading them to make better decisions that also give them the ability to interconnect information and processes to generate new solutions.

In short: to be Data Driven.

Analytics + Agility

The Amazon Web Services (AWS) platform that Itera puts at the service of financial institutions allows them to create innovative cloud solutions according to the specific requirements of each organization, providing them with data analytics capabilities to obtain information that is useful for the business.

To that end, Itera works with data warehouses using Amazon Redshift; consolidating the design and creation of data lakes with S3 Lake Formation; making it easy to extract, transform, and load data using Amazon Glue; enabling database replication using Amazon Relational Database Service (Amazon RDS); and simplifying both building and visualizing analytic dashboards with Amazon QuickSight.

These are just some of the services we have for your company that will help you transform your traditional data centers into a cloud infrastructure that generates efficiency, flexibility and improvement in time-to-market, as it allows you to develop products with greater agility.

As an AWS Advanced Partner in Ibero-America, at Itera we promote innovation and competitiveness through the support of our specialists with a loud-centric approach, guaranteeing the construction of tailor-made solutions that meet the business needs of financial institutions.

Contact one of our experts!

Cyber threat and vulnerability management has never faced so many challenges. While there are many digital vulnerability scanning tools to prevent different attacks and detect different types of cyber threats, the effectiveness of these digital tools lies in applying good cybersecurity practices in your company.

Prevent the hijacking of your information

One of the most recognized viruses or malware is ransomware. It is a type of malware or malicious code that infects in order to prevent the use of your computers or systems.

How does ransomware work? The cybercriminal takes control of your computers or systems that they have infected and Kidnaps by encrypting the information, blocking the screen, preventing you from accessing it completely because you no longer have authorization. In those cases, to regain control of your information, you will have to pay the ransom in order to have access to your systems again.

Ransomware is just one example of what can happen in your organization as a result of not having cybersecurity measures in place that can provide you with advanced digital protection.

The absence or lack of updating of cybersecurity tools puts your company at risk from:

✓) Theft and/or leakage of information

✓) Data penetration

✓) Virus infection

✓) SQL Injection

✓) DDoS

✓) Zero-Day Attacks

✓) Hash Exploitation

Protect your business from cyberattacks

Implement international frameworks or standards. These are frameworks that aim to facilitate the solution of cybersecurity problems. For example, when you apply ethical hacking (EH) scanning and application vulnerability analysis to your systems, you are carrying out digital security processes in accordance with best practices such as OWASP methodologies, NIST standards, and cybersecurity tools.

Follow these best practices to strengthen your company’s cybersecurity and prevent malware

1. Update your systems
2. Patches
3. Block open ports
4. Classifies the most sensitive and confidential information
5. Monitor systematically
6. Implement and automate your processes
7. Raise awareness among your employees

To consolidate the above, we recommend that you carry out a cybersecurity diagnosis in your company, based on the following actions:

• Perform vulnerability scans or tests
• Run Pentesting Tests
• Conducts audits of ISO/IEC 27001:2013, NIST, 27018
• Identify the processes of each of your systems
• Identify the criticality of your organization’s assets
• Set the frequency of scans (running vulnerability scanning tools).
• It has a ReadTeam service

Learn about some advantages that your company acquires by having adequate cybersecurity measures in place:

✓ Prevents a ransomware event that can result in a $20 million ransom payment.

✓ Build trust with your customers

✓ Get corporate security

✓ Help developers have fewer bugs thanks to pentesting.

✓ Avoid millions of dollars in losses in sensitive data and/or unrecognized purchases.

And when elaborating on the benefits offered by the implementation of digital security measures in your company, these capabilities that you can obtain stand out:

• Identifies technical vulnerabilities that cannot be detected by an organizational vulnerability analysis.
• Identifies and classifies findings according to international risk management standards such as CVSSv3.1
• Develop a solution and continuous improvement plan based on the findings detected
• It classifies vulnerabilities according to their level of risk: critical, high, low, informative.
• It provides evidence of exploitation and the impact it generates in your organization.

When you carry out this type of good practice, you reinforce the security in the code of your applications, avoiding large cybersecurity gaps, gaps that digital criminals take advantage of.

Do you have questions or would you like to learn more?

At Itera we can provide you with consulting services and solutions, pentesting, vulnerability testing, social engineering, ReadTeam service and audits, among others.

Contact a specialist: seguridad@iteraprocess.com

Contact an account executive: irma.monroy@iteraprocess.com

Cyber threat and vulnerability management has never faced so many challenges. While there are many digital vulnerability scanning tools to prevent different attacks and detect different types of cyber threats, the effectiveness of these digital tools lies in applying good cybersecurity practices in your company.

Prevent the hijacking of your information

One of the most recognized viruses or malware is ransomware. It is a type of malware or malicious code that infects in order to prevent the use of your computers or systems.

How does ransomware work? The cybercriminal takes control of your computers or systems that they have infected and Kidnaps by encrypting the information, blocking the screen, preventing you from accessing it completely because you no longer have authorization. In those cases, to regain control of your information, you will have to pay the ransom in order to have access to your systems again.

Ransomware is just one example of what can happen in your organization as a result of not having cybersecurity measures in place that can provide you with advanced digital protection.

The absence or lack of updating of cybersecurity tools puts your company at risk from:

✓) Theft and/or leakage of information

✓) Data penetration

✓) Virus infection

✓) SQL Injection

✓) DDoS

✓) Zero-Day Attacks

✓) Hash Exploitation

Protect your business from cyberattacks

Implement international frameworks or standards. These are frameworks that aim to facilitate the solution of cybersecurity problems. For example, when you apply ethical hacking (EH) scanning and application vulnerability analysis to your systems, you are carrying out digital security processes in accordance with best practices such as OWASP methodologies, NIST standards, and cybersecurity tools.

Follow these best practices to strengthen your company’s cybersecurity and prevent malware

1. Update your systems
2. Patches
3. Block open ports
4. Classifies the most sensitive and confidential information
5. Monitor systematically
6. Implement and automate your processes
7. Raise awareness among your employees

To consolidate the above, we recommend that you carry out a cybersecurity diagnosis in your company, based on the following actions:

• Perform vulnerability scans or tests
• Run Pentesting Tests
• Conducts audits of ISO/IEC 27001:2013, NIST, 27018
• Identify the processes of each of your systems
• Identify the criticality of your organization’s assets
• Set the frequency of scans (running vulnerability scanning tools).
• It has a ReadTeam service

Learn about some advantages that your company acquires by having adequate cybersecurity measures in place:

✓ Prevents a ransomware event that can result in a $20 million ransom payment.

✓ Build trust with your customers

✓ Get corporate security

✓ Help developers have fewer bugs thanks to pentesting.

✓ Avoid millions of dollars in losses in sensitive data and/or unrecognized purchases.

And when elaborating on the benefits offered by the implementation of digital security measures in your company, these capabilities that you can obtain stand out:

• Identifies technical vulnerabilities that cannot be detected by an organizational vulnerability analysis.
• Identifies and classifies findings according to international risk management standards such as CVSSv3.1
• Develop a solution and continuous improvement plan based on the findings detected
• It classifies vulnerabilities according to their level of risk: critical, high, low, informative.
• It provides evidence of exploitation and the impact it generates in your organization.

When you carry out this type of good practice, you reinforce the security in the code of your applications, avoiding large cybersecurity gaps, gaps that digital criminals take advantage of.

Do you have questions or would you like to learn more?

At Itera we can provide you with consulting services and solutions, pentesting, vulnerability testing, social engineering, ReadTeam service and audits, among others.

Contact a Contact an account executive: irma.monroy@iteraprocess.comspecialist: seguridad@iteraprocess.com

Adopting new technologies as a fundamental part of the evolutionary process of digital transformation involves knowing, identifying and understanding new risks, incidents, events, vulnerabilities and threats that companies may be facing.

What is Information Security Assessment?

It is a process that helps organizations identify, analyze, and enforce security controls at the site or workstation.

In this sense, and to avoid any cyber threat or risk, we must carry out an assessment or checklist, with which it is possible to take corrective measures immediately to avoid a great cost in the future.

What is information security?

It is the set of preventive and reactive measures, both of organizations and of technological systems, that allow safeguarding and protecting information, as well as maintaining the confidentiality, integrity and availability of data.

What controls should we evaluate for information security?

We must use the ISO/IEC 27001:2013 standard, considered one of the most important International Standards on the subject and which allows the assurance, confidentiality, integrity and availability of data or information, as well as the systems that process it.

In this sense, ISO/IEC 27001:2013 contains “Annex A” which, in turn, has 14 domains, 35 control objectives and 114 controls to, depending on the risk analysis and the statement of applicability that is made, allow us to select those that apply, while justifying those that are excluded.

In the following image you can see annexes 5 to 18:

Benefits of Information Security Assessment:

• Provides structure of the management system.
• Reduce the risk of having a security incident.
• It offers greater security to companies.
• It increases the prestige of the organization.
• Improves customer confidence.

How can we help strengthen security in your organization?

From the Delivery Force area, at Itera we suggest implementing different types of policies and controls to maintain and preserve the integrity and confidentiality of information, all based on compliance with international standards such as ISO/IEC 27001:2013 and ISO/IEC 27002:2022.

Do you have questions or would you like more details?

At Itera we can provide you with consulting services and solutions on audits, Information Security Management Systems (ISMS), cybersecurity, cloud and compliance with ISO/IEC 27001:2013 standards, as well as ISO/IEC 27002:2022.

To receive a free consultation, contact our team of specialists: seguridad@iteraprocess.com

Multi-Factor Authentication (MFA) is an access management component that requires users to prove their identity using at least two different verification factors before gaining access to a website, mobile app, or any other online resource.

How does MFA work?

This component adds a layer of protection to the login process. When an account or app is accessed, users must go through additional identity verification.

For example, in the AWS Console for Sign-in as Identity Access Management, you use the One-Time Password (OTP), as shown in the following image:

Types and/or categories of authentication used in MFA for more secure login:

• Biometrics (face analysis, fingerprints, and voice recognition).
• SMS codes.
• One-time OTP passwords.
• Swiping a card, a PIN or a fingerprint.
• Downloading a VPN client.
• Placement of a Hardware Token.

How can we help strengthen security in your organization?

From the Delivery Force area at Itera we suggest implementing different types of policies and controls to maintain and preserve the integrity and confidentiality of information, all in compliance with international regulations such as ISO/IEC 27001:2013.

Some of the policies we can implement may include:

• Access Control Policy.
• Password Policy.
• Encryption Policy.
• Data Protection Policy.

For several years, the use of MFA has been part of a security filter in the accesses of any platform or system, being a component that has demonstrated a level of responsibility both for the development of the platforms and for their users.

MFA is a service that is currently in the cloud and complements cybersecurity processes.

Do you have questions or would you like to learn more?

At Itera we can provide you with consulting services and solutions on cybersecurity, cloud and ISO/IEC 27001:2013 standard matters.

Contact a specialist: seguridad@iteraprocess.com

Companies believe they will suffer a breach in customer data next year.

Social engineering is a malicious practice that aims to obtain sensitive information, doing so through the manipulation of legitimate users so that they reveal it to the attacker.

Every day there are new companies that have been damaged through social engineering.

Learn about the most vulnerable asset types for your organization:

• Information.
• Instances or servers.
• Hardware or software.
• Processes.
• Customer or employee databases.

Care! The most frequent social engineering strategies are:

1. Spear phishing

It is related to phishing, although this method is a bit more complex. It is a campaign aimed at employees of a particular company, from which cybercriminals want to steal confidential data.

1. Phishing

It is a very old method that is still used today to deceive users, sending spam emails in order to obtain any type of data or confidential information such as; usernames, passwords, access keys and passwords, among others.

1. Vishing

It is carried out by telephone. The attacker pretends to be a trusted employee, requesting confidential data: passwords, customer account access, systems, names of databases, instances and/or servers, among others.

What to do to prevent or in case of a possible attack?

• Raise awareness among users on social engineering issues.
• Phishing and Vishing tests.
• Report any spam email to a security officer in order to avoid any risk or threat within your organization.
• Avoid entering data into insecure Web sites or portals.
• Be cautious in links that arrive by message or email.

Do you have questions or would you like to learn more?

At Itera we can provide you with consulting services and solutions.

Contact a specialist:

delfino.vazquez@iteraprocess.com

seguridad@iteraprocess.com

This document provides a set of generic information security controls references, including an implementation guide.

It is designed to be used by organizations:

27001. a) Within the context of an information security management system (ISMS) based on ISO/IEC 27001.
27002. b) To implement information security controls based on internationally recognized best practices.
27003. c) To develop its specific information security management guidelines.

Overview

• Status : Published
• Publication date : 2022-02
• Edition : 3
• Number of pages : 152
• Technical Committee: ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection.
• ICS:35.030 Computer security.

Main changes

The development of the new standard contemplates the reduction of controls, going from the 114 existing in the 2013 version to 93 controls in the new ISO/IEC 27002:2022 version. Some controls from the 2013 version have been grouped together and 11 new controls are defined.

New Controls

In total, 11 new controls are defined, which correspond to:

• Threat Intelligence.
• Information security for the use of cloud services.
• ICT readiness for business continuity.
• Physical security monitoring.
• Configuration management.
• Deletion of Information.
• Data masking.
• Data leak prevention.
• Activity monitoring.
• Web Filtering.
• Secure Coding.

Do you have questions or would you like to learn more?

At Itera we can provide you with services, solutions and consulting for ISO/IEC 27001:2013 and 27002 standards, among others.

Contact a specialist:

seguridad@iteraprocess.com

delfino.vazquez@iteraproces.com

Fountain:

https://www.iso.org/standard/75652.html

Wiz discovered information about a set of vulnerabilities in Linux virtual machines in the Azure cloud. This occurred when using the proprietary agent functions of the Open Management Infrastructure (OMI) platform.

A few days after this announcement, Microsoft released the corresponding patches on September 14.

What to do about it?

Experts recommend updating OMI to the latest versions, making sure that all potentially dangerous services are disabled.

The risk to sensitive information and the security for customers that their data is protected are essential today for any company that wants to remain in the global market.

Your incomplete list looks like this:

• Azure automation.
• Azure auto-update.
• Azure Operations Management (OMS) Pack.
• Azure log analysis.
• Azure configuration management.

“Customers should update vulnerable extensions for their cloud and on-premises systems as updates become available as scheduled,” the company’s support response states.

Get to know Azure Notebooks

It will probably be very difficult to find a software and application company that does not use Microsoft Azure services. They are widely recognized as essential tools that facilitate the software development process, especially from the operational side of the problem.

That’s why many companies are looking for reliable and experienced developers with Azure knowledge that they can use in their work.

Modern business applications combine many areas of development. They are familiar and easy to understand. But that all changes when you start adding new technologies and approaches, creating distributed, scalable computing platforms that leverage big data and machine learning.

This is where Azure Notebooks comes in handy, giving you a place to learn analytics using familiar languages in a playground where you can test code and visualizations, share results with colleagues, and add descriptive text around your code, as well as results for presentations to management and your team.

Sources:

https://revistabyte.es/ciberseguridad/microsoft-vulnerabilidades-en-azure/

https://azure.microsoft.com/es-mx/blog/new-azure-vmware-solution-updates-and-global-expansion-drives-customer-success/

Do you have questions or would you like to learn more? At Itera we can help you.

Contact a specialist: seguridad@iteraprocess.com