Monday, January 9, 2012

Pass the ITIL V3 Foundation exam in six easy and (almost) free steps

If you know something about IT operations (not just development) and your IQ is in triple figures then passing the ITIL V3 Foundation exam should be no big deal and no big investment. (If in doubt, read the testimonials in the comments below.) Follow these steps (the list started at six and has grown since):
[updated 25/3/2011]
  1. Read itSMF's An Introductory Overview of ITIL® V3. Free.
  2. You might like to read the ITIL V3 Foundation syllabus. Free.
  3. Then read Taruu's study guide. Free. [update: sadly no longer available]
  4. If you like learning by video, watch these YouTube videos from Charles Sturt University. Free.
  5. Read our brief guide on how to pass multi-choice exams. Free.
  6. Do as many of these practice exams as you can stand. Free.
  7. If you need to look something up, use Google Books to refer to the core ITIL books. Free.
  8. If you need more, buy Passing Your ITIL Foundation Exam - The Official Study Aid (updated to 2009 syllabus) - not free of course, but not too expensive: $36+sh on Amazon (some sellers have it for $29 - hope this is not the old edition).
  9. Register with Prometric or Pearson Vue to do your exam (on Prometric you won't find it under "ITIL", that would be too customer-friendly. Look under "Information Technology (IT)" then choose "EXIN" or "ISEB" - both offer ITIL via Prometric, I think - it keeps changing) (warning: the Pearson Vue site has rotating shots of photogenic people staring meaningfully out at you). Not free - a couple of hundred dollars depending on where you are in the world. OK, we lied about the free, but there is no way to get around paying for this step, sorry.
There is a high probability you will pass, but if you fail, we accept no liability, sorry. If you really want the certification (or you just don't believe us about doing it without training), the next step might be to do one of the online training courses such as those from ITSMSolutions or ITIL Training Zone or Taruu (or countless others). Or for a cheaper option the Art of Service book-and-training seems to sell a lot on Amazon (and I hear good comments about it). It's a buyer's market out there right now - shop around.
If you want a comprehensive reference book of all the content in ITIL's five core books, buy Foundations of IT Service Management Based on ITIL V3. Not free but much less than the ITIL books: $53+sh second-hand on Amazon.
If your boss is paying, you'll want the complete set of the actual ITIL books: the ITIL Lifecycle Publication Suite, Version 3.

Sunday, January 8, 2012

A discussion of the ISMS and RA in BS7799

http://blog.chinaunix.net/space.php?uid=76840&do=blog&id=2569776


In fact, for those of us working in information security, when we provide a solution to a client the client's requirements usually take the lead. If the client asks for east, you cannot insist too hard on west. Of course, guiding the client's requirements is our responsibility, but it rarely goes entirely our own way; otherwise it becomes dogma. So we should recognise that a good consultant, while holding to some basic principles and the broad methodology, will adjust specific strategies and methods to the client's needs, and will make sure those adjustments are reasonable and feasible. The client's requirements certainly have their reasons; this must be acknowledged, otherwise you will forever be complaining that the client is difficult.

As for building an ISMS specifically, there is no completely fixed, standard way of operating. Just remember PDCA and you will see that this is something continually being improved and adjusted; what matters is not where you start, but giving the system the ability to adapt and adjust itself.
When a company's information security programme is starting from nothing, many security problems are very obvious, and even some very simple security integration solutions can solve most of them. So why not buy a firewall first? Buy an anti-DDoS appliance? As for whatever other problems remain, can I assess them later? Then patch the gaps, then adjust. The earlier measures may not be entirely appropriate and may reduce the efficiency of the investment, but the urgent problems are solved first and the rest can be worked out afterwards. But you cannot say that RA is unimportant when building an ISMS. In reality, the work you do before actually performing an RA is the product of intuition, experience, industry characteristics, or perhaps simple analysis and judgement; in software design terms it is only a prototype, a rough draft. It can solve problems, but whether it has thoroughly and completely solved them, and whether other problems remain, can only be determined by a follow-up RA. For information security management to move from a spontaneous state to a deliberate one, RA is the key. Why do we do 7799? Not purely to get a certificate to impress people, but to show that our information security programme is not a one-off, not piecemeal individual cases, but an integral part of the company's overall management system. The ISMS construction method has a deeper rationale that cannot be denied, but it can be treated flexibly.

Some companies, before doing 7799, cannot be said to have no such system: they have various security measures, they have daily management rules, and they even have internal audit mechanisms. All they lack is a comparison of this existing system, which may be incomplete and may be inefficient, against international standards and best practice in order to find the gaps. In that case, doing the RA first is exactly the right approach: find the problems, find the shortcomings, then prescribe the remedy. See what problems the existing policy framework has and adjust and update it; see what shortcomings the existing controls have and update and rebuild them.
Nothing is absolute; sometimes you can go along with the environment, sometimes you can guide the environment, but some principles should still be maintained, if only to avoid detours.

POLICY, STANDARD, GUIDELINE, AND PROCEDURE

[Figure: Relationships Among Security Policies, Standards, Procedures, Baselines, and Guidelines]

From: Cisco Press, CCIE Professional Development: Network Security Technologies and Solutions

Security Triad Principles - CIA

CIA:
1. Confidentiality
2. Integrity
3. Availability

Two new components:

  • Accountability. Someone is personally accountable and responsible for the protection of an asset or set of assets. The emphasis here is on the 'someone' and the 'personally accountable'. Often this does not work in the organisational setup, but it still should be the goal.
  • Auditability. This component has two parts: first, that any state a system is found in can be traced back to determine how it got into that state; and second, that an ongoing process of management review or audit is undertaken to ensure that the systems meet all documented requirements.
These two new components are derived from BS 7799 (BS 7799 2002), ISO 27002 (ISO 27002 2005) and ISO 27001 (ISO 27001 2005).

Overview of ISO 27001 certification process

THE MAJOR STEPS TOWARDS BS7799-2 COMPLIANCE

Step 1: Define the information security policy -------> Information Security Policy
Step 2: Define the scope of the ISMS -------> Scope of the ISMS
Step 3: Undertake risk assessment -------> Risk Assessment
Step 4: Manage the risk -------> Areas of risk to be managed
Step 5: Select control objectives and controls -------> Selection Rationale
Step 6: Prepare Statement of Applicability -------> Statement of Applicability

From http://www.iwar.org.uk/comsec/resources/bs7799/works.htm

An Introduction to Regulation and Standardization

An Introduction To Corporate Regulation and Standardization

Table of Contents

Introduction
Optional Standards
Mandatory standards
Regulatory Requirements
    CAA
        Airspace Policy
        Consumer Protection
        Economic Regulation
        Safety Regulation
        ATOL
    FSA
    Ofgem
    Ofcom
    ORR
        Functions
        Duties
    Ofwat
    Postcomm
        Function
    Summary
The Law - An overview
    Sources of the Law
    Legislation
        Primary Legislation
        Secondary Legislation
        Autonomic Legislation
    Common Law
    European Law
    European Case Law
    Precedent
        European Court of Justice
        House of Lords
        Court of Appeal
        High Court
        Judicial Review
The Court System
    The European Court of Justice
    The House of Lords
    The Court of Appeal
    The High Court
    Crown Court
    County Courts
    Magistrates' Court
    Privy Council
    Other Courts
Civil Actions
    Contract
        Offer and Acceptance
        Consideration
        Intention to Create Legal Relations
        Privity of Contract
        Formal Requirements
        Contractual Terms
    Tort
        Duty of Care
        Breach of Duty
        Harm Resulting from Breach
        Principle in Hedley Byrne and Heller
        Exclusion of Liability
        Damages
Criminal Offences
The Law Related to Fraud
    Introduction
    Definition of Fraud
    Principal Types of Fraud
        Misrepresentation of Material Facts
        Bribery and Corruption
        Money Laundering
        Theft of Money or Property
        Theft of Trade Secrets
        Breach of Fiduciary Duty
        Miscellaneous Statutory and Common Law Offences
        Frauds to Documents
        False Statements by Company Directors
        Dishonest Suppression of Documents
        Dishonest Procuring By Deception of the Execution of a Valuable Security
        Frauds on Investors - Insider Dealing
        Offences on Insolvency
        Bankruptcy Fraud
        The Enterprise Act 2002
        Frauds on the Public
        Interference with Gas Meters
        Pretended Auction
        Misleading Prices
        Fraudulent Mediums
        Offence of Fraudulently Receiving Programmes
        Computer Frauds - Unauthorised Access + Intent + Modification
        Conspiracy to Defraud
        Frauds on the European Community
I've been hit - what do I do?
Private Individual
    Do Nothing
    Criminal Route with the Police
        The CPS Process
        General Principles
        The Decision to Prosecute
        Review
        The Full Code Test
        The Threshold Test
    Selection of Charges
        Diversion from Prosecution
        Mode of Trial
        Accepting Guilty Pleas
        Prosecutors Role in Sentencing
        Re-starting a Prosecution
        The Civil Route
    So what do I Do?
Corporate
    Sample Fraud Reporting and Investigating Policy (FRIP)
        Background
        Scope of policy
        Suspicion reporting and confidentiality
        Actions constituting fraud
        Other concerns
        Investigation responsibilities
        Authorisation for investigating suspected fraud
        Disciplinary procedures
        Administration
        Approval
        FRIP Appendix
    Do Nothing
    Criminal Route with the Police
    The Civil Route
    So what do I Do?
Appendix A - ISO 27001 Taxonomy
    Information Security Management
    Auditing, Certification and Accreditation Criteria
    Non UK National Standards
    Management Guidelines
    Data Protection and Privacy
    Other Standards of Note
    Abbreviations
Appendix C - References
Legal Glossary

PDCA - Plan - Do - Check - Act

[Figure: PDCA Cycle - Plan - Do - Check - Act]

The ISO 27001 Perspective: An Introduction to Information Security

Working in the information security field, you need to know about the ISMS and RA.

http://security.practitioner.com/introduction/index.htm

Contents

Initial review questions
What is 'Information Security'?
Introduction to information security mechanisms
    Information security standards
    ISO 27002
    ISO 27001 (formerly BS 7799 Part 2)
The 'Information Security Management System' (ISMS)
    Overview
    Organisation decides to implement ISO 27001
    Management commitment, assign project responsibilities
    Define the information security policy
    Define the scope of the ISMS
    Perform the risk assessment (RA) for the scope of the ISMS
    Decide how to manage the risks identified
    Select objectives and controls to be implemented
    Implement controls
    Undergo certification
    Reviewing the management system
    Improving the ISMS
        Corrective action
        Preventive action
    Things to watch
        Commitment
        Information security policy
        Scope of the ISMS
        The risk assessment process
        Selection of controls / the SoA
        Implementing controls
        The audit process
The process of risk assessment and risk management
    Introduction to risk
    Introduction to risk management
    The risk management process
        The generic ISO risk process
        Risk analysis
        Risk Evaluation
        Risk Treatment
        Monitoring and review of the risk management process
        Risk reporting and communication
        Risk policy, roles and responsibilities
        Quantitative risk assessment
        Problems with the quantitative approach
        Qualitative Risk Assessment
        Comparing the Two Approaches
Risk management standards
        Risk assessment methodology based on AS/NZS 4360
        The risk register
        Benefits of good risk management
    Risk mitigation
    Risk financing
        Risk acceptance
        Risk transfer: the concept of insurance
        Types of insurance
        Self-insurance
        Problems with insurance
Risk management tools
    Overview
    Business processes
    Modelling risk in a business manner
    Choosing the correct tool
ISO27002 - Code of Practice for Information Security Management
    Commentary
    Things to watch
    ISO 27002 Clause 5: Security policy
        Information security policy
        Commentary
        Security policy checklist
        Things to Watch
    ISO 27002 Clause 6: Organisation of information security
        Internal organisation
        External parties
        Commentary
        Things to Watch
    ISO 27002 Clause 7: Asset management
        Information classification
        Commentary
        Things to Watch
    ISO 27002 Clause 8: Human resources security
        Prior to employment
        During employment
        Termination or change of employment
        Commentary
        Things to Watch
    ISO 27002 Clause 9: Physical and environmental security
        Secure areas
        Equipment security
        Commentary
        Things to Watch
    ISO 27002 Clause 10: Communications and operations management
        Operational procedures and responsibilities
        Third party service delivery management
        System planning and acceptance
        Protection against malicious and mobile code
        Backup
        Network security management
        Media handling
        Exchange of information
        Electronic commerce services
        Monitoring
        Commentary
        Things to watch
    ISO 27002 Clause 11: Access control
        Business requirement for access control
        User access management
        User responsibilities
        Network access control
        Operating system access control
        Application and information access control
        Mobile computing and teleworking
        Commentary
        Things to watch
    ISO 27002 Clause 12: Information systems acquisition, development and maintenance
        Security requirements of systems
        Correct processing in applications
        Cryptographic controls
        Security of system files
        Security in development and support processes
        Technical vulnerability management
        Commentary
        Things to watch
    ISO 27002 Clause 13: Information security incident management
        Reporting information security events and weaknesses
        Management of information security incidents and improvements
        Commentary
        Things to watch
    ISO 27002 Clause 14: Business continuity management
        Aspects of business continuity management
        Commentary
        Things to watch
    ISO 27002 Clause 15: Compliance
        Compliance with legal requirements
        Compliance with security policies and standards and technical compliance
        Information systems audit considerations
        Commentary
        Things to watch
    Certification
    Why does my organisation need certification?
    Accredited certification
    What does 'Accredited' mean?
    Different types of audit
    How does the certification scheme work?
    Six step certification process
    Summary
Appendix A - References
Appendix B - Some examples of Risks & Their Drivers
    Financial Risks
    Operational Risks
    Hazard Risks
    Strategic Risks
Appendix C - A Sample Risk Register
Appendix D - Consequences
    Three by Three
    Five by Five
    Using a 5 layer impact matrix
Appendix E - Probability of Occurrence
    Three by Three - Threats
    Three by Three - Opportunities
    Five by Five
    Ten by Ten
Appendix F - Risk ratings
    Risk Reduction
Appendix G - Risk Terms and Definitions
Appendix H - Further Reading
List of Figures
Glossary

Wednesday, January 4, 2012

Starting a business in Canada

Many Canadians like to become business owners. In 2004, 2.4 million people across Canada were self-employed, and that number keeps growing.
Whether you owned your own business in your home country, or you feel that now is the right time to start your first business, you will be glad to know that many government agencies offer programs, services and support to help you succeed in starting a business in Canada. In fact, many of these programs and services are also useful to people who have already started a business in Canada and want it to keep growing.

The benefits of owning a business

People start businesses for many reasons. You may want to:
  • Be your own boss.
  • Develop and apply your own ideas.
  • Stay independent and choose how much work you take on.
  • Build financial independence.
Although owning your own company has many benefits, every new business owner also needs to become familiar with the regulations and rules set by Canadian governments, and be prepared to meet the challenges they may bring. These regulations exist to help you run your business and keep you on the road to success. Some of them include:
  • Regulations and rules set by the federal and provincial governments
  • Federal and provincial licensing for specific types of business
  • Health and safety regulations
  • Environmental protection regulations
  • Employee protection regulations (if your company has employees), including pay and labour standards

Types of business structure

One of the decisions you need to make is how your business will be structured. There are three main business structures in Canada:
Sole proprietorship: this is the simplest way to start a business in Canada. As a sole proprietor you are the only owner of your company and bear all of its responsibilities and debts. With this structure you must register your business name with the appropriate agency in your province. Everything the business earns is reported on your personal income tax.
Partnership: a partnership is a company owned jointly by two or more people, who share the profits and the liability for debts. Partnership income is usually reported on the partners' personal income tax. Partnership agreements come in two forms:
  • In a general partnership, the partners bear equal responsibility for debts and duties.
  • In a limited partnership, one or more partners control the business and bear all of its debts and liabilities; the other partner(s) have limited or no control of the business and also share the debts and duties, but only up to the amount of their original investment.
Corporation: in this case the company is a legal entity separate from its owners (also called shareholders). These companies can be incorporated at the federal or provincial level, and their English names carry Limited (Ltd.), Incorporated (Inc.) or Corporation (Corp.). Their income must be reported separately from personal income tax.
Each structure has advantages and disadvantages. Seek expert advice from a lawyer, an accountant or your bank.

Business Number

In Canada, the federal government issues each company a unique 9-digit Business Number (BN). You need a Business Number if you want to register one or more of the following business accounts with the Canada Revenue Agency (CRA):
  • GST/HST account
  • Payroll account (if you have employees and will make deductions on their behalf)
  • Corporate income tax account
  • Import/export account
To apply for a Business Number you need to have the following ready:
  • Social Insurance Number (SIN)
  • Business name, address and business activity
  • Business structure
  • Accounting period and fiscal year-end
To get a Business Number, contact the Canada Revenue Agency:
Phone: 1-800-959-5525
Website: www.cra-arc.gc.ca/menu_e.html

GST/HST account

If your company's sales reach $30,000 or more a year, your business must have a Goods and Services Tax (GST) or Harmonized Sales Tax (HST) account with the Canada Revenue Agency. This covers the sale of goods (for example merchandise) as well as the provision of services (including any work done for others, such as house painting, construction, or business services such as clerical work).
Once a GST/HST account is set up, you must collect the 5% GST or the 14% HST and report the amounts you collected and paid to the Canada Revenue Agency each year. This is reported separately from your personal and corporate income tax.
You must have a Business Number (BN) before you can open a GST/HST account.
To open a GST/HST account, contact the Canada Revenue Agency:
Phone: 1-800-959-5525
Website: www.cra-arc.gc.ca/menu_e.html
In Quebec, contact the Ministère du Revenu du Québec instead:
Phone: 1-800-567-4692
Website: www.revenu.gouv.qc.ca

A business plan will help you succeed

Successful business owners will tell you that their success was no accident but the result of careful step-by-step planning. A business plan helps you:
  • Identify the focus of your business.
  • Understand the current market (for example, who your customers are and what the typical price is for the goods or services you offer).
  • Plan how to bring your business to market.
  • Describe in detail how the business will operate.
  • Determine your current and projected financial position.
  • Identify any known risks.
You should write your business plan yourself as far as possible; once it is finished, review it regularly and revise it as the business grows.
Writing a business plan sounds difficult, but if you follow these step-by-step guides and samples you will discover how valuable and useful a business plan is.

Expert advice

Starting and running a successful business can be very exciting, but achieving it is not easy. You need to be sure you have filled in all the forms and complied with every regulation and rule that applies to you. What you need is a team of experts to help you take the right first step and stay on the right track.
  • A lawyer can help you incorporate your company and assist with legal documents and contracts.
  • An accountant can help you prepare your company's books or financial records (including accounts payable and receivable), help you determine how much financing you need to start your business, help you complete and/or file your personal or corporate income tax, and prepare any financial reports for you.
  • A mentor can give you advice and information about your industry and help you make contacts. A mentor may be an experienced retiree, another business owner, or even a supplier you do business with.
  • Your bank will advise you on how and where to obtain the funding you need to start up, provide suitable business accounts, help you choose the loans, credit and insurance that best suit you, help you draw up a business plan, and even help you manage your cash flow.
For the best advice, talk to an RBC business advisor:
Phone: 1-877-769-2520
Website: www.rbcroyalbank.com/sme/working-with.html
Canadian Bankers Association, "Getting Started in Small Business" brochure, page 2
Canadian Bankers Association, Getting Started in Small Business
RBC Royal Bank, Starting a business

Protect your business with commercial insurance

If you run your own business, whether a retail store, a consulting service, an import/export business, or you plan to manufacture and distribute consumer or commercial goods, you should have commercial insurance.
More details

National links:

Government of Canada, Canada Business
Industry Canada
Canada Revenue Agency (CRA)
Canada Business Service Centres

Provincial links

For more information on starting a business in your province, use these links:
Alberta
British Columbia (PDF)
Manitoba
New Brunswick
Newfoundland
Northwest Territories
Nova Scotia
Nunavut
Ontario
Prince Edward Island
Quebec
Saskatchewan
Yukon