Creating A Policy: Free Network Security Tools

The document discusses the Information Security Management System (ISMS) standard and its benefits. It describes how the ISMS, created as part of the ISO 27001 standard in 2005, establishes processes for governance, compliance, risk management, and other areas. Implementing an ISMS provides three main benefits: 1) saving money by avoiding reinventing existing best practices, 2) enabling ongoing organizational improvements through risk assessment and audits, and 3) allowing flexibility to emphasize data privacy and protection of personally identifiable information.

Uploaded by

Jamil Ahmad Saad

The Information Security Management System (ISMS), first published in 2005 as part of the
International Standards Organization (ISO) 27001 standard, includes processes for
governance, compliance, risk management, internal audit, quality management and
continuous process improvement. Adopting this has improved the information security
practices and mitigated risks for thousands of organizations that have registered their
compliance with ISO, from small businesses to large government agencies.
In my experience, there are three major benefits to implementing the ISMS and the best
practices it represents:

1. Money saved to invest in other areas. Companies that adopt the standard don't need to
spend money and time (think of hundreds of thousands of dollars) to reinvent what has
already been developed as a baseline. Organizations can start work immediately and get
systems in place. And many of the management practices in ISMS can be connected with
other compliance programs related to enterprise risk management.

2. Ongoing organizational improvements. By design, the ISMS process engages an
organization's leadership in assessing risks and identifying ways to manage and mitigate
them. The ISMS establishes processes for ongoing audits of business practices. And it
prompts regular reassessments of security risks to determine if changing conditions in
business, technology or society require new protections. And adopting these best practices on
information security strengthens a company's compliance efforts, including government
rules that relate to data security, such as HIPAA and data breach notification laws and
industry-run standards such as payment card industry (PCI) security standards.

3. The flexibility to emphasize data privacy and personally identifiable information in security
plans. The ISMS was created to address threats and vulnerabilities to sensitive information.
The standard is under constant review and receives regular updates to help ensure that it stays
relevant to changing conditions. Information security experts recognize the ISMS as the
perfect standard upon which to build protections for personally identifiable information.
Tenable Nessus is a powerful network security vulnerability scanner that can scan for, detect
and report on over 30,000 network security vulnerabilities. This article will show you how to
use Nessus to perform network vulnerability scans against your network. Vulnerability
scanning is an important task every network administrator should perform on a regular basis.
Using a tool such as Tenable Nessus can make your job much easier in detecting potential
network security vulnerabilities. Other useful tools including some free network security
tools can be found in my article called Free Network Security Tools.
Creating a Policy
Before you can run a Nessus scan, you've got to create a policy. Nessus Policies track the
vulnerabilities you want to scan for.
1) Open up the Nessus interface by browsing to https://localhost:8834 on the machine you
installed Nessus (Figure 2). Enter the username and password created earlier and click Log
In.
2) Click on the Policies tab at the top of the screen.
3) Click the Add button to create a new policy.
4) Give the scan a name and make sure Safe Checks and Silent Dependencies are
checked; leave the remaining scan options at the default (Figure 3). Click Next.
5) Enter credentials for the scan to use. You can use a single set of credentials or multiple
sets. Click Next when you're ready to continue.
6) The plugins tab will let you choose which families of scans you'd like to perform. Nessus
will have all plugins selected by default. Click the Yellow dot to disable any of the Families,
or click on the text of the Family to see a list of individual plugins. You can also use the
Enable All or Disable All buttons to help you pick the right groups of plugins (Figure 4).
Click Next.
7) On the preferences screen, you will need to tailor the preferences to the machines you are
scanning. Use the Plugin drop down box to select each plugin item and specify settings as
needed. For example, if you are performing database, web or email scans, you will need to
enter credentials for Nessus to use in the scanning process (Figure 5). Click Submit once
finished.
Performing a Scan and Using the Reports
The Nessus scan is really the heart of Nessus as this process performs the vulnerability
assessment against the machines you specified in your policy.
1) In Nessus, click the Scans tab and then click Add.
2) Give the scan a name and select the policy you set up earlier.
3) In the Scan targets box, enter the list of machines you wish to scan. You can also import a
list using the Targets file box. Click Launch Scan to begin the scan.
4) Depending on how many devices you are scanning, Nessus may take a while. When the
scan is complete click on the Reports tab.
5) You will see the name of the scan you just completed. Double click on the scan name to
drill into the report.
6) Once in the report, you will see a listing of each host scanned along with the total number
of High, Medium, Low vulnerabilities found (Figure 6).
7) Double click on the host name to drill into a list of the vulnerabilities found. Drilling into
each vulnerability and Plugin ID will give you a detailed description of the vulnerability
found along with possible mitigation strategies (Figure 7).
That covers the basics of how to use Nessus. By frequently scanning your network for
vulnerabilities, you'll go a long way in protecting your network.
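
As an added example (not part of the original article and not Nessus's own code), the per-host High/Medium/Low totals and the plugin drill-down from steps 6 and 7 can be reproduced outside the interface from a report saved in the .nessus v2 XML format. Saving the report to a file is an assumption; the hosts, plugin IDs and plugin names in the sample are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the .nessus v2 layout; every value below is made up.
SAMPLE = """<NessusClientData_v2><Report name="constructed-scan">
<ReportHost name="192.0.2.10">
  <ReportItem port="445" severity="3" pluginID="90001" pluginName="Constructed high finding">
    <solution>Apply the vendor patch.</solution></ReportItem>
  <ReportItem port="80" severity="2" pluginID="90002" pluginName="Constructed medium finding"/>
  <ReportItem port="0" severity="0" pluginID="90003" pluginName="Constructed info item"/>
</ReportHost>
<ReportHost name="192.0.2.20">
  <ReportItem port="22" severity="1" pluginID="90004" pluginName="Constructed low finding"/>
  <ReportItem port="443" severity="2" pluginID="90002" pluginName="Constructed medium finding"/>
</ReportHost>
</Report></NessusClientData_v2>"""

SEVERITY = {"1": "Low", "2": "Medium", "3": "High"}  # "0" is informational


def summarize(xml_text):
    """Return ({host: Counter of severity names}, findings sorted worst first)."""
    # Only parse report files you produced yourself with this stdlib parser.
    root = ET.fromstring(xml_text)
    per_host, findings = {}, []
    for host in root.iter("ReportHost"):
        name = host.get("name", "unknown")
        counts = per_host.setdefault(name, Counter())
        for item in host.iter("ReportItem"):
            sev = item.get("severity", "0")
            if sev not in SEVERITY:
                continue  # skip informational or unrecognized levels
            counts[SEVERITY[sev]] += 1
            findings.append((int(sev), name, item.get("port"), item.get("pluginID"),
                             item.get("pluginName"), (item.findtext("solution") or "").strip()))
    findings.sort(key=lambda f: (-f[0], f[1], f[3]))
    return per_host, findings


if __name__ == "__main__":
    hosts, findings = summarize(SAMPLE)
    for h, c in hosts.items():
        print(h, {k: c[k] for k in ("High", "Medium", "Low")})
    for sev, host, port, pid, pname, fix in findings:
        print(f"{SEVERITY[str(sev)]:6} {host}:{port} plugin {pid} {pname} -> {fix}")
```

Sorting the findings worst first gives a remediation queue, and the plugin ID in each row is the value to look up in the report for the full description and mitigation.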
What is ISO 22301 Business Continuity Management?
ISO 22301 is the international standard for business continuity management, and builds on
the success of British Standard BS 25999 and other regional standards. It's designed to
protect your business from potential disruption. This includes extreme weather, fire, flood,
natural disaster, theft, IT outage, staff illness or terrorist attack. The ISO 22301 management
system lets you identify threats relevant to your business and the critical business functions
they could impact. And it allows you to put plans in place ahead of time to ensure your
business doesn't come to a standstill.
What are the benefits of ISO 22301 business continuity management?
Identify and manage current and future threats to your business
Take a proactive approach to minimizing the impact of incidents
Keep critical functions up and running during times of crises
Minimize downtime during incidents and improve recovery time
Demonstrate resilience to customers, suppliers and for tender requests
