Saturday, July 13, 2013

Simplifying ISO 27001 Clause A.10.10

Clause A.10.10 revolves around monitoring, with the objective of detecting unauthorized information processing activities.  Though there are many ways to do this, automation is the preferred way owing to the sheer volume of logged data; reviewing logs manually becomes a humanly impossible task.

But when I look at the various sub-clauses of the Standard, I tend to infer the following points - 
  1. It is not mandatory to have a SIEM or any automated solution for real-time log collection and analysis.  Clause A.10.10.1 states - "Audit Logs recording User Activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring."  That means logging is important, but doing it in real time is not compulsory.  A review, however, is indeed required.
  2. Added to the above is Clause A.10.10.2 stating - "Procedures for monitoring use of information processing facilities shall be established and the results of the monitoring activities reviewed regularly". Going by this, the standard does not insist on either an automated or a manual process; the organization may choose to do it manually or automate it depending on the business requirements.  If your procedures state that the activity will be done on a manual basis, that is fine as long as you can evidence that the logs are being reviewed and monitoring is being conducted, with regular reports being produced.
  3. Nothing in ISO 27001 is mandatory, not even clause A.10.10.  You may choose whether or not to adopt a control and develop the "Statement of Applicability" limiting the scope and extent of adopting the ISO 27001 standard.  The scope may be limited to geographic locations, systems, facilities, departments, personnel involved, operations etc.  However, due caution needs to be taken while developing the Statement of Applicability to provide a valid, business-driven reason to exclude any of the controls and related scope.  Be cautious that Auditors may call out the inter-dependencies of the systems and/or operations, citing the touch points, and may therefore press that there is a non-conformity.
Overall, specifically with regard to clause A.10.10, I see no problem with the manual approach as long as it is duly documented and followed. Auditors generally would tend to call out a "Need For Improvement" in their observations, and time would be given till the re-certification Audit.  It hence would be appropriate to define a plan and lay out a way forward to achieve automation over a period of time.  Auditors would be fine if they see that there is an intent to achieve it, and they would then Audit accordingly.
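To show what "evidence of review" can look like without a SIEM, here is an added example (not from the original post) that parses a constructed audit log, splits it into user activities, exceptions and security events as A.10.10.1 requires, flags records older than the agreed retention period, and returns a dated review record. The log format, user names, 90-day retention and review date are all assumptions.

```python
"""Added example, not from the original post: a small manual-review aid for
A.10.10.1/A.10.10.2 evidence.  Log format, user names and the 90-day
retention period are constructed assumptions."""
from collections import Counter
from datetime import datetime, timedelta

RETENTION_DAYS = 90  # the "agreed period" of A.10.10.1; assumed value

# Constructed sample audit log: "<ISO timestamp> <category> <user> <detail>"
SAMPLE_LOG = """\
2013-07-10T09:02:11 ACTIVITY alice login ok
2013-07-10T09:05:40 ACTIVITY bob file-read /finance/q2.xlsx
2013-07-10T09:06:02 EXCEPTION bob login failed
2013-07-10T09:06:30 EXCEPTION bob login failed
2013-07-10T09:07:01 SECURITY bob account locked
2013-04-01T08:00:00 ACTIVITY carol login ok
"""

def parse_log(text):
    """Return a list of (timestamp, category, user, detail) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, category, user, detail = line.split(" ", 3)
            records.append((datetime.fromisoformat(ts), category, user, detail))
    return records

def review(records, review_time, retention_days=RETENTION_DAYS):
    """Summarise records per category, count failed logins per user and
    count records older than the agreed retention period (due for purge)."""
    by_category = Counter(r[1] for r in records)
    failed_logins = Counter(r[2] for r in records
                            if r[1] == "EXCEPTION" and "login failed" in r[3])
    cutoff = review_time - timedelta(days=retention_days)
    return {
        "reviewed_at": review_time.isoformat(),   # the review record's date
        "records": len(records),
        "by_category": dict(by_category),
        "failed_logins": dict(failed_logins),
        "expired": sum(1 for r in records if r[0] < cutoff),
    }

def run_sample():
    """Review the constructed log as of 13 July 2013 (assumed review date)."""
    return review(parse_log(SAMPLE_LOG), datetime(2013, 7, 13))

if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The returned dictionary, written out with its date, is the kind of artefact an auditor can accept as proof that the review procedure in A.10.10.2 is actually being followed.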

As I conclude, please note that ISO 27001 doesn't tell you how to do it. The standard lays out what is to be done, and that too from a best-practice standpoint.

Friday, July 5, 2013

Use of Technology for Payment Transactions

The days when we used to make payments with hard cash are long gone.  With the advent of new-age technology, bank cards (Debit/Credit) and Internet Banking, we all opt for the convenience of making payments from the comfort of our home and/or office.  Payments made this way can be tracked without dealing with the trouble of paper receipts.  

That said, it is critically important to review the options before making payments with the use of technology, as along with the convenience of making payments, technological advancements have provided newer ways for attacks and scams.  Initially there were Phishing attacks, where the attacker would host a dummy site for the target bank, collect the required information and enjoy the proceeds.  As users started getting smarter and the banks started implementing tighter security norms and taking the fake sites down, there came the Vishing attack, where the attacker, posing as a genuine Phone Banker or Customer Service Associate, tries to extract relevant information including Sensitive Personal Information and the PIN/CVV/CVC of the card under discussion. In many instances the customers do fall prey to such calls and end up losing their hard-earned money.  Typical case to be read here - Paying bill online costs man Rs 50,000

Now the main points to be noted while making online payments or carrying out online transactions are - 
  1. For making online payments, ensure that you register the organization, to whom you want to make payment, at your Bank's Internet Banking site
  2. If you find it cumbersome to register the Biller at your Bank's site, please ensure that you make the payment from the Official Site of the Biller and also by creating your own Account on that site
  3. Ensure that you DO NOT use any third party website for any online Bill Pay, as they may claim  to facilitate the transaction, but this is NOT always safe
Another aspect that needs to be taken care of is the payment through IVR System of the Biller or the Bank.  It is pretty important to note the following points - 
  1. Never reveal Sensitive Information like CVC/CVV/PIN during an Automated Call or while talking to the Phone Banker or Customer Service Representative
  2. It is critical to note that you will never get a call from either the Bank or the Biller asking you to share your sensitive information to enable a payment through Phone Banking or IVR.  A payment through IVR or Phone can only be initiated when you yourself call the Bank or the Biller to make such a payment
  3. Please ensure that if anyone claiming to be from the Bank or from the Biller seeks to gain your PIN/CVV/CVC or other information that is generally not sought by Banks / Billers, you disengage yourself from the call and raise a written complaint with your Bank / Biller through the netbanking / biller website. This will trigger an automated response to your mailbox.  Do not reply to that address; just wait for an official mail from your bank (delivered in the netbanking inbox) and/or Biller (delivered at your registered email address).  
  4. You have a choice to refer the case to the Consumer Forum / RBI / Appellate Tribunal depending on your choice and the party involved. When you refer the case to the concerned authority you would need to provide details around the transaction that is being referred, the person's name (if you remember), the time you made the call, the duration of the call and a summary of the call proceedings.  Remember that IVR calls are always recorded, and in such a case your claims can be verified at the Bank / Biller's side.
So, staying safe is in your hands, and ensuring that you don't fall prey to such cases is entirely up to you.  You need to be really careful not to disclose sensitive information to anyone, or on any weblink you may receive claiming to be from a bank.

Please ensure that you verify the website address, as it will always have some altered information if it comes from an imposter. And the most important thing - if you suspect that your information has been compromised, raise a Red Flag complaint immediately with the Bank.  Banks do provide you with all the required help to protect against any fraudulent activity in your account.  In case you know that someone has gained your personal information and misused it, please lodge a written complaint with the bank before you head to the law enforcement agency.  A copy of the complaint raised with the Bank always helps you in your case, and the Banks then have to ensure that they cooperate in your case to get you the rightful justice.
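As an added illustration of "verify the website address" (not code from the original post), the check below accepts a payment link only when it uses https and its host is the bank's official domain or a subdomain of it; it rejects the usual alterations an imposter's address carries, such as the bank's name placed in front of a different domain or before an "@". The official domain and the sample links are constructed assumptions.

```python
"""Added example, not from the original post: check that a link offered for a
payment really sits under the bank's official domain.  The official domain
and the sample links are constructed assumptions."""
from ipaddress import ip_address
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "examplebank.example"  # assumed genuine Internet Banking domain

def check_bank_url(url, official=OFFICIAL_DOMAIN):
    """Return (ok, reason).  ok is True only for an https link whose host is
    the official domain itself or a subdomain of it."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None:
        return False, "user@ prefix: the text before '@' is not the host"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    try:
        ip_address(host)
        return False, "bare IP address instead of the bank's name"
    except ValueError:
        pass  # not an IP literal, carry on
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode label: possible look-alike characters"
    if host == official or host.endswith("." + official):
        return True, "host is under the official domain"
    return False, f"host {host!r} is not under {official!r}"

if __name__ == "__main__":
    for link in ("https://netbanking.examplebank.example/billpay",
                 "https://examplebank.example.secure-pay.example/billpay",
                 "https://examplebank.example@198.51.100.7/billpay"):
        print(link, "->", check_bank_url(link))
```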

However, in the current technological era, the old sayings "Better to be Safe than Sorry" and "Precaution is Cure" still hold true.  So take due precautions to not let someone defraud you...it's your information, and you have the right to refuse to impart it...