Technical Report RHUL–MA–2015–3 4 March 2015


The Value of Threat Models in Enterprise Security Testing of Database Systems & Services

Timothy D. Williams

Information Security Group
Royal Holloway, University of London
Egham, Surrey, TW20 0EX, United Kingdom
www.ma.rhul.ac.uk/tech

Student Number: 100758891
Name: Timothy D. Williams
Supervisor: Dr. Lorenzo Cavallaro

Submitted as part of the requirements for the award of the MSc in Information Security at Royal Holloway, University of London.

I declare that this assignment is all my own work and that I have acknowledged all quotations from the published or unpublished works of other people. I declare that I have also read the statements on plagiarism in Section 1 of the Regulations Governing Examination and Assessment Offences and in accordance with it I submit this project report as my own work.

Academic Year 2013/2014
Copyright © 2013/2014 by Timothy D. Williams

Abstract

The Value of Threat Models in Enterprise Security Testing of Database Systems & Services
by Timothy D. Williams
Master of Science in Information Security, Royal Holloway, University of London, 2013/2014

This thesis explores the value of threat models in organisation-wide security testing of databases. Factors that drive security testing are examined. Different types of security testing, different approaches to threat modeling and different database technologies are considered. The importance of metadata management, particularly for newer schema-less databases, is highlighted. An integrated approach to database security testing is proposed which includes white-box, black-box and grey-box techniques. Sequence dependencies affecting database security testing are identified. The need for explicit architecture tiers in database security testing is explained. An approach to threat modeling and testing based on zones is proposed. Potential benefits of the proposed approach are described. The main conclusion is that further research is needed, both theoretical and applied, into the best ways for organisations to plan, execute and respond to database security tests. It is possible that a similar threat-based approach could be applied to testing other architecture components. A number of other possible research topics are identified, including threat information exchanges, threat model tool development and penetration test data management.

Keywords: database security, threat modeling, security testing, functional testing, penetration testing, enterprise security, governance, compliance, cybersecurity.

Acknowledgements

I am very grateful to my family and in particular to my lovely wife Fiona for supporting me as I have had to prioritise MSc study time and work commitments over time that I would normally have enjoyed with them. I would like to thank my mother Diana for checking late drafts for errors. I am fully responsible for any remaining errors.

This project would not have taken shape without the guidance and support of my supervisor Dr. Lorenzo Cavallaro, to whom I will feel forever indebted.

My background understanding of systems thinking and software quality assurance owes a great deal to the wonderful Dr. Gerald M. Weinberg, to whom Phil Stubbington virtually introduced me in an online forum in 1999. I am enormously grateful to Jerry (as he likes to be known) for his writings, for his online mentoring over the years and for the privilege in November 2012 of finally meeting him in person.

The way in which I think about information risk management problems and security architecture solutions owes much to what I have learned about “defence in depth” since 2005 through working on secure public sector projects. Although these sources may have indirectly influenced my thinking, only the sources listed in the Bibliography have been relied upon and no classified information is disclosed in this thesis.

For making me think hard about metadata management issues and improving my understanding of metadata solutions I am very grateful to my former colleague George McGeachie. For raising my understanding of PostgreSQL security I would like to thank Simon Riggs. For introducing me to attack monitoring in 2010 I would like to thank Joerg Weber. For being a dedicated independent security researcher [11] and supportive work colleague I would like to thank Jerome Athias.

A special mention is due to Wayne Grundy for his recommendation in 2010 that I read “The Pyramid Principle: logic in writing and thinking” by Barbara Minto [239]. Whenever I was getting stuck it was a great help to re-read and reflect on the helpful advice that this book provides.

I would also like to thank members of the Information Security Group at Royal Holloway, and in particular Dr. Chez Ciechanowicz and Emma Mosley, for their support and understanding during the difficult period following my father’s death at the start of January 2014.

I dedicate this work to the memory of my father Anthony David Williams. I consider myself blessed that along with strong faith, wise words and happy memories Dad passed on his optimistic outlook, enquiring mind and interests in practical details.

Contents

1 Introduction .... 1
  1.1 Audience .... 2
  1.2 Motivation .... 3
  1.3 Goals .... 6
  1.4 Scope .... 6
  1.5 Approach .... 7
  1.6 Structure .... 8
  1.7 Summary Findings .... 12

I Enterprise Context .... 15

2 Enterprise Information Governance .... 17
  2.1 Corporate Governance .... 18
  2.2 General Legal Obligations .... 19
  2.3 Specific Legal Requirements .... 21
  2.4 Summary .... 22

3 Good Practices .... 23
  3.1 Enterprise Risk Management .... 23
  3.2 Business Analysis .... 24
  3.3 Data Management .... 25
  3.4 Architecture Frameworks .... 25
  3.5 IT Service Management .... 26
  3.6 Cyber Security Frameworks .... 27
  3.7 Lifecycle Models .... 28
  3.8 Summary .... 31

4 Metadata Management .... 33
  4.1 Prerequisites for Database Security .... 33
  4.2 Value of Metadata .... 34
  4.3 Metadata History .... 35
  4.4 Metadata Classification .... 35
  4.5 Metadata Security .... 38
  4.6 Summary .... 38

5 Security Testing .... 41
  5.1 Security Testing Overview .... 42
  5.2 Software Quality Assurance .... 42
  5.3 Security Test Planning .... 44
  5.4 Timing of Security Testing .... 44
  5.5 Security Testing Techniques .... 45
  5.6 Security Testing Methodologies .... 47
  5.7 Security Testing Challenges & Opportunities .... 48
  5.8 Summary .... 51

6 Threat Modeling .... 53
  6.1 What is Threat Modeling? .... 53
  6.2 Why is Threat Modeling Valuable? .... 54
  6.3 When are Threat Models needed? .... 55
  6.4 Threat Modeling Approaches .... 55
  6.5 Summary .... 61

II Database Security Testing .... 63

7 Database Security Management Review .... 65
  7.1 Overview of Database Security Management .... 65
  7.2 Core Database Services .... 67
  7.3 Database Service Management .... 69
  7.4 Limits of Database Security Management .... 71
  7.5 Summary .... 72

8 Database Security Technical Review .... 73
  8.1 Traditional Technical Database Security .... 74
  8.2 Database Technology Trends .... 74
  8.3 New Database Security Limitations .... 75
  8.4 Worked Examples of Database Security Attacks .... 76
  8.5 Database Security Test Alignment .... 78
  8.6 Summary .... 79

9 Database Security Testing Framework .... 81
  9.1 The Need for Database Security Threat Models .... 81
  9.2 Framework Development Decisions .... 82
  9.3 Framework Description .... 85
  9.4 Framework Rationale .... 86
  9.5 Principles .... 90
  9.6 Summary .... 92

III Potential Improvements .... 93

10 Evaluation .... 95
11 Conclusions .... 97
12 Future Directions .... 99

IV Appendices .... 103

A. Typographic Information .... 105
B. Bibliographic Information .... 107
C. Glossary of Terms .... 109
D. Enterprise Risk Management .... 115
E. Software Testing Standards .... 117
F. NIST Cyber Security Framework .... 119

Bibliography .... 120

List of Figures

1.1 Database Security Testing Concept .... 1
1.2 Information Security Management process .... 3
2.1 Corporate Governance Summary .... 18
3.1 ISO/IEC 9126 Software Quality Attributes .... 25
3.2 ITIL Service Catalogue .... 27
4.1 Data Value Chain .... 34
6.1 Threats, Requirements, Mitigations Interplay .... 58
6.2 Vulnerabilities of Countermeasures .... 59
7.1 DAMA Data Security Management processes .... 70
8.1 NoSQL Data Models .... 75

List of Tables

1.1