Information security management best practice based on ISO/IEC 17799; the international information security standard provides a framework for ensuring business continuity, maintaining legal compliance, and achieving a competitive edge.

Security matters have become an integral part of daily life, and organizations need to ensure that they are adequately secured. While legislatures enact corporate governance laws, more and more businesses are seeking assurance that their vendors and partners are properly protecting information assets from security risks and are taking necessary measures to ensure business continuity. Security management certification provides just such a guarantee, thereby increasing client and partner confidence.

A number of best practice frameworks exist to help organizations assess their security risks, implement appropriate security controls, and comply with governance requirements as well as privacy and information security regulations. Of the various best practice frameworks available, the most comprehensive approach is based on the implementation of the international information security management standard, ISO/IEC 17799, and subsequent certification against the British standard for information security, BS 7799. This ISO 17799/BS 7799 framework is the only one that allows organizations to undergo a third-party audit.

Organizations today must deal with a multitude of information security risks. Terrorist attacks, fires, floods, earthquakes, and other disasters can destroy information processing facilities and critical documents. Theft of trade secrets and the loss of information due to unexpected computer shutdowns can cause businesses to lose their commercial advantage. The CSI/FBI Computer Crime and Security Survey states that total losses in the United States in 2004 as a result of computer security breaches reached $141,496,560.

Organizations often tackle security issues as part of their efforts to comply with a variety of regulatory requirements, such as the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA). It is becoming increasingly clear, however, that to address all aspects of security, organizations need to implement a more comprehensive approach using a methodical compliance framework.

Compliance is not always straightforward. As META Group notes in its white paper, "Unraveling Security and Risk Regulation," legislation governing regulatory requirements often lacks the specificity organizations need to know how to comply. According to META Group, companies and institutions affected by such legislation must decide for themselves which security controls are appropriate for their organizations.

An increasing number of businesses, moreover, are seeking to obtain security certification from third-party organizations, given that certification guarantees that the controls implemented meet information security requirements. Certification enables organizations to comply with increasing demands from financial institutions and insurance companies for security audits. In addition, it builds trust in an organization's capacity to implement appropriate security controls to manage and protect confidential client and business information.

Some best practices that facilitate the implementation of security controls include Control Objectives for Information and Related Technology (COBIT), ISO/IEC 17799/BS 7799, Information Technology Infrastructure Library (ITIL), and Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE). Focus on the ISO/IEC 17799 standard is warranted, given that it provides the most comprehensive approach to information security management. The other best practices focus more on IT governance, in general, or on the technical aspects of information security. (See Table 3.) Moreover, ISO 17799/BS 7799 is the only best practice framework that allows organizations to undergo a third-party audit and become certified.
Implementing an overarching compliance framework using ISO/IEC 17799 and BS 7799 requires a methodical information security management system that facilitates the planning, implementation, and documentation of security controls and ensures a constant process review.

ISO/IEC 17799: An Information Security Management Standard

ISO/IEC 17799:2000 Information Technology--Code of Practice for Information Security Management defines information security as the preservation of information confidentiality, integrity, and availability. The goals of information security are to ensure business continuity, to maintain legal compliance, and to achieve a competitive edge. For example, organizations with a committed client base and an established partner network need to demonstrate to their partners, shareholders, and clients that they have identified and measured their security risks and implemented a security policy and controls that will mitigate these risks. Such controls might include, for example, the use of digital certificates for electronic transactions, the drafting and testing of business continuity plans, the use of secure backup media, and the implementation of appropriate access controls.

In drafting a security policy and implementing appropriate security controls, organizations comply with legal requirements and demonstrate their commitment to securing information assets and to protecting the confidentiality of personally identifiable customer information. They also provide their business partners and clients with greater confidence in their capacity to prevent and rapidly recover from any interruptions to production or service levels. Proper security ultimately results in minimizing business damage.

Implementing ISO/IEC 17799 involves putting in place a cost-effective execution plan that includes appropriate security controls for mitigating identified risks and protecting the confidentiality, integrity, and availability of an organization's information assets. It also involves ongoing monitoring to ensure that these controls remain effective. In sum, ISO/IEC 17799 enables organizations to manage information security as a coherent and global business process that extends beyond the very narrow approach to security that focuses uniquely on technical aspects or computer infrastructure.

ISO/IEC 17799 comprises 10 security domains and seeks to address security compliance at all levels: managerial, organizational, legal, operational, and technical. It includes 36 control objectives, consisting of general statements of security goals for each of the 10 domains. The standard also includes 127 controls that identify specific means for meeting the control objectives. Organizations implement these controls to mitigate the risks they have identified.
The ISO 17799/BS 7799 security domains are:

1. Security Policy--Demonstrate management commitment to, and support for, information security.
2. Organizational Security--Develop a management framework for the coordination and management of information security in the organization; allocate information security responsibility.
3. Asset Classification and Control--Maintain an appropriate level of protection for all critical or sensitive assets.
4. Personnel Security--Reduce the risk of error, theft, fraud, or misuse of computer resources by promoting user training and awareness regarding risks and threats to information.
5. Physical and Environmental Security--Prevent unauthorized access to information processing facilities and prevent damage to information and to the organization's premises.
6. Communications and Operations Management--Reduce the risk of failure and its consequences by ensuring the proper and secure use of information processing facilities and by developing incident response procedures.
7. Access Control--Control access to information to ensure the protection of networked systems and the detection of unauthorized activities.
8. Systems Development and Maintenance--Prevent the loss, modification, or misuse of information in operating systems and application software.
9. Business Continuity Management--Develop the organization's capacity to react rapidly to the interruption of critical activities resulting from failures, incidents, natural disasters, or catastrophes.
10. Compliance--Ensure that all laws and regulations are respected and that existing policies comply with the security policy in order to ensure that the objectives laid out by senior management are met.

Figure 1 suggests a structure for the standard's 10 domains. This structure is driven from the top down, such that the impact is felt from the management or organizational level all the way to the operational level.

[FIGURE 1 OMITTED]

Implementation Considerations

ISO/IEC 17799 is highly flexible and can be used by a variety of organizations. Organizations should determine what their primary security objectives are and adapt their use of the standard to these objectives as they strive for information security governance. Table 1 provides an overview of ISO/IEC 17799 uses.

Organizations also must consider how to efficiently manage ISO/IEC 17799 standard implementation, given that this standard, although flexible, is quite complex and touches on a number of different security areas. The important documentation and accountability requirements of BS 7799 certification only add to this challenge. One solution is to use a governing tool that will guide the deployment team, enable collaboration across the organization, and automate the documentation process. A number of such solutions are currently available on the market and offer varying levels of functionality.
Certification Process

Organizations that base information security management systems (ISMS) on BS 7799 specifications can apply to become certified. An organization that obtains certification is said to be ISO/IEC 17799 compliant and BS 7799 certified. Development, implementation, maintenance, and continual improvement of a documented ISMS are fundamental to certification. To guide organizations through this process, BS 7799 uses the Plan-Do-Check-Act (PDCA) model that is common to other management systems. Table 2 provides an overview of PDCA cycle phases as they relate to an ISMS.

Once an organization has developed, implemented, and documented its ISMS, an accredited certification body carries out a third-party audit. The BS 7799 audit includes both a documentation audit and an implementation audit. Security auditors assess whether an organization's ISMS scope covers all aspects of operations. They also ensure that the risk assessment reflects the organization's business activities and that the assessment's results are reflected in the risk treatment plan. Finally, the implementation audit verifies that the organization has effectively implemented its security policies and controls and that processes have been set in place to ensure the ISMS's review and improvement.

A number of critical factors can affect success or failure in the certification process. Key success factors include adopting an implementation approach that is consistent with the organization's culture, ensuring that the security policy reflects business objectives, and providing proper training for employees. Another key success factor is the use of a governing system that ensures the timely update of security policies as well as organization-wide collaboration and knowledge-sharing. However, the single most important success factor in obtaining BS 7799 certification is management commitment to, and support of, an ongoing, organization-wide information security management process. Indeed, without management commitment, certification cannot succeed. Other obstacles to obtaining certification include insufficient knowledge of the approach adopted and poor understanding of security requirements, risk assessment, and risk management processes. Once certification is achieved, organizations can expect to undergo periodic monitoring audits and must reapply for certification every three years.
It is important that organizations use a governing system to automate the BS 7799 compliance and certification process, given the documentation and accountability requirements.

Benefits of Implementing the ISO/IEC 17799/BS 7799 Framework

ISO/IEC 17799 compliance and BS 7799 certification provide important advantages on many levels. BS 7799 certification serves as a public statement of an organization's ability to manage information security. It demonstrates to partners and clients that the organization has implemented adequate information security and business continuity controls. It also demonstrates the organization's commitment to ensuring that its information security management system and security policies continue to evolve and adapt to changing risk exposures. Certification is a mark of distinction that sets organizations apart from their competition and provides partners, shareholders, and clients with greater confidence. Furthermore, given the reduced level of risk to which ISO/IEC 17799 compliant organizations are exposed, these organizations will spend less money recovering from security incidents, which may also translate into lower insurance premiums. Finally, an indication of the importance of ISO/IEC 17799 compliance is the fact that international invitations to tender are beginning to require that organizations be ISO/IEC 17799 compliant.

Security Compliance Trends

The approach to compliance is evolving from one focused on technical elements to an understanding of compliance as a coherent business process (not a project) that intimately involves all aspects of an organization. This new perspective, where compliance is managed and measured as a business process, is leading some larger organizations to appoint a chief security officer or a chief risk officer to ensure that security compliance is dealt with on an organization-wide and ongoing basis.
Al Passori of META Group, in his article "CIO Primer for Three Standard Deviations," predicts that by 2009/10, 35 percent of the Global 2000, i.e., the 2,000 largest companies worldwide, will have adopted at least one international security framework. The increasing interest in security frameworks is due to new governance legislation, to a growing awareness of the importance of information security, and to security audit demands by financial institutions and insurance companies. Initially implemented primarily in Europe and Asia, ISO/IEC 17799 has been adopted as a national standard in many countries, including Australia, Brazil, the Czech Republic, Finland, Iceland, Ireland, Japan, the Netherlands, New Zealand, Norway, Spain, and Sweden.

Continually striving toward fuller maturity, ISO/IEC 17799 is already one of the most widely referenced information security frameworks. As the editor of Information Security Magazine, Lawrence Walsh, notes, "Even as the ISO undertakes a major review of the standard, ISO 17799--and its British Standards Institution (BSI) cousin--are rapidly becoming the canon for information security management." Michael Rasmussen, of the Giga Information Group, adds that "ISO 17799 has become the de facto standard for defining (at a high level) an information security program/architecture."

A revised version of BS 7799 was expected to be published at the end of June 2005. Originally, the name of this revised standard was going to be ISO 24743. However, during the early part of 2005 it was determined that it would be called BS ISO/IEC 17799 (BS 7799-1). The revised standard was designed to be more user-friendly and incorporates changes in technology, technical upgrades, and compatibility issues. The standard also provides additional controls as well as enhancing and revising existing controls. With the release of this new version, an increase in the adoption of this standard worldwide, especially in North America, can be expected. (See Figure 2.)

In the current context of increased information security, privacy, and governance regulations, organizations are required to assess their risks, adopt appropriate controls, and document their efforts to demonstrate compliance. Lack of security compliance can result in business loss, as well as severe civil and criminal penalties, including fines and prison sentences. Moreover, a growing demand also exists for security certification to increase confidence in the security of information held by companies and institutions. A comprehensive, flexible framework for implementing cost-effective compliance, deployed via a governing system that maintains security policies and controls, is essential for organizations falling into several regulatory realms.
The ISO/IEC 17799/BS 7799 best practice framework provides a set of best practices and controls that address the essential issues of information confidentiality, availability, and integrity existing at the heart of regulatory efforts. This comprehensive approach to information security management enables organizations to build client and partner trust in their capacity to secure their information assets and ensure business continuity.
Table 1: Uses of the ISO/IEC 17799 Standard

Small Enterprise or Organization (fewer than 200 employees)
  Primary objective: Raise the awareness of the management regarding information security.
  Use of the standard: ISO 17799 contains the security topics that should be dealt with as a foundation for information security management.

Medium Enterprise, centralized or decentralized (fewer than 2,000 employees)
  Primary objective: Create a corporate culture of compliance.
  Use of the standard: The standard contains the practices required to put together an information security policy.

Large Enterprise (more than 2,000 employees)
  Primary objective: Obtain security certification at the end of the process.
  Use of the standard: Use BS 7799-2 to implement, maintain, review, and improve an information security management system (ISMS).
Table 2: Information Security Management Systems and the PDCA Model

Plan (establish the ISMS)
  * Define the ISMS scope and the organization's security policies
  * Identify and assess risks
  * Select control objectives and controls that will help manage these risks
  * Prepare the Statement of Applicability (SoA) documenting the controls selected and justifying any decisions not to implement, or to only partially implement, certain controls

Do (implement and operate the ISMS)
  * Formulate and implement a risk mitigation plan
  * Implement the previously selected controls to meet the control objectives

Check (monitor and review the ISMS)
  * Conduct periodic reviews to verify the effectiveness of the ISMS
  * Review the levels of acceptable and residual risk
  * Periodically conduct internal ISMS audits

Act (maintain and improve the ISMS)
  * Implement identified ISMS improvements
  * Take appropriate corrective and preventative action
  * Maintain communication with all stakeholders
  * Validate improvements
Table 3: Quick Comparison of Security Best Practices

CERT Security Practices
  Description/Scope: A set of recommended best practices for improving the security of computer network systems.
  Offers certification? No
  Comparison with ISO/IEC 17799: ISO/IEC 17799 addresses a more comprehensive set of information security issues.

Common Criteria for Information Technology Security Evaluation (ISO 15408)
  Description/Scope: A technical standard that certifies the levels of defense conferred by the security measures implemented in information systems.
  Offers certification? Yes
  Comparison with ISO/IEC 17799: ISO/IEC 17799 focuses on the organizational and administrative aspects of security whereas ISO 15408 focuses on the technical aspects of information systems. Therefore, they are complementary.

Control Objectives for Information and (Related) Technology (COBIT)
  Description/Scope: COBIT is an international standard for IT governance that seeks to bring together business control models and IT control models.
  Offers certification? No
  Comparison with ISO/IEC 17799: COBIT and ISO/IEC 17799 are mutually complementary, with COBIT providing a broader coverage of IT governance in general and ISO/IEC 17799 focusing more specifically on security and providing certification.

Guidelines for the Management of IT Security (GMITS) (ISO 13335)
  Description/Scope: GMITS is an international standard that lays out guidelines for information security management and consists of a number of technical reports covering information security management concepts and models, techniques, IT security management and planning, and selection of safeguards.
  Offers certification? No
  Comparison with ISO/IEC 17799: The two standards are complementary. While GMITS describes high-level concepts for IT security management, ISO/IEC 17799 specifies controls that can be used to develop and implement an information security management system (ISMS).

Information Technology Infrastructure Library (ITIL)
  Description/Scope: A supplement to Committee of Sponsoring Organizations of the Treadway Commission (COSO) and COBIT that proposes best practices for IT service management.
  Offers certification? No
  Comparison with ISO/IEC 17799: ITIL and ISO/IEC 17799 are complementary and can be used together. ITIL can be used to improve general IT processes and controls and ISO/IEC 17799 can be used to improve security controls and processes.

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
  Description/Scope: An assessment and planning framework for security that enables companies to identify and analyze risks and develop a plan to mitigate those risks. The OCTAVE approach can be implemented using two assessment methods: one for large companies (OCTAVE Method) and one for small businesses (OCTAVE-S).
  Offers certification? No
  Comparison with ISO/IEC 17799: OCTAVE is an evaluation activity, not a continuous process. BS 7799, on the other hand, implements a continuous process for risk management and compliance based on the PDCA model. As such, an OCTAVE method could be created and incorporated into the planning segment of the PDCA cycle used in BS 7799.

System Security Engineering Capability Maturity Model (SSE-CMM)
  Description/Scope: A model for assessing the security maturity level of an organization. Five security levels exist, from 1 (performed informally) to 5 (continuously improving). SSE-CMM does not describe a way of doing things but rather reports widespread practice.
  Offers certification? No
  Comparison with ISO/IEC 17799: BS 7799 provides a process for the continuous improvement of information security. As such, SSE-CMM and BS 7799 complement each other and BS 7799-certified organizations may seek to be recognized as SSE-CMM Level 5 organizations.
References

Alberts, Christopher, et al. "Introduction to the OCTAVE Approach." CERT Coordination Center. Available at www.cert.org/octave/approach_intro.pdf (Accessed 3 June 2005).

BSI. "Information and Communication Technology: Frequently Asked Questions." Available at www.bsi-global.com/ICT/Security/faqs.xalter (Accessed 3 June 2005).

BSI. Information security management systems--specification with guidance for use. 2002.

Computer Security Institute. "2004 CSI/FBI Computer Crime and Security Survey." Available at www.gocsi.com (Accessed 3 June 2005).

Information Systems Audit and Control Association (ISACA). "COBIT Mapping: Mapping ISO/IEC 17799:2000 With COBIT." Available at www.isaca.org/Template.cfm?Section=Research2&Template=/ContentManagement/ContentDisplay.cfm&ContentID=15056#cobitiso (Accessed 3 June 2005).

ISO/IEC. ISO/IEC 17799: Information Technology--Code of Practice for Information Security Management. 2000.

META Group. "Unraveling Security and Risk Regulation," white paper. January 2005.

National Institute of Standards and Technology (NIST). "International Standard ISO/IEC 17799:2000 Code of Practice for Information Security Management--Frequently Asked Questions." November 2002. Available at csrc.nist.gov/publications/secpubs/otherpubs/revisofaq.pdf (Accessed 3 June 2005).

Passori, Al. META Group. "CIO Primer for Three Standard Deviations," 6 January 2005. Available at www.metagroup.com/us/resCenter/displayResourceCenter.do?areaPrefix=ITLVM (Accessed 3 June 2005).

Rasmussen, Michael. Giga Information Group, Inc. "IT Trends 2003: Information Security Standards, Regulations and Legislation." 5 December 2002. Available at images.telos.com/files/external/Giga_IT_Trends_2003.pdf (Accessed 3 June 2005).

At the Core

This article:
* Introduces various best practices for security controls
* Lists the 10 security domains of ISO/IEC 17799
* Describes benefits of implementing ISO/IEC 17799
* Talks about security trends

Rene Saint-Germain is the president of Callio Technologies (www.callio.com), the software provider of a process framework for deploying and maintaining security compliance certification. He is an expert in risk assessment and contingency planning, with broad experience with Fortune 500 companies and government agencies at all levels. Mr. Saint-Germain is a frequent speaker at security-related conferences. Contact him at rstg@callio.com.