Information Security Management Best Practice Based on ISO/IEC 17799
The international information security standard provides a framework for ensuring business continuity, maintaining legal compliance, and achieving a competitive edge
Rene Saint-Germain
Security matters have become an integral part of daily life, and organizations need to ensure that they are adequately secured. While legislatures enact corporate governance laws, more and more businesses are seeking assurance that their vendors and partners are properly protecting information assets from security risks and are taking necessary measures to ensure business continuity. Security management certification provides just such a guarantee, thereby increasing client and partner confidence.
A number of best practice frameworks exist to help organizations assess their security risks, implement appropriate security controls, and comply with governance requirements as well as privacy and information security regulations. Of the various best practice frameworks available, the most comprehensive approach is based on the implementation of the international information security management standard, ISO/IEC 17799, and subsequent certification against the British standard for information security, BS 7799. This ISO 17799/BS 7799 framework is the only one that allows organizations to undergo a third-party audit.
Organizations today must deal with a multitude of information security risks. Terrorist attacks, fires, floods, earthquakes, and other disasters can destroy information processing facilities and critical documents. Theft of trade secrets and the loss of information due to unexpected computer shutdowns can cause businesses to lose their commercial advantage.
The CSI/FBI Computer Crime and Security Survey states that total losses in the United States in 2004 as a result of computer security breaches reached $141,496,560. Organizations often tackle security issues as part of their efforts to comply with a variety of regulatory requirements, such as the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA). It is becoming increasingly clear, however, that to address all aspects of security, organizations need to implement a more comprehensive approach using a methodical compliance framework.

At the Core
This article
• Introduces various best practices for implementing security controls
• Lists the 10 security domains of ISO/IEC 17799
• Describes the benefits of implementing ISO/IEC 17799
• Talks about security trends
Compliance is not always straightforward. As META Group notes in its white paper, "Unraveling Security and Risk Regulation," legislation governing regulatory requirements often lacks the specificity organizations need to know how to comply. According to META Group, companies and institutions affected by such legislation must decide for themselves which security controls are appropriate for their organizations.
An increasing number of businesses, moreover, are seeking to obtain security certification from third-party organizations, given that certification guarantees that the controls implemented meet information security requirements. Certification enables organizations to comply with increasing demands from financial institutions and insurance companies for security audits. In addition, it builds trust in an organization's capacity to implement appropriate security controls to manage and protect confidential client and business information.
Some best practices that facilitate the implementation of security controls
60 The Information Management Journal . July/August 2005