Information Security Management Best Practice Based on ISO/IEC 17799

Article excerpt

The international information security standard provides a framework for ensuring business continuity, maintaining legal compliance, and achieving a competitive edge

Security matters have become an integral part of daily life, and organizations need to ensure that they are adequately secured. While legislatures enact corporate governance laws, more and more businesses are seeking assurance that their vendors and partners are properly protecting information assets from security risks and are taking the necessary measures to ensure business continuity. Information security management certification provides just such assurance, thereby increasing client and partner confidence.

A number of best practice frameworks exist to help organizations assess their security risks, implement appropriate security controls, and comply with governance requirements as well as privacy and information security regulations. Of the various best practice frameworks available, the most comprehensive approach is based on the implementation of the international information security management standard, ISO/IEC 17799, and subsequent certification against the British standard for information security, BS 7799. This ISO 17799/BS 7799 framework is the only one that allows organizations to undergo a third-party audit.

Organizations today must deal with a multitude of information security risks. Terrorist attacks, fires, floods, earthquakes, and other disasters can destroy information processing facilities and critical documents. Theft of trade secrets and the loss of information due to unexpected computer shutdowns can cause businesses to lose their commercial advantage. The CSI/FBI Computer Crime and Security Survey states that total losses in the United States in 2004 as a result of computer security breaches reached $141,496,560. Organizations often tackle security issues as part of their efforts to comply with a variety of regulatory requirements, such as the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA). It is becoming increasingly clear, however, that to address all aspects of security, organizations need to implement a more comprehensive approach using a methodical compliance framework.

Compliance is not always straightforward. As META Group notes in its white paper, "Unraveling Security and Risk Regulation," legislation governing regulatory requirements often lacks the specificity organizations need in order to know how to comply. According to META Group, companies and institutions affected by such legislation must decide for themselves which security controls are appropriate for their organizations.

An increasing number of businesses, moreover, are seeking to obtain security certification from third-party organizations, given that certification provides independent assurance that the controls implemented meet information security requirements. Certification enables organizations to satisfy the increasing demands of financial institutions and insurance companies for security audits. In addition, it builds trust in an organization's capacity to implement appropriate security controls to manage and protect confidential client and business information.

Some best practices that facilitate the implementation of security controls include Control Objectives for Information and Related Technology (COBIT), ISO/IEC 17799/BS 7799, the Information Technology Infrastructure Library (ITIL), and Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE). Focus on the ISO/IEC 17799 standard is warranted, given that it provides the most comprehensive approach to information security management. The other best practices focus more on IT governance in general or on the technical aspects of information security. (See Table 3.) Moreover, ISO 17799/BS 7799 is the only best practice framework that allows organizations to undergo a third-party audit and become certified. Implementing an overarching compliance framework using ISO/IEC 17799 and BS 7799 requires a methodical information security management system that facilitates the planning, implementation, and documentation of security controls and ensures a continuous process of review. …