Security Standards and ISO 17799

Many companies are adopting comprehensive security standards for their organizations. If your organization is involved in government-related work, a standard is probably already in place and you will be expected to follow it. The consequences can be quite dire if a policy violation occurs.

Note 

This material is provided only for background. You will not be tested on the ISO 17799 standard.

Increasingly, the need for security standards is being recognized worldwide. One of the security standards that is gaining acceptance is the ISO 17799 standard. This section briefly discusses this standard.

The International Standards Organization has published the ISO 17799 standard. This standard is referred to as the "Code of Practices for Information Management." The most recent version of this standard was published in August of 2000. ISO 17799 identifies the major steps necessary to secure the IT environment.

Note 

Information on ISO 17799 is available in written form and online. A good place to get more information on ISO 17799 is www.securityauditor.net/iso17799/.

This document outlines 10 areas of focus. An organization that successfully completes the work necessary to address these 10 areas can apply for certification. Auditors are brought in to verify that the areas are covered. This audit is comprehensive, and it requires advance preparation.

Here are the 10 areas:

1. Security Policy: The security policy includes the process for evaluating expectations, and it demonstrates management's support of and commitment to security.

2. Security Organization: The organization has a structure in place that is responsible for security. This includes security coordinators, appropriate management delegation, and incident-response processes.

3. Asset Classification and Control: This section deals with assessment and inventory of the organization's information infrastructure and assets to determine whether an appropriate level of security is in place.

4. Personnel Security: This section evaluates the human resources aspects of the business operation. Clear outlines of security expectations, screening processes, and confidentiality agreements are evaluated. This section also deals with how incidents are reported and who is responsible for dealing with them.

5. Physical and Environmental Security: This section deals with the policies and methods used to protect the IT infrastructure, physical plant, and employees. Aspects of backup power, routine maintenance, and onsite security are covered in this section.

6. Communications and Operations Management: Preventive measures (such as antivirus protection, monitoring of system logs, remote communications security, and incident-response procedures) are evaluated in this section.

7. Access Control: This section evaluates protection mechanisms against internal and external intrusions. Issues such as password management, authentication systems, and event logging are part of this section.

8. Systems Development and Maintenance: This section evaluates the measures that are taken in system development and software maintenance activities. This includes network deployment and expansion.

9. Business Continuity Management: This section evaluates the organization's plans for dealing with man-made and natural disasters. The focus here is on how recovery will occur should an interruption occur.

10. Compliance: This section evaluates how well the organization complies with regulatory and legal requirements. It also evaluates compliance with the organization's internal privacy policies.

This standard, when introduced in 1995, did not gain immediate acceptance. Many in the industry did not feel that it was thorough enough to be a serious standard. Critics of the standard felt that the certification was oriented more toward giving advice than toward providing a comprehensive certification process. This has been largely addressed in later revisions of the standard.

The August 2000 version is gaining acceptance worldwide. Even if your organization does not intend to pursue certification under this standard, it is a useful place to begin developing the internal documents needed for self-accreditation.

CompTIA Security+ Study Guide, Exam SY0-101
ISBN: 078214098X
Year: 2006
Pages: 167