A newly revised global standard for managing information security could aid companies that need to comply with a spate of tough new government regulations, according to experts.
ISO 17799, published by the Geneva, Switzerland-based International Standards Organization (ISO), is considered by many to be the most widely embraced information security management standard in the world. First adopted in 2000, ISO 17799 serves as a code of practice for designing policies and technical architecture aimed at protecting sensitive financial and customer information. Revisions to the standard, released in June, aim to make it easier to understand and implement.
Although more of a guideline than an actual mandate, ISO 17799 lays out a series of steps companies could follow when building an architectural framework for managing information security. All told, 134 controls on information are grouped in 11 key areas. Its recommendations run the gamut, from advocating written security policies to training employees to inserting controls on how information is stored, accessed, protected and monitored, including physical security of equipment and facilities.
In other words, it addresses many of the same requirements for information security already imposed on companies by business laws like the Health Insurance Portability and Accountability Act, the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act and others. The difference is that the ISO's recommended best practices are entirely
"ISO 17799 is an umbrella standard that allows you to measure your business and apply the controls across multiple regulations and guidelines. It shows you the legislative and governance areas you should drill into and gives you an indication of the best practices you should actually apply," said Steve Crutchley, an information security consultant in Reston, Va.
According to Michael Rasmussen, an analyst with Forrester Research in Cambridge, Mass., "Each detailed section has a control statement followed by implementation guidance. This makes the standard more actionable, as well as relevant, to today's environment focused on controls for regulatory compliance."
About 1,800 organizations worldwide, including only 22 in the U.S., have attained ISO registration against the 17799 standard, according to the Information Security Management Systems International User Group.
Among them is EDS, a huge Plano, Texas-based IT consulting firm with revenue approaching $21 billion. More accurately, it is EDS' Global Security Operations Center (GSOC), which employs 100 people in Herndon, Va., that brandishes the ISO registration, which was earned in 2004. The GSOC provides a range of information security services, including round-the-clock intrusion detection services.
"We pursued accreditation because it provides us with market differentiation," said Bill Casti, EDS' standards compliance manager, noting that only one other managed services provider has attained the ISO 17799 certificate. Buoyed by confidence in the company's Information Security Management System, which passed ISO audits, new customers are approaching EDS while existing customers are requesting additional services, Casti said.
EDS' implementation of the ISO practices started with a business impact analysis and a formal risk assessment. The company compiled a list of threats to information security and ranked them based on their potential impact on the organization. Those of high risk were targeted for action while lower priority threats often were ignored. "In some cases the cost of the risk was lower than the cost of mitigating the risk," Casti said.
Analyzing processes also helped spot redundant business processes. "We found, for example, that it's very helpful to have a generic process for doing IDS [Intrusion Detection Services] that we can tailor for specific customers' needs, rather than writing an entirely new process for every customer. Which makes us more efficient from an enterprise standpoint," Casti said.
He said EDS' implementation costs were minimal, although the process was rigorous and labor-intensive. Training focused mainly on formalizing work behaviors that employees had been doing by rote, such as specifying in writing how to dispose of various media. Most of the training had little to do with technology issues, though. For example, ISO auditors trained employees to keep important company documents facedown on their desks when outsiders visited the workspace.
"The training reinforced what people already knew formatting it into a consistent process that they can understand without having to be real technical about it," Casti said. "They don't have to be Unix administrators to know it's probably a good idea to turn off computer monitors if potential customers are walking through the area."
EDS decided to pursue the 17799 accreditation because it already was registered for ISO 9001. "That means we were able to leverage a lot of the same processes and all of the standard's documentation that we had already compiled for ISO 9001," Casti said.
And when it came to regulatory compliance, ISO 17799 gave EDS a "consistent, repeatable process that's validated by a third-party accrediting agency and based on a globally accepted standard," said Casti.
Indeed, the heightened regulatory climate is forcing more companies to examine systems and processes to satisfy not only regulators but customers as well. "A lot of organizations now are insisting that their partners in the supply chain demonstrate due diligence in security. And ISO 17799 is a really good, quick way of doing that," Crutchley said.
Even so, it's important to remember that 17799 is merely a framework for building information security architecture. "It's like the framing of a house. It lets you see what the rooms look like without walls, but it's up to the company to fill out the drywall, the carpeting and all the rest," Rasmussen said.
For companies pondering a leap into the ISO accreditation waters, Casti imparts a last bit of advice. "We learned that the involvement of senior management was critical to success. Unless your management is fully engaged, the process is going to fail."
Garry Kranz is a freelance business and technology writer in Richmond, Va. He can be reached at firstname.lastname@example.org.