Tip of the Day: Standards

Published: 2006-08-27
Last Updated: 2006-08-28 16:48:35 UTC
by Swa Frantzen (Version: 3)
When I got interested in security in a more formal way than securing the unix boxes I administered in the early 90s, the first standard I found was RFC1244 (now obsoleted by RFC2196). Being technical staff in a university environment, I found it overly complex at the time.

And since I'm still convinced that many of us, even today, think of security as a technical problem and not as the management problem it is, I'll try to promote thinking of security as a management problem:

Security in essence is managing risk.


In the late 90s I rediscovered some information security standards:
  • BS 7799 part 1
  • and a bit later BS 7799 part 2.
I learned to appreciate these, as they have interesting content that bridges the gap between the technical level, which wants to fix things but often fails to see the management part, and the management level, which fails to understand the mechanisms and just wants it to support the business and cost as little as possible.

So what's out there from a standard point of view? And what do they address?

'7799 family

ISO17799:2005

"Code of practice for information security management"

ISO17799 was formerly known as BS7799 part 1. "BS" stands for British Standard. It is a standard that suggests a best practice, and I often find it useful to grab my copy when e.g. writing requirements for a backup system, as it makes me think about a dozen things backup needs to cover and makes sure that if I leave one of them out, I did so intentionally.

I also use it when writing policies, as it tells me what I should cover in the policy in addition to what I come up with myself.

It has existed since 1994 and has been reviewed a few times. The pitfalls I knew in the pre-2005 version are mostly out of it. It addresses a wide range of items you want to control from a corporate viewpoint. It does go into detail on how you could gain that control, but it stays away from technical details.

This standard will be renamed to ISO27002 in the future.

ISO27001:2005

"Information Security Management System Requirements" (ISMS)

ISO27001 was formerly known as BS7799 part 2. It has existed since 1999. It tells you how to build a management system that manages your information security. It might seem even less technical, and its size can be deceiving: one of the things it tells you to do is a risk assessment for all your assets. The implications of that are huge.

ISO27001 can be certified. A third party auditor can certify that you implemented it, and the certificate is seen as a quality label for your information security. I've seen a few RFPs in the past that required a certificate to be able to compete for the contract.

The link to ISO17799 comes from the last thing to complete when doing it all, and the first thing the auditor wants to see: the Statement of Applicability. It is a list of the controls suggested in ISO17799 that you decided you did not need, with a justification for each. This does make the 100+ controls in ISO17799 somewhat mandatory, but then again they are best practices.

BS7799-3:2006

"Guideline for information security risk management"

This latest sibling of the '7799 family is "only" a British Standard at this point. BS7799-3:2006 is a set of guidelines on how to get one of the hardest parts of ISO27001 done: risk management.

It's IMHO rather thin at the moment, so unless you intend to certify ISO27001 I'd skip it. Get another source for how to do risk management the easy way: do not go too far into the math part of it; just low/medium/high is hard enough to deal with.

Do not fear!

Get it! Read it!

While the above standards are not available for free download, do get a copy of them (legally, of course). ISO17799 especially is a mature standard that can help you greatly when building an environment and when trying to expand or improve something in an existing environment.

Don't be silly!

ISO17799 is not a policy; do not copy it and say "our policy is to do this". You cannot do that, as e.g. the very first control in there addresses itself to management and tells them:

"Management should set a clear policy direction in line with business objectives and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization."

So ... read the document and read the details (e.g. the goal above has a page of explanation on how to achieve it), and then act on the steps.

Don't try it all in one step. You'll fail. Try it one step at a time, prepare for each step, and every time try to get more in it, making sure you continuously improve the situation. That continued improvement is also what ISO27001 will demand of you, especially if you try to certify.

Other standards

Security standards

There are loads of other IT security related standards; I have by no means read all of them. And it seems that every time I look there are more of them.
  • ISO13335 is about IT security management. There are 5 parts in this.

  • ISO18044 is about incident management.

  • ISO18043, ISO18028, ISO15408, ISO18045, ISO15442, ISO15446

  • ...
There are also interesting IT related things to look into, such as Cobit and ITIL (ISO 20000).

Risk management

A reader suggested the AS/NZS4360:2004 standard for risk management. I did know about the '7799 family down under, but I'm happy to see there is a standard on risk management that's been around since 1994. This is especially important in light of managing security essentially being managing risk.

Non security

I promise to be brief, but I just must point out that other things such as environment, quality, etc. have their own ISO standards, that those standards also build management systems, and that they are compatible and even reference each other. So you might end up looking at ISO14001 (environment), ISO9001 (quality), etc. as well.

Conclusion

Go out and buy ISO17799:2005; you'll love it if you take the time to get to know it. And it's a good ally if you need to write policies or RFPs.

Do watch out for certification as a driver to get this in motion. It can easily lead to a monster on paper that has no impact on the real world, and is therefore a waste of time and effort.

--
Swa Frantzen -- Section 66

Keywords: ToD