This document serves the purpose of critically comparing the ISF Standard of Good Practice and ISO 17799. This paper will include, amongst other issues, areas of correspondence, areas of difference, usability and readability.
INTRODUCTION
With constant reports in the media of hacked sites, denial of service attacks, computer espionage and newly discovered vulnerabilities in applications and hardware, it is impossible for the management of any organization to ignore the likelihood of a security incident occurring. Over the last few years, concerns about protecting the organization's assets and minimizing liability have grown substantially, and recently it has become management's personal responsibility to implement effective information security controls.
The majority of organizations will typically have some security controls in place, often a mix of technology (e.g. firewalls and anti-virus software) and documented policies (e.g. Password Policy, Email and Internet Usage Policy). The real challenge is developing these into an integrated Information Security Management System that will support the organization’s key business processes and strategic objectives as well as protect the electronic assets of the company and mitigate any risks that will result in an unfavorable situation for the company.
Why use a standard, one may ask? There are few organizations nowadays that do not have links from their internal systems to the Internet, and few that cannot identify outsiders, such as competitors or criminals, who may wish to exploit the information on their systems to their advantage. Thus, without a standard approach to an area as diverse and as vital as information security, it is unlikely that the organization will consider all aspects of security, and it will remain at risk from a security incident that may seriously damage its business. That is where the use of standards is crucial: they will provide guidelines on