Most organizations are dependent upon their information and business systems, leaving them exposed to critical loss in the aftermath of a security breach. Fortunately, by implementing an information security management system ("ISMS"), as outlined in the only internationally accepted standard/code to address information security, a business can significantly reduce the risk of a security breach.

ISO/IEC 17799:2005 ("ISO 17799"), known as the Code of practice for information security management, was developed by an IT Security Subcommittee of the International Organization for Standardization and was published in June 2005. ISO 17799 is superior to other security standards because it is globally accepted and comprehensive. ISO 17799 has been cleverly crafted to work well across industries and geographies. Also, the International Organization for Standardization has consciously made this standard consistent with most other existing information security audit and control standards, such as those developed by the NIST (National Institute of Standards and Technology). Therefore, ISO 17799 can be the common framework that links to all other standards, regulatory requirements and corporate governance initiatives.

ISO 17799 provides practical guidelines for developing organizational security controls and effective security management practices. An ISO 17799 evaluation results in a snapshot of the company's security infrastructure, in that it provides a high-level view of how well (or how badly) a company implements information security. This standard is a great tool for companies, whether they are establishing or improving information security within their organization.

The information security process traditionally has been based on sound best practices and guidelines, with the goals of preventing, detecting and containing security breaches, as well as restoring the affected data to its previous state. While this cumulative wisdom of the ages is valid, it is also subject to various interpretations and implementations. ISO 17799 offers an achievable benchmark against which to build organizational information security.

Control Selection based on Risks Identified

ISO 17799 consists of 39 security controls, which can be used as a basis for a security risk assessment. The controls encompass all forms and types of information, whether they are electronic files, paper documents or various forms of communication such as email, fax and spoken conversations. The standard sets out a variety of hardware and software considerations, policies, procedures and organizational structures that protect a company's information assets from a broad range of modern security threats and vulnerabilities. How organizations shape their information security programs will depend on the unique requirements and risks they face. An organization should only deploy controls that relate to, and are in proportion to, the actual risks it faces.

Controls can also more simply be described as the countermeasures for risks. Apart from knowingly accepting risks considered acceptable, or transferring those risks (through insurance) to others, there are essentially four types of control:
1. Deterrent controls reduce the likelihood of a deliberate attack.
2. Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact.
3. Corrective controls reduce the effect of an attack.
4. Detective controls discover attacks and trigger preventative or corrective controls.

It is essential that any controls that are implemented are cost-effective. The cost of implementing and maintaining a control should be no greater than the identified and quantified cost of the impact of the identified threat (or threats). It is not possible to provide total security against every single risk; the trade-off involves providing effective security against most risks. No board should sign off on any ISMS proposal that seeks to remove all risk from the business - the business does, after all, exist within a risk framework and, since it is impossible to exist risk-free, there is little point in proposing to eliminate every risk.

No organization should invest in information security technology (hardware or software) or implement information security management processes and procedures without having carried out an appropriate risk and control assessment that assures them that:
- The proposed investment (the total cost of the control) is the same as, or less than, the cost of the identified impact;
- The risk classification, which takes into account its probability, is appropriate for the proposed investment; and
- Mitigating the risk is a priority - i.e. all the risks with higher prioritization have already been adequately controlled and, therefore, it is appropriate now to be investing in controlling this one.

Once information security needs and requirements are identified, a suitable set of controls from ISO 17799 can be established, implemented, monitored, reviewed and improved upon in order to ensure that the specific security objectives of the organization are met.

ISO 17799 is a comprehensive information security code of practice that provides enterprises with an internationally recognized and structured methodology for information security. In addition to ISO 17799, the International Organization for Standardization also published ISO 27001, which specifies a number of requirements for establishing, implementing, maintaining and improving an ISMS using the controls outlined in ISO 17799.

ISO 27001 is the formal standard against which an organization may seek independent certification of its ISMS. While certification is entirely optional, as of January 2007, over 3000 organizations worldwide were ISO 27001 certified, demonstrating their commitment to information security. Organizations may be certified compliant with ISO 27001 by a number of accredited certification bodies worldwide. ISO 27001 certification generally involves a two-stage audit process, with a "table top" review of key documentation at the first stage and a more in-depth audit of the ISMS at the second stage. The certified organization would need to be re-assessed periodically by the certification body.

In summary, organizations face threats to their information assets on a daily basis. At the same time, they are becoming increasingly dependent on these assets. Technical solutions are only one portion of a holistic approach to information security. Establishing broad information security requirements in the framework of the organization's own unique risk environment is essential.
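The three-part risk and control assessment above, worked through as an added example that is not part of the original article. It assumes a constructed risk register and a simple prioritization model (expected impact = probability x impact cost); the register figures and the "controlled/accepted/transferred" status labels are illustrative assumptions, not values from the article.

```python
"""Constructed risk register and the three-part control investment check.

Assumed model (not from the article): each risk carries a probability
(0..1) and a quantified impact cost; risks are prioritized by
expected impact = probability * impact_cost, highest first.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    probability: float      # likelihood of the threat materializing
    impact_cost: float      # quantified cost of the impact
    control_cost: float     # total cost of the proposed control
    status: str = "open"    # "open", "controlled", "accepted", "transferred"

    @property
    def expected_impact(self) -> float:
        return self.probability * self.impact_cost


# Constructed sample register (all figures are illustrative only).
REGISTER = [
    Risk("ransomware on file server", 0.30, 400_000, 60_000, "controlled"),
    Risk("laptop theft with unencrypted data", 0.20, 150_000, 25_000),
    Risk("phishing leading to account takeover", 0.25, 120_000, 20_000),
    Risk("office fire destroying paper records", 0.01, 500_000, 40_000, "transferred"),
]


def assess(risk_name: str, register: list[Risk]) -> tuple[bool, list[str]]:
    """Apply the article's three criteria to one proposed control.

    Returns (justified, reasons); an empty reasons list means all three pass.
    """
    ranked = sorted(register, key=lambda r: r.expected_impact, reverse=True)
    risk = next(r for r in ranked if r.name == risk_name)
    reasons = []
    # 1. Control cost must not exceed the cost of the identified impact.
    if risk.control_cost > risk.impact_cost:
        reasons.append("control costs more than the impact it prevents")
    # 2. The classification (probability taken into account) must justify
    #    the spend: expected impact must at least cover the control cost.
    if risk.expected_impact < risk.control_cost:
        reasons.append("expected impact does not justify the investment")
    # 3. Every higher-prioritized risk must already be dealt with.
    for higher in ranked[: ranked.index(risk)]:
        if higher.status == "open":
            reasons.append(f"higher-priority risk still open: {higher.name}")
    return (not reasons, reasons)
```

Run against the sample register, the laptop-theft control is justified, while the phishing control is blocked only because the higher-ranked laptop risk is still open, which is exactly the prioritization rule in the third bullet.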